Newspaper Column

Since the introduction of the new anti-doxxing regime under the Personal Data (Privacy) (Amendment) Ordinance 2021 (the Amendment Ordinance), Hong Kong’s response to the weaponisation of personal data has progressed from the establishment of a statutory framework to breathing life into it through active enforcement, promotion and education, and an expanding body of decided cases. With the continuous resolute enforcement, enhanced publicity and education efforts of my Office, the Office of the Privacy Commissioner for Personal Data (the PCPD), as well as the societal transition from chaos to order, illegal doxxing activities have been substantially curbed. In 2025, proactive online patrols uncovered just nine doxxing cases, representing a reduction of over 99% from the 1,134 cases identified in 2022, the first full year after the commencement of the Amendment Ordinance. Doxxing related complaints also fell from 630 in 2022 to 299 in 2025, a decrease of 53%.
 
These statistics, while encouraging, present only part of the picture. Since the first sentencing decision under the new anti-doxxing regime in October 2022, which saw an eight-month term of imprisonment being imposed and reflected the court’s firm stance against doxxing, the legal framework has continued to mature through case law. Appeal decisions of the Court of First Instance in recent years have provided valuable guidance on key statutory elements of the doxxing offences, including the meaning of “specified harm” and the threshold for establishing the mens rea of recklessness, while decisions in the magistrates’ courts have offered practical insight into how the regime operates on the front line. Together, these developments exemplify an efficacious legal framework that safeguards personal data privacy while respecting freedom of speech.
 
This article reviews the core features of the Amendment Ordinance, and highlights the legal principles and notable features emerging from recent appellate and magistracy cases.
 
The Two-Tier Structure for Doxxing Offences
 
The Amendment Ordinance establishes a two-tier structure for doxxing offences:
 

• The Summary Offence: The first tier is a summary offence under section 64(3A) of the Personal Data (Privacy) Ordinance (the PDPO) for disclosing any personal data of a data subject without the relevant consent of the data subject, where the discloser has an intent to cause any specified harm or is being reckless as to whether any specified harm would be caused, or would likely be caused, to the data subject or any family member of the data subject. Any person who commits the first-tier doxxing offence is liable on summary conviction to a fine of HK$100,000 and to imprisonment for 2 years.
• The Indictable Offence: The second tier is an indictable offence under section 64(3C) and contains all the elements of crime of the first-tier offence, and additionally requires proof that the disclosure does cause specified harm to the data subject or any family member of the data subject. Any person who commits the second-tier doxxing offence is liable on conviction on indictment to a fine of HK$1,000,000 and to imprisonment for 5 years.

The definition of “specified harm” is set out in section 64(6) of the PDPO. It means, in relation to a person, (a) harassment, molestation, pestering, threat or intimidation to the person; (b) bodily harm or psychological harm to the person; (c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or (d) damage to the property of the person.
 
Appellant Cases
 
With this statutory framework in place, it is instructive to examine how the appellate courts have interpreted the relevant elements of crime.
 
HCMA 80/2024 (Cheung Tse Leung Sonny): “Specified Harm” and Recklessness
 
The first case arose from an online dispute that escalated well beyond its origins as a work dispute. In 2021, the data subject (X) provided personal data to the defendant (D) when sourcing casual work through him. Following some grudges relating to work, D sent X an altered image of her (X’s) Hong Kong Identity Card with certain derogatory captions (Image). X subsequently recounted the incident on an online forum, prompting two netizens (who had no prior connection to either party) to contact D via WhatsApp. During heated exchanges, D forwarded the Image to these netizens. After trial, D was convicted of two counts of the summary offence of doxxing.
 
Dismissing D’s appeal against conviction, the Court of First Instance (the CFI)’s judgment is noteworthy in two principal respects.
 
First, while the CFI acknowledged D’s submission that a mere loss of employment opportunity does not amount to “damage to the property of the person” under section 64(6)(d) of the PDPO, it found that “harm causing the person reasonably to be concerned for the person’s safety or well-being” under section 64(6)(c) was nevertheless made out in the case. In reaching this conclusion, the CFI did not require proof of a discrete harm flowing from the disclosure. Instead, the Court considered the nature and sensitivity of the personal data disclosed, as well as the surrounding circumstances, and held that X’s concern for her safety or well-being was not unreasonable in the circumstances.
 
 
Second, on recklessness, the CFI rejected D’s contention that the PDPO requires proof of a “significant” degree of risk. The applicable test is the familiar one established in Sin Kam Wah[1] and R & G[2], i.e. whether the defendant was aware of a risk that did or would exist, or, in respect of a result, if he was aware of a risk that the result would occur, and it was, in the circumstances known to him, unreasonable to take the risk. On the facts, the CFI considered the evidence of recklessness to be compelling. D was plainly aware of the risk of causing specified harm to X associated with the disclosure, yet nonetheless forwarded the Image to two strangers without verifying who they were, showing complete disregard of the potential consequences.
HCMA 198/2023; 51/2024 (Ip, Anthony Chun Hin): Dispelling the “Two Layer Harm” Requirement
 
The second appeal arose from a renovation dispute that spilled into social media. After disagreements over unfinished renovation works of the defendant (D) at the intended matrimonial home of the victims, D published two Facebook posts revealing extensive personal data of both victims with negative remarks. Following the posts, harassing and suspicious calls targeted at the victims were made. D faced two charges of the indictable offence of doxxing (Charge 1 and Charge 2). Although D was convicted of Charge 2, the magistrate acquitted him of Charge 1 and instead convicted him of the summary offence.
 
