Date: 8 July 2020
Response to media enquiry on cyberbullying
Thank you very much for your enquiry about cyberbullying. Our response to your enquiry is as follows:
Enquiry
“I'm writing to ask for information on cyberbullying. Please find the questions below. Thank you.
-
How many reports of cyberbullying did you receive from January to June this year?
-
How many reports of cyberbullying did you receive last year?
-
What can a person who is cyberbullied do? What will you do when receiving a report of cyberbullying? What laws or regulations are there protecting people from cyberbullying?”
Overall Answer
Cyberbullying generally refers to bullying behaviour online which mostly takes place among friends for the purpose of venting resentment, primarily involving misuse of personal data and hence a contravention of the requirements of Data Protection Principle (DPP) 3 of the Personal Data (Privacy) Ordinance (PDPO). This is distinguished from Criminal doxxing
[1]
Answer: Question 1
-
From 1 January to 30 June 2020, this office received 157 complaints on cyberbullying.
Answer: Question 2
-
From 1 January to 31 December 2019, this office received 69 complaints on cyberbullying.
Answer: Question 3
-
Any person who suspects that his personal data privacy has been infringed and can provide prima facie evidence (including details about misuse of the personal data) may complain to this office.
-
Upon receipt of a complaint, this office will follow up on the case in accordance with the PDPO and established procedure in strict confidence.
-
DPP3 stipulates that unless the data subject has given explicit and voluntary consent, personal data shall only be used for the purpose for which it was originally collected or for a directly related purpose. There is no exemption from DPP3 for personal data obtained from the public domain through channels such as public registers, search engines or public directories. In other words, cyberbullying based on the use of personal data of targeted persons collected from these public sources could be a contravention of DPP3.
-
Contravention of a DPP is not an offence, but the Privacy Commissioner for Personal Data, Hong Kong may serve an enforcement notice on the data user concerned to remedy the contravention. It is a criminal offence for the data user not to comply with the enforcement notice. The offence may attract a maximum fine of $50,000 and maximum imprisonment for two years and, in the case of a continuing offence, a daily fine of $1,000.
[1] Criminal doxxing generally refers to disclosure of personal data obtained without consent of the data user concerned who holds the data, coupled with intimidating or incitement messages which may cause psychological harm to the data subjects concerned. The doxxers may have committed a criminal offence of under section 64 of the Personal Data (Privacy) Ordinance (PDPO).