By Arthur Chan 

Hong Kong, 23 July 2021:  Hong Kong’s authorities are taking concrete steps to clamp down on doxxing. The government is proposing tough new laws that will result in penalties not only for offenders, but also the tech platforms which display such data. As well, it wants the city’s privacy watchdog to be equipped with new investigative powers. 

The Personal Data (Privacy) (Amendment) Bill 2021 had its first hearing in the Legislative Council this week and is expected to passed by the end of October. While the administration has robustly defended the bill, saying it will safeguard residents’ fundamental rights and freedoms, cyber industry groups and online service providers believe it grants the government excessive powers.

What is doxxing?

Doxxing – the term comes from a spelling alteration of the abbreviation “docs” (for “documents”) – is generally understood to be the practice of maliciously leaking someone’s personal information so they may be targeted by others. Unlike other cybercrimes, which are usually committed for financial gain, doxxing is typically done for the purposes of victim shaming, personal revenge, demonstrating anger towards a particular person or organisation, or for scaring or intimidating victims.

It is worth noting there are various types of doxxing and it has no universally accepted definition. The bill before LegCo is intended “to amend and create offences for disclosing personal data without consent” but does not mention the term doxxing. However, the word appears almost 50 times in the pre-bill discussion paper presented to LegCo’s Panel on Constitutional Affairs in May.

Background 

Prior to the civil unrest of 2019, both the authorities and the public appeared indifferent to issues surrounding privacy in general and data privacy in particular. For example, little was done to combat intrusive media coverage of politicians, celebrities and other public figures. Effective legislation to combat cold calling and the sharing of data among telemarketing firms was proposed but never implemented. This inertia continued even in the face of the digital revolution, which made it far easier to research, store and share personal information.

Doxxing only really became a serious issue during the protests, which is when the government’s attitude hardened. Police officers and their families were the most common targets, with some protesters and journalists also suffering. Between June 2019 and April 2021, the Office of the Privacy Commissioner for Personal Data handled more than 5,700 doxxing-related complaints. It contacted the operators of websites, social media platforms and discussion platforms on almost 300 occasions to request the removal of more than 5,900 hyperlinks, about 70% of which were subsequently removed.

The existing Personal Data (Privacy) Ordinance (PDPO), implemented as far back as 1996, has proved inadequate for combating doxxing, which is a relatively new phenomenon. The PDPO only regulates “data users” – defined as someone who, either alone or with others, controls the collection, holding, processing or use of data.

During and after the disturbances, the Privacy Commissioner’s office referred more than 1,460 cases to police for criminal investigation. Only a handful of individuals were arrested and charged with offences such as disclosing personal data obtained without consent, criminal damage, fraud and incitement to commit public nuisance. In October 2019, the High Court granted an injunction banning the doxxing of police officers and their families. 

Chief Executive Carrie Lam voiced her concerns about doxxing on several occasions and pledged the government would bring in legislation to outlaw it. Many other jurisdictions, including Singapore, the European Union, Australia, New Zealand and Canada, already have similar laws. 

New legislation 

The government is proposing to amend section 64 of the PDPO to curb doxxing acts. It will be an offence to disclose any personal data with an intent to threaten, intimidate or harass the intended target or their family. Offenders will face up to two years in prison and a maximum fine of HK$100,000. In cases where it is proved the victim suffered psychological harm, the penalties rise to five years in prison and a fine of HK$1 million.

Further, it is suggested the Privacy Commissioner be given new powers to carry out criminal investigations and prosecutions. This will include requesting relevant information and documents from individuals or requiring them to answer questions. Anyone who refuses to comply or gives false information will commit an offence. It is also proposed that the Privacy Commissioner’s office can apply for a court order to enter premises and seize documents, and can initiate prosecutions. The government believes these measures will expedite the handling of doxxing cases. 

In addition, managers of internet service providers, or executives with the capability to remove online materials, can be ordered by the Privacy Commissioner to take down doxxing information. Failure to comply within a designated timeframe would leave the offender liable to a fine of up to HK$50,000 and two years in prison, rising to HK$100,000 and two years behind bars for subsequent offences. 

Reaction 

The most vocal critic of the proposals is the Singapore-based Asia Internet Coalition, an alliance that includes American tech giants such as Facebook, Google, Yahoo and Twitter. It says the new laws are a “completely disproportionate and unnecessary response” and will discourage tech companies from operating in Hong Kong.

In an open letter to Privacy Commissioner Ada Chung, the Coalition said: “Introducing severe sanctions and, especially, personal liability in relation to assessing requests for taking down content, has the consequence of encouraging online platforms to conduct little to no review of requests and over-block content, which will likely result in grave impact on due process and risks for freedom of expression and communication.”

Advocacy group Internet Society Hong Kong, part of a US-based organisation supporting unfettered access to the internet, says the proposals are stiffer than in other jurisdictions and cover not only social media platforms but also messaging systems such as WhatsApp and Telegram. It believes the regulations grant too much power to the Privacy Commissioner and could lead to “revenge-style prosecutions”.

Other critics have highlighted the bill’s board and vague scope. In particular, the requirement to prove “intent to cause any specified harm to the data subject” can be down to personal judgment. It is also claimed the power of enforcement officers to stop and search suspects and seize materials without a warrant if they “reasonably” suspect an offence has been committed is excessive. Similarly, failure to cooperate with an investigation without a “reasonable” excuse will be an offence. In these instances, “reasonably” and “reasonable” are open to interpretation.

The government strongly asserts the measures are necessary. Secretary for Constitutional and Mainland Affairs Erick Tsang insists the bill is not intended to target online platform service providers but only those who maliciously leak others’ personal information.

Summary 

This bill reignites the age-old debate about balancing people’s privacy with the right to free speech. Understandably, there are concerns about the relatively broad and vague scope of the proposals, although some of these may be addressed by legislators in the coming months. As well, it remains to be seen how authorities can take enforcement action against internet service providers located outside Hong Kong. We await with interest the final version of the bill to be presented to lawmakers later this year and, ultimately, how it will be enforced by the authorities. 

Arthur Chan has been an Associate with BC&C since 2018. He deals with Criminal Matters while also covering Civil and Commercial Litigation and handles cases involving personal injury and employment issues. He can be contacted at Arthur@boasecohencollins.com.