The HKSAR government gazetted amendments to the Personal Data (Privacy) Ordinance (PDPO) against doxxing (anti-doxxing bill) on 16th June, 2021, and the first reading and debate took place in legislature on 21st July, 2021 (Wednesday). Internet Society Hong Kong is concerned over the new anti-doxxing bill, while we acknowledge the importance of protecting citizens’ privacy, yet the newly proposed bill is authorizing Privacy Commissioner excessive power. We are worried that the bill will cause damage to the free flow of information in Hong Kong and go against the principles of open and unrestricted Internet promoted around the globe.
- Excessive Power to the Privacy Commissioner
We believed that the amendments would give excessive and disproportionate power to the Privacy Commissioner. Anti-doxxing bills overseas in general only deal with those who disclose information and have caused substantial harm to the victims. However, the amendments proposed by HKSAR government grant Privacy Commissioner power to request any third party, including online platforms, search engines and Internet service providers (ISP) to shut down websites in question, provide assistance to investigation, or potentially demanded to “decrypt” information by to monitor and access website traffic.
In practice, the amendments let the Privacy Commissioner conduct a search and decrypt anyone’s electronic devices without a court warrant for cases of suspected contravention of the bill. This would effectively empower Privacy Commissioners to conduct criminal investigations and request third parties to comply. This excessive power is unprecedented and also unheard of in other countries.
- Vague definition & grey areas in the bill
The law amendments are vague and consist of undefined grey areas, which could easily be abused as “speech crime”. The definition on personal data remains the same in the amended bill, however, doxxing acts which cause “psychological harm” and are “being reckless as to whether the data subject or any immediate family member would be threatened, intimidated or harassed” are regarded as an offence according to the amendments. This definition of doxxing is too vague and subjective, which might lead to “speech incrimination”. ISOC HK worries that the bill could easily be abused and lead to revenge-style prosecutions to crush whistle-blowers and disclosure of materials that are of public interest to know.
- Limit Information freedom and affect Hong Kong’s role as Internet hub
ISOC HK concerns that by granting Privacy Commissioner power to shut down websites and criminal investigation, on top of the vagueness of the bill, it can easily be abused and become a means to crush dissent and pre-empt whistle-blowers, causing a negative impact on the free flow of information. As mentioned above, the Privacy Commissioner is given excessive power, for instance, online platforms, search engines, and network service providers can be asked to shut down websites, breaking the principle that Internet providers are not responsible for the content transmitted, and transferring legal risks to third parties that have nothing to do with the leakage of personal data. Online platforms and service providers, due to technical limitations, might be forced to close down other related or even unrelated websites in one go, causing inaccessibility to other legitimate services. In addition, the amendments would undermine Hong Kong’s role as an Internet hub in the long run. Since the Privacy Commissioner has the right to search and decrypt any relevant person’s electronic device “under reasonable suspicion” without a court warrant, it would weaken the technology companies’ confidence to invest and set up business in Hong Kong. Foreign companies might not regard Hong Kong as a network hub or a preferred choice for cloud their services.
ISOC HK believes that while the current amendments to the Personal Data (Privacy) Ordinance solely deals with doxxing acts, the amendments neglected personal data protection in other important areas, such as large-scale leakage of personal data by enterprises and government bodies.. To ensure privacy protection, the government should strengthen regulation of personal data within enterprises and government bodies by making reference to the practice of foreign countries, such as mandatory disclosure of data breach incidents and formulate penalties against the offending organisation and compensate affected personnels, or having the negligence management criminally liable. On the contrary, solely targeting doxxing acts and unproportionately increasing Privacy Commissioner’s power would only limit free flow of Information in Hong Kong, affect the city’s role as Internet hub and make the society question that the authorities are only persecuting “speech crime” through law amendments.
20th July, 2021
Internet Society Hong Kong