Out-Law / Your Daily Need-To-Know
Hong Kong-based staff of online platforms could face fines or imprisonment if ‘doxxing’ data is not removed from those platforms fast enough under new legislative proposals under consideration in the city.
‘Doxxing’ refers to the malicious practice of making someone’s personal information available so that the person can be more easily targeted by others.
Though data protection law in Hong Kong, specifically section 64 of the Personal Data (Privacy) Ordinance (PDPO), prohibits the disclosure of personal data without the data user's consent, the Constitutional and Mainland Affairs Bureau (the Bureau) has said the existing law “was not intended to address the doxxing acts committed in recent years” and that it should therefore be updated. It said doxxing acts “are intrusive to personal data privacy and in effect weaponise personal data” and “have caused great harm to the victims in the society in recent years”. The Bureau outlined proposed amendments to the PDPO which were considered by Hong Kong’s Legislative Council Panel on Constitutional Affairs on Monday.
Under its proposals, new criminal offences would be added to the PDPO, the powers of the Hong Kong privacy commissioner would further be strengthened, and new obligations on the removal of doxxing content introduced into law too. Penalties would also be stiffened: those convicted of the new and existing offences would be liable for fines of up to HK$1,000,000 ($128,800) and would face up to five years’ imprisonment in the most serious cases, under the plans.
On the removal of doxxing content, the Bureau said that while individual online platforms have complied with the Hong Kong privacy commissioner’s requests for the removal of links to doxxing data in the past, there is no legal obligation on those platforms currently to do so. According to the Bureau, between June 2019 and April 2021, the commissioner sent requests to a total of 18 website operators, on approximately separate 300 occasions, seeking the removal of almost 6,000 links, of which about 70% were removed.
The Bureau has proposed that the Hong Kong privacy commissioner be given new powers to serve rectification notices on businesses where it has reasonable grounds to believe a doxxing offence has been committed. Through those notices the privacy commissioner would identify the doxxing content and set out actions the businesses would have to take to address it, including a timeframe for doing so. Failure to comply with the notice without “reasonable excuse” would constitute an offence.
Those proposals were considered by Hong Kong law makers on Monday who, among other things, reflected on their potential impact on online platforms based overseas, according to a report by Hong Kong Free Press. Secretary for constitutional affairs Erick Tsang said: “A lot of these overseas platforms will have operational or management staff in Hong Kong. We can catch these people… I believe they will be relatively cooperative with the notices.”
According to the Bureau, almost 1,500 cases were referred by Hong Kong’s privacy commissioner to the police for criminal investigation between June 2019 and April 2021. Two people have subsequently been convicted of doxxing offences under the existing provisions, it said.
Under its plans, two new offences specific to doxxing would be added to the PDPO.
It would be an offence, according to the proposals, for a person to disclose any personal data without the data subject’s consent “with an intent to threaten, intimidate or harass the data subject or any immediate family member, or being reckless as to whether the data subject or any immediate family member would be threatened, intimidated or harassed”.
It would also be an offence for a person to disclose any personal data without the data subject’s consent “with an intent to cause psychological harm to the data subject or any immediate family member, or being reckless as to whether psychological harm would be caused to the data subject or any immediate family member; and the disclosure causes psychological harm to the data subject or any immediate family member”.
The privacy commissioner would, if the proposals are introduced into law in Hong Kong, gain new powers to carry out criminal investigations itself and initiate prosecution under section 64 of the PDPO, including in relation to the planned new doxxing offences. In support of those new powers, the Bureau has further proposed strengthening the privacy commissioner’s powers to enter premises and seize documents.
The Bureau said it is working with Hong Kong’s Department of Justice to finalise the amendments to the PDPO in relation to doxxing acts and hopes to submit the proposed new legislation to the Legislative Council “within this legislative year”.
Prospective new anti-doxxing measures were mooted in a discussion paper concerning possible amendments of the PDPO that the Bureau issued in early 2020.
