Out-Law News 1 min. read

Hong Kong authority makes first arrest for suspected ‘doxxing’


The Office of the Privacy Commissioner for Personal Data (PCPD) of Hong Kong Special Administrative Region (HKSAR) has arrested a Chinese man for a suspected breach of “disclosing personal data without consent” under the Personal Data (Privacy) Ordinance (PDPO).

The arrested person breached section 64(3A), and it was the first arrest made by the PCPD under the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance), which empowers the Privacy Commissioner to carry out criminal investigations and institute prosecutions for doxxing acts, according to a statement.

Doxxing refers to collecting and publishing a person’s personal data or that of their family members, relatives or friends. Data is typically collected from search engines, social platforms and forums and public registers. It is then disclosed on the internet, social media or other public places.

Technology expert at Pinsent Masons Jennifer Wu said: “It is important to educate employees on these changes, if not done so already, and have policies and procedures in place in the event an employee provides personal information to third parties without the company and the data subject’s consent. Now that the first arrest has been made, companies need to take extra care to ensure they are not falling foul of the doxxing laws.”

The Amendment Ordinance came into effect in October 2021. It criminalises doxxing acts and introduces a cessation notice regime to tackle doxxing with extra-territorial reach. An extra-territorial effect is introduced such that a cessation notice may be served by the Privacy Commissioner regardless of whether the disclosure is made in Hong Kong or not. A cessation notice may be serviced on a Hong Kong person such as companies having a place of business in Hong Kong, or, in relation to an electronic message, a non-Hong Kong service provider such as operators of overseas social media platforms.

There are two tiers of doxxing offences under the Amendment Ordinance. The first tier refers to essentially intentional or reckless non-consensual disclosure which is not proven to have caused actual harm. Breaches of the Ordinance will be fined up to HK$100,000 (US$13,000) and two years’ imprisonment.

The second tier refers to essentially intentional or reckless non-consensual disclosure causing harm. Breaches will be punished by up to HK$1 million fine and five years’ imprisonment.

Harm includes bodily harm, psychological harm, property damage and a series of harassment. It also includes harm to the “data subjects” or related family members.

The amended Ordinance also applies to the online world. Service providers and companies receiving notice to take down contents should seek legal advice if it has concerns over the service or contents of the cessation notice because it is an offence not to comply.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.