Media Statements

Privacy Commissioner’s Response to Media Enquiries about
Chief Executive’s Suggestion of the Need for Legislative Amendment to Tackle Doxxing

(18 October 2019) In yesterday (17 October)’s “Chief Executive's Question and Answer Session on the Policy Address 2019”, the Chief Executive Carrie LAM CHENG Yuet-ngor said that the Government considered it necessary to examine the laws of Hong Kong, with a view to strengthening relevant sections of the laws to tackle doxxing and cyberbullying on the internet. In response to media enquiries about this issue, the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG made the following response:

The Privacy Commissioner pointed out that over the past four months, personal data has been weaponised and become a major concern for privacy protection. In the face of doxxing activities on the internet, the office of the Privacy Commissioner for Personal Data (PCPD) has encountered multiple difficulties in investigation and follow-up actions.   Among other things, the PCPD has no power to order the relevant platforms to remove doxxing posts.  Most of the 13 platforms involved do not operate from or are not registered in Hong Kong. As of noon 18 October 2019, the PCPD received and proactively discovered 2,659 related cases. The PCPD has written 82 times to the 13 online platforms involved, urging the removal of a total of 1,632 illegal web links and requiring the platforms to issue warnings to their netizens stating that doxxing or cyberbullying would contravene section 64 of Personal Data (Privacy) Ordinance (PDPO), i.e. offences for disclosing personal data obtained without consent from data users. Although 612 web links have been removed, 1,020 web links (63%) remain unremoved.

Among the platforms involved, two are registered in Hong Kong. The PCPD has conducted investigations of these two platforms in accordance with PDPO.  The most active platform operates outside Hong Kong. In order to protect the victims from harm as soon as possible, the PCPD has for 20 times strictly urged that platform to remove more than 1,000 links, but more than 900 links are still on that platform. The PCPD has also urged all the platforms concerned to provide registration information or IP addresses of the netizens who uploaded the relevant doxxing posts. However, all the platforms (including the above-mentioned platform with the most serious doxxing activities) have not responded to the PCPD.

The above-mentioned platform with serious doxxing activities has no office in Hong Kong. Neither is its domain name registered in Hong Kong.  Only an overseas address is available. The PCPD has contacted the relevant overseas government agency stationed in Hong Kong for assistance and hoped that the Hong Kong Computer Emergency Response Team Coordination Centre would take follow-up actions.  Unfortunately, there has been no significant result.

In any event, doxxing is a criminal offence under section 64 of PDPO. After preliminary examination of the relevant information, the PCPD has referred 1,297 cases of such nature to the Police for further criminal investigation and for consideration for prosecution.

To sum up, the difficulties encountered by the PCPD in handling doxxing cases on the internet include:

• PDPO does not confer upon the PCPD the power to conduct criminal investigation and prosecution for criminal offences (including doxxing) under PDPO. Although PDPO gives the PCPD the power to enter any premises for the purposes of an investigation, the PCPD does not have the power to search for or seize relevant evidence. 
• Netizens in Hong Kong are not required to provide their real names and identity when registering as social media account holders.  Consequently, the PCPD cannot trace those netizens who have posted illegal posts.  The PCPD has to resort to writing for 82 times to the 13 platforms concerned, asking for the user registration information and IP addresses of the netizens who uploaded the illegal posts. However, no response has been received from the platforms.
• As mentioned above, most of the 13 platforms concerned do not operate from or are not registered in Hong Kong. Some of them were temporarily out of operation, but soon afterwards they were published in multiple overseas domains one after the other or concurrently.  Such situation cannot be regulated by PDPO effectively. There is no express provision in PDPO empowering the PCPD with extraterritorial jurisdiction, and the scope of the regulated bodies (i.e. the data users) is rather narrow and limited to the individuals who control the collection, holding, processing or use of personal data in or from Hong Kong. Most of the social platforms and websites concerned do not operate from Hong Kong.  The fact that they are registered overseas makes tracking, searching for evidence and enforcement more complicated and difficult. Even if the PCPD has extraterritorial jurisdiction under PDPO, its actual implementation still relies on cooperation of organisations under investigation. It is beyond the reach of PCPD’s power, unless the SAR Government and the overseas jurisdictions could develop a mutual assistance mechanism for the investigation of criminal offences relating to personal data.
• The PCPD does not have the authority to apply to the court for an injunction on behalf of the victims, in order to require the relevant platforms to remove and stop uploading the relevant doxxing web links. There is a need for the PCPD to expand the scope of legal assistance for victims and to timely stop the acts that cause harm to them.

To overcome the difficulties above, it is necessary to enhance the power of the PCPD. The directions of amendment include:

1. Giving the PCPD clear powers to conduct comprehensive investigation and direct prosecution of criminal offences under PDPO, including the power to search for and seize evidence, and to conduct prosecution on its own;
2. Amending the scope of protection to include platforms and webpages that have relatively close connection to Hong Kong.  An example of such connection is the availability of means of contact in Hong Kong;
3. The PCPD being able to directly issue prohibitive orders to require the relevant social media platforms or websites to remove and stop uploading “doxxing” contents/posts and to require the relevant social media platforms to provide personal data (such as name, email address and IP address) of those posting “doxxing” messages (i.e. the offenders);
4. Expanding the scope of legal assistance provided to the victims by the Privacy Commissioner to assist the victims to apply to the court for an interim injunction, in order to curb the harm caused to them as soon as possible; and
5. Joining forces with other jurisdictions or joining forces at the international level to develop a mutual assistance mechanism in the investigations of criminal offences relating to personal data so that “doxxing” acts on the internet could be tackled with concerted efforts.

The Privacy Commissioner has the statutory duty to review PDPO from time to time. The Constitutional and Mainland Affairs Bureau (CMAB) has publicly stated that it was hoped that the review of PDPO could be initially rounded up before end June 2019. The Privacy Commissioner submitted the preliminary views on the amendments of PDPO to CMAB in June 2019. In the past few months, there have been continuous cyber-intimidation or incitement, and violations of personal data privacy in the community. The Privacy Commissioner is examining possible amendments to the relevant sections of PDPO, and will submit recommendations to the Government for consideration as soon as possible.

Meanwhile, there have been once again discussions in the community about the issue of restricting disclosure of the names and addresses of voters in the Register of Electors to curb doxxing. In July 2015, the PCPD published a report entitled “Survey of Public Registers Maintained by Government and Public Bodies”. The survey examined 10 commonly used public registers, including the Register of Electors. The PCPD has sent the report to the relevant Government bureaux, departments and agencies, providing a number of recommendations on how to improve the protection of personal data privacy in the registers. The PCPD will be pleased to discuss again with the Government and provide advice.