Date: 20 January 2020
Response to media enquiry on the applicability of section 64(2) of the Personal Data (Privacy) Ordinance (Cap 486) (“PDPO”)
Thank you very much for your email enquiry. Our response to your enquiries for the applicability of section 64(2) of the Personal Data (Privacy) Ordinance (Cap 486) (“PDPO”) is as follows:
-
Section 64 was amended in the previous PDPO review exercise in 2012 to curb the prevalent cases at the material time where a data subject’s personal data was unlawfully disclosed by a third party who obtained the personal data from the data user but without first obtaining the data user’s consent. Some examples of the cases are:-
(a) Sale by an employee of a company’s personal data without the company’s (data user’s) consent, and for which he received payment from the purchaser; and
(b) Disclosure by a hospital staff of a celebrity’s health records, which he obtained without the hospital’s (data user’s) consent and the disclosure caused psychological harm to the celebrity.
-
It was against this background that section 64 was introduced.
-
Nowadays, there are vastly different modes of unauthorised disclosure associated with “doxxing” and more often than not, the doxxers obtained the personal data from sources other than the data subjects, or may not even know where the personal data (i.e. the messages containing photos of others, their personal data, often coupled with intimidating content, etc.) originated but simply post or forward the messages in various platforms and fora.
-
Currently, the Privacy Commissioner is not conferred with comprehensive criminal investigation and prosecution powers under the PDPO; and potential cases concerning contravention of the “criminal doxxing” provision has to be referred to the Police for further handling. Whilst the situation is not satisfactory, it should not however be treated as giving a green light to the doxxers in carrying out further acts of doxxing.
-
The Privacy Commissioner has already reflected the situation to the Government in June 2019 advocating that the PDPO should be reformed so that the Privacy Commissioner will be vested with comprehensive criminal investigation and prosecution powers as appropriate.
-
It appears that it would be an effective and direct way to address the issue of criminal doxxing by referring to data subject’s consent as the data subject would also be the person who suffers “psychological harm”.