On 16 July 2021, the Hong Kong SAR Government introduced the Personal Data (Privacy) (Amendment) Bill 2021 (the “Amendment Bill”) to the Legislative Council for the purposes of criminalizing doxxing.
The Amendment Bill confers broad investigative and enforcement powers on the Privacy Commissioner for Personal Data (the “Privacy Commissioner”) to prosecute such acts and demand actions to cease or restrict disclosures of doxxing contents. Such powers have specific implications for providers of electronic communication services (“ECS”). In this article, we outline the proposed legislative change and its specific implications for ECS providers.
Overview of Proposed Amendments Criminalizing Doxxing and Empowering Enforcement
Under the Amendment Bill, doxxing and conspiring to dox are criminal offences. Any person who discloses or conspires to disclose any personal data of a data subject or any of his / her family members without consent, with an intent to cause harm (including harassment, intimidation, bodily harm, psychological harm, causing a person to be concerned of his/her safety or well-being, damage to property, etc.) or being reckless as to whether such harm would be caused commits an offence that is punishable by fines and imprisonment.
The Commissioner, who is currently only empowered under the Personal Data (Privacy) Ordinance (the “Ordinance”) to issue enforcement notices for data breaches, will have wide ranging powers of investigation and enforcement. These powers include the power to:-
- answer questions in person or in writing, to make a statement or to give assistance that the Commissioner reasonably requires;
- provide any matter relevant to the investigation that is within the person’s possession or control;
Such powers are supported by offence provisions which make it an offence (punishable by fine and imprisonment) not to comply with Investigation Notices and Cessation Notices without reasonable excuse or to obstruct, hinder or resist the Commissioner or authorized persons in the exercise of their powers of investigation without lawful excuse.
Potential implications for ECS Providers
1. Obligation to assist in decryption and search for materials stored in electronic devices
Currently drafted, the power to search and access materials stored on electronic devices includes the power to request decryption and searching for such materials. Accordingly, it is possible that ECS providers such as electronic platforms and hosting service providers may be required to assist in decrypting and/or to searching for materials stored in such devices. It would be an offence to obstruct, hinder or resist the Commissioner or authorized persons in the exercise of their powers without lawful excuse.
2. Obligation to take action to cease or restrict doxxing1
Further, a new privacy enforcement regime of Cessation Notices having extra-territorial effect will also be introduced. Notably:
Accordingly, Cessation Notices can be issued against ECS providers (regardless of whether they are based in Hong Kong or abroad), including electronic platforms, hosting service providers and internet services providers, to take action to remove, cease, restrict access of any relevant message and/or discontinue the hosting service for the whole or part of the relevant platform where the relevant message is published. It would be an offence to contravene Cessation Notices without reasonable excuse, having regard to the nature, difficulty or complexity of the Cessation Notices in question, the reasonable availability of the technology necessary for compliance, the risk of incurring substantial loss or substantially prejudicing third party rights or the risk of incurring civil liability.
Recommended proactive preparatory steps for ECS providers
It is expected that the Amendment Bill may be passed by the Legislative Council in or before October this year.
We recommend ECS providers proactively prepare for the new enforcement regime. Key steps that ECS providers way consider taking include:-
1 The Commissioner of Police has similar powers under the Implementation Rules for Article 43 of the National Security Law, with the approval of the Secretary for Security, to authorize a designated police officer to request that ECS providers take action to remove, restrict and/or cease access to any message and/or platform or its relevant part, where the Commissioner of Police has reasonable grounds to suspect that a message published on an electronic platform is likely to constitute an offence of endangering national security or is likely to cause the occurrence of such an offence. It is not clear whether these powers can be exercised extra-territorially.