During the Hong Kong protests in 2019, doxing — the malicious sharing of personal information online — was rife.
Protesters used Facebook and Telegram to broadcast the details of police officers accused of violence, and government supporters published the private information of opposition politicians, activists and journalists.
“Such weaponisation is arguably the worst form of data [use] in action we have ever seen,” said Hong Kong’s privacy commissioner for personal data. From mid-June 2019 to March 2020, there were about 5,000 incidents of doxing reported to, or uncovered by, the commissioner, according to the department’s annual report. A number of people who had shared the personal details of police officers were jailed. For 2020 as a whole, the number of doxing cases had dropped to about 1,000 as the protests fell away during the pandemic.
Hong Kong is now taking further action on doxing with changes to data privacy laws. But in doing so, it has raised concerns that the new measures will give the territory’s administration sweeping powers to crack down on freedom of expression, curtail access to public information and restrict the way social media groups operate.
Companies such as Google, Facebook and Twitter have warned about the impact of policy changes that would give the privacy commissioner vast powers to launch criminal investigations and proceedings against the local offices of social media companies for not removing material on their platforms. It could also in effect make the employees of the tech groups liable for user content. And Hong Kong has said it could block access to websites containing doxing content.
The tech groups say they may be forced to stop providing services in the territory as a result of the changes. “The only way to avoid these sanctions . . . would be to refrain from investing and offering their services in Hong Kong,” says the Asia Internet Coalition, which represents the tech groups.
The proposals would mean that sharing personal information online that could cause the subject “psychological harm” would result in tough penalties including up to five years in jail. The AIC says this is too broad and discretionary a term to be used as an appropriate legal test.
In other measures, company directors will be allowed to withhold some of their personal information, such as full identification numbers, from Hong Kong’s companies registry.
This has led to concerns that directors could use versions of their name in different languages to obscure their identity, making fraud more likely. Following an outcry from corporate governance groups, investors, lawyers and accountants — who use the register to conduct investigations and due diligence — some people, such as company liquidators, can apply for full access to the information.
There are reasons for Hong Kong to act over the misuse of publicly available personal information. Hong Kong’s data privacy laws have lagged behind international standards, particularly in the case of large corporate data breaches. And the harm caused to individuals who are victims of doxing should not be minimised.
However, critics say Hong Kong’s policy response has the potential to severely restrict the free flow of information for legitimate purposes. This would further undermine Hong Kong’s reputation as an international business centre.
“It is an incredibly mainland Chinese way of operating, designed to invest a huge amount of discretion in the authorities in terms of how the rules are enforced,” says one senior adviser to the tech companies.
In mainland China, the crackdown on ride-hailing app Didi last week showed how the mission of protecting data privacy can be deployed with huge impact, in this case wiping billions of dollars from the company’s value.
Hong Kong chief executive Carrie Lam has dismissed concerns over the application of the new policies, stating the territory wants only to target “illegal doxing”. However, her reassurance might not have brought much comfort for international business. Lam likened the data privacy measures to the rollout of the national security law last year, which has radically altered the legal landscape of Hong Kong.
And for international companies operating in Hong Kong, the new measures touch on pervasive issues — how will the territory’s authorities apply laws? And will any action on privacy chime with common-law norms?
“In the past there was faith,” said the senior adviser to the tech firms, “but that certainty has been eroded.”