Hong Kong’s leader has moved to allay fears raised by American tech giants such as Google, Facebook, Twitter and Yahoo over a planned anti-doxxing law
, saying the implementation of the legislation will prove its effectiveness and ease their concerns.
Chief Executive Carrie Lam Cheng Yuet-ngor on Tuesday said the coming overhaul of the city’s data privacy regime was aimed at addressing rampant cyber harassment following the anti-government protests of 2019.
Legislation now in its final stages of drafting will empower the Office of the Privacy Commissioner for Personal Data to investigate and take action against those who violate the new rules.
But a coalition representing the United States companies and others warned in a recent submission to the office that the broad legal wording represented a potential barrier to trade and would discourage them from investing or offering their services in Hong Kong.
“Any anti-doxxing legislation, which can have the effect of curtailing free expression, must be built on principles of necessity and proportionality,” read the letter from the Asia Internet Coalition.
Lam, however, likened their concerns to fears swirling around the national security law, which she insisted had been proven false since the Beijing-imposed implementation of the legislation.
“Many people have been traumatised by doxxing. The proposed amendments to the law will address this problem,” she said ahead of her Tuesday cabinet meeting.
“When these amendments are introduced, it is like the national security law that sparked concerns and anxiety at the time of legislation.
“Only through the implementation of a regulation will we know how effective it is … We spent a full day yesterday listening to various speakers talking about [the security law’s] implementation, which did not result in any of the situations opponents had predicted in attempting to smear [the law] at the beginning of the legislation process.”
Lam was among the top local officials at a Department of Justice forum on Monday who credited the security law – which bans acts of subversion, secession, terrorism and collusion with foreign forces – with restoring peace and stability to the city after the 2019 civil unrest.
On Tuesday, the chief executive said she believed the privacy commissioner’s office would be happy to meet the tech companies in question and listen to their concerns.
Following a Constitutional and Mainland Affairs Bureau paper reviewing the existing Personal Data (Privacy) Ordinance in January last year, the commissioner is now in the process of finalising details of the anti-doxxing law by the end of the current legislative session, which is expected in late October.
The proposed amendments to the ordinance will cover six areas including a mandatory data breach notification, a requirement for a data retention policy and regulations governing the disclosure of personal data.
Under those changes, anyone engaged in doxxing with the intent to threaten, intimate, harass or cause psychological harm to others and their family members – or “being reckless” to produce the same effect – will face up to five years in jail and a maximum fine of HK$1 million (US$129,000).
During the 2019 unrest, police officers and their supporters, as well as protesters and journalists, were commonly targeted by those seeking to maliciously expose their personal data and pictures on the internet.
Hong Kong is the latest jurisdiction to make the move to outlaw doxxing, following in the footsteps of Singapore, the European Union, Australia, New Zealand and Canada.
Singapore made the practice an offence in January last year under the Protection from Harassment Act, which criminalises individuals or entities intentionally causing harassment, alarm or distress to another person.
The Singapore-based Asia Internet Coalition, which counts 13 online and technology firms among its membership, including some of the world’s largest companies, declined to respond to Post queries on why the organisation was prepared to adapt to the city state’s doxxing legislation but was unwilling to do so for Hong Kong’s version.
In its submission to the Hong Kong privacy regulator, the coalition said it was unfair to hold local staff responsible if their overseas-based companies did not remove content on their platforms as authorities required.
The body also criticised what it said was a loose definition of doxxing, which risked deeming innocent acts of sharing information unlawful.
The alliance also asked that the privacy commissioner’s office clarify how psychological harm, a factor in determining convictions, was to be interpreted, or remove it from the proposal altogether.
A spokesman for the office said the new rules only concerned unlawful doxxing and its related enforcement powers, while the scope of new requirements would be clearly set out.
“The [privacy commissioner] strongly rebuts any suggestion that the amendments may in any way affect foreign investment in Hong Kong,” he said, adding that the regulator would meet alliance representatives soon.
In the absence of a law specifically forbidding doxxing, authorities have looked to other legal mechanisms to bring prosecutions, such as injunctions.
Between June 2019 and May 2021, the regulator handled more than 5,700 doxxing-related cases, of which about a quarter were subject to a police investigation.
During that period, 63 of those cases involving an alleged breach of the court’s injunction orders were referred to the Department of Justice for further action.