LCQ7: Measures against doxxing and cyber-bullying
Following is a question by the Hon Alice Mak and a written reply by the Acting Secretary for Constitutional and Mainland Affairs, Mr Andy Chan, in the Legislative Council today (November 4):
Question:
From the eruption in the middle of last year of the disturbances arising from the opposition to the proposed legislative amendments to September 30 this year, the Office of the Privacy Commissioner for Personal Data (PCPD) handled a total of over 4 700 cases relating to doxxing. Among such cases, around 35 per cent of the persons who had been doxxed were police officers or their family members. In this connection, will the Government inform this Council:
(1) whether it knows (i) the number of requests for assistance received by PCPD since January of last year from persons claiming that they had been doxxed, with a breakdown by the background of the assistance seekers, (ii) the respective numbers of cases in respect of which PCPD had taken various follow-up actions (including (a) requesting the operators to remove illegal web links and (b) referring the cases to the Police for conducting criminal investigation), and (iii) the respective numbers of persons prosecuted and convicted;
(2) whether it has assessed if the current evidential threshold is too high for offences relating to doxxing;
(3) as the Government indicated in its reply to my question on January 8 this year that it was studying with PCPD the amendments to the Personal Data (Privacy) Ordinance (Cap. 486), so as to more specifically address the acts relating to doxxing, of the specific contents of the legislative amendments and the legislative timetable; and
(4) given that the Singapore authorities passed the amendments to the Protection from Harassment Act last year, including introducing new offences and penalties, expanding the scope of redress for victims of cyber-bullying, and establishing the Protection from Harassment Court to expedite the handling of applications for redress, so as to address the problem of doxxing, and that the General Data Protection Regulation which took effect in the European Union in 2018 provides that an individual enjoys the right to erasure (also known as "the right to be forgotten") and is entitled to require organisations and enterprises to delete his or her personal data under specified circumstances, whether the Government will make reference to such practices and amend the local legislation to step up efforts in combating the acts of doxxing and cyber-bullying; if so, of the details (including the public consultation and legislative timetables); if not, the reasons for that?
Reply:
President,
After consulting the Security Bureau and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), a consolidated reply to the question is set out as follows:
(1) The PCPD received the first complaint relating to doxxing on June 14, 2019. As at the end of September 2020, the PCPD has handled 4 714 doxxing-related cases, including complaints received as well as cases uncovered by the PCPD's proactive surveillance. Of these, 4 370 of the cases were handled before the end of 2019 and 344 were handled between January to September 2020. Victims of these doxxing cases come from different backgrounds. Among the cases, 1 657 involved police officers and their family members (representing around 35 per cent of the total number of cases), and 189 related to doxxing against government officials and public servants (representing around 4 per cent of the total number of cases). Besides public officers, members of the public who had allegedly expressed support to the Government or the Police (representing around 30 per cent of the total number of cases) while some members of the public after allegedly voiced opposition against the Government or the Police (representing around 31 per cent of the total number of cases) were also doxxed.
For cases where criminal elements might be involved, the PCPD will refer the doxxing cases to the Police for follow-up to facilitate criminal investigation and consideration of prosecution. According to section 64(2) of the Personal Data (Privacy) Ordinance (PDPO), a person commits a criminal offence if he/she discloses any personal data obtained from a data user without the data user's consent and such disclosure causes psychological harm to the data subject. The person who commits such offence is liable on conviction to a maximum fine of $1,000,000 and imprisonment for up to five years. As at the end of September 2020, the PCPD has referred 1 413 cases on suspicion of contravening section 64 of the PDPO, i.e. disclosing personal data obtained without consent from data users, to the Police for follow-up. The Police has to date arrested 17 individuals for alleged contravention of section 64 of the PDPO. On October 9, 2020, a defendant was convicted in the District Court of, among other charges, contravention of section 64(2) of the PDPO. This was the first conviction under section 64 of the PDPO.
Furthermore, on October 25, 2019, the High Court granted an injunction order restraining any person from using, publishing, communicating or disclosing personal data of any police officer(s) or their family members intended or likely to intimidate, molest, harass, threaten or pester any police officer(s) or their family members without consent of the persons concerned; from intimidating, molesting, harassing, threatening or pestering any police officer(s) or their family members; or from assisting, inciting, abetting or authorising others to commit any of these acts. As at the end of September 2020, the PCPD has referred 45 doxxing cases on suspicion of breaching the relevant injunction orders to the Department of Justice for further action. On June 17, 2020, a defendant was convicted in the High Court of civil contempt of court for disclosing personal data of a police officer and his family members on a social media platform. The defendant was sentenced to 28 days' imprisonment, suspended for one year. This was the first conviction for breaching the relevant injunction order following the court's granting of the injunction orders to restrain any person from doxxing against police officers. On October 19, 2020, another defendant was convicted in the High Court of civil contempt of court for forwarding personal data of a police officer on a social media platform. The defendant was also sentenced to 28 days' imprisonment, suspended for one year.
Apart from referring the relevant cases to the Police for follow-up, the PCPD will also monitor and continue patrolling of online platforms, and enhance publicity and education efforts. The PCPD has also reminded operators of relevant websites, online social media platforms or discussion forums that they should prevent their platforms from being abused as a tool for infringing personal data privacy. It has also requested the operators concerned to issue on their platforms warnings to netizens that doxxing behaviour may violate the PDPO and may also constitute criminal offence. In respect of requesting operators to remove doxxing-related web links, as at the end of September 2020, the PCPD has sent 229 written requests to different operators of websites, online social media platforms and discussion forums requesting for the removal of 3 461 web links relating to doxxing. So far, 2 308 web links (67 per cent) have been removed. The PCPD will also enlist cooperation from regulatory authorities in other jurisdictions to combat doxxing on social media platforms.
(2) to (4) Drawing on the actual experience of investigation and prosecution in handling doxxing cases in the past, the Constitutional and Mainland Affairs Bureau and the PCPD have been studying concrete proposals in amending the PDPO to more effectively handle and regulate doxxing related behaviour. Our aim is to endeavour to complete formulation of concrete legislative amendment proposals within next year and to consult the Legislative Council Panel on Constitutional Affairs followed by commencing legislative drafting work on the amendment proposal. In the process, the PCPD will make reference to relevant laws in other jurisdictions (including Singapore, the European Union, Australia and New Zealand) in order to propose reasonably practicable legislative amendment proposals on areas such as the definition of doxxing offence, penalties, evidential threshold, Privacy Commissioner for Personal Data's statutory criminal investigation and prosecution powers, while striking an appropriate balance among the protection of personal data privacy, freedom of expression and free flow of information when strengthening the combat against doxxing. Regarding the right to erasure (also named as "right to be forgotten") in the General Data Protection Regulation of the European Union, since the relevant topic is controversial, the PCPD will continue to closely monitor development and implementation of such in other jurisdictions in this regard before further considering the matter. At present, the existing PDPO already provides for the erasure of personal data under Data Protection Principle 2(2) in Schedule 1, and section 26 of the PDPO, specifying that a data user has the responsibility to take all practicable steps to erase personal data where the data is no longer required for the purpose for which it was collected.