Hong Kong: Personal Data (Privacy) Ordinance amended to introduce "anti-doxxing" provisions

In brief

Hong Kong's data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), has been amended to introduce "anti-doxxing" provisions.

The new regime creates offences to curb doxxing acts, and empowers the Privacy Commissioner for Personal Data ("Commissioner") to carry out criminal investigations, institute prosecutions and issue cessation notices. The changes came into effect on 8 October 2021.

The Commissioner made its first arrest under the doxxing regime on 13 December 2021. An individual was arrested after the Commissioner received a report from an alleged victim that the suspect had posted the victim's personal details on an online platform.


Contents

How are the changes relevant to businesses?

  • The changes are most relevant to platform and online service providers (such as social media platforms).
  • Where doxxing occurs on or via their platforms or services, they may be the recipient of a cessation notice from the Commissioner, which requests the removal of doxxing messages, and it is a criminal offence to contravene a cessation notice.
  • Cessation notices may be served on non-Hong Kong service providers, and so the amendments impact both Hong Kong and overseas businesses.

Comments

Relevance to platform/online service operators

  • Doxxing acts are most likely to occur on platforms and online services that allow for user-generated content, such as social media platforms.
  • However, the law does not impose any obligation on platform/online service operators to proactively monitor or censor content on their platforms/services.
  • Where the platform/online service operator has knowledge of potentially incriminating doxxing content but does not remove it, there is a risk of investigation into the content by the Commissioner which can prosecute offences in its own name where it suspects that an offence has been committed, and the platform/online service operator may be the recipient of a cessation notice from the Commissioner.

The Commissioner's criminal investigation powers

  • The Commissioner's new criminal investigation powers are similar to those of the police, and the Commissioner may request any person to provide relevant materials and answer questions to facilitate investigations. Companies should put in place internal procedures and policies to assess and respond to law enforcement requests.

Cessation notices

  • Where a company receives a cessation notice, it has a legal obligation to comply, as contravention of a cessation notice constitutes an offence under the PDPO. In any case, platform/online service operators should have notice and takedown procedures in place.

It remains to be seen how the Commissioner will enforce the law against overseas companies that do not have a Hong Kong presence in practice. However, a cessation notice may be served on companies outside Hong Kong (see "In more detail" section below for more information).

In more detail

"Doxxing" refers to gathering personal data of a specific targeted person and/or related persons (such as family members) through various means, e.g., public registers and discussion platforms, and disclosing such personal data on the internet, social media or other open platforms (such as public places).

The introduction of specific legislative amendments to address doxxing was one of the six key proposals put forward by the government and the Commissioner in the formal review of the PDPO, which commenced in January 2020. This is the only key proposal that has been implemented. In October 2021, the Commissioner issued the Personal Data (Privacy) (Amendment) Ordinance 2021 Implementation Guideline to explain the new regime, including the scope of the doxxing offences and the Commissioner's new powers.

We set out as follows the key provisions of the new "anti-doxxing" regime:

Provisions

Summary

Creation of new offences

Two new offences under a two-tier structure have been created:

  • First-tier offence (without actual harm): summary offence to (i) disclose a data subject's personal data without consent; and (ii) the discloser has an intent to cause any "specified harm" to the data subject or any family member, or is reckless as to whether any "specified harm" would be, or would likely be, caused to the data subject or any family member. In other words, no actual harm has been caused by the disclosure. The maximum penalty is a fine of HKD 100,000 and imprisonment for two years.
  • Second-tier offence (with actual harm): indictable offence to (i) disclose a data subject's personal data without consent; (ii) the discloser has an intent to cause any "specified harm" to the data subject or any family member, or is reckless as to whether any "specified harm" would be, or would likely be, caused to the data subject or any family member; and (iii) the disclosure causes "specified harm" to the data subject or any family member. In other words, actual harm has been caused by the disclosure. The maximum penalty is a fine of HKD one million and imprisonment for five years.

"Specified harm" means harassment, molestation, pestering, threat or intimidation to the data subject or any family member; bodily harm or psychological harm to that person; harm causing that person to reasonably be concerned for that person's safety or well-being; or damage to the property of that person.

Commissioner's new powers

The Commissioner may:

  • Issue a written notice to request any person to provide relevant materials and answer questions to facilitate the investigation
  • Apply for a warrant to enter and search premises and seize materials for investigation, or access an electronic device
  • Stop, search and arrest any person who is reasonably suspected of having committed a doxxing-related offence
  • Prosecute in the name of the Commissioner a doxxing-related offence triable summarily in the Magistrates' Court

The criminal investigation powers of the Commissioner reflect the powers of police officers under the Police Force Ordinance (Cap. 232).

Cessation notices

The Commissioner may serve a cessation notice on a person who is able to take a cessation action, under the following circumstances:

  1. The personal data of a data subject was disclosed (whether or not in Hong Kong) without consent by means of a written message or electronic message;
  2. The discloser had an intent or was reckless as to whether any "specified harm" would be, or would likely be, caused to the data subject or any family member; and
  3. When the disclosure was made, the data subject was a Hong Kong resident; or was present in Hong Kong.

A cessation notice can be served on a Hong Kong person, or a non-Hong Kong service provider that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person. A cessation notice may only be served on non-Hong Kong service providers in relation to electronic messages.

Cessation actions, in relation to an electronic message, include removing the subject message, ceasing or restricting access to the message or the relevant platform (in whole or in part), and discontinuing the hosting service for the relevant platform (in whole or in part).

It is an offence to contravene a cessation notice. On first conviction, the person who commits the offence is liable to a fine of HKD 50,000 and imprisonment for two years, and in the case of a continuing offence, a further fine of HKD 1,000 for every day during which the offence continues. On each subsequent conviction, the person who commits the offence is liable to a fine of HKD 100,000 and imprisonment for two years, and in the case of a continuing offence, a further fine of HKD 2,000 for every day during which the offence continues.

 

Contact Information
Marcia Lee
Special Counsel
Hong Kong
marcia.lee@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.