The Hong Kong Personal Data Privacy Ordinance (PDPO) Amendment Bill was passed Wednesday 29 Sept 2021 (the Amendment(s)).
Essentially, the Amendments cover doxxing and broader direct powers of the data privacy commissioner.
Doxxing in its broadest form relates to disclosing personal data without consent. The Amendment replaces the existing language of Art 62(2) of the PDPO and creates two tiers for doxxing offences to protect data subjects and their family members as follows:
1. A summary offence for disclosing personal data without the data subject’s consent where the discloser has intent to or recklessly causes a specified harm to the data subject or a family member of the data subject due to the unconsented to disclosure of data (fine of HK$100,000 and up to two years’ imprisonment); and
2. An indictable offence, if a specified harm is caused to the data subject or a family member of the data subject due to the disclosure of personal data (fine up to HK$1,000,000 and imprisonment for up to five years).
To expedite doxxing cases, the data privacy commissioner will now have the power to summarily prosecute certain offences in the magistrates’ courts.
Data privacy commissioner has direct criminal investigation and prosecution powers
Significantly, prior to the Amendments, the data privacy commissioner has had to refer cases to the police and the Department of Justice (DOJ). Now, the data privacy commissioner has expanded investigative and enforcement powers, including powers to compel the provision of materials and assistance, to enter and search premises without a warrant (if there is a reasonable suspicion), to access and search electronic devices, to stop, search and arrest persons, to serve cessation notices and to apply for injunctions. Furthermore, the data privacy commissioner can also now decide to prosecute certain offences directly or refer a case to the police or the DOJ, depending on the severity of the case.
Data privacy commissioner has statutory powers to demand cease and desist
The data privacy commissioner can directly serve a cessation notice in the case of doxxing, where there is a disclosure of personal data without the data subject’s consent, the discloser intends to or recklessly causes a specified harm to a data subject or their family members due to the disclosure and the data subject is a Hong Kong resident or is present in Hong Kong when the disclosure was made.
Due to the global and boundaryless nature of the Internet, the Amendments give the PDPO extraterritorial effect with respect to doxxing. Consequently, the data privacy commissioner can serve cessation notices regardless of whether the disclosure is made in Hong Kong or not.
Cessation notices can be served both inside and outside of Hong Kong depending on whether a doxxer or internet service provider is within Hong Kong or outside Hong Kong – the latter is a likely scenario in the case of internet service providers such as messaging systems and social media platforms.
The data privacy commissioner may also seek an injunction where there is or is likely to be large-scale or repeated non-permissible disclosures as a precautionary measure to prevent the future recurrence of doxxing incidents targeting specific people or groups.
The PDPO Amendments represent the newest chapter in Hong Kong’s data privacy regulatory regime and the expanded powers of the Hong Kong Data privacy commissioner will certainly give the PDPO sharper teeth.
The author, a member of our Corporate and Commercial practice group, is a member of the International Association of Privacy Professionals and holds CIPP/E (certified international privacy practitioner/EU (GDPR)) and CIPM (certified information privacy manager) certifications. Alexander May is one of only a few multidisciplinary practitioners that focuses on corporate, commercial and data privacy.
This article is for general information purposes only, is not intended to, and does not constitute legal advice. Alexander May would be delighted to assist with any queries you may have related to data privacy impact assessments or any other data privacy matters.