The Personal Data (Privacy) (Amendment) Ordinance 2021 (the Ordinance) came into effect on 8 October 2021. It amends the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). In this alert, we consider what these changes may mean for businesses handling personal data from Hong Kong.
The Ordinance amends the PDPO, in particular to:
- criminalise doxxing, i.e. unconsented disclosure of personal information of targeted individuals and groups;
- introduce a cessation notice regime to tackle doxxing with extra-territorial reach; and
- substantially expand the investigation and enforcement powers of the Privacy Commissioner for Personal Data (the Commissioner), in contexts beyond doxxing.
NEW DOXXING OFFENCES
The Ordinance introduces two-tier doxxing offences:
- First tier doxxing offence – in essence intentional or reckless non-consensual disclosure, without proof of any actual harm caused – punishable by up to HK$100,000.00 fine and 2 years’ imprisonment (s. 64(3A), (3B))
- Second tier doxxing offence – in essence intentional or reckless non-consensual disclosure causing harm – punishable by up to HK$1,000,000.00 fine and 5 years’ imprisonment (s. 64(3C), (3D))
“Harm”. The requisite “harm” is widely defined, and includes bodily harm, psychological harm, property damage and various forms of harassment (s. 64(6)). The harm can be to the data subjects or their family members.
A wide net. Notably, the first tier doxxing offence in Hong Kong, which does not require proof of actual harm, casts a wider net than is often seen elsewhere. Doxxing offences exist in other jurisdictions, e.g. Singapore [3] and New Zealand [4], but those jurisdictions require proof of actual harm caused.
Extra-territorial? The Ordinance does not expressly provide for extra-territoriality for the doxxing offences. Their jurisdictional reach is therefore debatable.
NEW CESSATION NOTICE REGIME
The Commissioner has a new power to issue “cessation notices”. We see a resemblance between the takedown regime in the doxxing context and that under the Hong Kong National Security Law. [5] These two appear to be the only currently available executive-led statutory takedown regimes in Hong Kong.
Doxxing people residing or present in Hong Kong. In essence, the Commissioner now has the power to compel takedown of content reasonably believed to be contravening doxxing offences, where the data subject is a Hong Kong resident or is present in Hong Kong at the time of disclosure (ss. 66K, 66L).
Extra-territorial reach. Businesses in and outside Hong Kong should pay attention, because a cessation notice has extra-territorial reach. It may be served by email or similar methods on persons in Hong Kong or on a “non-Hong Kong service provider” that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person (ss. 66M, 68).
Penalty and exposure for non-compliance. Failure to comply with a cessation notice is itself a criminal offence, punishable by fine and imprisonment (s. 66O(1)).
Further, in our view, a failure to comply will give rise to exposure to potential accessory liability, on the part of, say, a platform operator hosting content published by others, for aiding and abetting the principal doxxing offences.
A powerful tool. Other jurisdictions have their own takedown regimes, but the exact scope and mechanisms vary. For instance, in Singapore it is for the doxxing victim to apply to the court for a takedown. [6] By comparison, the Commissioner has a much more efficient takedown power in her toolbox.
Defences. Specific defences are available to a person contravening a cessation notice, such as unavailability of technology necessary for compliance, and risk of incurring substantial loss or prejudice to a third party (s. 66O(2)).
Appeals. One can appeal a cessation notice to the Administrative Appeals Board within 14 days of service of the notice, but compliance is required pending appeal (s. 66N).
Statutory immunity. A person who complies with a cessation notice is given statutory immunity from civil liability arising from the compliance (s. 66P).
NEW EXTENSIVE INVESTIGATION AND ENFORCEMENT POWERS
The Commissioner has new extensive investigation and enforcement powers, to:
- compel information production, interview attendance and other assistance (s. 66D);
- enter and search premises, and seize, remove and detain any material in the premises (s. 66G(2));
- access, seize and detain electronic devices, and decrypt, search for and reproduce any material stored in the devices, with magistrate’s warrant or without one in case of urgency (s. 66G(3), (8));
- stop, search and arrest any person who is reasonably suspected of committing certain PDPO offences, including the doxxing offences (s. 66H); and
- prosecute the first tier doxxing offence and other summary offences under the PDPO (s. 64C).
Exercisable beyond doxxing. Notably, these powers are exercisable beyond the doxxing context, generally in relation to certain other suspected offences under the PDPO, such as disclosure of personal data obtained without the data user’s consent. [7]
Statutory secrecy. Note also that the Commissioner’s investigations are subject to statutory secrecy (s. 66R), similar to regimes governing investigations by the Independent Commission Against Corruption and the Securities and Futures Commission.
IMPLICATIONS FOR YOUR DAILY OPERATIONS
Generally, businesses touching personal data from Hong Kong should consider the impact of the Ordinance, and get ready for it.
Businesses potentially impacted are those, in or outside Hong Kong, with broad customer, user or employee bases that give them access to the personal data of people resident or present in Hong Kong. This includes industries such as:
- banking and financial;
- travel; and
- technology (e.g. social media, e-commerce, cloud service providers, data centres).
How businesses should get ready:
- get relevant functions educated about the Ordinance;
- map exposure to the Ordinance;
- update existing personal data policies and procedures;
- update policies and procedures, and obtain proper training, for handling cessation notices from and investigations by the Commissioner. Investigations in particular must be handled with heightened care, to avoid an inadvertent breach of statutory secrecy, which carries potential criminal consequences; and
- seek legal advice when handling doxxing cessation notices and personal data investigations.
[1] “Data user”, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data (PDPO, s. 2).