Date: 20 January 2020
Response to media enquiry on the complaint and enforcement figures related to doxxing, with particular reference to the relevant data protection principles (DPP), serving of enforcement notices and contravention of section 64 of the Personal Data (Privacy) Ordinance (PDPO)
Thank you very much for your enquiry about the complaint and enforcement figures related to doxxing, with particular reference to the relevant data protection principles (DPP), serving of enforcement notices and contravention of section 64 of the Personal Data (Privacy) Ordinance (PDPO). The response from the office of the Privacy Commissioner for Personal Data (PCPD) is as follows:
Doxxing in relation to contravention of DPP
-
The numbers of complaints received by the PCPD from 2017 to 2019 on doxxing on social networks in relation to contravention of DPP are as follows:
|
2017 |
2018 |
2019 |
Cyberbullying and Doxxing (in relation to contravention of DPP) |
44 |
57 |
69 |
-
The outcomes of the above-mentioned doxxing cases are as follow:
Outcomes |
2017 |
2018 |
2019 |
No prima facie evidence of contravention
(Reasons being, as appropriate:
-
domestic purposes exemption under section 52 of the PDPO was applicable;
-
complainant failed to identify the doxxer;
-
the complainant withdrew the complaint)
|
40 |
38 |
54 |
Resolved through conciliation
(Conciliation means include, as appropriate:
-
we wrote to the platform/ doxxer to request removal of the postings;
-
the postings were taken down after our intervention;
-
the doxxer undertook not to upload postings again)
|
4 |
19 |
15 |
Enforcement Notice issued for the above cases |
0 |
0 |
0 |
Cases referred to Police for suspected s.64 (2) offences |
0 |
0 |
0 |
-
In the past (before the starting of the social incidents in early June), doxxing cases were mostly among friends for the purpose of venting their resentment, primarily involving misuse of personal data under their control and hence contravention of the requirements of the DPPs. They were non-criminal in nature.
-
If the personal data uploaded by a netizen in his personal capacity is only related to his personal, family or domestic affairs, or only for recreational purposes, the related post would not be regarded as a contravention of the PDPO owing to the exemption under section 52 of the PDPO.
-
No Enforcement Notice was served in those previous doxxing cases. That is mainly because after our conciliation, the disputes were resolved by having the postings taken down or undertaking by the doxxers not to upload the offensive postings again. Some complainants withdrew their complaints on their own volition after learning that use of personal data for personal, family or domestic affairs is exempted under the PDPO.
-
In previous doxxing cases, the postings were mainly defamatory in nature related to personal, family or domestic affairs, as opposed to incitement or intimidation against the background of ongoing social unrests. They were not criminal in nature and there was no legal basis for us to refer the previous cases with reference to section 64(2) to the Police for criminal investigation.
-
If necessary, the Privacy Commissioner would serve an Enforcement Notice or warning, as the case may be, to the wrongdoers. Only non-compliance with instructions of Privacy Commissioner would amount to an offence.
-
Contravention of an Enforcement Notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment for 2 years.
Doxxing in relation to section 64(2)
-
The postings in recent doxxing cases involved intimidating or incitement messages which may cause psychological harm to the victims. Hence, the doxxers may have committed the offence of criminal doxxing under the PDPO.
-
The PCPD received the first criminal doxxing case on 14 June 2019. Since June, serious doxxing acts have taken place and personal data has been “weaponised”.
-
Section 64(2) of PDPO provides that a person commits an offence if the person discloses, without the consent of a data user who controls or is in possession of any personal data of a data subject (such as public domain or platforms), especially the person who is innocent (including the spouse and children of a doxxing victim), and the disclosure causes psychological harm to the data subject, most of which came from intimidation. Upon conviction, the maximum penalty is a fine of HK$1,000,000 and an imprisonment for 5 years. ‧ The relevant criminal investigations will be carried out by the Police and prosecution decisions will be made by the Department of Justice.
-
As at 10 January 2020, the PCPD has referred 1,402 cases of this nature to the Police for criminal investigation and for consideration for prosecution.
-
As the Secretary for Constitutional and Mainland Affairs stated in the Legislative Council Meeting on 8 January 2020, “as at 31 December, 2019, a total of eight persons were arrested by the Police for alleged violation of section 64(2) of the PDPO. On September 25, 2019, a man was charged with an offence relating to "conspiracy to disclosing personal data obtained without data users' consent" under section 64 of the PDPO for alleged improper disclosure of the personal data of other individuals on the Internet. The case will be heard again by the court on January 15, 2020.”