Proposal to amend Hong Kong’s personal data laws and the implications

The Discussion Paper focuses on introducing amendments to the PDPO to address the issue of doxxing.

13 July 2021

Publication

On 17 May 2021, the Constitutional and Mainland Affairs Bureau published a discussion paper (Discussion Paper) on proposed amendments to the Personal Data (Privacy) Ordinance (PDPO). This follows previous discussions back in January 2020 on amending the privacy law in Hong Kong (see our earlier article here). The Discussion Paper focuses on introducing amendments to the PDPO to address the issue of doxxing, which is an act of disclosing personal information online without the consent of the relevant data subject, usually with the intention to harass the victim.

What are the proposed amendments?

The Discussion Paper introduces three major proposed amendments to the PDPO, namely (1) to add an offence to curb doxxing acts; (2) to empower the Privacy Commissioner for Personal Data (the Commissioner) to carry out criminal investigations and prosecutions; and (3) to confer on the Commissioner statutory powers to demand the rectification of doxxing contents.

  1. Doxxing acts offence

    It is proposed that a new offence be introduced under section 64 of the PDPO to curb doxxing acts. The current section 64 of the PDPO only captures the disclosure of personal data without the data user's consent. However, most recent doxxing cases involve repeated reposting of a data subject's personal information on online platforms, and it is difficult to rely on the current section 64 of the PDPO to combat doxxing acts, as it is unlikely that the Commissioner can identify the data users concerned and establish whether consent has been obtained from the data user. The proposed amendments to section 64 would create an offence where a person discloses any personal data without the data subject's consent with the intention to threaten, intimidate, harass, or cause psychological harm to, the data subject or any immediate family. A person may face a fine of up to HK$1m and imprisonment of 5 years for committing doxxing.

  2. Criminal investigation and prosecution powers

    It is proposed that the Commissioner be empowered to carry out criminal investigations and initiate prosecutions; those powers are currently only held by the Police and the Department of Justice.

  3. Rectification of doxxing contents

    At present, the Commissioner may request online publishers and platforms to remove doxxing content, but compliance with such requests is not legally mandatory. The amendments propose to give the Commissioner the power to order a person to take rectification action within a designated timeframe (such as removing the doxxing content before a certain deadline) by issuing a Rectification Notice to any person who provides services in Hong Kong to Hong Kong residents. An appeal may be made to the Administrative Appeals Board (AAB) against a Rectification Notice by any person affected not later than 14 days after a notice is served, but the person must comply with the notice in the meantime, pending the AAB's final decision, so as to contain any harm caused to the data subjects. If online publishers and platforms fail to comply with a Rectification Notice, it is proposed that the penalties would be similar to those for the contravention of an enforcement notice (i.e. failure to comply may result in a fine of HK$50,000 and imprisonment for 2 years on a first conviction).

What implications might there be for online businesses in Hong Kong?

These proposed amendments pose operational concerns for many online businesses that allow user-generated content on their websites. As mentioned in our previous update, we expected strong pushback from the sector if liability were to be imposed on online platforms and their staff for user-generated content. Online industry stakeholders have voiced concerns that they do not, in the usual course, have editorial control over user-generated content and should not be penalized for users' doxxing actions over which platform operators do not have complete control.

The requirement for the Commissioner to issue a Rectification Notice before a legal obligation to remove doxxing content is triggered eases these operational concerns to some extent, as it lessens the burden to conduct onerous continuous monitoring of user-generated content. However, the difficulty of removing viral content remains, particularly where there may be a failure to respond completely within a certain timeframe despite the efforts of an online operator.

The criminal implications of such a failure are particularly concerning for businesses. After the release of the Discussion Paper, many large technology companies have expressed strong opposition to the broadness of the proposed amendments. In particular, many employers are concerned that the proposed amendments may expose their employees in Hong Kong to prosecution for a failure to comply with a Rectification Notice. For example, it is still unclear what degree of knowledge may be required to establish criminal liability of companies and their staff. There are also open questions as to who within a company should be responsible for complying with a Rectification Notice, and how such an employee might be protected.

More broadly, concerns have been raised as to whether the PDPO is the right legislative vehicle for these amendments and whether the Commissioner is the right regulator to pursue criminal investigations and initiate prosecutions. It has been observed that empowering the Commissioner to initiate criminal investigations and prosecutions is unusual and goes beyond the typical remit of privacy regulators seen in many other jurisdictions.

We expect there to be further discussion between the government and relevant stakeholders to refine the details of the proposed anti-doxxing regime. We also expect the Commissioner to establish clearer guidance on what constitutes a doxxing act and failure to rectify. Meanwhile, online operators are recommended to start reviewing their practices and procedures, including existing notice and takedown policies and procedures, to prepare for the proposed new laws.
