In the wake of rampant doxxing incidents in recent years, Hong Kong has made key revisions to the data privacy regime to criminalize the unauthorized disclosure of personal data causing specified harms to an individual and his family members, and to enhance the privacy watchdog’s investigation and enforcement powers.
The Personal Data (Privacy) (Amendment) Ordinance 2021 targeting at curbing doxxing activities has taken effect on 8 October 2021. Apart from looking at the new legal regime in Hong Kong, this article will also highlight the legal landscape against doxxing in Mainland China and Singapore.
Three main aspects in Hong Kong
Criminalisation of doxxing behaviour
To curb doxxing activities, the offence under the previous section 64(2) of the Personal Data (Privacy) Ordinance (PDPO) would be replaced by two offences of a wider scope.
The first tier offence is against disclosure of personal information without the victim’s (the data subject) consent where the disclosing party has an intent or is reckless as to causing any specified harm by that disclosure. If the disclosure results in any specified harm, the disclosing party would be liable for a second tier indictable offence.
Under both offences, “specified harm” generally consists of four limbs, namely (i) harassment, molestation, pestering, threat or intimidation to the person, (ii) bodily or psychological harm to the person, (iii) harm causing the person reasonably to be concerned for the person’s safety or well-being; (iv) damage to the property of the person.
Conferring investigation and prosecution powers to the Privacy Commissioner
The Privacy Commissioner will be empowered to investigate doxxing behaviour and prosecute relevant offences at the Magistrates’ Courts. This allows the Privacy Commissioner to choose whether it wishes to prosecute directly, or to refer more serious cases to the police or the Department of Justice for prosecution.
In order to facilitate investigations and toughen enforcement against doxxing behaviour, the Privacy Commissioner will be empowered to require any person to provide relevant information, answer relevant questions and give assistance. Consequently, it will be an offence for anyone who (i) without reasonable excuse, fails to comply with such a request, (ii) with intent to defraud, fails to comply with such a request, or (iii) during his compliance, with intent to defraud, provides materially false or misleading information. The Privacy Commissioner will have further powers to stop, search and arrest any person without a warrant, if the person is reasonably suspected to have committed certain offences and to apply for a warrant to enter and search premises, seize items and access electronic devices during their investigations.
Privacy Commissioner may issue cessation notices and apply for injunctions
If the data subject is a Hong Kong resident or is present in Hong Kong when an unauthorised disclosure is made, the Privacy Commissioner will have authority to issue a cessation notice to compel compliance, regardless of where the disclosure has taken place. Cessation actions can include the removal of doxxing content, limiting access to the doxxing content or its disclosing platform, as well as discontinuance of hosting service for that platform. They apply not only to individuals or companies in Hong Kong, but also overseas service providers that have no presence in Hong Kong.
In light of repeated doxxing behaviour prejudicing certain individuals or groups in the society, the Privacy Commissioner will also be empowered to make injunction applications to the court to compel compliance.
Remedies for the deficiencies prior to the amendment
Between June 2019 and June 2021, the PCPD received over 5,800 complaints of doxxing. The impact of exposing personal information is worsened by the internet and social media platforms which allow fast and easy sharing and reposting, thereby making it harder for the PCPD and police to track down culprits and control the outspread.
On 27 September 2021, a former clerical assistant from the Immigration Department was sentenced to 45-month imprisonment after leaking personal information of 215 people, including government, judicial and police officers, politicians, public figures and their families, and sharing via Telegram for over 11 months. Condemning the behaviour as “a betrayal of moral standards” and “a cyberterrorist act”, the court expressed that the sentence could have been longer and challenged the police’s delay in identifying the culprit.
More importantly, the PCPD and police have experienced difficulty in enforcing the old section 64 prior to the amendment for a few reasons. First, they could not identify the data user given multiple reposting of the same doxxing content. Next, they were unable to prove that the content was obtained from that specific data user or that the disclosing party failed to obtain that data user’s consent. The old section further fails to remedy situations where the data subject is harassed or physically harmed (as opposed to psychologically harmed), or where harm is caused to the data subject’s family members, which unfortunately has been prevalent.
The PCPD’s previous requests to remove doxxing content lacked non-compliance consequences, often resulting in delayed response and a response rate of only approximately 70% among internet service providers.
Consequences of doxxing in Mainland China and Singapore
Doxxing behaviour is equally regarded as a serious issue outside of Hong Kong. In determining whether the proposed revisions are sufficient to tackle the problem, it would be helpful to consider the legal protection available in neighbouring jurisdictions.
In Mainland China, although the first reported doxxing or “internet vigilante” event dated back to 2001, there is still no specific offence of doxing and doxxing behaviour is only regulated as one form of violations of statutory personal information protection and personality right. It may trigger civil, criminal and/or administrative liabilities as follows:
Depending on the nature and seriousness of the infringement related to privacy, personal information or reputation and any financial consequences that result from it, the disclosing party could be exposed to civil liabilities, including an order to cease any infringement, making official apologies, as well as paying compensation to the victim.
If an internet user or internet service provider uses the internet to illegally disclose personal privacy and other personal information such as a natural person’s genetic information, medical records, health examination data, criminal records, home address, private activities, etc., and thereby causing damage to others, they would be liable for compensating the victim’s losses.
Depending on the harm caused by doxxing behaviour, the perpetrators might commit the offence of insultation or defamation where the circumstances are serious. The penalty for such offences is up to imprisonment of 3 years.
