17 November 2021
Doxxing, the publishing of personal information about an individual on the internet or social media, usually with malicious intent, has been a global issue for some time and has become more serious with the growth of the internet and social media. Although the existing Personal Data Privacy Ordinance (PDPO) prohibited the unauthorised disclosure of personal data which causes psychological harm to the data subject, the offence was drafted years before the explosion of the internet and social media and does not specifically deal with this issue. After 2 years of consultation and discussion, the Hong Kong Government has now introduced new legislation to combat doxxing.
The Personal Data (Privacy) (Amendment) Ordinance 2021 which took effect on 8 October 2021:
-
Introduces a two-tier doxxing offence;
-
Empowers the PCPD to conduct criminal investigations and initiate prosecution of doxxing; and
-
Confers on the PCPD the power to demand the cessation of doxxing activities and content.
The two-tier doxxing Offence
The now repealed provision of the PDPO (section 64(2) required proving that the personal data was obtained from a data user without the data user’s consent. This can be difficult to establish given that data can be obtained from many sources, including the public domain, and repeated re-posting of information can make it a challenge to identify the relevant data user.
Under the Amendment Ordinance, a person commits an offence if he discloses any personal data of a data subject without the data subject’s consent. The new law also extends the protection to cover a data subject’s family members:-
-
The first-tier offence concerns the situation where there has been an intent to cause, or the person was reckless as to whether any “specified harm” will be caused to a data subject and/or his family members. No actual harm needs to have occurred. A person who commits a first tier-offence is liable on summary conviction to a level 6 fine (i.e. $100,000) and imprisonment for 2 years;
-
The second-tier offence covers where actual specified harm has been caused. A person who commits a second-tier offence is liable for conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
“Specified harm” is defined tomean (a) harassment, molestation, pestering, threat or intimidation to the person; (b) bodily harm or psychological harm to the person; (c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or (d) damage to the property of the person.
PCPD’s enhanced powers
The Amendment Ordinance empowers the PCPD to carry out criminal investigations and prosecution in relation to the new doxxing offences without the need to refer the cases to the Police or the Department of Justice. The new powers include the power to request any person to provide assistance and deliver materials, and to search premises and access electronic devices.
In addition, the PCPD is also legally empowered to demand removal of doxxing content by an individual or company in Hong Kong. Under the previous law, it was not mandatory to comply with the PCPD’s requests. It is important to note that the cessation notice regime also applies to a non-Hong Kong service provider, who provides any service to any individual or company in Hong Kong,:-
-
Hong Kong persons – If the PCPD has reasonable grounds to believe that there is (i) a doxxing message (whether or not it exists in Hong Kong); and (ii) an individual or company in Hong Kong is able to take a cessation action (whether or not in Hong Kong) in relation to the message, then the PCPD may serve a cessation notice on the person;
-
Extra-territorial scope– As long as the PCPD has reasonable grounds to believe that (i) there is a doxxing message; and (ii) that a non-Hong Kong service provider is able to take a cessation action in relation to the message, then a cessation notice may also be served on that person.
“Cessation action” includes any action (i) to cease or restrict access to the message; (ii) to remove the message; or (iii) to discontinue the hosting service for the relevant platform or whole platform where the message is published.
Failure to comply with a cessation notices amounts to a criminal offence, unless the recipient can establish a defence that:
-
The recipient had a reasonable excuse for contravening the cessation notice; or
-
It was not reasonable to expect the person to comply with the cessation notice because of, amongst others, (i) the nature or complexity of the cessation action; (ii) the technology necessary for compliance was not reasonably available; or (iii) there was a risk of incurring substantial loss to, or otherwise substantially prejudicing the right of a third party.
Conclusion
It is advisable for data users to exercise extra caution to avoid unauthorised disclosure of personal information. Service providers, online platform operators and companies should also be aware of their obligations under the laws and reviewing their platform terms and conditions (if it does not already have such rights) to prohibit users from committing any illegal acts and provide the service provider with the right without liability to remove contents which it is required by the law to remove or which may put it at risk of breaching any application laws.
Online platform operators should also formulate internal policies on how to respond to cessation notices and requests from the PCPD to assist in criminal investigations relating to doxxing offences. Overseas service providers should also take note of the extraterritorial effects of the cessation notice regime under the Amendment Ordinance.
For further information, please contact: