On 29 September 2021, the Hong Kong Legislative Council passed a bill to reform the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) by introducing a two-tier offence to criminalise doxxing acts, conferring new enforcement powers on the Hong Kong Privacy Commissioner to prosecute doxxing offences and issue cessation notices with extra-territorial effect to demand the removal of doxxing contents by both Hong Kong persons and non-Hong Kong service providers.
The new anti-doxxing provisions serve as the Hong Kong Government’s response to combat rampant doxxing activities, which saw an uptick from mid-2019. Between June 2019 and June 2021, the Privacy Commissioner received more than 5,800 doxxing-related cases. These included cases where persons committed doxxing acts inflicting harm on targeted victims, their family members or close relations, by collating their personal data via search engines, social media platforms or the public domain and subsequently disclosing the same on the Internet and other open platforms. Victims included government officials, judges, politicians, police officers and celebrities. Personal data disclosed included names, photographs, phone numbers, addresses and occupations, as well as sensitive personal data, such as Hong Kong Identity Card numbers and dates of birth. The victims suffered various types of harm, such as fear of harassment, intimidating calls and cyberbullying.
New anti-doxxing provisions are considered necessary, as the existing section 64 of the PDPO relied on by the Privacy Commissioner to counter doxxing acts, is not intended to combat such acts. Under section 64, a person commits an offence if he discloses personal data of a data subject obtained from a data user without the data user’s consent, either with an intent to obtain gain or benefit or to cause loss in money or property to the data subject or the disclosure causes psychological harm to the data subject. Yet, in doxxing cases where personal data is often leaked anonymously or repeatedly reposted, identifying the sources of the data is difficult, let alone being able to show that the data was obtained from the data user “without the data user’s consent”. The new provisions also seek to remedy the lack of mandatory powers for the Privacy Commissioner to demand service providers to remove doxxing content.
The new two-tier offences to criminalise doxxing acts
Under these provisions, “specified harm” is defined broadly to protect data subjects, and covers harassment, molestation, pestering, threat or intimidation to the person, both bodily harm or psychological harm, harm causing the person to be reasonably concerned for his safety or well-being or damage to the property of the person.
Existing defences available under section 64 will be maintained. Where the discloser can show that (a) he reasonably believed that the disclosure was necessary for preventing or detecting crime; (b) the disclosure was required or authorised by law or any court order; (c) he reasonably believed the data user had consented to the disclosure; or (d) the disclosure was for news activity purposes and he reasonably believed that the disclosure was in the public interest, the discloser is able to raise a defence.
Privacy Commissioner conferred with new criminal investigation and prosecution powers
The Privacy Commissioner currently lacks criminal investigation and prosecution powers and relies on the Hong Kong Police Force and the Department of Justice to conduct investigations and prosecutions. To ensure effective investigation and prosecution of doxxing cases, the Government confers new investigation and enforcement powers on the Privacy Commissioner including the powers to:
The Privacy Commissioner may initiate a prosecution in his name in respect of certain doxxing summary offences, including any conspiracy to commit such offences, at the Magistrates’ Court.  For moe serious cases, the Commissioner may refer them to the Hong Kong Police Force or the Department of Justice for follow-up.
Power to issue cessation notices with extra-territorial effect
The Privacy Commissioner does not currently have mandatory powers to demand online platforms to remove web links related to doxxing contents. The new anti-doxxing provisions empower the Privacy Commissioner to issue cessation notices with extra-territorial effect to Hong Kong persons or non-Hong Kong service providers to demand their taking of cessation actions, where:
The power to serve such cessation notices to curb disclosure of personal data which occurs outside Hong Kong and on non-Hong Kong service providers would catch scenarios of disclosure via the Internet where such disclosure may be outside Hong Kong and prevent circumvention by disclosers who commit doxxing acts outside Hong Kong.
Depending on circumstances, the Privacy Commissioner may demand (i) removal of written or electronic doxxing messages from electronic platforms (e.g. websites, online applications); (ii) discontinuance of hosting services for the part or whole of the platform on which the message is published; or (iii) ceasure or restriction of access to the message or the relevant platform on which the message is published.
Failure to comply with cessation notices may result in a fine of HK$50,000 and 2 years imprisonment for a first conviction, unless a defence can be established. Whilst persons served with a cessation notices may appeal within 14 days after service of the notice, they are required to comply with the notice within the designated timeframe pending the appeal in any event.
Implications for Businesses
The introduction of the anti-doxxing provisions demonstrates the Government’s resolve to combat doxxing acts which infringe personal data privacy of victims and cause them harassment and distress. Disclosure of personal data would be penalised as long as the requisite intent or recklessness is demonstrated, even in the absence of actual harm caused to the victims. The new provisions also give the Privacy Commissioner greater enforcement and investigation powers, e.g. by directing the removal of doxxing content, and failure to comply would be a criminal offence.
It remains to be seen how the Privacy Commissioner will interpret and enforce these provisions. This would partly be affected by whether they can recruit sufficient staff who are experienced in dealing with this kind of investigation. Concerns have been raised by multi-national companies, such as the social media platforms, as to whether the new law and its wide scope might harm trade and discourage service providers to make further investments in Hong Kong. We hope that the Privacy Commissioner will issue guidelines or FAQ on the new provisions to guide citizens and businesses away from any potential breach. Businesses should be prepared to review and/or invest in measures to curb doxxing and/or ensure that their staff are well trained to respond to cessation notices. In particular, businesses with cross-jurisdictional offices should review their internal coordination processes with local offices to ensure prompt follow-up action would be taken in response to cessation notices.
This anti-doxxing reform appears to have taken priority over other reforms to the PDPO proposed by the Privacy Commissioner back in January 2020, including introducing mandatory data breach notification and conferring on the Privacy Commissioner the power to administer fines. However, with the successful passing of the new law, we might see the implementation of other reforms in the next term of the Legislative Council.
 Say "No" to Doxxing. https://www.pcpd.org.hk/english/complaints/doxxing/doxxing.html
 New section 64(3A) and section 64(3C)
 Under section 64(2) of the PDPO, a person commits an offence if (a) the person discloses any personal data of a data subject which was obtained from a data user without the data user’s consent; and (b) the disclosure causes psychological harm to the data subject. Under section 64(3) of the PDPO, a person who commits an offence under section 64(2) is liable on conviction to a fine of $1,000,000 and to imprisonment for 5 years.