Hong Kong to toughen up privacy law against doxxing

Screen capture of pro-government doxxing site hkleaks.

Hong Kong could soon lay down a set of amendments to the Personal Data (Privacy) Ordinance to curb doxxing, the act of publishing identifying information of a person on the internet with malicious intent.

Doxxing is a crime under the current Privacy Ordinance, but the Privacy Commissioner has in the past faced difficulties in tracing the sources of doxed content or verifying whether the information shared was obtained without consent. It also lacks the legal power to obligate platforms to remove doxed content.

Put forward in the Legislative Council on May 17, the upcoming bill will extend protection to the data subject's immediate family members and empower the Privacy Commissioner to conduct criminal investigations, initiate prosecutions, send content removal requests to platforms directly — without having to obtain a court order, apply for injunctions related to doxed content, and may even block foreign sites if they do not comply with content removal notices.

The proposed amendments also institute tougher penalties for those who commit doxxing — a maximum five-year jail term and a HK$1,000,000 fine (approximately US$ 128,765 dollars). Anyone, including local staff of overseas websites, could face two year imprisonment and a HK$100,000 fine (approximately US$ 12,976 dollars), if the platforms that they are in charge of or working for fail to comply with content removal requests.

Doxxing has become a widespread practice of both anti and pro-government protesters in Hong Kong since the anti-China extradition protests broke out in June 2019.

As riot police officers failed to display their ID numbers during operations, some pro-democracy activists reacted by compiling and circulating photos of officers who were seen using excessive force on protesters. Some police officers’ identities have also been revealed, and members of their families have been harassed in real life.

In response, the Secretary for Justice and the Commissioner of Police obtained an injunction in October 2019 prohibiting any members of the public from using or disclosing personal data of police officers and their family members if it would be likely used to intimidate them.

On the other side of the coin, Beijing and Hong Kong officials have publicly called for exposing teachers if they expressed support to the protests in class. They've also called for doxxing journalists working for pro-democracy media outlets and health workers who participated in strikes (for example, health workers staged a strike in early 2020 demanding the government closed Hong Kong's borders).

The pro-government doxxing site HKleaks hosts 3,434 files of personal data, including photos, telephone numbers, emails, social media accounts, and biographies of protesters, journalists, teachers, medical workers, artists, among others. This data has circulated on messaging apps and on social media platforms.

However, Hong Kong's privacy watchdog is powerless to protect those citizens fairly and equitably.

Between June 2019 and April 2021, the Privacy Commissioner documented 5,700 doxxing cases. It wrote 297 letters to 18 websites or platforms requesting the removal of 5,905 hyperlinks. About 70 percent of their requests were complied with.

But given its lack of investigating powers, the Privacy Commissioner referred 1,460 cases to the police, which arrested a total of 17 suspects in that period. Thus far, two were convicted of disclosing personal data without consent, one of which was sentenced to two-year imprisonment for obtaining police officers’ personal information and posting it on a Telegram group, according to the discussion paper submitted to the Legco.

The Privacy Commissioner referred 60 additional cases to the Department of Justice, all related to doxxing of police officers and their family members. Four people have been convicted.

If the proposed amendment is passed, the Privacy Commissioner could investigate these cases on its own, as well as take legal action without going through other law enforcement agencies.

Responding to concerns raised pro-establishment lawmakers that foreign social media platforms would not comply to take-down requests, Secretary for Constitutional Affairs Erick Tsang said:

Hong Kong employees of websites based overseas will be liable to arrest if their bosses fail to remove doxxing data from the platforms, under a new legal amendment to criminalise the malicious publishing of personal data… A lot of these overseas platforms will have operational or management staff in Hong Kong. We can catch these people. I believe they will be relatively cooperative with the notices.

Privacy Commissioner Ada Chung also stated that the proposed amendments could include a provision to ban whole websites if they are solely dedicated to hosting doxed information.

Under the national security law, the police has the power to block foreign sites without notifying the public. The first confirmed case took place in January 2021: Traffic to HKChronicles.com, an anti-government site that hosted doxed information of riot police officers, was blocked by internet service provider Hong Kong Broadband Network after it received a take-down order from the police.

The pro-government doxxing site HKleaks, meanwhile, is still online.

If the law passes, it remains to be seen whether the Privacy Commissioner will implement the law fairly and take action against doxxing regardless of the victims’ real or perceived political affilitions. It will be another test to the rule of law in Hong Kong.

Start the conversation

Authors, please log in »


  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.