Much as I would abhor doxxing, I regret that personal data has been used by some nowadays as a weapon in an attempt to hurt, intimidate or silence others with different political views.
What constitutes “doxxing”? Doxxing involves the gathering of the personal data of a target or even his/her family members from different sources and the subsequent disclosure of such personal data on the internet, social media platforms or other open platforms without the consent of the relevant data subject.
In a typical doxxing case, the more common personal data which are disclosed include:
- Hong Kong Identity Card Number
- Date of Birth
- Mobile telephone number
- Address (often residential address)
- Names of family members
From the above particulars of the personal data disclosed online in a typical doxxing case, one would not be surprised that some of the victims of doxxing found themselves exposed to intimidation calls or, equally bad, cyberbullying or identity theft. In some cases, the names and other personal data of the victims were used to borrow money, order merchandise online or register for organ donation, causing continuous and serious distress or psychological harm to the victims or even their family members.
In combatting doxxing, my office (the PCPD) has, since June 2019, handled more than 4,700 doxxing-related complaints and cases found proactively by ourselves through online patrols. To tackle this unprecedented phenomenon of doxxing, the PCPD has written more than 200 times to request the operators of a total of 18 websites, online social media platforms or discussion forums concerned to remove more than 3,500 doxxing web links. The PCPD has also urged the online platforms to post warnings that netizens who engage in doxxing may commit a crime under section 64 of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO).
As part of our enforcement efforts, we have referred over 1,400 cases to the Police for criminal investigation and consideration of prosecution. We have also referred 45 cases that involved possible violation of the Court’s interim injunction orders to the Department of Justice for follow-up.
Through our publicity efforts, the PCPD has appealed to the general public to protect themselves from falling prey to doxxing activities by avoiding casual or arbitrary disclosure of personal data.
Other than being immoral, doxxing behaviour can also bring serious legal consequences.
In particular, doxxing may constitute a contravention of section 64(2) of the PDPO, which stipulates that a person commits an offence if the person discloses any personal data of a data subject that was obtained from a data user without the data user’s consent and the disclosure causes psychological harm to the data subject. The offence is punishable by a fine of up to HK$1 million and imprisonment for 5 years.
Doxxing behaviour may also be a crime under the Crimes Ordinance (Cap. 200) if there is evidence that the acts in question constitute criminal intimidation, or access to a computer with criminal or dishonest intent. Furthermore, the victims of doxxing may commence civil litigation against the doxxer to claim compensation.
While doxxing is virulent, it is utterly wrong for someone to think that the cyber world is above the law.
To combat doxxing, we have strengthened our collaboration with other law enforcement agencies and trade associations. As a result of our efforts, for example, the Hong Kong SAR Licensed Money Lenders Association Ltd. has appealed to all its members to tighten up their customer due diligence and verification procedures to prevent identity theft. We also learnt from the Department of Health that a warning notice has been posted on its website for registration for organ donation to deter people from using the personal data of others to register for organ donation.
It is against this background that I welcome the Court’s ruling in the first conviction case under section 64(2) of the PDPO in October this year. In that case, the defendant took advantage of his work in a telecommunications company to obtain the personal data of a family member of a police officer through his office computer and disclosed the data to a group on a social media platform for doxxing, thereby causing psychological harm to the victim, which included feeling helpless and fragile, and worrying about the safety of himself and his family members. After trial, the defendant was convicted and sentenced to 18 months’ imprisonment for contravention of the PDPO.
Section 64(2) of the PDPO aside, the High Court has granted three doxxing-related interim injunction orders (HKCFI 2773 (HCA 1957 of 2019), HKCFI 2809 (HCA 2007 of 2019) and HKCFI 2785 (HCA 1847 of 2020)). In June and October this year, by violating the Court’s interim injunction orders, the defendants in two cases were respectively convicted of civil contempt of court. Both defendants were sentenced to 28 days’ imprisonment, suspended for one year. Although the sentence was suspended in both cases, Mr Justice Russell Coleman stated in the judgment for the latter case that the impact of doxxing on victims is “severe and long-lasting”, and “the court should send a clear message to the public that such conduct is not tolerated in a civilised society”. When explaining the general principles on sentencing in cases of civil contempt, the Judge also made it clear that “subject to mitigating factors, if any, the starting and primary penalty for contempt of court in breaching an order in the nature of an injunction is imprisonment. The normal penalty for breaches of injunction orders is imprisonment measured in months.”
It is abundantly clear from the above judgment that violation of the Court’s injunction orders is a very serious matter. I would urge all not to flout the law.
– Ada Chung Lai-ling, Barrister, Privacy Commissioner for Personal Data, Hong Kong