The Personal Data (Privacy)(Amendment) Ordinance 2021: A New Regulatory Regime

The implementation of the Personal Data (Privacy)(Amendment) Ordinance 2021 (“the Amendment Ordinance”) heralds a new era in the regulatory regime for the protection of personal data in Hong Kong.

Effective from 8 October, the Amendment Ordinance has introduced a targeted and robust regime to enable me and my office, the Office of the Privacy Commissioner for Personal Data (“the PCPD”), to combat doxxing behaviour in Hong Kong more effectively.

The main objects of the Amendment Ordinance are to amend the Personal Data (Privacy) Ordinance, Cap. 486 (“the PDPO”) to: (a) create a two-tier offence for disclosing personal data without consent; (b) empower the Privacy Commissioner for Personal Data (“the Commissioner”) to carry out criminal investigations and institute prosecutions for doxxing-related offences; and (c) confer on the Commissioner the statutory power to issue cessation notices to request the removal of doxxing messages.

Specific Offences Created to Curb Doxxing Acts

Under the Amendment Ordinance, new doxxing offences have been introduced under a two-tier structure. The first-tier offence is a summary offence for disclosing personal data without the data subject’s consent, and the discloser has an intent or is being reckless as to the causing of any specified harm by that disclosure to the data subject or any family member of the data subject (new section 64(3A) of the PDPO). The second-tier offence is an indictable offence which is committed if, in addition to satisfying the requisite elements of the new offence under section 64(3A) above, specified harm is caused to the data subject or his or her family member as a result of the disclosure (new section 64(3C)). To properly cover the range of sufferings or damages caused to doxxing victims, the term “specified harm” is widely defined to cover (a) harassment, molestation, pestering, threat or intimidation; (b) bodily harm or psychological harm; (c) harm causing concern about safety or well-being; or (d) damage to the property (new section 64(6)).

The indictable offence carries a heavier penalty under the two-tier structure. Any person who commits the second-tier doxxing offence (new section 64(3C)) is liable on conviction on indictment to a fine of HK$1,000,000 and to imprisonment for 5 years. Any person who commits the first-tier offence (new section 64(3A)) is liable on summary conviction to a fine at level 6 (namely HK$100,000) and to imprisonment for 2 years.

The new sections that give rise to the aforesaid two new offences have replaced the former section 64(2) of the PDPO, which merely covered the disclosure of personal data obtained from a data user without the consent of the data user (as opposed to the data subject). The two new offences also extended the protection under the law to cover any family member of the data subject, who was not so protected under the old law.

It is noteworthy that all the exemptions under Part 8 of the PDPO, and the defence provisions for disclosing personal data without consent as contained in section 64(4), remain substantially intact after the amendments.

Criminal Investigation and Prosecution Powers

Before the legislative amendments, the PCPD did not have criminal investigation and prosecution powers in respect of offences under the PDPO. As a consequence, we had to refer doxxing cases which apparently involved the commission of any offence under the PDPO to the Police for further investigation, and in turn to the Department of Justice for consideration of prosecution. To step up enforcement actions against doxxing and to streamline the entire process, under the Amendment Ordinance, the Commissioner is empowered to carry out criminal investigation and institute prosecution for doxxing and related offences (covering any contravention of section 64(1) or (3A), 66E(1) or (5), 66I(1) or 66O(1)) triable summarily in the Magistrates’ Courts (new section 64C).

On criminal investigation powers, under the Amendment Ordinance, the Commissioner may request relevant documents, information or things from any person, or require any person to answer relevant questions in an investigation into doxxing-related offences (referred to as “specified investigation”) (new section 66D).

The Commissioner or a person authorized by the Commissioner will be able to stop, search and arrest a person without warrant, if the person is reasonably suspected to have committed doxxing-related offences (new section 66H). Providing the Commissioner with such powers of criminal investigation and arrest would effectively expedite the handling of doxxing-related cases by the PCPD.

In addition, the Commissioner is empowered to apply for a warrant to enter and search premises and seize materials for the purpose of a specified investigation (new sections 66G(1) and (2)). The Commissioner may also apply for a warrant to access, search and decrypt information stored in an electronic device, such as a mobile phone (new sections 66G(1) and (3)). Under urgent circumstances where it is not reasonably practicable to obtain such a warrant, the Commissioner may access an electronic device without a warrant (new section 66G(8)). The power reflects similar power possessed by the Police at common law, as confirmed in the case of Sham Wing Kan v Commissioner of Police [2020] 2 HKLRD 529. Such power is absolutely essential in the case of an electronic device as it is crucial to preserve evidence contained in such a device on the spot, especially when it is relatively easy for such evidence to be removed with a click.

Cessation Notice

In the words of the Honourable Mr Justice Russell Coleman of the Court of First Instance, “the impact of doxxing on victims is severe and long-lasting”. It is important, therefore, to remove doxxing messages expeditiously, as they may be forwarded or reposted in seconds by netizens.

In the past two years, in our handling of doxxing cases, the PCPD has written to the operators of eighteen platforms over 300 times to request the removal of over 6,000 doxxing web links. However, as the requests were not mandatory in nature, only about 70% of the doxxing web links were removed and the situation is not satisfactory.

Under the Amendment Ordinance, the Commissioner may serve a cessation notice where: (a) there is a disclosure of personal data of a data subject without consent; (b) the discloser has an intent or is being reckless as to the causing of any specified harm to the data subject or any family member of the data subject by that disclosure; and (c) the data subject is a Hong Kong resident or is present in Hong Kong when the disclosure is made (new section 66K(1)).

