Hong Kong – Be aware of the Personal Data Laws


The Personal Data (Privacy) (Amendment) Ordinance 2021 (the Ordinance) came into effect on 8 October 2021. In our alert, we consider what these changes may mean for businesses handling personal data from Hong Kong.

The Ordinance amends the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), particularly to:

  1. criminalise doxxing, i.e. unconsented disclosure of personal information of targeted individuals and groups;
  2. introduce a cessation notice regime to tackle doxxing with extra-territorial reach; and
  3. substantially expand the investigation and enforcement powers of the Privacy Commissioner for Personal Data (the Commissioner), in contexts beyond doxxing.

A look back into 2019

Since 2019, there has been a surge in doxxing activities in Hong Kong. The PDPO already criminalised disclosure of personal data obtained from a data user[1] without the data user’s consent where such disclosure causes psychological harm to the data subject.[2]

Prosecution of this offence can be hard. Let’s say Person A’s name, age and photo identification were disclosed on social media. It is easy to ascertain whether that person – the “data subject” – has consented or not. For all relevant intents and purposes, that person will likely have complained about the non-consensual disclosure. However, it is not as easy to identify who the relevant “data user” is – is it that person’s employers, banks, travel agents, other service providers, or fellow users on social media platforms?

The amendments remove this difficulty. Now, the prosecution no longer needs to track down who the given data user is, and whether it has consented.

Of still wider implication, though, for businesses handling lots of personal data, are the new extensive powers the Ordinance has given the Commissioner.


The Ordinance introduces two-tier doxxing offences:

  1. First tier doxxing offence – in essence intentional or reckless non-consensual disclosure, without proof of any actual harm caused – punishable by up to HK$100,000.00 fine and 2 years’ imprisonment (s. 64(3A), (3B))
  2. Second tier doxxing offence – in essence intentional or reckless non-consensual disclosure causing harm – punishable by up to HK$1,000,000.00 fine and 5 years’ imprisonment (s. 64(3C), (3D))

“Harm”.  The requisite “harm” is widely defined, and includes bodily harm, psychological harm, property damage and various forms of harassment (s. 64(6)).  The harm can be to the data subjects or their family members.

A wide net. Notably the first tier doxxing offence in Hong Kong, not requiring proof of actual harm, casts a wider net than often seen in other jurisdictions.  Doxxing offences exist in other jurisdictions, e.g. Singapore[3] and New Zealand[4].  These jurisdictions require proof of actual harm caused.

Extra-territorial? The Ordinance does not expressly provide for extra-territoriality for the doxxing offences.  Their jurisdictional reach is therefore debatable.


The Commissioner has a new power to issue “cessation notices”. We see a resemblance between the takedown regimes in the doxxing context and under the Hong Kong National Security Law.[5] These two seem to be the only currently available executive-led statutory takedown regimes in Hong Kong.

Doxxing people residing or present in Hong Kong.  In essence, the Commissioner now has the power to compel takedown of content reasonably believed to be contravening doxxing offences, where the data subject is a Hong Kong resident or is present in Hong Kong at the time of disclosure (ss. 66K, 66L).

Extra-territorial reach.  Businesses in and outside Hong Kong should pay attention, because a cessation notice has extra-territorial reach.  It may be served by email or similar methods on persons in Hong Kong or on a “non-Hong Kong service provider” that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person (ss. 66M, 68).

Penalty and exposure for non-compliance.  Failure to comply with a cessation notice is itself a criminal offence, punishable by fine and imprisonment (s. 66O(1)).

Further, in our view, a failure to comply will give rise to exposure to potential accessory liability, on the part of, say, a platform operator hosting content published by others, for aiding and abetting the principal doxxing offences.

A powerful tool.  Other jurisdictions have their own takedown regimes, but the exact scope and mechanisms vary.  For instance, in Singapore, it is for a doxxing victim to apply to the court for takedown.[6]  Comparatively, the Commissioner has a much more efficient takedown power in her toolbox.

Defences.  Specific defences are available to a person contravening a cessation notice, such as unavailability of technology necessary for compliance, and risk of incurring substantial loss or prejudice to a third party (s. 66O(2)).

Appeals.  One can appeal a cessation notice to the Administrative Appeals Board within 14 days of service of the notice, but compliance is required pending appeal (s. 66N).

Statutory immunity.  A person who complies with a cessation notice is given statutory immunity from civil liability arising from the compliance (s. 66P).


The Commissioner has new extensive investigation and enforcement powers, to:

  1. compel information production, interview attendance and other assistance (s. 66D);
  2. enter and search premises, and seize, remove and detain any material in the premises (s. 66G(2));
  3. access, seize and detain electronic devices, and decrypt, search for and reproduce any material stored in the devices, with magistrate’s warrant or without one in case of urgency (s. 66G(3), (8));
  4. stop, search and arrest any person who is reasonably suspected of committing certain PDPO offences, including the doxxing offences (s. 66H); and
  5. prosecute the first tier doxxing offence and other summary offences under the PDPO (s. 64C).

Exercisable beyond doxxing.  Notably, these powers are exercisable beyond the doxxing context, but generally in the context of certain suspected offences under the PDPO, such as disclosure of personal data obtained without the data user’s consent.[7]

Statutory secrecy.  Note also that the Commissioner’s investigations are subject to statutory secrecy (s. 66R), similar to regimes governing investigations by the Independent Commission Against Corruption and the Securities and Futures Commission.

Implications in your daily operation

Generally, businesses touching personal data from Hong Kong should consider the impact of the Ordinance, and get ready for it. 

Businesses potentially impacted are those in or outside Hong Kong, with broad customer, user or employee bases, giving access to personal data of people resident or present in Hong Kong.  These include industries like:

  1. banking and financial;
  2. hospitality;
  3. travel; and
  4. technology (e.g. social media, e-commerce, cloud service providers, data centres).

How businesses should get ready:

  1. get relevant functions educated about the Ordinance;
  2. map exposure to the Ordinance;
  3. update existing personal data policies and procedures;
  4. update policies and procedures, and get proper training, for handling cessation notices from and investigations by the Commissioner.  Notably investigations must be handled with heightened care, to avoid inadvertent contravention of statutory secrecy, with potential criminal consequences; and
  5. seek legal advice when handling doxxing cessation notices and personal data investigations.

[1] “Data user”, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data (PDPO, s. 2).
[2] “Data subject”, in relation to personal data, means the individual who is the subject of the data (PDPO, s. 2).
[3] Singapore Protection from Harassment Act, s. 3.
[4] New Zealand Harmful Digital Communications Act 2015, s. 22.
[5] Implementation Rules for Article 43 of the Hong Kong National Security Law, Schedule 4.
[6] Singapore Protection from Harassment Act, ss. 15A and 15C.
[7] Contrary to PDPO, s. 64(1).

This material is for informational purposes only and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Artefaktum  has no responsibility or liability for any decision made or any other acts or omissions in connection with Reader’s use of this material.

Artefaktum does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.




Ian Watt 
+1 617 861 9250