Data Privacy & Doxxing

Since October 2021, Hong Kong has criminalised doxxing under Part 3A of the Personal Data (Privacy) Ordinance (Cap. 486). The Privacy Commissioner for Personal Data now has direct criminal investigation and prosecution powers. We advise individuals and organisations on the implications of these provisions and on data privacy compliance more broadly.

Doxxing Offences & Penalties

The doxxing amendments create two tiers of offence. Disclosing personal data without consent with intent to cause specified harm carries a maximum penalty of two years' imprisonment and a fine of HK$100,000. Where the disclosure actually causes specified harm, the maximum penalty increases to five years' imprisonment and a fine of HK$1,000,000. "Specified harm" includes harassment, threats, intimidation, bodily harm, and psychological harm. We advise on what constitutes a disclosure, the intent thresholds, and the defences available under the Ordinance.

Cessation Notices & Organisational Compliance

The Privacy Commissioner may issue cessation notices requiring the removal of doxxing content, and non-compliance with a cessation notice is itself a criminal offence. For organisations, these provisions create significant compliance considerations — particularly for online platforms, employers, and businesses that handle personal data. We advise on responding to cessation notices, defending against doxxing allegations, and developing data privacy policies that address the doxxing regime alongside the broader requirements of the Personal Data (Privacy) Ordinance.

If you are facing a doxxing investigation or need advice on data privacy compliance, contact us for a confidential discussion.