D appealed against both his convictions, while the prosecution appealed against the acquittal of D of Charge 1. The appeals were heard together by Deputy Judge Yiu of the CFI.
 
On its appeal against acquittal, the prosecution argued that the magistrate erred in construing section 64(6)(c) of the PDPO, namely “harm causing the person reasonably to be concerned for the person’s safety or well-being” (Safety/Well-being Concern), as requiring some harm caused by the disclosure in the first place and that harm causing the Safety/Well-being Concern. The prosecution’s position was that, on a proper interpretation in light of the legislative intent, it suffices for the material disclosure to cause the Safety/Well-being Concern. In other words, the prosecution only needed to prove one layer of harm, as opposed to the requirement of two layers imposed by the magistrate.
 
Having considered the legislative history and relevant authorities, the CFI held that the magistrate’s requirement of an additional, intermediary layer of harm was not justified. Instead, it is sufficient for the prosecution to prove that the disclosure caused the Safety/Well-being Concern. In reaching this conclusion, the CFI noted that in introducing the Amendment Ordinance, it was one of the Government’s intent to deviate from the threshold of “causing psychological harm” in the prior regime regarding non-consensual disclosure of personal data, which had caused difficulties in prosecuting cases in the past.
 
These High Court decisions are noteworthy. Not only do they shed light on the interpretation of the relevant elements of the doxxing offences, the judgments also contain valuable discussions on the legislative history underpinning the Amendment Ordinance, the relevance of other criminal offences that adopt similar formulations for harm, and the assistance offered by the PCPD’s Implementation Guideline.
 
Magistracy Cases
 
Meanwhile, magistrate court cases have offered practical insight into the application of the new anti-doxxing law. Three themes are particularly worth noting:
 

• Heightened Judicial Concern for Children: In imposing sentences, the court has shown particular vigilance where the act of doxxing affects children. In WKCC 2552/2024, the magistrate imposed 30 days’ imprisonment for repeated disclosures of the personal data of a ten-year-old child and his mother across two public Facebook groups and two personal Facebook accounts. Additionally, in WKCC 2708/2025, the defendant was imprisoned for 14 days after he was convicted of posting flyers containing the personal data of a seven-year-old child and her mother, including the child’s name, grade and school, near the primary school that the child attended, and displaying such personal data on a t-shirt that he wore at various public places. In passing the above sentences, the magistrates noted the involvement of child victims and described the offending acts as serious.
• Public Accessibility of Information Is Not a Shield: The fact that the personal data concerned is obtained from the public domain does not immunise a discloser from criminal liability. In WKCC 3987/2024, the defendant had reposted certain personal data in a WhatsApp group, accompanied by negative commentary. Part of the defence case at the trial was that the data was obtained from the Register of Nurses, which was publicly accessible, and that the disclosure of such data did not cause specified harm. The magistrate rejected the argument and convicted the defendant of the summary offence of doxxing. The ruling aligns with the PCPD’s stance that publicly available data is still subject to the use limitation requirement of the PDPO. The mere fact that personal data is publicly available does not mean it may be used for any purpose without the data subject’s consent, including doxxing or other forms of abusive misuse.
• Inciting or Aiding Doxxing Can Attract Criminal Liability: Cases also demonstrate that liability is not confined to the discloser of personal data. Individuals who incite or aid unlawful doxxing may also incur criminal liability. In ESCC 642/2025, the defendant came across a forum post in which a man described the stress and disruption caused to his daily life after he was accused of indecent assault. The defendant then left a comment urging other netizens to disclose the personal data of the female accuser in the case. He was subsequently convicted of inciting the summary offence of doxxing and, following a guilty plea, got two months’ imprisonment. In ESCC 603/2024, the defendant created a public Facebook group intended as a platform for landlords and estate agents to exchange information about allegedly “problematic tenants”. She also published posts advocating the use of methods outside the judicial process to deal with such tenants, and indicated that publicly exposing them online could be more effective. The magistrate held that the relevant posts amounted to a clear invitation for landlords to provide personal data of tenants for the purpose of exposing such data online. As such, the defendant had assumed the role of an aider and abettor. As a result, she was convicted of aiding and abetting the doxxing offence and sentenced to 120 hours of community service.

 
Conclusion
 
Four years on, with our proactive and resolute enforcement actions and a growing body of jurisprudence, Hong Kong’s anti-doxxing regime has continued to mature. The courts have provided clearer guidance on the interpretation of the various elements of the doxxing offences while addressing a diverse range of doxxing behaviours brought before them. The marked reduction in online doxxing messages and doxxing-related complaints reflects the regime’s effectiveness in curbing the weaponisation of personal data. This has been achieved, notably, without compromising freedom of speech and the free flow of information, which are the cornerstones of a democratic society.
 
Looking ahead, the rapid advancement of artificial intelligence, including synthetic media and deepfakes, will likely present unprecedented challenges for detecting and combatting unlawful doxxing behaviours. As such, while we take pride in the progress made so far, we would continue with our efforts to maintain a safe and civilised online environment that is free from doxxing messages.