As for what circumstances would be considered serious in terms of the offence of insultation, a case in 2013 can provide a useful illustration. In December 2013, a high school girl went shopping in a clothing shop. Soon after the shop owner uploaded the shop’s surveillance screenshots to Weibo, falsely claiming that the girl was a thief. On the same day, the girl’s school and home addresses were exposed. The girl committed suicide the very next day. The court held that the circumstance is serious, and the shop owner’s activities constitute the offence of insulation as such activities exposed the girl to public humiliation and caused her death. But as the shop owner made compensation to the girl’s parents, obtained the understanding of the girl’s family after the incident and showed repentance, the court imposed a less severe punishment on the shop owner and eventually sentenced the shop owner to imprisonment of 1 year.
Those who peek, sneakshot, eavesdrop or spread the personal information of others would be fined up to RMB500 or detained for up to 5 days, although for serious cases, the detainment could be prolonged to 10 days.
Any network operator or provider of network products or services infringing upon personal information may be subject to a fine in the range of 1 to 10 times the amount of illegal income, or if there is no illegal income therefrom, a fine of up to RMB1,000,000. The responsible person directly in charge would also be personally subject to a fine in the range of RMB10,000 to RMB100,000.
Apart from monetary penalties, various laws and regulations also provide for different kinds of administrative measures, such as a warning, order to correct, confiscation of the illegal proceeds, suspension or closure of the business, website or communication groups, cease and desist order, revocation of relevant business licence, temporary or definitive ban from the profession, property freezing, and recording and publishing of such sanctions in the “Social Credit Register” and other forms of ‘public exposure’ such as the public announcement of these measures.
Over the years in Singapore, there has been progressive enhanced protection for victims of doxxing. Singapore enacted legislation known as the Protection from Harassment Act (POHA), which came into force in November 2014 with the overall aim of protecting victims of harassment and stalking. The POHA was later amended to provide for an offence known as “doxxing”, and this came into effect on 1 January 2020.
The consequences of doxxing in Singapore include criminal liability and civil remedies such as protection orders which an applicant under the POHA can obtain against the perpetrator (who may either be an individual or an entity).
Doxxing is a criminal offence under the POHA, if it is done to:
- Intentionally cause harassment, alarm or distress [section 3(1)(c) of the POHA]; or intentionally or knowingly cause the victim to believe that unlawful violence will be used against him or to facilitate the use of violence against the victim [section 5(1A) of the POHA].
- The penalty for the former offence is a fine of up to SGD$5,000 and/or imprisonment for up to 6 months, and for the latter offence is a fine of up to SGD$5,000 and/or imprisonment for up to 12 months. These penalties may be enhanced for offences committed against vulnerable persons and victims in an intimate relationship with the offender.
Civil actions may be brought against perpetrators which would allow victims to claim compensation for damages suffered due to doxxing. Victims will have access to a range of civil remedies, including:
- a stop publication order, requiring the perpetrator to stop publishing any false statement of fact; or
- a disabling order, requiring the internet intermediary to disable user access to any false statement of fact.
Another key civil remedy under the POHA is for protection orders (PO) and expedited protection orders (EPO) to be granted against the perpetrator. This is a highly effective and protective remedy as it may be tailored to the victim’s needs and has strong deterrent value with severe consequences if breached.
A court may grant a PO against any individual or entity alleged to have committed the offence of doxxing, if the Court is satisfied that the perpetrator has committed a doxxing offence, and is likely to continue committing the offence or commit such other offence in respect of the victim. A PO may require the perpetrator to stop publishing the offending communication. This may even extend to requiring third parties, such as Facebook and Instagram, to remove the offending communication.
When a victim of doxxing is in dire need of protection, he or she may apply for an EPO, which offers a swifter application process for immediate protection. An EPO may be granted within 48 to 72 hours of filing an application and even within 24 hours if there is a risk of violence or actual violence.
There are severe consequences if a perpetrator breaches a protection order, involving a fine of up to SGD$5,000 and/or imprisonment of up to 6 months. A perpetrator who repeatedly breaches protection orders will be liable for a fine of up to SGD$10,000 and/or imprisonment of up to 12 months.
The POHA provides for reasonableness of conduct to operate as a defence against doxxing. There is no clear definition of what would constitute reasonable conduct, which is heavily fact-specific, but some factors which might be considered include the nature and context of the alleged offending acts, and the effect of those actions on the victim.
The Protection from Harassment Court (PHC) was established on 1 July 2021 to hear all criminal and civil matters pertaining to the POHA. The PHC adopts simplified procedures that are conducted on an expedited basis to provide victims with necessary legal recourse in a timely manner. This includes allowing PO and EPO applications to be filed via a straightforward claim form, without needing an Originating Summons that may be necessary in other courts. The establishment of the PHC is thus a welcome development which would help to strengthen the legal protection for victims of doxxing in Singapore.
The recent amendments in Singapore to enhance protections offered to victims of doxxing and provide swift recourse signals recognition of the severe harms posed by trends of posting people’s personal information / photographs online to cause them embarrassment and harassment.
Some industry experts and critics have expressed concerns that the new amendments in Hong Kong lack clear definition of doxxing, which consequently could be interpreted broadly, whereas the Privacy Commissioner has repeatedly brushed off such claims on the basis that the new offences’ essential elements are sufficiently fleshed out in the Amendment Ordinance. The Implementation Guideline recently issued by the PCPD may assist in the interpretation of various offences of concern.
The new offences in Hong Kong may raise red flags for companies of all kinds of industries who could be liable for sharing clients’ personal information. A representative office in Hong Kong of a foreign company could be criminally liable for its company’s non-compliance of a cessation order, exposing it to significant risks even though the doxxing content is disclosed outside of Hong Kong.
Following the implementation of the new amendments targeting at doxxing activities, it is prudent for companies to start reviewing their internal policies for collecting and processing customers’ personal information and the purpose of such collection. There should be clear guidelines on how employees use and handle such personal information and protocols should be introduced for handling situations where the company is subject to a cessation notice.