Hong Kong proposes introduction of doxxing-related criminal offences – Personal Data (Privacy) Amendment Bill 2021

Briefly, the Bill contains proposed amendments focusing on anti-doxxing measures which can be categorized as follows:

1. Creating offences to curb doxxing acts committed without the data subject’s consent

The Bill proposes a total of six (6) new offences: 2 main offences on doxxing with 5 ancillary offences related to non-compliance with or obstruction of investigative and enforcement powers exercised by the Privacy Commissioner (PC). The main doxxing offences are as follows (the ancillary offences are discussed under part (iv) below):

• Section 64 (3A) makes it an offence for any disclosure of personal data of a data subject without the relevant consent of the data subject (a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or (b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject. Section 64 (3C) is similar, save that the offence includes an additional element of whether disclosure causes any specified harm to the data subject or any family member of the data subject;
• “Specified harm” here means (a) harassment, molestation, pestering, threat or intimidation to the person; (b) bodily harm or psychological harm to the person; (c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or (d) damage to the property of the person.

2. Empowering the Privacy Commissioner to carry out criminal investigation and institute prosecution

The Bill proposes to empower the PC with four (4) main types of prosecution and investigative powers:

• Power to prosecute offences
  Such powers cover not just the proposed new doxxing offence, but other criminal offences in the PDPO. The new proposed power does not derogate from the powers of the Secretary of Justice to prosecute criminal offences.
  
  
• Power to require to deliver materials and provide assistance
  Such powers include, among others, the power to require a person to provide the PC with materials, require a person to answer questions or require a person to give the PC all the assistance reasonably required.
  
  It is worth noting that a person is not excused from complying with a requirement of a notice only on the ground that to do so might tend to incriminate a person. The proposed exception does provide that if certain criteria are met, such information would not be admissible in evidence against the person in criminal proceedings except for fraud and perjury.
  
  
• Power in relation to premises and electronic devices
  Such power includes, among others, search and seizure powers (with warrant) at relevant premises and access of electronic devices (with or without warrant) to assist with investigations.
  
  
• Power to stop, search and arrest persons
  Such powers may be exercised, without warrant, by the PC (or a person authorised by the Privacy Commissioner) to stop, search and arrest any person reasonably suspected of having committed a doxxing or related offence.

3. Conferring on the Privacy Commissioner statutory powers to demand the cessation of doxxing contents

If the PC has reasonable ground to believe that (a) there is a subject message; and (b) a “Hong Kong person” is able to take a cessation action (whether or not in Hong Kong) in relation to the message, then the PC may serve a “cessation notice” on the person directing the person to take the cessation action. “Cessation action” includes removing the message from the electronic platform, cease or restrict access by any person of the platform or discontinuing the hosting service for the platform.

It is worth noting the extra-territorial scope of the proposed “cessation notice” regime. So long as (i) the relevant message concerns a disclosure (whether taking place inside or outside Hong Kong) of a Hong Kong resident or a person that is present in Hong Kong (at the time when the disclosure is made); and the person that discloses the personal data essentially commits the doxxing offence described above, and (ii) the person that is going to receive the cessation notice can take the cessation action, a cessation notice can be issued, regardless of where the recipient of the notice is.

4. Ancillary offences related to non-compliance with or obstruction of investigative and enforcement powers

5 ancillary offences are as follows:

• Non-compliance with a notice*;
• Non-compliance with a notice with intent to defraud;
• Obstruction, hindrance or resistance to investigations;
• Non-compliance with a cessation notice;
• Non-compliance with secrecy obligations.

*Note: It is a defence if the person can establish that he had a reasonable excuse for failing to comply with the requirement.

While the current Bill does not address other proposed amendments previously discussed such as mandatory data breach notification, data processor regulation, data retention requirements, expansion of definition of personal data and sanctioning powers (see here for a brief summary), it is likely that such proposed amendments will be introduced at a later stage.

The Bill will be formally introduced into the Legislative Council for first and second reading on 21 July. Following which, a bills committee may be formed.