Hong Kong’s anti-doxxing law plugs privacy loophole and protects freedoms
- In making doxxing a crime and boosting the privacy commissioner’s enforcement powers, the new ordinance puts Hong Kong’s laws in step with those in Australia, New Zealand and Singapore
- It will not affect normal and lawful business activities in Hong Kong, or affect freedom of speech and the free flow of information
The introduction of anti-doxxing to Hong Kong’s privacy law on October 8 heralds a new era in the regulatory protection of personal data, in criminalising the disclosure of other people’s personal data without consent.
Where “specified harm” is caused to the person or a family member as a result of the doxxing, this may be considered a second-tier, indictable offence.
Anyone found guilty of a summary doxxing offence is liable to a HK$100,000 (US$12,850) fine and two years in jail. This increases to a HK$1 million fine and five years in jail for an indictable offence.
“Doxxing should not and cannot be tolerated in Hong Kong, if we still take pride in our city as a civilised society where the rule of law reigns,” said Justice Jeremy Poon Shiu-chor, the chief judge of the High Court.
He added that doxxing “seriously endangers our society as a whole”, given that it can ignite “the fire of distrust, fear and hatred”, which can “consume the public confidence in the law and order of the community, leading to disintegration of our society”.
It will not affect normal and lawful business activities in Hong Kong, nor the freedom of speech and free flow of information that members of the public enjoy.
Such rights are enshrined in the Basic Law and the Hong Kong Bill of Rights Ordinance. There is nothing in the new privacy laws which encroaches upon those rights.
Freedom of speech, by any token, does not encompass the right to abuse other people’s personal data and cause them harm, either intentionally or recklessly, whether online or otherwise.
‘Hold internet service providers liable for not removing leaked data’: judge
Over the past two years, in our handling of doxxing cases, my office has written to the operators of 18 platforms over 300 times to request the removal of over 6,000 doxxing web links. However, as the requests were not mandatory, only about 70 per cent of the doxxing web links were removed and the situation is not satisfactory.
Under the new regime, the privacy commissioner may serve a cessation notice to request the removal of doxxing messages when the victim is a Hong Kong resident or present in Hong Kong when the disclosure is made. Failing to comply with such a notice is an offence.
A cessation notice may be served on a person in Hong Kong (including on an internet service provider having a place of business in Hong Kong) or, in relation to an electronic message, a service provider outside Hong Kong (which covers the operator of overseas social media platforms) that is able to take a cessation action, given that the cyber world has no borders.
The problem of doxxing is not unique to Hong Kong. In making the recent legislative changes, the government and my office took into account the regulatory framework and experiences in other jurisdictions, including Australia’s Enhancing Online Safety Act 2015, New Zealand’s Harmful Digital Communications Act 2015 and Singapore’s Protection from Harassment Act.
In Singapore, for example, the Protection from Harassment Act was amended in 2019 to cover the malicious publication of any identity information of a targeted person. There is also an extraterritorial provision so Singaporean courts may try an offence so long as, for instance, the victim was in the country at the time of publication of the identity information.
What Hong Kong has done was simply to fill a lacuna in the law, in line with similar laws and regulations in other jurisdictions.
Ada Chung Lai-ling is the Hong Kong’s Privacy Commissioner for Personal Data