Clifford Chance

The Personal Data (Privacy) (Amendment) Bill 2021 (Bill) has been gazetted on 16 July 2021 to criminalise doxing in Hong Kong. The first reading and commencement of second reading of the Bill took place on 21 July 2021.

What's New

In short, the Bill proposes to create two new offences (one summary and the other indictable) to criminalise doxing. Doxing (short for "dropping dox") is making someone's personal information available without consent, usually online and for malicious purposes including harassment or so that the person can be more easily targeted by others.

The Bill also proposes to empower the Privacy Commissioner for Personal Data (Commissioner) to serve notices to cease or restrict disclosure of doxing content and apply for injunctions, and carry out criminal investigation, enforcement and institute prosecution for the summary offence in the Magistrates' Courts.

New Doxing Offences

Under the existing law, section 64(1) of the Personal Data (Privacy) Ordinance (PDPO) makes disclosure of personal data an offence if obtained without the data user's consent with the intent to obtain monetary or property gain or cause monetary or property loss. However, it is targeted at cases such as an employee of a data user obtaining personal data of the data user's customers without the data user's consent for sale to third parties rather than doxing.

To combat doxing, the Bill proposes to replace the existing section 64(2) offence with two new doxing offences. 

1. Summary Offence: The first is a summary offence for disclosing personal data without the data subject's consent (as opposed to data user) and the disclosing party has an intent or is reckless as to cause specified harm to the data subject or the data subject's family member (relevant personal data disclosure). The definition of specified harm is wider than the existing section 64(2) offence requiring psychological harm, and includes harm to the person in the form of harassment, threats or intimidation; bodily or psychological harm; harm causing the person to reasonably be concerned for the person's safety or well-being; or damage to the person's property. Family member is defined widely to include a relation by blood, marriage or adoption.
2. Indictable Offence: The second is an indictable offence requiring the same relevant personal data disclosure with the additional requirement that specified harm is caused to the data subject or the data subject's family member.

The summary offence is subject to a maximum fine of HKD100,000 (about USD12,800) and imprisonment for two years and indictable offence, to a maximum fine of HKD1 million (about USD128,000) and imprisonment for five years.

The defences to the section 64 offences remain available for the two new doxing offences pursuant to section 64(4) and are where comprising disclosure is (a) reasonably believed to be necessary for preventing or detecting crime; (b) required or authorised by law or court order; (c) reasonably believed to be consented to; and (d) solely for news activity and publication or broadcast in the public interest.

New Enforcement Powers of the Commissioner: Cessation Notice, Injunction and On-site Investigation

To facilitate the handling of doxing cases, the proposed new powers of the Commissioner include:

Serving a notice

Serving a notice requiring cessation or restriction of the relevant personal data disclosure including the timeframe for doing so (cessation notice). This may involve requiring removal of a message from an electronic platform including a website or online application; cessation or restriction of access by any person including to the whole of the relevant platform or discontinuance of the hosting service.

Cessation notices are proposed to have extra-territorial effect in the sense that they may be served regardless of whether the disclosure is made in Hong Kong, but the data subject must be a Hong Kong resident or present in Hong Kong when the disclosure is made. Cessation notices may be served on Hong Kong persons (individuals present in Hong Kong or bodies that are incorporated or registered in Hong Kong or have a place of business in Hong Kong) and in relation to electronic messages, non-Hong Kong service providers (providing services to Hong Kong persons).

It is an offence not to comply with a cessation notice unless a reasonable excuse defence can be established having regard to the nature and difficulty of the cessation action; reasonable availability of the technology necessary for the cessation action; risk of substantial loss or prejudice to a third party, and risk of civil liability in contract or otherwise. Appeals against cessation notices may be made to the Administrative Appeals Board, however, pending the appeal, compliance remains mandatory.

Applying for court injunction

Applying for court injunction if a person has engaged, is engaging or is likely to engage in the section 64 offences. Interestingly, the relevant section provides that the court may exercise its power to grant an injunction whether or not it appears that the person intends to engage again or continue to engage in the relevant conduct. This appears contrary to existing tests for injunctions in civil proceedings and it remains to be seen whether and if so, how such tests will be adapted.

The Bill also proposes to provide the Commissioner with criminal investigation powers including requiring provision of materials, answering of questions or making of a statement relevant to the investigation upon reasonable suspicion. The Bill contains offences for non-compliance. Privilege against self-incrimination is available. Under the Bill, the Commissioner will also be empowered to:

• Stop, search and arrest persons without warrant if reasonably suspected of having committed a section 64 offence.
• Apply for a warrant to enter and search premises and seize materials, and to access, search and decrypt materials stored in electronic devices such as mobile phones. A warrant will not be required when commission of a section 64 offence is reasonably suspected and delay is likely to defeat the purpose of accessing the electronic device in question.
• Initiate prosecution for a section 64 offence except the indicatable offence.

Online social media and other platforms and websites, as well as internet service providers, who are incorporated or registered in Hong Kong or have a place of business in Hong Kong; those overseas offering services in Hong Kong; or individual staff present in Hong Kong, should familiarise themselves with the proposed new law and be aware that they may be requested to remove or block access to doxing content, otherwise they will face fines or imprisonment if not followed. Such platforms and service providers should also review their terms and conditions including for disclosure of personal data of users and suspension of account to facilitate this and the Commissioner's criminal investigation powers. Companies who are concerned with their staff's potential liability in relation to doxing and facing criminal investigation by the Commissioner should also ensure their internal policies are able to deal with these issues when they arise.

Felicia Cheng, Professional Support Lawyer, Hong Kong, contributed the writing of this article.