Hong Kong’s new Personal Data (Privacy) (Amendment) Ordinance criminalises doxxing and gives sweeping investigative and enforcement powers to the privacy commissioner for personal data to prosecute such acts, as well as other privacy breaches, for causing harm and/or seeking to gain, and to demand actions to cease or restrict unlawful disclosures of personal data. Such powers have specific implications for providers of electronic communication services (ECSs).
Under the new law, passed by lawmakers on 29 September 2021, doxxing and conspiring to dox will now become criminal offences. Doxxing is where any person discloses or conspires to disclose any personal data of a data subject, or any of his or her family members, without their consent, with an intent to cause harm (including harassment, intimidation, bodily harm, psychological harm, causing a person to be concerned for his/her safety or well-being, damage to property, etc.), or is reckless as to whether such harm would be caused. The offence is punishable by fines and imprisonment.
The commissioner, who is currently only empowered to issue enforcement notices for data breaches, will have wide-ranging powers of investigation and enforcement over the new offences, as well as the existing offence of disclosure of personal data without consent and with an intent to obtain money or other property, or to cause the loss of the same.
These powers include being able to, either in person or through an authorised agent:
- Issue notices in writing (Investigation Notices) requiring any person who the commissioner reasonably suspects to have possession or control of materials relevant to the investigations or who may otherwise be able to assist with the investigation to:
  (i) answer questions in person or in writing, to make a statement or to give assistance that the commissioner reasonably requires;
  (ii) provide any materials relevant to the investigation that are within the person’s possession or control.
- Enter and search premises with a warrant.
- Access and search electronic devices with or without a warrant (in certain circumstances).
- Stop, search and arrest persons.
- Serve cessation notices on any Hong Kong person or on non-Hong Kong service providers where the commissioner has reasonable grounds to believe they are able to take a cessation action.
- Apply to the Court of First Instance for injunctions in relation to conduct that constitutes an offence.
- Prosecute certain offences in the commissioner’s name.
Such powers are supported by provisions that make it an offence (punishable by fine and imprisonment) not to comply with investigation and cessation notices without reasonable excuse, or to obstruct or resist the commissioner or authorised persons in the exercise of their powers of investigation without lawful excuse.
IMPLICATIONS FOR ECS PROVIDERS
Decryption and search. The power to search and access material stored on electronic devices includes the power to request decryption and searching for such items. ECS providers such as electronic platforms and hosting service providers may therefore be required to assist in such decryption and/or search for materials.
Cease and restrict. Further, a new privacy enforcement regime of cessation notices having extra-territorial effect will also be introduced, notably:
- Cessation notices can be issued against any messages of a data subject as long as the data subject is a Hong Kong resident or is present in Hong Kong, irrespective of whether the message exists in Hong Kong.
- Cessation notices can be served on any Hong Kong person or non-Hong Kong service providers if the commissioner has reasonable ground to believe that such persons can take a cessation action (whether or not in Hong Kong) in relation to the message. Note that a non-Hong Kong service provider is defined as a person (not being a Hong Kong person) who has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person.
Accordingly, cessation notices can be issued against ECS providers (regardless of whether they are based in Hong Kong) including electronic platforms, hosting service providers and internet service providers, to take action to remove, or cease or restrict access to, any relevant message, and/or discontinue the hosting service for the whole or part of the relevant platform where the relevant message is published.
It would be an offence to contravene cessation notices without reasonable excuse, having regard to the nature, difficulty or complexity of the cessation action, the technology necessary for compliance, and other risks involved.
As the law has already been passed and taken effect, the authors recommend that ECS providers proactively prepare for the new enforcement regime, understand its intricacies and its potential impact on their business, and have an experienced legal team in place for responding to the commissioner’s investigation and enforcement actions.
Kareena Teh is a partner and Philip Kwok is a counsel at LC Lawyers.
LC Lawyers LLP is an independent law firm, and the Hong Kong law firm member of the EY global network, in collaboration with other law firm members.