The main objects of the Amendment Ordinance are to amend the Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 ('PDPO') to:

• create a two-tier offence for disclosing personal data without consent;
• empower the Privacy Commissioner for Personal Data ('the Commissioner') to carry out criminal investigations and institute prosecutions for doxxing-related offences; and
• confer on the Commissioner the statutory power to issue cessation notices to request the removal of doxxing messages.

Creation of new doxxing offences

Under the Amendment Ordinance, new doxxing offences have been introduced under a two-tier structure. The first-tier offence is a summary offence for disclosing personal data without the data subject's consent, with the discloser having the intent of, or being reckless with causing any specified harm by that disclosure to the data subject or any family member of the data subject. The second-tier offence is an indictable offence which is committed if, in addition to satisfying the requisite elements of the first-tier offence, specified harm is caused to the data subject or their family member as a result of the disclosure.

To properly cover the range of sufferings or damages caused to doxxing victims, the term 'specified harm' is widely defined to include:

• harassment, molestation, pestering, threat, or intimidation;
• bodily harm or psychological harm;
• harm causing concerns about safety or well-being; or
• damage to the property.

The two new offences have replaced the former offence under Section 64(2) of the PDPO, which merely covered the disclosure of personal data obtained from a data user without the consent of the data user (as opposed to the data subject). The two new offences also extended the protection to cover any family member of the data subject, who was not protected in this way under the old PDPO.

Any person who commits the first-tier offence is liable, on summary conviction, to a fine of HKD 100,000 (approx. €11,380) and to two years of imprisonment . Any person who commits the second-tier, indictable, doxxing offence is liable, on conviction on indictment, to a fine of HKD 1,000,000 (approx. €113,820) and to five years of imprisonment.

The scope of the two new doxxing offences is clearly delineated and target-specific. The offences aim to combat doxxing behaviours seriously intruding into privacy in relation to personal data.

Striking a reasonable balance

In the words of the Honourable Mr Justice Jeremy Poon Shiu-chor, the Chief Judge of the High Court in the case of Junior Police Officers' Association of the Hong Kong Police Force v Electoral Affairs Commission and others [2019] 5 HKLRD 291, "doxxing should not and cannot be tolerated in Hong Kong, if we still take pride in our city as a civilized society where the rule of law reigns". He added that doxxing "seriously endangers our society as a whole", given that it can ignite the fire of "distrust, fear and hatred", which will then "consume the public confidence in the law and order of the community". The dicta of the Chief Judge vividly, and succinctly, summarised the vicious nature of doxxing behaviour, which should be condemned by us all.

Indeed, when doxxing acts target members of the Judiciary, they represent attacks to the cornerstone of the rule of law, and should be stopped.

To quote Mr Grenville Cross SC, a former Director of Public Prosecutions of Hong Kong and a renowned criminal justice analyst, the recent legislative amendment is a measured response to a heinous crime. The objective of the Amendment Ordinance is to criminalise doxxing acts and more effectively combat the crime by increasing the enforcement powers of the Commissioner. The Amendment Ordinance will not affect normal and lawful business activities in Hong Kong, neither will it affect the freedom of speech and free flow of information that members of the public currently enjoy. Such rights have been, and are, enshrined in the Basic Law of the Hong Kong Special Administrative Region of the People's Republic of China and the Hong Kong Bill of Rights Ordinance (Cap. 383), and there is nothing in the Amendment Ordinance which encroaches upon those rights.

The freedom of speech of social media users, by any token, does not encompass the right to abuse others' personal data with a view to causing harm to the victims, either intentionally or recklessly.

Criminal investigation and prosecution powers

In terms of criminal investigation powers, similar to the powers currently possessed by the Police, under the Amendment Ordinance, the Commissioner is empowered to request relevant documents, information, or things from any person and to stop, search, or arrest a person in an investigation into doxxing-related offences. The Commissioner may also apply for a warrant to enter and search premises, or to access, search, and decrypt information stored in an electronic device, such as a mobile phone.

To streamline the process, the Commissioner is also given the power to prosecute, in the Commissioner's name, doxxing-related offences which are triable summarily in the Magistrates' Courts.

Cessation notice

Over the past two years, in our handling of doxxing cases, my office has written to the operators of 18 platforms over 300 times to request the removal of over 7,000 doxxing web links. However, as the requests were not mandatory in nature, only about 70% of the doxxing web links were removed and the situation was not satisfactory.

Under the new regime, the Commissioner may serve a cessation notice to request the removal of doxxing messages when the data subject in question, namely, the victim, is a Hong Kong resident or is present in Hong Kong when the disclosure is made.

Given that the cyber world has no borders, a provision on extra-territorial effect is also introduced in such a way that a cessation notice can be served by the Commissioner regardless of whether the disclosure is made in Hong Kong or not. Further, a cessation notice may be served on a person in Hong Kong (for example, an individual in Hong Kong or an internet service provider having a place of business in Hong Kong) or, in relation to an electronic message, a service provider outside Hong Kong (which covers the operator of an overseas social media platform) that is able to take a cessation action.

In this context, it is worth noting that the Commissioner is only empowered to serve a cessation notice on a person who is able to take a cessation action in respect of the doxxing message. In other words, only those who are able to take a cessation action would be the subject of service of cessation notice under the Amendment Ordinance.

As with similar legal notices issued by relevant authorities in other jurisdictions, any non-compliance with a cessation notice is a criminal offence, and the offender is liable, on first conviction, to a fine up to HKD 50,000 (approx. €5,690) and two years of imprisonment, and a daily fine of HKD 1,000 (approx. €114) for every day when the offence continues. Subsequent convictions will attract heavier penalties.

Proper checks and balances have already been built into the new regime in that an appeal mechanism against the cessation notice is available for the person on whom a cessation notice is served and any other person who is affected by the notice.

Regulatory framework of other jurisdictions

Indeed, the problem of doxxing is not unique to Hong Kong. In the recent legislative amendment exercise, the Hong Kong Government and my office have also taken account of the regulatory framework in other jurisdictions, including the Protection from Harassment Act (Cap. 256A) in Singapore, the Enhancing Online Safety Act 2015 in Australia, and the Harmful Digital Communications Act 2015 in New Zealand.

In Singapore, for example, the Protection from Harassment Act was amended in 2019 to cover the malicious publication of any identity information of a target person or a related person of the target person. Provisions of the Act now provide, inter alia, that the publication of such identity information with an intent to cause harassment, alarm, distress to the target person, or cause the target person to believe that unlawful violence will be used against them, counts as an offence. Pursuant to an express extra-territorial provision, the Singaporean Courts have jurisdiction to try an offence and impose punishment so long as, for instance, the victim was in Singapore at the time of publication of the identity information.

In Australia, under the recently enacted Online Safety Act 2021, a person must not post certain categories of materials (which cover cyber-bullying material of an Australian child or adult or intimate images) without the consent of the individual concerned. So long as the materials are classified as cyber-bullying material targeted at an Australian child or adult, the eSafety Commissioner would have the power to issue a request to remove the material concerned. This is notwithstanding that the materials are posted on an electronic platform operating outside Australia.

In line with similar laws and regulations in other jurisdictions, Hong Kong has filled a lacuna in the law to combat unlawful doxxing acts. In fact, social media platforms should, as a matter of law and social responsibility, ensure that unlawful contents are removed from their platforms.

Ada Chung Lai-Ling Privacy Commissioner for Personal Data, Hong Kong