Fight against doxxing in Hong Kong, mainland China and Singapore

November 23, 2021 10:18

In the wake of rampant doxxing incidents in recent years, the Hong Kong government made key revisions to the data privacy regime, criminalizing the unauthorized disclosure of damaging personal data, and enhancing the privacy watchdog’s investigation and enforcement powers. These revisions, called the Personal Data (Privacy) (Amendment) Ordinance (PDPO) 2021, along with its Implementation Guideline, took effect on 8 October 2021.

Three main aspects in Hong Kong

1. Criminalisation of doxxing behaviour

To curb doxxing activities, the offence under the previous section 64(2) of the Personal Data (Privacy) Ordinance (PDPO) would be replaced by two offences of a wider scope.

2. Conferring investigation and prosecution powers on the Privacy Commissioner

The Privacy Commissioner will be empowered to investigate doxxing behaviour and prosecute relevant offences at the Magistrates' Courts.

3. Privacy Commissioner may issue cessation notices and apply for injunctions

If the data subject is a Hong Kong resident or is present in Hong Kong when an unauthorised disclosure is made, the Privacy Commissioner will have authority to issue a cessation notice to compel compliance, regardless of where the disclosure has taken place.

Remedies for the deficiencies prior to the amendment

Previously, the PDPO only regulated unauthorized disclosure of a data subject's personal information that is obtained from another person (the "data user").

It is difficult for the Office of the Privacy Commissioner for Personal Data (PCPD) and the police to enforce this provision for a few reasons. First, identifying the original "data user" after information is reposted is difficult. Next, they may be unable to prove the doxxing content was obtained from that data user, or was obtained without consent. Most importantly, the previous section fails to remedy situations where the data subject is harassed or physically harmed (as opposed to psychologically harmed), or where harm is caused to the data subject's family members.

As the PCPD lacked authority to compel compliance, internet service providers often responded with delay, resulting in an approximately 70% response rate.

Consequences of doxxing in Mainland China and Singapore

Doxxing behaviour is equally regarded as a serious issue outside of Hong Kong. In determining whether the proposed revisions are sufficient, it would be helpful to consider the legal protection available in neighbouring jurisdictions.

Mainland China

In Mainland China, there is no specific offence of doxxing; it is regulated as a violation of statutory personal information protection and personality rights. It may trigger civil, criminal and/or administrative liabilities.

Depending on the harm caused by doxxing behaviour, perpetrators might commit the offence of insult or defamation where the circumstances are serious. The penalty is up to 3 years' imprisonment.

For example, in December 2013, a high school girl went shopping in a clothing shop. The shop owner later uploaded surveillance screenshots to Weibo, falsely claiming that the girl was a thief. The girl's school and home addresses were later exposed. The girl committed suicide the next day. The court held that the circumstances were serious, and that the shop owner had committed the offence of insult, as such activities exposed the girl to public humiliation and caused her death.


Singapore

In Singapore, there has been enhanced protection for victims of doxxing. Singapore enacted legislation known as the Protection from Harassment Act (POHA) in November 2014. The POHA was later amended to provide for an offence known as "doxxing", and this came into effect on 1 January 2020.

A key civil remedy under the POHA is for Protection Orders (PO) and Expedited Protection Orders (EPO) to be granted against the perpetrator. This is a highly effective remedy as it may be tailored to the victim's needs and has strong deterrent value with severe consequences if breached.

These measures to enhance protection for victims of doxxing and provide swift recourse signal recognition of the severe harms posed by doxxing.

Our observations

Some experts are concerned that the new amendments in Hong Kong lack a clear definition of doxxing, whereas the Privacy Commissioner has repeatedly brushed off such claims on the basis that the new offences’ essential elements are sufficiently fleshed out in the Amendment Ordinance.

The new offences in Hong Kong may raise red flags for companies in all industries, which could be liable for sharing clients' personal information. A representative office in Hong Kong of a foreign company could be criminally liable for its company's non-compliance with a cessation order, exposing it to significant risks even if the doxxing content is disclosed outside of Hong Kong.

Following the implementation of the new amendments targeting doxxing activities, it is prudent for companies to review their policies for collecting and processing customers' personal information. There should be clear guidelines on how employees use and handle this information, and protocols should be introduced for handling situations where the company is subject to a cessation notice.

Joyce He, Vanessa Ng, Winnie Weng and Nicole Weers also contributed to the article.



Daniel Tang is Partner in the corporate team of Withers. Amarjit Kaur is Partner in the litigation and arbitration team of Withers.