In 2021, Hong Kong implemented statutory amendments to the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) to introduce new criminal offences that target harmful doxxing activities.
The PDPO further empowers the Privacy Commissioner for Personal Data (“Privacy Commissioner”) to investigate and prosecute cases when necessary.
In 2024, the Privacy Commissioner handled 442 doxxing cases, which represents a 40% drop from previous years. Of these, 118 cases led to criminal investigations, resulting in 20 arrests.
Most of the complaints received involved financial disputes and family or relationship conflicts. Four years on, what do we know about doxxing?
____________________________________________________________________________________________________________________________
When is it a criminal offence?
Doxxing is a practice where personal data is disclosed, typically maliciously or recklessly, without the consent of the data subject, to cause harm or distress.
The PDPO classifies doxxing offences into two tiers: one triable summarily and the other triable on indictment.
First-Tier Offence
Under section 64(3A) of the PDPO, a person commits a first-tier doxxing offence if he: (1) discloses personal data without relevant consent, and (2) does so with the intent to cause specified harm to the data subject or their family, or is reckless as to whether harm would likely result.
This offence is punishable by a fine of up to HK$100,000 and imprisonment for up to 2 years (section 64(3B) of the PDPO).
Second-Tier Offence
A second-tier offence arises under section 64(3C) of the PDPO if (1) the person discloses personal data without consent as described above, and (2) the disclosure causes specified harm to the data subject or their family.
Upon conviction, the offender may face a fine of up to HK$1,000,000 and imprisonment for up to 5 years (section 64(3D) of the PDPO).
What constitutes “Specified Harm”?
“Specified harm” is broadly defined under section 64(6) of the PDPO to include:
- harassment (e.g., pestering, intimidation, threats, or molestation);
- bodily or psychological harm;
- harm causing the individual to reasonably fear for their safety or well-being; and
- damage to property.
What kind of data is covered by doxxing laws?
Under section 2 of the PDPO, “personal data” is defined as any information:
- relating directly or indirectly to a living individual;
- from which the individual’s identity can be ascertained; and
- in a form that allows access to, or processing of, the data.
This definition is intentionally broad and would include, for example:
- names, identity card numbers, phone numbers, addresses, and email addresses;
- photos, videos, or social media profiles;
- employment, financial, or family information.
For example, the publication of someone’s phone number online alongside comments encouraging harassment would likely satisfy the elements of a doxxing offence, particularly if actual threats or intimidation follow.
In Secretary for Justice v Persons Unlawfully Conducting Themselves in Prohibited Acts [2020] HKCFI 2785, it was held that doxxing posts with fields such as a person’s occupation, location, relatives’ details, and even political affiliations (if disclosed maliciously or recklessly) would fall within the scope of personal data under the doxxing law.
Would disclosing only a name and photo be a criminal offence?
Whether disclosing only a name and photo constitutes a doxxing offence would depend on context and intent:
- Without intent to cause harm or recklessness: Sharing a person’s name and photo (e.g., a friend’s graduation picture) without any malicious intent or recklessness is unlikely to constitute an offence. The key element here is the absence of harm or risk of harm.
- With intent to cause harm or recklessness: If the name and photo are disclosed in a harmful context—e.g., alongside derogatory remarks or calls for harassment—such disclosure may violate the PDPO.
For example, there were cases where judges were targeted with intimidating posts encouraging violence – see Secretary for Justice v Persons Unlawfully Conducting Themselves in Prohibited Acts (mentioned above).
In STCC 1989/2022, a defendant disclosed a victim’s residential address and invited others to visit her, resulting in harassment. The court imposed an 8-month custodial sentence, highlighting the seriousness of malicious disclosures.
Would disclosing redacted personal data of a person be a criminal offence?
In a case reported in the Privacy Commissioner’s press release of 11 February 2025, a debt collector was arrested for suspected doxxing after he posted a victim’s name, address, partially redacted HKID number and HKID copy on flyers, alleging unpaid debts. While the investigation is ongoing, this case shows that even partial identifiers (with redactions of personal data) can be sensitive and may trigger criminal liability or prosecution for the offence of doxxing if they are disclosed maliciously or recklessly.
Statutory Defences
The PDPO provides statutory defences under section 64(4) of the PDPO for individuals charged with doxxing offences. The accused may avoid liability if they can establish:
- Preventing or detecting crime: The disclosure was reasonably believed to be necessary for crime prevention or detection.
- Requirement or authorization by law: The disclosure was required or authorized under any enactment, rule of law, or court order.
- Reasonable belief of consent: The accused reasonably believed the disclosure was made with the relevant consent of the data subject (or data user, as applicable).
- Lawful news activity: For disclosures made solely for lawful journalistic activities, the accused must prove that (a) the disclosure was part of a news-gathering or reporting activity, and (b) they had reasonable grounds to believe the publication was in the public interest.
The role of the Privacy Commissioner
From October 2021 to December 2023, the Privacy Commissioner issued 1,878 cessation notices and referred over 1,500 cases to the Police.
To help all parties understand the amended provisions and the criminal liabilities relating to doxxing, the Privacy Commissioner has published the “Personal Data (Privacy) (Amendment) Ordinance 2021 Implementation Guideline”. For further details and court decisions, please visit: https://www.pcpd.org.hk/english/doxxing/index.html
Practical steps to avoid committing a doxxing offence
Given the gravity of the penalties, individuals and organizations must exercise caution when handling or sharing personal data. Below are some practical tips to avoid committing doxxing offences:
- Know what constitutes personal data: Understand the definition of personal data under the PDPO and avoid disclosing information that could identify individuals without their consent.
- Avoid recklessness: Even with no malicious intent, any reckless disclosures that result in specified harm may still lead to prosecution. Always consider the potential impact of sharing personal data.
- Obtain express consent: Before disclosing personal data, seek the individual’s explicit consent, especially for sensitive or identifiable information.
- Implement robust data protection policies: For businesses, ensure compliance with the PDPO by implementing data protection policies and training employees on safeguarding personal data.
- Exercise caution on social media: Avoid reposting or forwarding personal data shared by others. Doxxing violations often occur when users share harmful posts without considering the legal implications.
- Seek legal advice when in doubt: If unsure about the legality of a disclosure, consult a legal professional to assess the risks and ensure compliance with the PDPO.
Conclusion
Hong Kong’s enhanced anti-doxxing legislation reflects a strong commitment to protecting personal privacy. To avoid liability, individuals and organizations must exercise caution when handling personal data, particularly in digital or public forums.
At Fairbairn Catley Low & Kong, we strive to understand the complexities and evolving nature of personal data privacy laws and the significant impact the potential criminal offence of doxxing can have on individuals and organizations. Please feel free to contact us for enquiries.