The Legislative Counsel Panel published a paper in May 2021 (the “Paper”) on proposed amendments to the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).
The main purpose of the latest round of proposed amendments to the PDPO is to combat a recent increase in “doxxing” – the use and publication on the Internet or social media of private information about individuals, typically with malicious intent.
According to the Paper, between June 2019 and April 2021, the Office of the Privacy Commissioner (the “Commissioner”) for Personal Data (“PCPD”) received over 5,700 doxxing-related complaints. In response, the PCPD has written over 297 times to operators of 18 websites, online social media platforms or discussion forums, urging them to remove over 5,905 hyperlinks to personal information.
The Panel recognises that the current PDPO regulates the “data user”, defined as a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data, and that the current Section 64 of the PDPO is not equipped to address doxxing acts.
Section 64(1) provides that a person commits an offence if he or she “discloses any personal data of a data subject which was obtained from a data user without the data user’s consent”. The lack of consent by the data user is hence a key element for conviction.. In most doxxing cases, however, the personal data involved are dispensed and repeatedly reposted on online forums, thereby making it difficult to ascertain the identity of the data user or whether the data user consented, or did not consent, for purposes of establishing the offence.
In order to address this, the Paper proposes to introduce an additional offence under Section 64, formulated as follows:-
A person commits an offence if the person discloses any personal data of a data subject without the data subject’s consent,
(a) with an intent to threaten, intimidate or harass the data subject or any immediate family member, or being reckless as to whether the data subject or any immediate family member would be threatened, intimidated or harassed; or
(b) with an intent to cause psychological harm to the data subject or any immediate family member, or being reckless as to whether psychological harm would be caused to the data subject or any immediate family member;
and the disclosure causes psychological harm to the data subject or any immediate family member.
The maximum penalty is proposed to be a fine of $1,000,000 and to imprisonment for 5 years on indictment, or a fine of $100,000 and to imprisonment for 2 years on summary conviction.
The Paper also proposes to empower the Privacy Commissioner (the “Commissioner”) for Personal Data to carry out criminal investigations and initiate prosecution under the new Section 64, as well as confer on the Commissioner the power to serve a Rectification Notice to any person for rectification action. The Rectification Notice can be served on any person who provides services in Hong Kong to Hong Kong residents.
The current plan of the Panel is to submit the Amendment Bill within this legislative year.
Contact us today if you need assistance in reviewing your data privacy policies.