Hong Kong’s privacy commissioner has gained sweeping powers to request local and overseas internet service providers to remove “doxxing” content, after lawmakers passed amendments to the what they saw as a backward privacy law.

The Personal Data (Privacy) Ordinance amendment bill was approved in the Legislative Council on Wednesday with total backing from pro-establishment legislators. Disclosing personal data without consent, with an intent to cause psychological harm, is now a criminal offence in Hong Kong that can be punishable by up to a HK$1 million fine and five years in jail.

Photo: inmediahk.net via CC 2.0.

The amendments sought to streamline the handling of doxxing cases by the city’s privacy watchdog, by empowering the Privacy Commissioner for Personal Data to launch criminal investigations without referring the case to the police. It includes the authority to access an electronic device without a warrant under “urgent circumstances,” though entering and searching premises still requires a warrant.

The commissioner may also press charges against a doxxing suspect without relying on the Department of Justice to institute a prosecution.

The legislation carries extra-territorial effect as the privacy commissioner may serve a notice to internet service providers – both based in Hong Kong and outside the city – to take down information deemed by the authorities as doxxing within a designated timeframe.

“Given the boundless nature of the internet, an extra-territorial effect is also introduced such that a cessation notice can be served by the commissioner regardless of whether the disclosure is made in Hong Kong or not,” a document submitted to the legislature read.

File photo: Tom Grundy/HKFP.

A tech industry group featuring members such as Google, Twitter and Facebook told the Hong Kong government in June that while doxxing was “a matter of serious concern,” the legislation “can have the effect of curtailing free expression.” The government should consider the principles of necessity and proportionality when building the anti-doxxing law, it said.

Surge in cases

The legislation was proposed following a surge in doxxing cases during the months-long anti-extradition bill protests. The privacy watchdog said over 5,700 complaints were recorded between June 2019 and April this year, involving police officers and their family members, as well as supporters of the government and the force. Journalists were also targets of doxxing, with many victims being former employees of the now-defunct newspaper Apple Daily and public broadcaster RTHK.

In supporting the passage of the new privacy law, Elizabeth Quat of the DAB party said the existing “Stone Age” ordinance had failed to deter the disclosure of personal information. She said those behind “black-clad violence” had doxxed people who held a different political stance during the 2019 unrest in a bid to drive the city into “mutual destruction.”

Elizabeth Quat speaks in the Legislative Council on September 29, 2021. Photo: Legislative Council livestream screenshot.

“[The ordinance] had always been criticised as a toothless tiger… now it has some teeth,” she said.

Another lawmaker Ma Fung-kwok described the amendments as a “delayed justice,” saying many council members, including himself, were victims of doxxing. He said his phone number and address were divulged, causing inconvenience to his family members who also feared for their personal safety.

“It was an extreme injustice to those whose information was disclosed,” he said, adding the new law will be effective in preventing large-scale doxxing from happening again in the future.

Photo: Rachel Johnson, via Flickr.

The government should step up education on personal data privacy to primary and secondary students, Ma added, to prevent doxxing from taking place on campus.

On Monday, a former Immigration Department employee was sentenced to 45 months behind bars, after she pleaded guilty to leaking personal details of government officials, judges, celebrities, police officers and their family members on messaging app Telegram. Her actions resembled an “outright al-Qaeda-style cyberterrorist act,” the judge remarked.

‘HK Leaks’

At the time of writing, a website targeting democrats and journalists remains online almost two months after HKFP alerted the authorities with media enquires. Since 2019, the “HK Leaks” website has openly maintained an online database of personal data belonging to over 2,000 Hong Kong democrats, protesters and journalists.

ID card numbers, headshots, home addresses and phone numbers are often included. Historically, the site has been hosted on Russian servers and promoted by groups linked to the Chinese Communist Party. The authorities refused to comment on “individual cases” when asked by HKFP if the site would be removed.

Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit, Hong Kong Free Press is #PressingOn with impartial, award-winning, frontline coverage.

Kelly Ho

Kelly Ho has an interest in local politics, education and sports. She formerly worked at South China Morning Post Young Post, where she specialised in reporting on issues related to Hong Kong youth. She has a bachelor's degree in Journalism from the University of Hong Kong, with a second major in Politics and Public Administration.