The Hong Kong government will soon pass a set of tough amendments to the Personal Data (Privacy) Ordinance (PDPO) against doxxing, which is commonly known as the act of publishing or disclosing a person's personal information, such as a phone number or address, without the person's consent and with malicious intent.
The bill, once passed, will give the Privacy Commissioner the power to conduct criminal investigations, prosecute violators, access the electronic devices of technology companies without a warrant in urgent circumstances and issue requests to remove content and block websites if they refuse to comply.
While the internet sector has raised concerns over the vague definition of doxxing and the rise in content-blocking in recent weeks, the government escalated its hardline approach and gazetted the bill on July 16. The first reading and debate were on July 21. Given that the Legislative Council has zero opposition currently, the bill will likely soon be passed without much amendment.
The current bill, which is slightly different from the original proposal introduced in May, creates two tiers of offences to curb doxxing.
The threshold of the first tier states that anyone who leaks an individual’s personal information ‘without consent’ with the intent to harm the person or their family could face two years of jail time and a maximum fine of 100,000 HK dollars (12,900 US dollars). The second tier, which includes psychological harm from data disclosure without consent, establishes a penalty of up to five years in jail with a maximum fine of 1 million HK dollars (129,000 US dollars).
Administrators of both local and overseas websites and service providers who are responsible for the platforms’ operations could also face up to two years imprisonment and a 100,000 HK dollar (12,900 US dollar) fine if they fail to remove content after receiving a notification from the Privacy Commissioner.
A vague definition, excessive power and extraterritorial implications
The proposed anti-doxxing legislation has raised grave concerns from the internet sector as reflected in a letter issued by the Asia Internet Coalition on June 25.
The letter criticized the amendments for vaguely defining doxxing as actions that are ‘intrusive to personal data privacy and in effect weaponise personal data,’ which they say could result in ‘an overly broad interpretation such that even innocent acts of sharing of information online could be deemed unlawful under the PDPO’.
The letter also pointed out that the amendments have not taken freedom of speech into consideration. For example, they do not exempt liability in ‘situations where information (including personal data) is disclosed by a person to establish/defend his or her legal rights, or where there is a public interest to know.’
The Coalition also described the power given to the Privacy Commissioner as ‘excessive':
[The amendments] would effectively empower an independent statutory authority to a level akin to the Hong Kong Police Force itself, and in a manner that is highly unusual and out of step with international privacy developments. There are, to our knowledge, no other jurisdictions in Asia-Pacific which have introduced equivalent powers to statutory authorities.
The letter expressed deep concern about the Privacy Commissioner's ability to conduct a search without a court warrant. The current bill specifies that the power to search without a warrant will be confined to ‘urgent circumstances’.
The coalition also found the extension of criminal liability to intermediaries from the scope of ‘persons’ (employees) and its extraterritorial implication under the amendments most unreasonable.
In current practice, overseas online platforms which have no legal entities in Hong Kong could neglect Hong Kong government authorities’ content removal requests without legal liability. But as the bill have extended the liability to their employees, these individuals may face criminal prosecutions if they are residing or in the worst scenario when they are travelling in Hong Kong.
In response to this specific concern, the latest version of the bill specifies that only executives or managers in a position to process content removal requests would be liable.
International tech giants including Facebook, Google, Amazon and Twitter, among others, are members of the Singapore-based Asia Internet Coalition.
According to a report from The Wall Street Journal, Facebook, Google and Twitter are considering leaving Hong Kong to prevent legal risk to their employees under the new legislation. Soon after the enactment of Hong Kong's national security law in July 2020, multiple social media and content hosting platforms including Telegram, Facebook, Google, LinkedIn and Twitter refused to respond to the Hong Kong government’s user data requests.
Freedom of information at risk
Even in the second draft, the Hong Kong government has not addressed other issues raised by the internet sector. In an interview with RTHK, Ada Chung Lai-ling, the current Privacy Commissioner, stressed that if an online platform does not cooperate and comply with the content removal requests, the Commissioner could request the ISPs to shut down or block the entire site.
Chung stated that majority of 70 percent of service and platform providers is cooperative in removing the problematic contents upon receiving the Commissioner's requests and she expected more will comply with the request after the passage of the amendment as it toughens the punishment and criminalizes non-compliance.
She highlighted the difficulties in enforcing the law if the platform is hosted overseas or if the company director is not in Hong Kong. To address this problem, the law extends criminal liability to local employees who are in a position to remove the content. Chung stressed:
“Local staff of these platforms won't be held responsible if they have nothing to do with the operation of the sites…We will only ask the [platforms] to remove the doxxing content… If they refuse to cooperate, we will consider removing the entire website. This is the last step if other approaches don't work.”
The pro-democracy sector in Hong Kong fears that the amendments would provide another legal basis, in addition to the NSL, for cutting off access to websites and tools such as LIHKG or Telegram, which are hosted overseas and used by dissidents to share protest-related information.
Law Ho Lam, president of the Internet Society Hong Kong (ISOCHK) agreed with the letter issued by the Asia Internet Coalition that the bill gives the Privacy Commission ‘excessive and disproportionate powers‘ and was worried that the vague definition of doxxing may lead to speech incrimination.
Wong Ho-wa, an open data activist, also feared that platform administrators would over-monitor and block unsure content to prevent legal liability, which would eventually undermine the freedom of information in Hong Kong.
In addition to the anti-doxxing law, the Hong Kong government also plans to introduce an anti-fake news law to strengthen its grip on digital news and the information flow.