The Constitutional and Mainland Affairs Bureau (“CMAB”) has released a discussion paper with proposed amendments to the Personal Data (Privacy) Ordinance (“PDPO”) in Hong Kong to enforce protections against doxxing.  “Doxxing” is the act of revealing previously private information about an individual or organisation to the public without consent – usually done through online platforms.  The intention behind doxxing is often to make more information available about an individual or organisation so that they may be more easily targeted by third parties for humiliation, embarrassment, or even intimidation.  There is currently no express provision in the PDPO relating to doxxing (though there is an offence under section 64 of the PDPO for disclosing the personal data of a data subject which was obtained from a data user without the data user’s consent, with an intent to obtain a gain or cause a loss, or which causes psychological harm to the data subject), and so the proposed amendments would make doxxing an offence and grant more powers to the Privacy Commissioner in relation to doxxing.  It is expected that a bill following this discussion paper will be presented to the Legislative Counsel by October 2021.

The discussion paper by the CMAB lays out three proposed amendments.

1. Adding an offence to curb doxxing acts

The CMAB has proposed to introduce the offence under section 64 of the PDPO.  The provision would state that a person commits an offence if they disclose any personal data of a data subject without the data subject’s consent with an intent (or being reckless): (i) to threaten, intimidate or harass a data subject; and (ii)to cause psychological harm to a data subject.

These new provisions also offer protection to the data subject’s immediate family members (meaning any person who is related to the data subject by blood, marriage, adoption, or affinity).

The penalty under this clause for conviction on indictment would be a fine of HKD1,000,000 and imprisonment for 5 years, or on summary conviction to a fine of HKD100,000 and imprisonment for 2 years.

2. Empowering the Privacy Commissioner to carry out criminal investigation and prosecution 

Currently, when handling doxxing cases, the Privacy Commissioner is required to refer cases to the Police and the Department of Justice for criminal investigation and consideration of prosecution.  However, in the bid for stronger enforcement against doxxing, the CMAB has proposed to add new provisions to empower the Privacy Commissioner to carry out criminal investigation and initiate prosecution under section 64 of the PDPO.

This would mean that the Privacy Commissioner could request relevant information, documents or things from any person to facilitate investigation where the Privacy Commissioner has reasonable grounds to believe that a contravention of section 64 of the PDPO has been, or is being, committed.  The Privacy Commissioner would also be able to apply for the court’s permission for a warrant to enter any premises during an investigation to seize documents or other property and to prosecute in his/her own name.

3. Statutory powers to demand the rectification of doxxing contents

The discussion paper also proposes to provide the Privacy Commissioner with the ability to serve a “Rectification Notice” to any person that he/she has reasonable grounds to believe has contravened, or is contravening, section 64 of the PDPO.  As this would be applicable to online websites which do not necessarily have geographical constraints, the Rectification Notice can be served to any person who provides services in Hong Kong to Hong Kong residents.  Therefore, this would cover a wide range of websites that are accessible to Hong Kong residents and it appears to be implied that such provisions may have extra-territorial effect.  The notice would specify the concerned doxxing content, notify the person what rectification actions to take, as well as the deadline for complying with the notice.  

Key takeaways:

  • Companies with online platforms must ensure that staff are aware of the updates to the PDPO when they come into force, as they will need to act quickly should a Rectification Notice be received from the Privacy Commissioner.
  • Companies that are worried about their liability in relation to doxxing acts should seek legal advice immediately to ensure that proper internal policies are put in place to deal with these issues when they arise.