Given that the cyber world has no borders, a provision on extra-territorial effect is also introduced in such a way that a cessation notice can be served by the Commissioner regardless of whether the disclosure is made in Hong Kong or not (new section 66K). Further, a cessation notice may be served on a person in Hong Kong (for example, an individual in Hong Kong or an internet service provider having a place of business in Hong Kong) or, in relation to an electronic message, a service provider outside Hong Kong (which covers the operator of an overseas social media platform) that is able to take a cessation action.

Non-compliance with a cessation notice is an offence. The offender is liable on first conviction to a fine of HK$50,000 and 2-year imprisonment, and to a daily fine of HK$1,000 if the offence continues; and on each subsequent conviction to a fine of HK$100,000 and 2-year imprisonment, and to a daily fine of HK$2,000 if the offence continues (new section 66O(1)).

An appeal mechanism against the cessation notice is available for the person on whom a cessation notice is served and any other person who is affected by the notice. They may lodge an appeal to the Administrative Appeals Board within 14 days after the date on which a cessation notice is served (new section 66N). To ensure that doxxing messages are removed in an expeditious manner, any such appeal does not affect the operation of the notice. In other words, the cessation notice must still be complied with within the timeframe specified in the notice pending the final determination of the appeal.

Further, to effectively prevent large-scale or repeated commissions of doxxing offences in society, the Commissioner is also empowered under the Amendment Ordinance to apply for an injunction from the Court of First Instance, and the Court may grant an injunction if it is satisfied that a person (or any person falling within a category or description of persons) has engaged, is engaging or is likely to engage, in a doxxing offence (new section 66Q).

Overseas Experiences

In actuality, the problem of doxxing is not unique to Hong Kong. In the recent legislative amendment exercise, the Government and the PCPD have also taken account of the regulatory framework and experience in other jurisdictions.

For instance, in Australia, under the Enhancing Online Safety Act 2015, a person must not post certain categories of materials (which cover cyber-bullying material of an Australian child or intimate images) without the consent of the individual concerned. So long as the materials are classified as cyber-bullying material targeted at an Australian child, the eSafety Commissioner would have the power to issue a request to remove the material concerned. This is notwithstanding that the materials are posted on an electronic platform operating outside Australia.

Similarly, in New Zealand, pursuant to the Harmful Digital Communications Act 2015, it is an offence for a person to post a digital communication with an intent to cause harm to an individual, and when such posting actually causes serious emotional distress to the individual concerned. In assessing whether the post(s) would cause harm to an individual, the Court will consider an array of factors, such as the extremity of the language used and the context in which the communication appeared; and may make an order to take down the harmful material.

In Singapore, the Protection from Harassment Act was amended in 2019 to cover the malicious publication of any identity information (the definition of which resembles that of “personal data” under the PDPO) of a target person or a related person of the target person. Sections 3(1) and 5(1A) of the Act now provide, inter alia, that it is an offence to publish such identity information with an intent to cause harassment, alarm or distress to the target person or cause the target person to believe that unlawful violence will be used against him/her. An express extra-territorial provision is provided for in section 17 of the Act pursuant to which the Singaporean Courts shall have jurisdiction to try an offence and impose punishment so long as, for instance, the victim was in Singapore at the time of publication of the identity information and when the accused knew or had reason to believe that the victim would be in Singapore at the time of publication, notwithstanding that the accused was outside Singapore at the material time.

Striking a Reasonable Balance

In the words of the Honourable Mr Justice Jeremy Poon Shiu-chor, the Chief Judge of the High Court in the case of Junior Police Officers’ Association of the Hong Kong Police Force v Electoral Affairs Commission and others [2019] 5 HKLRD 291, “doxxing should not and cannot be tolerated in Hong Kong, if we still take pride in our city as a civilized society where the rule of law reigns.” He added that doxxing “seriously endangers our society as a whole”, given that it can ignite the fire of “distrust, fear and hatred” which will then “consume the public confidence in the law and order of the community, leading to disintegration of our society”. The dicta of the Chief Judge vividly, and succinctly, summarised the vicious nature of doxxing behaviour, which should be condemned by us all.

Indeed, when doxxing acts target members of the Judiciary, they represent attacks on the cornerstone of the rule of law, and should be stopped.

To quote Mr Grenville Cross, SC, a former Director of Public Prosecutions and a renowned criminal justice analyst, the recent legislative amendment is a measured response to a heinous crime. The objective of the Amendment Ordinance is to criminalise doxxing acts and more effectively combat the crime by increasing the enforcement powers of the Commissioner. The Amendment Ordinance will not affect normal and lawful business activities in Hong Kong, neither will it affect the freedom of speech and free flow of information that members of the public currently enjoy. Such rights have been, and are, enshrined in the Basic Law and the Hong Kong Bill of Rights Ordinance, Cap. 383, and there is nothing in the Amendment Ordinance which encroaches upon those rights. 

Privacy Commissioner for Personal Data

Ada was appointed as the Privacy Commissioner for Personal Data of Hong Kong in September 2020.

Ada was qualified as a barrister-at-law and a Certified Public Accountant. She has solid legal expertise and abundant administrative experience. Before her appointment as the Privacy Commissioner, Ada was the Registrar of Companies and had held various posts in the Department of Justice, including the Deputy Law Officer (Civil Law). In her role as the Registrar of Companies, she contributed significantly to the rewrite of the Companies Ordinance in Hong Kong and she spearheaded the implementation of the new Companies Ordinance in Hong Kong.