Hong Kong’s legislature today began debating new legal rules that would criminalize doxxing, the practice of publicly disclosing someone’s private information. While the government has said the rules are meant to protect individuals from having their personal data leaked online, critics say the legislation is so ambiguous in wording and expansive in scope that it undermines the freedom of expression and communication, and may even threaten US tech firms’ presence in Hong Kong.
What is the doxxing law?
The proposed changes would criminalize doxxing, making the offense punishable by up to HK$1 million ($129,000) in fines and five years’ jail time.
It would empower the city’s privacy commissioner to launch criminal investigations and prosecute suspected violators, and to demand the handing over of documents and information from anyone linked to a probe. In addition, it would authorize the privacy commissioner to seize and search electronic devices without a court warrant. The government argues these steps are necessary to “streamline” the handling of doxxing cases, as the new powers given to the privacy commissioner means they would not need to refer cases to the police.
Beyond the ability to seize and search materials, it would also allow the privacy commissioner to issue legally binding take-down orders for any doxxing content. The cessation notices can be served to people or service providers regardless of whether they’re physically in Hong Kong or not, and regardless of whether the alleged data disclosure was made in Hong Kong or not. (The disclosure has to involve someone who is a Hong Kong resident or present in Hong Kong at the time the disclosure was made. However, the law also covers family members of the subject who may be harmed by the disclosure, and the law doesn’t specify whether the family member must be present in Hong Kong.)
The extraterritoriality is in line with the approach taken under Hong Kong’s national security law, which covers everyone on earth.
Why are critics including Facebook, Google, and Twitter alarmed?
Last month, an industry group representing major tech firms including Facebook, Google, Twitter, and Apple warned in a detailed letter (pdf) that the proposed amendments poses a “grave impact on due process and risks for freedom of expression and communication” and could force them to cease offering their services in Hong Kong.
The Singapore-based Asia Internet Coalition—which also counts Amazon, Apple, Airbnb, and Yahoo among its members—laid out in detail the issues of concern with regards to the bill, and offered various recommendations. Particularly worrying, according to the letter, is the fact that what constitutes doxxing is never explicitly defined in the bill beyond being described as “intrusive to personal data privacy and in effect weaponize personal data.” Given that there is currently no universally accepted definition of doxxing, this poses “problematic ambiguity” could lead to overly broad interpretations that criminalize innocent acts of information sharing, the letter said.
Already, there is precedent for vague doxxing rules being used to potentially stifle the free flow of information. In October 2019, at the height of the Hong Kong protests, a court granted a sweeping injunction ostensibly aimed at protecting police from doxxing. However, it was so vaguely worded that appeared to ban the publishing of any identifiable photos of police officers without consent, including those taken in a public place, with no exemptions made for the media.
Another cause for concern is the risks posed to Hong Kong-based employees of the US tech firms. Given the extraterritoriality of the new rules, an alleged doxxing disclosure made on an overseas social media platform would still be subject to take-down orders.
For example, if alleged doxxing content is shared on Facebook, the government could hold Hong Kong-based Facebook employees criminally liable for failing to remove the content in question, even if the content is hosted on overseas servers. The Hong Kong government has already made it clear that it may prosecute local staff if their company fails to comply with a take-down order. Hong Kong authorities could also block websites that do not remove alleged doxxing content. In effect, this is yet another step towards making China’s firewall truly global.
In the letter, the companies said that the only way to shield its staff from these risks “would be to refrain from investing and offering their services in Hong Kong.” While an overseas service provider, with no presence or services in Hong Kong, can also receive a cessation notice and be liable for failing to act on the notice, it’s unclear how local authorities would take legal action against such an entity. Whether and how the firms will actually curtail their business presence in Hong Kong remains to be seen.
Lokman Tsui, a free speech and digital rights expert who has researched doxxing issues and Hong Kong’s data protection laws, wrote in a recent Twitter thread that there are many ways in which a foreign tech firm can be said to be “leaving a market.”
While data protection rules are in flux globally, the letter noted that the new search and arrest powers given to the privacy commissioner practically elevate the body into a parallel police force “in a manner that is highly unusual and out of step with international privacy developments.”
Twitter, Facebook, and the Asia Internet Coalition declined to provide additional comments. Quartz has also reached out to Google for comment.
When will the law come into force?
The amendments went through their first and second readings today. It’s unclear when the third and final reading is scheduled for before they’re voted on in a legislature that no longer has an opposition. As such, the new rules are almost certain to be rushed through as quickly as possible and rubber-stamped, in the same way that new immigration rules were quickly added this year in a move that could empower the government to impose exit bans. The government has indicated as much, saying last week that it hopes to secure the bill’s “early passage.”