Hong Kong’s data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), has been amended to introduce “anti-doxxing” provisions.
The new regime creates offences to curb doxxing acts, and empowers the Privacy Commissioner for Personal Data (“Commissioner“) to carry out criminal investigations, institute prosecutions and issue cessation notices. The changes came into effect on 8 October 2021.
The Commissioner made its first arrest under the doxxing regime on 13 December 2021. An individual was arrested after the Commissioner received a report from an alleged victim that the suspect had posted the victim’s personal details on an online platform.
How are the changes relevant to businesses?
- The changes are most relevant to platform and online service providers (such as social media platforms).
- Where doxxing occurs on or via their platforms or services, they may be the recipient of a cessation notice from the Commissioner, which requests the removal of doxxing messages, and it is a criminal offence to contravene a cessation notice.
- Cessation notices may be served on non-Hong Kong service providers, and so the amendments impact both Hong Kong and overseas businesses.
Relevance to platform/online service operators
- Doxxing acts are most likely to occur on platforms and online services that allow for user-generated content, such as social media platforms.
- However, the law does not impose any obligation on platform/online service operators to proactively monitor or censor content on their platforms/services.
- Where the platform/online service operator has knowledge of potentially incriminating doxxing content but does not remove it, there is a risk of investigation into the content by the Commissioner which can prosecute offences in its own name where it suspects that an offence has been committed, and the platform/online service operator may be the recipient of a cessation notice from the Commissioner.
The Commissioner’s criminal investigation powers
- The Commissioner’s new criminal investigation powers are similar to those of the police, and the Commissioner may request any person to provide relevant materials and answer questions to facilitate investigations. Companies should put in place internal procedures and policies to assess and respond to law enforcement requests.
- Where a company receives a cessation notice, it has a legal obligation to comply, as contravention of a cessation notice constitutes an offence under the PDPO. In any case, platform/online service operators should have notice and takedown procedures in place.
It remains to be seen how the Commissioner will enforce the law against overseas companies that do not have a Hong Kong presence in practice. However, a cessation notice may be served on companies outside Hong Kong (see “In more detail” section below for more information).
In more detail
“Doxxing” refers to gathering personal data of a specific targeted person and/or related persons (such as family members) through various means, e.g., public registers and discussion platforms, and disclosing such personal data on the internet, social media or other open platforms (such as public places).
The introduction of specific legislative amendments to address doxxing was one of the six key proposals put forward by the government and the Commissioner in the formal review of the PDPO, which commenced in January 2020. This is the only key proposal that has been implemented. In October 2021, the Commissioner issued the Personal Data (Privacy) (Amendment) Ordinance 2021 Implementation Guideline to explain the new regime, including the scope of the doxxing offences and the Commissioner’s new powers.
We set out as follows the key provisions of the new “anti-doxxing” regime:
|Creation of new offences||Two new offences under a two-tier structure have been created:|
– First-tier offence (without actual harm): summary offence to (i) disclose a data subject’s personal data without consent; and (ii) the discloser has an intent to cause any “specified harm” to the data subject or any family member, or is reckless as to whether any “specified harm” would be, or would likely be, caused to the data subject or any family member. In other words, no actual harm has been caused by the disclosure. The maximum penalty is a fine of HKD 100,000 and imprisonment for two years.
– Second-tier offence (with actual harm): indictable offence to (i) disclose a data subject’s personal data without consent; (ii) the discloser has an intent to cause any “specified harm” to the data subject or any family member, or is reckless as to whether any “specified harm” would be, or would likely be, caused to the data subject or any family member; and (iii) the disclosure causes “specified harm” to the data subject or any family member. In other words, actual harm has been caused by the disclosure. The maximum penalty is a fine of HKD one million and imprisonment for five years.”Specified harm” means harassment, molestation, pestering, threat or intimidation to the data subject or any family member; bodily harm or psychological harm to that person; harm causing that person to reasonably be concerned for that person’s safety or well-being; or damage to the property of that person.-
|Commissioner’s new powers||The Commissioner may:|
– Issue a written notice to request any person to provide relevant materials and answer questions to facilitate the investigation
– Apply for a warrant to enter and search premises and seize materials for investigation, or access an electronic device
– Stop, search and arrest any person who is reasonably suspected of having committed a doxxing-related offence
– Prosecute in the name of the Commissioner a doxxing-related offence triable summarily in the Magistrates’ Court
The criminal investigation powers of the Commissioner reflect the powers of police officers under the Police Force Ordinance (Cap. 232).
|Cessation notices||The Commissioner may serve a cessation notice on a person who is able to take a cessation action, under the following circumstances:|
– The personal data of a data subject was disclosed (whether or not in Hong Kong) without consent by means of a written message or electronic message;
– The discloser had an intent or was reckless as to whether any “specified harm” would be, or would likely be, caused to the data subject or any family member; and
– When the disclosure was made, the data subject was a Hong Kong resident; or was present in Hong Kong.
A cessation notice can be served on a Hong Kong person, or a non-Hong Kong service provider that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person. A cessation notice may only be served on non-Hong Kong service providers in relation to electronic messages.
Cessation actions, in relation to an electronic message, include removing the subject message, ceasing or restricting access to the message or the relevant platform (in whole or in part), and discontinuing the hosting service for the relevant platform (in whole or in part).
It is an offence to contravene a cessation notice. On first conviction, the person who commits the offence is liable to a fine of HKD 50,000 and imprisonment for two years, and in the case of a continuing offence, a further fine of HKD 1,000 for every day during which the offence continues. On each subsequent conviction, the person who commits the offence is liable to a fine of HKD 100,000 and imprisonment for two years, and in the case of a continuing offence, a further fine of HKD 2,000 for every day during which the offence continues.