On Jan 17, 2021, just days after leaving office, the former chief justice, Geoffrey Ma Tao-li, told the Oxford Union Society that “I have also been personally abused, and doxxed as well”. This, quite clearly, was shocking, and it showed that nobody in the judiciary is safe online from the ill-intentioned. If even the head of the judiciary can be doxxed, nobody should be surprised if his subordinate judges have also been targeted, with their personal details circulated for all to see.
Although, given the scale of the problem, the secretary for justice, Teresa Cheng Yeuk-wah, on Oct 30, 2020, obtained an injunction from the High Court to protect judicial officers from doxxing, this, as with an earlier order to protect police officers, had only a limited impact.
This month, the privacy commissioner for personal data, Ada Chung Lai-ling, revealed that, between June 2019 and May 2021, there were 5,700 doxxing-related complaints, including cases discovered proactively through the commission’s own “online patrols”. Of these, 905 cases involved the wrongful disclosure of the victims’ identification numbers and residential addresses. The culprits invariably sought to inflict maximum pain on their victims, with Chung noting that “personal data has been weaponized by some in Hong Kong, and utilized in ways to intimidate, silence or harm others”, and the police force has been a major victim of this phenomenon.
During the insurrection of 2019-20, police officers, many engaged in front-line duties, were regularly targeted, together with their family members. Doxxing was used to punish them for doing their jobs so well, to distract them when they needed to be alert, and to weaken their morale by intimidating their families. Even the details of schools and classes attended by their children were disclosed online, which was a common intimidatory tactic of the protest movement. Almost 40 percent of the cases handled by the Privacy Commissioner involved the police, and many of the culprits, because of deficiencies in law enforcement, simply got away with it, which is intolerable in a society which upholds criminal justice.
It (Personal Data (Privacy) (Amendment) Bill 2021) is also a proportionate and much-needed response to the insurrection of 2019-20, during which untold hardships were caused to judges, police officers and other public officials, some of which are still ongoing
On Oct 22, 2019, in another case involving injunctive relief against doxxing, the chief judge of the High Court, Jeremy Poon Shiu-chor, considered its overall impact and implications (CACV 489/2019). He explained that “doxxing should not and cannot be tolerated in Hong Kong, if we are still to take pride in our city as a civilized society where the rule of law reigns”. He added that doxxing “seriously endangers our society as a whole”, given that it can ignite the fire of “distrust, fear and hatred” which will then “consume the public confidence in the law and order of the community, leading to disintegration of our society”. Poon’s analysis was, of course, impeccable, and the doxxers certainly have the rule of law firmly in their sights. But the big problem has always been the absence of the legal tools necessary to successfully combat doxxing, such as already exist in places like Australia, New Zealand and Singapore.
This, however, is changing, and, on July 14, the government disclosed the details of the Personal Data (Privacy) (Amendment) Bill 2021, which will be tabled in the Legislative Council for first reading on Wednesday. The principal law, the Personal Data (Privacy) Ordinance (Cap.486) will, crucially, be amended by the introduction of two tailor-made offenses to counter all types of doxxing. They are intended not only to protect the data subject, but also his or her family members.
The first offense will be summary in nature. It will criminalize the unauthorized disclosure of an individual’s personal data if the discloser has an intent to cause, or is being reckless as to the causing of, any “specified harm” to the data subject or a family member as a result of that disclosure. This offense will be punishable with a maximum fine of HK$100,000 ($12,900) and two years’ imprisonment.
The second offense will be indictable. It will arise if “specified harm” is caused to the data subject or a family member as a result of the unauthorized disclosure of personal data. For this graver offense, the maximum sentence will be a fine of HK$1 million and five years’ imprisonment.
In respect of both offenses, the phrase “specified harm” will be broadly defined. It will encompass harassment, molestation, threat, intimidation, bodily harm, psychological harm, and harm causing a victim to be concerned about safety and damage to the person’s property. In other words, all the consequences of doxxing activity will finally come within the reach of the criminal law, which will come as a huge relief to its victims.
Another key feature of the bill is the enforcement powers it confers upon the privacy commissioner. The commission will no longer need to refer its cases to the police, and will be empowered instead to conduct its own investigations, including search and seizure, which is long overdue. It will also, evidence permitting, be able to conduct its own summary prosecutions, although the Department of Justice is expected to become involved when cases are tried on indictment. In anticipation of the changes, the commission has already started a recruitment drive for investigators and prosecutors, and this will enable it to hit the ground running once the bill is enacted, hopefully by year’s end.
If, moreover, the Privacy Commissioner becomes aware of offensive content on an electronic platform, it will now be possible to order the internet service providers, wherever they are in the world, to remove it, or at least block access to its content. A failure to comply could result in an entire website being immobilized, although this will only be contemplated for those rare circumstances where there is deliberate noncompliance. If anybody, without reasonable grounds, refuses a request to remove offensive content, they will face a maximum fine of HK$50,000 and two years’ imprisonment on a first conviction, with an additional fine of HK$1,000 per day until such time as it is removed.
Although some critics have complained that the proposed legislation is too tough, it is constitutionally sound and respectful of the essential rights enshrined in the Basic Law and the Hong Kong Bill of Rights Ordinance (Cap.383). It is also a proportionate and much-needed response to the insurrection of 2019-20, during which untold hardships were caused to judges, police officers and other public officials, some of which are still ongoing.
But let nobody be under any illusions over what is contemplated. The bill has nothing to do with freedom of speech, the flow of information, or lawful news activity, and everything to do with protecting people from a heinous crime and upholding the rule of law. It is a fundamental principle that private data should not be used for illegal purposes, and only those who maliciously leak the personal information of others, or countenance any such practice, have anything to fear.
The author is a senior counsel, law professor and criminal justice analyst, and was previously the director of public prosecutions of the Hong Kong SAR.
The views do not necessarily reflect those of China Daily.