Preliminary proposals seen as ‘GDPR-lite’ but tough on maliciously identifying people online
Doxxing could soon become a criminal offense in Hong Kong, as lawmakers confront a surge in the spread of private information online linked to ongoing anti-government protests.
The recommendation, part of a raft of proposals to overhaul the 1996 Personal Data (Privacy) Ordinance (PDPO), would hand the regional government’s privacy watchdog powers to compel websites and social media platforms to remove offending posts and prosecute their authors.
A white paper (PDF), issued on January 13 by the Constitutional and Mainland Affairs Bureau (CMAB), also proposes a mandatory data breach notification mechanism, greater enforcement powers, and a broader definition of what constitutes personal data.
The move follows a High Court ban, passed in October, on publishing personal information that could identify police officers and their families, some of whom had received death threats, according to police.
Explaining the proposal, Hong Kong privacy commissioner Stephen Wong told a press conference on January 21 that 1,400 doxxing-related police investigations opened since June 14, 2019 – five days after a controversial extradition bill sparked the first protests – had not led to a single conviction.
For the uninitiated, doxxing refers to the practice of searching for and publishing private or identifying information about an individual online.
Protesters in Hong Kong say they resorted to sharing photos of rogue police officers online, sometimes via the messaging platform Telegram, after officers stopped wearing badge numbers on their uniforms.
Police officers have themselves also been accused of doxxing, in two instances displaying journalists’ identity cards to the camera during live-streamed videos.
Gabriela Kennedy, a partner at Mayer Brown’s Hong Kong office, suggested to The Daily Swig that creating an offense specific to doxxing “may alleviate public concerns that doxxing cases are not treated impartially”, since criminal investigations “under the PDPO have to be referred to the police for prosecution”.
A five-day window for reporting serious data breaches, two days longer than the 72 hours allowed under GDPR, has also been mooted as part of the plans to amend the PDPO.
This comes after Hong Kong’s privacy commissioner was powerless to fine Cathay Pacific for taking seven months to report a payment card breach potentially affecting 9.4 million passengers.
While the Office of the Privacy Commissioner for Personal Data (PCPD) reprimanded Hong Kong’s national carrier for “a lax attitude towards data governance”, it could only issue a financial penalty for the 2018 incident if Cathay first violated a remedial enforcement notice ordering an overhaul of its cybersecurity practices.
The new proposals recommend handing the PCPD the power to levy fines on firms found culpable of serious security breaches, rather than merely putting them on notice that punishment would follow subsequent lapses.
Financial penalties could be linked to the offending organisation’s turnover, with the decision to impose one depending on “the data compromised, the severity of the data breach, the data user’s intent for the breach and attitude of breach handling, the remedial action taken by the data user and the track record of the data user, etc.”
Currently, the maximum penalty under the PDPO is a fine of HK$1 million (US$129,000) plus five years in prison, with no tier of fines specific to data breaches.
In line with the EU, Canada, and Singapore, the proposals would also expand the definition of personal data from relating to an “identified” to an “identifiable” person.
However, Emmanuel Pernot-Leplay, who has a PhD in comparative law from Shanghai Jiao Tong University, found the absence of a more robustly protected category for ‘sensitive data’ to be “frankly surprising”.
Speaking to The Daily Swig, he said: “Even mainland China, in its latest non-binding rules accompanying the Cybersecurity Law, recommends applying additional safeguards to sensitive data.”
Sensitive data – which under GDPR includes information about ethnic origin, political views, and religious beliefs – is currently addressed in Hong Kong only under non-binding guidance on biometric data.
A recommendation to force organisations to apply a clear retention policy would close a gap in the current law by proposing maximum retention periods for different categories of personal data. Current legislation says personal data should not be kept longer than is necessary but fails to define any particular time frames.
The proposals would also make data processors, in addition to data users/controllers, accountable for data retention, data security, and data breach notification. However, Mayer Brown’s Kennedy notes that “GDPR imposes much more extensive obligations on data processors.”
More work needed
The proposals purport to “keep in view the development trends in various jurisdictions, especially the EU”, but while praising the proposals on data breach notification and administrative fines, Pernot-Leplay said evidence of convergence is otherwise “minimal”.
Human Rights Watch has urged the Hong Kong government to broaden the definition of personal data to encompass online and device identifiers and location data, create a separate category for sensitive data, and give data subjects more control over their personal data.
“The government’s current proposal is too narrow, and [the Legislative Council of Hong Kong] now has a critical opportunity to strengthen this outdated law and bring it closer to better models, such as Europe’s privacy laws,” said Sophie Richardson, China director at the charity.
Citing the doxxing measure in particular, Kennedy says the proposals “depart somewhat from the GDPR in order to suit local circumstances.”
Noting they are only “preliminary recommendations”, she urged lawmakers to adopt a “holistic” approach to amending the PDPO “to bring our regime more in line with international developments” and to “ensure the competitiveness of Hong Kong when it comes to data flows.”