Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Hong Kong: Guideline on PDPO amendment enforcement
The Privacy Commissioner for Personal Data ('PCPD') announced, on 8 October 2021, that the Personal Data (Privacy) (Amendment) Bill 2021 ('the PDPO Amendment Ordinance') was gazetted and has come into force on 8 October 2021. In particular, the PCPD noted that it has published the Implementation Guideline for the Amendment Ordinance ('the Guideline') in the Hong Kong Gazette to accompany the PDPO Amendment Bill, which sets out the amendments and changes to the offences and sanctions. Furthermore, the PCPD has set up a telephone hotline for handling enquiries or complaints relating to doxxing activities, and a portal with information on doxxing on the PCPD's website.
In this insight, OneTrust DataGuidance provides an overview of the Guideline and the specific guidance set out by the PCPD regarding the operation of the PDPO Amendment Ordinance and the amendments introduced under the bill under four parts - doxxing, the PCPD's powers, serving of notices, and complaints mechanisms.
Doxxing
Doxxing was introduced under the PDPO Amendment Ordinance to address the concerns of the Hong Kong Government regarding the increasing misuse and malicious disclosure of personal data of individuals, jeopardising the physical and psychological safety, and right to a private life.
Section 64 of the PDPO Amendment Ordinance introduces a doxxing offence under a two-tier system which distinguishes the severity of the offence, with the main distinction between the two tiers being whether 'specified harm' has occurred following the disclosure (Section 2.2.1 of the Guideline).
Specified harm is interpreted under the PDPO Amendment Ordinance as (Section 2.2.7 of the Guideline):
- harassment, molestation, pestering, threat, or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person's safety or well-being; or
- damage to the property of the person.
However, the Guideline establishes that whether the provisions on specified harm apply is to be decided on a case-by-case analysis, as well as that the interpretation of such terms depends on judgement of the Hong Kong Court. Furthermore, the Guideline establishes that different factors may be taken to consideration when establishing whether the relevant and actual circumstances fall under the umbrella definition of 'specified harm'. Such factors include the content of the message that is alleged to have doxed an individual, how such a message was expressed and what its contents were, the manner of dissemination, and the characteristics of the victim or their family members (Sections 2.2.8 and 2.2.9 of the Guideline).
Criminal, investigative, and prosecution powers under the PDPO
The additional amendments introduced by the PDPO Amendment Ordinance focus on strengthening the PCPD's powers in terms of criminal investigations.
The amendments introduce two significant changes to the previous scope of the PDPO, with the power to arrest or search persons, premises, or devices where reasonable suspicion exists in relation to a doxxing offence.
Investigatory powers are now given to prescribed officers and authorised officers who exercise these on behalf of the PDPO; such officers can exercise the power to stop and search, or arrest persons that are suspected to have violated the PDPO, pursuant to Section 66H of the PDPO Amendments. In addition to this, the PCPD may also coordinate joint operations with relevant government departments or organisations, including the Hong Kong Police Force. Particularly, the Guideline emphasises the seriousness of violating the PDPO through a doxxing offense, noting that under the new amendments an authorised officer may, without warrant, exercise the powers to stop, search, and arrest any person whom the officer reasonably suspects of having committed a doxxing or a related offence (Section 3.2.1 of the Guideline).
The PDPO amendments also grant to the PCPD the power to issue written notices to individuals with an order to request such individuals to provide any relevant materials or answer relevant questions in order to assist the PCPD in conducting its investigations. Materials include any document, information, or thing a person has or may have possession or control. Such written notice must be in a specified form, signed by the PCPD or a prescribed officer, and indicate the subject matter and purpose of the relevant investigation. To bolster investigations, the PCPD or prescribed officers will also have the ability to be granted a warrant to search premises and access electronic devices, given that reasonable grounds of suspecting that a doxxing related offence has been committed or there is material related to an investigation within the premises or electronic devices the warrant relates to. Such a warrant will be granted by the magistrate courts of Hong Kong upon a valid application by the PCPD or prescribed officer (Sections 3.2.2 to 3.3.3 of the Guideline).
The Guideline explains that where a warrant is issued and enforced, a prescribed officer must: be in uniform or display their warrant card, state the purpose of the search and the authority in which they are acting, and produce the warrant. During the execution of a warrant, if an officer considers a valid claim of legal privilege exists, then such privilege will be valid and materials affected by it will not be examined, but seized, sealed, and deposited for examination with further legal advice for the material (Sections 3.2.4 to 3.3.6 of the Guideline).
The Amended PDPO Ordinance allows the PCPD or a prescribed officer to access electronic devices without a warrant when the criteria are met. These criteria are where they reasonably suspect that doxxing or a related offence has been, is being, or is about to be committed, the electronic device in question stores material that is evidence for the relevant investigation, and it is satisfied that a delay caused by an application for a warrant is likely to defeat the purpose of accessing the device, or it is not reasonably practicable to make the warrant application.
Power of cessation
The another notable amendment to the PDPO introduces the power to serve a notice of cessation, requiring the person or entity in question receiving the notice to undertake a cessation action. The Guidelines clarify that cessation notices may be served to anyone where the criteria is met by the PCPD, which include where the PCPD reasonably suspects (Section 4.2.1 of the Guideline):
- that personal data was disclosed without the consent of the data subject who is a Hong Kong resident or present in Hong Kong;
- the person disclosing the personal data had an intent to or was being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- a Hong Kong entity or person is able to take the cessation action in relation to the disclosure of personal data.
The Guideline explains that the PCPD may serve cessation notices on individuals or entities who are able to take cessation actions, and these may include disclosers of doxxing content, such as operators of electronic platforms, internet service providers or hosting service providers, etc (Section 4.2.2 of the Guideline). With regards to extra-territoriality, the PCPD may serve a cessation notice on a non-Hong Kong service provider, such as the operator of an overseas social media platform directing it to take action under Section 66M(2) of the Amended PDPO Ordinance (Section 4.2.3 of the Guideline). Non-compliance of any cessation notice is an offence and may result to a fine or imprisonment. An appeal may be made against the cessation notice, although the person or entity must still undertake a cessation action until such appeal is granted (Section 4.3 of the Guideline).
Furthermore, the PCPD has the ability to apply for an injunction where there is or is likely to be a large-scale or repeated commission of offences under Section 64 of the Amended PDPO Ordinance. The injunction aims to prevent the future recurrence of doxxing incidents targeted at specific persons or groups pursuant to section 66Q of the Amendment Ordinance, with non-compliance to such injections is an offence that may result to a fine or imprisonment. Both the cessation order and injunctions may be obtained expeditiously to minimise, prohibit, and prevent the risk of harm to a data subject or their family members (Section 4.4 of the Guideline).
Conclusion
The Guideline sets out the different requirements to be aware of in relation to the PDPO Amendment Ordinance. One of the main takeaways from the Guideline is that the amendments to the PDPO appear to solely focus on individual's criminal actions relating to doxxing offences, and the serious repercussions that may be faced where non-compliance with the PDPO occurs. Additionally, the compliance requirements and imposition of sanctions carries over to businesses and entities that may be the subject of investigations, cessation orders, or injunctions that may impede normal business operations. Therefore, being aware and wary of the operation of the PCPD under the new amendments will prove useful while the expected impact or strictness of the enforcement of the law remains to be seen, especially for network and platform operators where doxxing is much more likely to occur in their day-to-day business.
Theo Stylianou Privacy Analyst
[email protected]