Personal Data (Privacy) (Amendment) Ordinance 2021 – Criminalisation of doxxing



The Personal Data (Privacy) (Amendment) Ordinance 2021 (the “Ordinance”) was published in the Gazette and came into effect on 8 October 2021.

A Government spokesman said, “Since 2019, doxxers have attacked those of different political stances through the indiscriminate disclosure of their personal data, in effect weaponising the personal data concerned. The Ordinance aims to combat malicious doxxing acts that have become more rampant in recent years, so as to protect the personal data privacy of the general public” (Press Release, 2021).

Doxxing is the act of (a) making someone’s personal information available without consent, (b) for malicious purposes (including harassment) or so that the person can be more easily targeted by others.

Update by the Ordinance

To summarise, the Ordinance aims to combat unlawful doxxing acts in three aspects:

(1) criminalise doxxing acts as new offences targeting malicious acts of disclosing personal data of the data subject without his/her consent, with an intent or being reckless as to whether specified harm would be caused to the data subject or his/her family member;

(2) empower the Privacy Commissioner for Personal Data (“PCPD”) to carry out criminal investigations and institute prosecutions for doxxing-related offences; and

(3) confer on the Commissioner statutory powers to serve notices to those who are able to take a cessation action, directing them to cease disclosure of doxxing contents (cessation notices).

The amendments focus on combating doxxing acts and seek to strike a reasonable balance between protection of privacy and freedom of speech.

New doxxing offences

The Ordinance introduced two-tier doxxing offences under the new section 64 of the Ordinance.

(1) Summary offence (section 64(3A)): It is a summary offence if a person (a) discloses personal data without the data subject’s consent and (b) has an intent or is reckless as to whether any specified harm would be caused to the data subject or the data subject’s family member.

The summary offence is subject to a maximum fine of HKD100,000 and imprisonment for two years.

(2) Indictable offence (section 64(3C)): It is an indictable offence requiring the same personal data disclosure as in section 64(3A), with the additional requirement that specified harm is caused to the data subject or the data subject’s family member.

The indictable offence is subject to a maximum fine of HKD1 million and imprisonment for five years.

“Family member” is defined widely in the Ordinance to include a relation by blood, marriage or adoption.

The definition of “specified harm” is wider than the existing section 64(2) offence requiring psychological harm, and includes one of these four limbs:

(a) harm to the person in the form of harassment, threats or intimidation;

(b) bodily or psychological harm;

(c) harm causing the person to reasonably be concerned for the person’s safety or well-being;


(d) damage to the person’s property.

Any person charged with a doxxing offence may establish a defence pursuant to section 64(4) of the Ordinance, where disclosure was:

(a) reasonably believed to be necessary for preventing or detecting crime;

(b) required or authorised by law or court order;

(c) reasonably believed to be consented to by the data user or data subject; or

(d) solely for news activity (or a directly related activity) and such publication or broadcast was reasonably believed to be in the public interest.

Implementation Guideline

The Office of the Privacy Commissioner for Personal Data has issued the Implementation Guideline detailing the new doxxing offences and the powers to conduct criminal investigations, institute prosecutions and issue cessation notices (the “Guideline”).

The Guideline provides, among other things, examples of the “specified harm” that must be intended to be caused and the factors to be taken into account.

Materials that are the subject of claims of legal professional privilege are protected against the execution of a warrant and must be sealed and not examined (para 3.3.6 of the Guideline). 

The Guideline also provides (a) sample warrants to search premises and access electronic devices and (b) sample forms for written notices requesting materials and the answering of questions in connection with an investigation. 

Key takeaways

The introduction of the two new doxxing offences may affect a range of online users, e.g. online platforms and websites; social media platforms; and internet service providers that are incorporated in Hong Kong or have a place of business (or individual staff) in Hong Kong. The following actions are recommended:

  • read the Ordinance and Guideline and familiarise yourself with the legislative changes in relation to doxxing offences;

  • if in doubt, remove or block access to any potentially doxxing content to avoid any inadvertent contravention of the Ordinance;

  • review the terms and conditions of any relevant website, online platform or forum, in particular terms concerning the disclosure of personal data of users, to give effect to the new legislative changes, including the Privacy Commissioner for Personal Data’s criminal investigation powers; and

  • update internal policies and guidelines to anticipate and mitigate any risks of these issues arising in respect of an organisation.


This article is provided for informational purposes only. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.