Kareena Teh (Partner)
Email: kareena.teh@eylaw.com.hk

Philip Kwok (Counsel)
Email: philip.kwok@eylaw.com.hk

On 16 July 2021, the Hong Kong SAR Government introduced the Personal Data (Privacy) (Amendment) Bill 2021 (the “Amendment Bill”) to the Legislative Council for the purposes of criminalizing doxxing.

The Amendment Bill confers broad investigative and enforcement powers on the Privacy Commissioner for Personal Data (the “Privacy Commissioner”) to prosecute such acts and demand actions to cease or restrict disclosures of doxxing contents. Such powers have specific implications for providers of electronic communication services (“ECS”). In this article, we outline the proposed legislative change and its specific implications for ECS providers.

Overview of Proposed Amendments Criminalizing Doxxing and Empowering Enforcement

Under the Amendment Bill, doxxing and conspiring to dox are criminal offences. Any person who discloses or conspires to disclose any personal data of a data subject or any of his / her family members without consent, with an intent to cause harm (including harassment, intimidation, bodily harm, psychological harm, causing a person to be concerned of his/her safety or well-being, damage to property, etc.) or being reckless as to whether such harm would be caused commits an offence that is punishable by fines and imprisonment.

The Commissioner, who is currently only empowered under the Personal Data (Privacy) Ordinance (the “Ordinance”) to issue enforcement notices for data breaches, will have wide ranging powers of investigation and enforcement. These powers include the power to:-

  • issue notices in writing (“Investigation Notices”) requiring any person who the Commissioner reasonably suspects to have possession or control of materials relevant to the investigations or may otherwise be able to assist with the investigation to:

- answer questions in person or in writing, to make a statement or to give assistance that the Commissioner reasonably requires;
- provide any matter relevant to the investigation that is within the person’s possession or control;

  • enter and search premises with a warrant;
  • access and search electronic devices with or without a warrant (in certain circumstances);
  • stop, search and arrest persons;
  • serve cessation notices (“Cessation Notices”) upon any Hong Kong person or non-Hong Kong service providers who the Commissioner has reasonable grounds to believe are able to take a cessation action;
  • apply to the Court of First Instance for injunctions in relation to conduct that constitutes an offence;
  • prosecute certain offences in the Commissioner’s name.

Such powers are supported by offence provisions which make it an offence (punishable by fine and imprisonment) not to comply with Investigation Notices and Cessation Notices without reasonable excuse or to obstruct, hinder or resist the Commissioner or authorized persons in the exercise of their powers of investigation without lawful excuse.

Potential implications for ECS Providers

1. Obligation to assist in decryption and search for materials stored in electronic devices

Currently drafted, the power to search and access materials stored on electronic devices includes the power to request decryption and searching for such materials. Accordingly, it is possible that ECS providers such as electronic platforms and hosting service providers may be required to assist in decrypting and/or to searching for materials stored in such devices. It would be an offence to obstruct, hinder or resist the Commissioner or authorized persons in the exercise of their powers without lawful excuse.

2. Obligation to take action to cease or restrict doxxing[1]

Further, a new privacy enforcement regime of Cessation Notices having extra-territorial effect will also be introduced. Notably:

  • Cessation Notices can be issued against any messages of a data subject as long as the data subject is a Hong Kong resident or is present in Hong Kong, irrespective of whether the message exists in Hong Kong or abroad; and
  • Cessation Notices can be served upon any Hong Kong person or non-Hong Kong service providers if the Commissioner has reasonable ground to believe that the person or service provider can take a cessation action (whether or not in Hong Kong) in relation to the message. Note that a non-Hong Kong service provider is defined as a person (not being a Hong Kong person) that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person.

Accordingly, Cessation Notices can be issued against ECS providers (regardless of whether they are based in Hong Kong or abroad), including electronic platforms, hosting service providers and internet services providers, to take action to remove, cease, restrict access of any relevant message and/or discontinue the hosting service for the whole or part of the relevant platform where the relevant message is published. It would be an offence to contravene Cessation Notices without reasonable excuse, having regard to the nature, difficulty or complexity of the Cessation Notices in question, the reasonable availability of the technology necessary for compliance, the risk of incurring substantial loss or substantially prejudicing third party rights or the risk of incurring civil liability.

Recommended proactive preparatory steps for ECS providers

It is expected that the Amendment Bill may be passed by the Legislative Council in or before October this year.

We recommend ECS providers proactively prepare for the new enforcement regime. Key steps that ECS providers way consider taking include:-

  • Understand the proposed enforcement regime and its potential impact on the business, particularly the services that could become inadvertently involved in doxxing and investigations by the Commissioner;
  • Consider carefully the type of assistance and facilities that can or cannot be provided to the Commissioner in the event of an investigation and in responding to Investigation Notices and Cessation Notices;
  • Prepare internal protocols for responding to any investigations by the Commissioner and complying with Investigation Notices and Cessation Notices;
  • Provide proper training to staff for any potential investigations and enforcement actions by the Commissioner; and
  • Have an experienced legal team in mind for responding to the Commissioner’s investigation and enforcement actions.

Article references:

  1. The Commissioner of Police has similar powers under the Implementation Rules for Article 43 of the National Security Law, with the approval of the Secretary for Security, to authorize a designated police officer to request that ECS providers take action to remove, restrict and/or cease access to any message and/or platform or its relevant part, where the Commissioner of Police has reasonable grounds to suspect that a message published on an electronic platform is likely to constitute an offence of endangering national security or is likely to cause the occurrence of such an offence. It is not clear whether these powers can be exercised extra-territorially.