Hong Kong – Be aware of the Personal Data Laws

The Personal Data (Privacy) (Amendment) Ordinance 2021 (the Ordinance) came into effect on 8 October 2021.  It amends the Personal Data (Privacy) Ordinance (Cap.486) (PDPO).  In our alert, we consider what these changes may mean for businesses handling personal data from Hong Kong.

The Ordinance amends the PDPO, particularly to:

  1. criminalise doxxing, i.e. unconsented disclosure of personal information of targeted individuals and groups;
  2. introduce a cessation notice regime to tackle doxxing with extra-territorial reach; and
  3. substantially expand the investigation and enforcement powers of the Privacy Commissioner for Personal Data (the Commissioner), in contexts beyond doxxing.

A look back into 2019

Since 2019, there has been a surge in doxxing activities in Hong Kong. The PDPO already criminalized disclosure of personal data obtained from a data user[1] without the data user’s consent where such disclosure causes psychological harm to the data subject.[2]

Prosecution of this offence can be hard. Say Person A’s name, age and photo identification were disclosed on social media. It is easy to ascertain whether that person – the “data subject” – has consented or not. For all intents and purposes, that person will likely have complained about the non-consensual disclosure. However, it is not as easy to identify who the relevant “data user” is – is it that person’s employers, banks, travel agents, other service providers, or fellow users on social media platforms?

The amendments remove this difficulty. Now, the prosecution no longer needs to track down who the given data user is, and whether it has consented.

Of still wider implication, though, for businesses handling lots of personal data, are the new extensive powers the Ordinance has given the Commissioner.


The Ordinance introduces two-tier doxxing offences:

  1. First tier doxxing offence – in essence intentional or reckless non-consensual disclosure, without proof of any actual harm caused – punishable by up to HK$100,000.00 fine and 2 years’ imprisonment (s. 64(3A), (3B))
  2. Second tier doxxing offence – in essence intentional or reckless non-consensual disclosure causing harm – punishable by up to HK$1,000,000.00 fine and 5 years’ imprisonment (s. 64(3C), (3D))

“Harm”.  The requisite “harm” is widely defined, and includes bodily harm, psychological harm, property damage and various forms of harassment (s. 64(6)).  The harm can be to the data subjects or their family members.

A wide net. Notably the first tier doxxing offence in Hong Kong, not requiring proof of actual harm, casts a wider net than often seen in other jurisdictions.  Doxxing offences exist in other jurisdictions, e.g. Singapore[3] and New Zealand[4].  These jurisdictions require proof of actual harm caused.

Extra-territorial? The Ordinance does not expressly provide for extra-territoriality for the doxxing offences.  Their jurisdictional reach is therefore debatable.


The Commissioner has a new power to issue “cessation notices”. We see resemblance between the takedown regimes in the doxxing context and under the Hong Kong National Security Law.[5] These two seem the only currently available executive-led statutory takedown regimes in Hong Kong.

Doxxing people residing or present in Hong Kong.  In essence, the Commissioner now has the power to compel takedown of content reasonably believed to be contravening doxxing offences, where the data subject is a Hong Kong resident or is present in Hong Kong at the time of disclosure (ss. 66K, 66L).

Extra-territorial reach.  Businesses in and outside Hong Kong should pay attention, because a cessation notice has extra-territorial reach.  It may be served by email or similar methods on persons in Hong Kong or on a “non-Hong Kong service provider” that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person (ss. 66M, 68).

Penalty and exposure for non-compliance.  Failure to comply with a cessation notice is itself a criminal offence, punishable by fine and imprisonment (s. 66O(1)).

Further, in our view, a failure to comply will give rise to exposure to potential accessory liability, on the part of, say, a platform operator hosting content published by others, for aiding and abetting the principal doxxing offences.

A powerful tool.  Other jurisdictions have their own takedown regimes, but the exact scope and mechanisms vary.  For instance, in Singapore, it is for a doxxing victim to apply to the court for takedown.[6]  Comparatively, the Commissioner has a much more efficient takedown power in her toolbox.

Defences.  Specific defences are available to a person contravening a cessation notice, such as unavailability of technology necessary for compliance, and risk of incurring substantial loss or prejudice to a third party (s. 66O(2)).

Appeals.  One can appeal a cessation notice to the Administrative Appeals Board within 14 days of service of the notice, but compliance is required pending appeal (s. 66N).

Statutory immunity.  A person who complies with a cessation notice is given statutory immunity from civil liability arising from the compliance (s. 66P).


The Commissioner has new extensive investigation and enforcement powers, to:

  1. compel information production, interview attendance and other assistance (s. 66D);
  2. enter and search premises, and seize, remove and detain any material in the premises (s. 66G(2));
  3. access, seize and detain electronic devices, and decrypt, search for and reproduce any material stored in the devices, with magistrate’s warrant or without one in case of urgency (s. 66G(3), (8));
  4. stop, search and arrest any person who is reasonably suspected of committing certain PDPO offences, including the doxxing offences (s. 66H); and
  5. prosecute the first tier doxxing offence and other summary offences under the PDPO (s. 64C).

Exercisable beyond doxxing.  Notably, these powers are exercisable beyond the doxxing context, but generally in the context of certain suspected offences under the PDPO, such as disclosure of personal data obtained without the data user’s consent.[7]

Statutory secrecy.  Note also that the Commissioner’s investigations are subject to statutory secrecy (s. 66R), similar to regimes governing investigations by the Independent Commission Against Corruption and the Securities and Futures Commission.

Implications in your daily operation

Generally, businesses touching personal data from Hong Kong should consider the impact of the Ordinance, and get ready for it. 

Businesses potentially impacted are those in or outside Hong Kong with broad customer, user or employee bases giving access to personal data of people resident or present in Hong Kong, in industries like:

  1. banking and financial;
  2. hospitality;
  3. travel; and
  4. technology (e.g. social media, e-commerce, cloud service providers, data centres).

How businesses should get ready:

  1. get relevant functions educated about the Ordinance;
  2. map exposure to the Ordinance;
  3. update existing personal data policies and procedures;
  4. update policies and procedures, and get proper training, for handling cessation notices from and investigations by the Commissioner.  Notably investigations must be handled with heightened care, to avoid inadvertent contravention of statutory secrecy, with potential criminal consequences; and
  5. seek legal advice when handling doxxing cessation notices and personal data investigations.

[1] “Data user”, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data (PDPO, s. 2).
[2] “Data subject”, in relation to personal data, means the individual who is the subject of the data (PDPO, s. 2).
[3] Singapore Protection from Harassment Act, s. 3.
[4] New Zealand Harmful Digital Communications Act 2015, s. 22.
[5] Implementation Rules for Article 43 of the Hong Kong National Security Law, Schedule 4.
[6] Singapore Protection from Harassment Act, ss. 15A and 15C.
[7] Contrary to PDPO, s. 64(1).