Client Alert – Beware of doxxing messages


The much-anticipated amendments to the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) are gathering pace. On 11 May 2021, the Hong Kong government proposed amendments to the existing statutory regime against ‘doxxing’ activities. ‘Doxxing’ generally refers to the gathering of personal data of third parties or their related persons[1] through online social platforms[2], and the online disclosure of that data.


The existing statutory provisions[3] prohibit the disclosure of any personal data of a data subject[4] which was obtained from a data user without the data user’s consent, with an intent to obtain gain, or if the disclosure causes loss in money or other property or psychological harm to the data subject.

Since the PDPO’s enactment in 1995, technology and the use of the internet/social media have made great strides. This has provided a platform for doxxing activities, the occurrence of which has become particularly topical in Hong Kong in recent times. The current statutory regime is therefore in need of reform because, among other reasons, the Privacy Commissioner for Personal Data is not empowered to trace the origin of doxxing activities.

It was against the above background that the proposed amendment was introduced. While the proposed provision is intended to be technology neutral, it is in reality the online social platform operators (Platform Operators) and their users (likely to be individuals) (Platform Users) that would be concerned by the change the most.

Proposed Amendment

Platform Operators and Platform Users should pay special attention to the following aspects[5] of the proposed amendment.

a. Additional offence under section 64

It is proposed that a provision creating an additional offence be introduced under the existing section 64, which reads:

A person commits an offence if the person discloses any personal data of a data subject without the data subject’s consent,

(i) with an intent to threaten, intimidate or harass the data subject or any immediate family member, or being reckless as to whether the data subject or any immediate family member would be threatened, intimidated or harassed; or

(ii) with an intent to cause psychological harm to the data subject or any immediate family member, or being reckless as to whether psychological harm would be caused to the data subject or any immediate family member;

and the disclosure causes psychological harm to the data subject or any immediate family member.

b. Penalty of the additional offence

A person engaging in doxxing activities in contravention of the proposed offence risks a fine of up to HK$1,000,000 and up to 5 years’ imprisonment.

c. Newly added rectification notice system

The notice requires any person suspected of committing an offence under section 64 (comprising both the existing and new provisions) to take rectification actions[6] within a designated timeframe. Given the absence of geographical constraints on the Internet, such notice is to be served on any person who provides services in Hong Kong to Hong Kong residents, in order to direct the relevant online platform to rectify the doxxing content.

Clearly, the proposed amendment exposes Platform Operators and Platform Users to greater risks of committing an offence contrary to section 64. This is so not least because of the replacement of the conviction threshold of ‘without the data user’s consent’ with ‘without the data subject’s consent’, thereby rendering it easier for law enforcement agencies to track and trace: the data subject is generally more easily identified than a data user in the presence of repeated posting and reposting. The proposed amendment followed a series of injunction and contempt of court actions arising from doxxing (and cyberbullying activities generally) taken by the government recently, which evidences the government’s commitment to combatting such activities. It is therefore prudent for Platform Operators and Platform Users to adopt an appropriate approach in respect of messages that potentially amount to doxxing.

Next steps for Platform Operators and Platform Users

There are a number of steps Platform Operators and Platform Users can begin to take, which reflect best practice in advance of the legislative amendments coming into force:

  • Avoid disclosing any data of a personal nature, unless the data in question cannot possibly constitute ‘personal data’[7] under the PDPO, or the consent of both the data user and the data subjects (and the data subjects’ immediate family members) is obtained.
  • Exercise caution when contracting out online platform services where multiple third parties are involved, which inevitably makes platform management difficult. Ensure adequate policies and procedures are in place.
  • Conduct regular checks to ensure that platforms do not contain sensitive or inappropriate information. Where platform operators are also data users under the PDPO[8], regular checks enable compliance with the PDPO, the six Data Protection Principles in particular.
  • Publish prominent warning messages to state clearly that posting (or otherwise disclosing) sensitive and inappropriate information may violate section 64 of the PDPO.
  • Establish internal policies (e.g. who has platform access and editing rights?), protocols and personnel to guard against potential doxxing activities and, where necessary, for speedy rectification actions. 
  • Remove messages containing sensitive or inappropriate information from the platform immediately when found, and report to the Office of the Privacy Commissioner for Personal Data as soon as practicable.[9] Set up channels for Platform Users to report improper content.
  • Cooperate with investigations. Under the proposed amendment, any person who refused to comply without a reasonable excuse, or who deliberately provided false or misleading details, would be guilty of an offence.

Kevin Warburton / Jeffrey Tong


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.

[1] Such other persons as family members, relatives or friends.

[2] These include search engines, networking platforms and discussion forums, public registers and anonymous reports.

[3] Sections 64(1) and (2) of the PDPO.

[4] Pursuant to section 2 of the PDPO, a data subject essentially means the owner of personal data.

[5] Other aspects of the proposed amendment include, for example, increased investigative and prosecution powers vested in the Privacy Commissioner for Personal Data.

[6] This means, for example, removing the doxxing message from the platform within a designated timeframe, similar to the mechanism of the Enforcement Notice under section 50 of the PDPO.

[7] ‘Personal data’, per section 2 of the PDPO, includes any data (other than name or ID number) of a person which may not be a direct identifier but which can, when combined with other data, indirectly ascertain a person’s identity. Moreover, it was proposed that the definition of ‘personal data’ be expanded to cover information relating to an ‘identifiable’ natural person (see the January 2020 review paper produced by the Constitutional and Mainland Affairs Bureau (LC Paper No. CB(2)512/19-20(03))).

[8] A ‘data user’ is, per section 2 of the PDPO, a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data.

[9] This is in line with the spirit of the mandatory breach notification, which is encouraged and may become law, it being one of the six proposed amendments to the PDPO set out in the January 2020 review paper produced by the Constitutional and Mainland Affairs Bureau (LC Paper No. CB(2)512/19-20(03)).