Skip to content

Newspaper Column

PCPD in Media

Hong Kong’s anti-doxxing law plugs privacy loophole and protects freedoms -- Privacy Commissioner's article in South China Morning Post (November 2021)

The introduction of anti-doxxing to Hong Kong’s privacy law on October 8 heralds a new era in the regulatory protection of personal data, in criminalising the disclosure of other people’s personal data without consent.

The new law, called the Personal Data (Privacy) (Amendment) Ordinance 2021, also empowers the Privacy Commissioner for Personal Data to carry out criminal investigations, institute prosecutions for doxxing-related offences and order the removal of doxxing messages.

Under the changes, doxxing can be a summary offence, which is less serious, or a graver indictable offence. In the first tier, doxxing is a summary offence where someone discloses another’s personal data without consent while intending to cause “specified harm”, or being reckless about doing so, to that person or a family member.

Where “specified harm” is caused to the person or a family member as a result of the doxxing, this may be considered a second-tier, indictable offence.

“Specified harm” includes harassment, molestation, pestering, threats or intimidation, bodily or psychological harm, causing concern about safety or well-being, or damage to property. The range is wide so as to properly cover the suffering or damage caused to doxxing victims.

Anyone found guilty of a summary doxxing offence is liable to a HK$100,000 (US$12,850) fine and two years in jail. This increases to a HK$1 million fine and five years in jail for an indictable offence.

“Doxxing should not and cannot be tolerated in Hong Kong, if we still take pride in our city as a civilised society where the rule of law reigns,” said Justice Jeremy Poon Shiu-chor, the chief judge of the High Court.

He added that doxxing “seriously endangers our society as a whole”, given that it can ignite “the fire of distrust, fear and hatred”, which can “consume the public confidence in the law and order of the community, leading to disintegration of our society”.

His words vividly and succinctly summarised the vicious nature of doxxing, which should be condemned by us all. Indeed, when doxxing targets members of the judiciary, they represent attacks on the cornerstone of the rule of law and should be stopped.

The latest legislative change, described as a measured response to a “heinous crime” by Grenville Cross, a former director of public prosecutions and a renowned criminal justice analyst, criminalises doxxing and more effectively combats the crime by increasing the privacy commissioner’s enforcement powers.

It will not affect normal and lawful business activities in Hong Kong, nor the freedom of speech and free flow of information that members of the public enjoy.

Such rights are enshrined in the Basic Law and the Hong Kong Bill of Rights Ordinance. There is nothing in the new privacy laws which encroaches upon those rights.

Freedom of speech, by any token, does not encompass the right to abuse other people’s personal data and cause them harm, either intentionally or recklessly, whether online or otherwise.

It is noteworthy that the privacy commissioner’s new criminal investigation powers are confined to doxxing-related offences and are similar to those of the police.

Over the past two years, in our handling of doxxing cases, my office has written to the operators of 18 platforms over 300 times to request the removal of over 6,000 doxxing web links. However, as the requests were not mandatory, only about 70 per cent of the doxxing web links were removed and the situation is not satisfactory.

Under the new regime, the privacy commissioner may serve a cessation notice to request the removal of doxxing messages when the victim is a Hong Kong resident or present in Hong Kong when the disclosure is made. Failing to comply with such a notice is an offence.

A cessation notice may be served on a person in Hong Kong (including on an internet service provider having a place of business in Hong Kong) or, in relation to an electronic message, a service provider outside Hong Kong (which covers the operator of overseas social media platforms) that is able to take a cessation action, given that the cyber world has no borders.

The problem of doxxing is not unique to Hong Kong. In making the recent legislative changes, the government and my office took into account the regulatory framework and experiences in other jurisdictions, including Australia’s Enhancing Online Safety Act 2015, New Zealand’s Harmful Digital Communications Act 2015 and Singapore’s Protection from Harassment Act.

In Singapore, for example, the Protection from Harassment Act was amended in 2019 to cover the malicious publication of any identity information of a targeted person. There is also an extraterritorial provision so Singaporean courts may try an offence so long as, for instance, the victim was in the country at the time of publication of the identity information.

What Hong Kong has done was simply to fill a lacuna in the law, in line with similar laws and regulations in other jurisdictions.