Violations could attract hefty fines and up to five years in prison

UPDATED Hong Kong’s controversial new anti-doxxing law, which criminalizes the non-consensual disclosure of individuals’ sensitive personal data, has come into effect despite opposition from both technology firms and privacy advocates.

Effective October 8, the law gives the regional government’s privacy watchdog powers to prosecute doxxing-related offences, with offenders potentially liable for jail terms of up to five years and fines of up to HK$1 million (US$128,200).

“Anyone who discloses the personal data of another person without consent, whether recklessly or with intent to cause specified harm to the person or his or her family, such as harassment, molestation, pestering, threat, intimidation, bodily or psychological harm or damage to property, commits the offence of doxxing,” said the Office of the Privacy Commissioner for Personal Data (PCPD), the domestic data protection regulator.

The harshest penalties are imposed if victims suffer harassment, intimidation, physical or psychological harm, damage to their property, or a threat to their safety or wellbeing.

The law, an amendment (PDF) to the Personal Data (Privacy) Ordinance 2021, was passed by Hong Kong's legislature on September 29.

Pro-democracy protests

The amendment was drafted in the wake of a surge in doxxing-related incidents during pro-democracy protests that convulsed the special administrative region (SAR) in 2019, as reported by The Daily Swig in January 2020.

Sparked by a controversial treaty that enabled the extradition of criminal suspects to mainland China, the protests saw numerous demonstrators investigated for sharing photos and other personal data online of what protestors claimed were rogue police officers.


BACKGROUND Hong Kong aims to tackle doxxing with overhaul of data privacy laws


Police officers were themselves accused of doxxing too, with two reported instances involving the live streaming of videos in which journalists’ identity cards were visible.

The PCPD says it has handled more than 5,800 doxxing cases between the very first report in June 2019 and the end of June 2021, and has detailed a number of convictions under the previous legal framework.

“Doxxing acts have become rampant and personal data has been weaponised since 2019 in Hong Kong,” the PCPD told The Daily Swig.

The amendment “aims to combat doxxing acts that are intrusive to personal data privacy," it added. “The legislature and the Hong Kong SAR government have made reference to relevant laws in other jurisdictions, including Singapore, Australia and New Zealand during the legislative process.”

‘Not aligned with global norms’

The PCPD is also empowered to conduct searches on online service providers’ electronic equipment, order arrests without a warrant, and request that content be removed from websites hosted outside Hong Kong. Failure to comply could see local representatives face up to HK$100,000 in fines and two years’ imprisonment.

These provisions have provoked alarm among tech firms, which fear staff could be exposed to the risk of prosecution over the publication of user-submitted content.

The Asia Internet Coalition (AIC), a Singapore-based trade association that represents Apple, Facebook, Google, LinkedIn, Twitter, and Amazon, explained its concerns in a letter sent to the Hong Kong government in June.


Read more of the latest data privacy news and breaches


“Introducing sanctions aimed at individuals is not aligned with global norms and trends,” it said, warning that technology companies might be tempted to “refrain from investing and offering their services in Hong Kong” as a result.

However, the PCPD told The Daily Swig: “The Privacy Commissioner met with representatives of the [AIC] in early July 2021 and there was a good exchange of views between the parties. The representatives of the AIC reaffirmed that doxxing is a matter of serious concern and that it is necessary to combat doxxing in order to protect personal data privacy”.

Having criticized a National Security Law passed in 2020 for curtailing freedom of speech and protest, human rights and pro-democracy groups are similarly concerned the anti-doxxing legislation is yet another tool for stifling dissent.

‘Clear, focused and target-specific’

But the PCPD commented: “The Amendment Ordinance has struck a reasonable balance between the protection of privacy and freedom of speech, and will not affect the freedom of speech and free flow of information that members of the public currently enjoy. It has no bearing on normal and lawful business activities in Hong Kong.”

The PCPD added that other proposed amendments to Hong Kong’s 1996 privacy law – including establishing a mandatory data breach notification mechanism, data retention period, powers to impose administrative fines, and regulation of data processors – are still being considered.


This article was updated on October 16 with additional comments from the PCPD.


RELATED OPPA: Ohio could become the third US state to enact a new consumer privacy law in 2021