Background 

On 16 July 2021, the government gazetted a Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) to introduce a specific new offence of doxxing and new take down powers for the Office of the Privacy Commissioner for Personal Data (PCPD). The proposal has not been welcomed by representatives of the technology industry, which have criticised aspects of the proposed statutory take down mechanism as being a “disproportionate and unnecessary” response to doxxing.

Doxxing - the unlawful public disclosure of personal data, in particular online - became a feature of the recent social unrest in Hong Kong. The PCPD reports that it received its first complaint of doxxing in June 2019 and by the end of the following year (2020) had handled more than 5,400 doxxing cases. Many of these instances are reported to have been directed at police officers and other public officials.

The Bill will directly criminalise doxxing acts as an offence under the Personal Data (Privacy) Ordinance (PDPO). It will also grant the PCPD the power to require online platforms to remove alleged doxxing materials by service of a cessation notice and to investigate complaints.

Cessation notices

The PCPD will be given the power to serve a cessation notice on online platforms to either remove doxxing contents or restrict a person's access to a platform or an intermediary/ hosting service if the PCPD has reasonable grounds to believe that:

  • any personal data of a Hong Kong resident or other person in Hong Kong is being disclosed on the platform without the data subject’s consent and is intended to harass, threaten or cause other specified forms of harm (or is reckless as to that consequence); and
  • the notice can be complied with (including by action taken outside of Hong Kong).

The PCPD is given these powers directly and will not be required to obtain a court order first. This cessation notice may be served on overseas platforms directly or on their Hong Kong presences (not limited to affiliates). The notice will specify the action to be taken and the timeframe designated by the PCPD for compliance.

Non-compliance with a cessation notice will itself be an offence punishable on a first conviction to a HK$50,000 fine and two years’ imprisonment, and in the case of a continuing offence, to a further fine of HK$1,000 for every day during which the offence continues.

There is a defence of showing that it was not reasonable to expect the notice to be complied with (having regard to various factors) or that the platform has another reasonable excuse for not complying with the cessation notice. The defence is notably vague. However, the extra-territorial reach of the PCPD’s powers to order removal is such that it seems unlikely that a court would accept that access controls or limitations on administering content that prevent the Hong Kong affiliate of a global platform from removing the content without involvement/ acquiescence from the parent constitutes sufficient justification for non-compliance.

There will also be an appeal route to the Administrative Appeals Board, but the cessation notice will have to be complied with pending the appeal.

Primary offence

Doxxing will be made a summary offence, made out by the disclosure of personal data without the data subject’s consent with either an intent to cause specified harm to the data subject or a family member of the data subject or being reckless as to whether harm will be caused. The extension to include recklessness is presumably intended to avoid the PCPD having to undertake the burden of proving intent, and will be capable of being inferred from the circumstances of a posting.

The offence will be punishable with a fine of up to HK$100,000 and two years’ imprisonment, without proof of harm having been caused. If harm has been caused the maximum penalty will be increased to HK$1,000,000 and imprisonment of up to five years.

The PCPD will also be entitled to seek an injunction (or interim injunction) to restrain further dissemination of doxxing content.

Investigation powers 

The PCPD is also to be given direct criminal investigatory powers, including search and seizure powers and powers of arrest, based on a reasonable suspicion of an offence having been carried out, but without requiring a warrant. It will be an offence to refuse to comply with a request for documents or information without a reasonable excuse.

The PCPD has previously acted solely in an administrative enforcement capacity. The PCPD may also delegate these powers to the police.

Next steps

The first and second readings of the Bill have been tabled for 21 July 2021. No timetable has been proposed for the committee stage and third reading. However, by all appearances the government intends to expedite the enactment of the Bill.  

The Bill does not address any of the amendments to the PDPO discussed by the Legislative Council Panel on Constitutional Affairs in January 2020 (e.g. mandatory data breach notification, data retention policies, direct administrative fines, direct regulation of data processors, amending the definition of “personal data”, etc.), which are evidently on a different legislative pathway.