Image Source:

This article is written by Srishti Agrawaal, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho.


During the protests of 2019 that took place in Hong Kong in reference to the Anti-Extradition Law Amendment Bill movement, the practice of “doxxing” came under scrutiny after the police officers were targeted as their personal details were released online. This detail so released did not just contain their own personal details but also the information related to their houses and went as far as leaking the information of the schools of their children, thus threatening the security of their families as well. 

This act raised concerns over the amount of data collected by social media platforms and the protection of the same. Hong Kong is an important city for tech giants such as Facebook, Google due to the presence of its servers that collect the data and preserve them for the smooth running of these tech companies. During the protests, social media was rightfully termed as the battleground, as it had played a large role in the documentation, organisation and assembly of large-scale protests.

Download Now

The cybersecurity loopholes were largely exposed and exploited to their maximum extent in these protests. This led the Government of Hong Kong to propose an amendment to the existing data privacy laws and introduce anti-doxxing laws. 

What is doxxing? 

Doxxing is the act of maliciously publishing the personal details of the users and spreading their private information without their consent. This information could be related to the victim’s real name, their house addresses, their social security number, their bank account details etc., thus it is an alarming threat to the users. Though doxxing as a term emerged in the 1990s, it has recently been used in cultural wars, where the rival gangs would reveal information about the opposite group due to differences in opinion, thus bringing the virtual fight to the real world. The main purpose behind revealing the information of the victim remains the intent to threaten, humiliate or even punish them. 

As per the proposed amendments, any person found guilty of doxxing could face a penalty charge of up to 1 million Hong Kong Dollars and/ or a prison sentence of up to 5 years. 

What got the social media giants worried?

As per the latest reports a coalition of the companies such as Google, Facebook, Twitter etc. citing the threat to the security of their employees in Hong Kong, wrote a letter to the Centre for retracting the proposed law on anti-doxxing, as they fear that the companies would be made vicariously liable for the doxxing of anybody if the information leaked is collected by the said companies and has been promised to be protected by the same. These companies have cited that the vague definition of “doxxing” could give arbitrary power to the authorities that could be equivalent to the powers of the police force. 

While acknowledging the “serious” nature of the problem, the industry group said the proposals to limit free expression were overbroad, ambiguous and a “completely disproportionate and unnecessary response,” particularly “excessive” plans to hold platforms, and their staff, criminally liable for the content they “have no control” over. The letter also provides for an amicable solution in the form of disinvestment and halt to all operations in the city of Hong Kong. 

The alleged national security law is argued to be an encroachment on the freedom of speech and expression and human rights, thus adding more to the adverse conditions in the business environment for the social media giants. 

The law that prevailed earlier

The data privacy law that prevailed earlier was the Personal Data (Privacy) Ordinance, popularly known as PDPO. The organisations that were involved in the processes of collecting, holding or using personal data had to mandatorily comply with the regulations laid down under this law, additionally, they also had to comply with the Six Data Protection Principles that were contained in Schedule 1 of the PDPO. These six principles are the foundation of the data protection law in Hong Kong. 

The law prevalent covers both the public and the private sectors. The law was established in the year 1996 but underwent major amendments in the year 2012 that was majorly focused on direct marketing regulation and enforcement with respect to the use of personal data. 

Basic requirements with which data collectors must comply

The six DPPs set the basic requirements with which data collectors must comply in the handling of personal data. The principles are as follows: 

Principle 1: Purpose and manner of collection of personal data

This principle states that data should only be collected if the same is a required necessity for any lawful purpose that has a direct connection to the activity of the data user. It shouldn’t be excessive and must be adequate in nature, that is as much as required, nothing more. They also had the duty to inform the data subjects of the purpose of collection, the transferees of the data if any, whether it is mandatory to provide data, what would be the repercussions for not providing the same, what steps need to be undertaken for correction of the said data. 

Principle 2: Accuracy and duration of retention

This principle states that the data collector must have updated and accurate information. It also states that the data collected must not be retained longer than the required time or must delete information once the purpose is fulfilled. Even if the services of a data processor are engaged the same principle is applicable to them as well, regardless of the fact that they are not present in the city of Hong Kong. This principle is read with Section 26 of the PDPO that entails the duty of ensuring the deletion of data once the purpose for the collection of the same is complete. 

Principle 3: Use of personal data 

If the data collected has to be used for another purpose then the prescribed consent of the data subject must be obtained.   

Principle 4: Data security requirements 

This ensures that the data users must undertake all the responsibility for the protection of the data so collected against unauthorized or accidental processing, erasure, loss of use. 

Principle 5: Privacy policies

Data users have the obligation for declaring the purposes for holding the data and their policies and practices on how they handle the data. 

Principle 6: Data access and correction 

This principle instead of implying a duty upon the data collector gives the right to the data subject to undertake methods to ascertain whether the data user holds any of his or her personal data and to request a copy of the personal data, the data so collected can be corrected as well if the need be. 

As per the laws of data protection, as provided by the PDPO, one can infer that the data collection by data user is allowed but it is subject to certain conditions and only if the conditions are fulfilled it is allowed for the data of the user and also the data subject to be used. 

Hong Kong is renowned for being one of the first countries in Asia to have enacted data protection laws. The proposed amendments to the data protection laws can be argued to be brought under the pressure of the police forces and the adjudicating authorities, during early 2020, the social media giants such as Facebook, and Google had denied the authorities access to the data of the protestors. As had been stated before, social media was one of the many battlegrounds of the protests and had thus been a crucial medium of helping the virtual world meet the real world, thus the Hong Kong authorities wanted to access the data of such organisers which had been promptly denied by the social media companies. 

The arguments of the tech giants about the definition of doxxing being too vague must be looked into and corrected as the same as the authority of introducing some new loopholes which may potentially be exploited by the authorities. Too much power on either hand is always a dangerous thing. 

The tech giants are well within their rights to collect data and use the same as this is their main activity and the same has been authorized by the PDPO as well. One question that the authorities in Hong Kong can ask; is about the transparency and the protection of the data collected. 


Doxxing is an unethical practice and is rightfully so condemned by the cyber world. It has given rise to cyber-bullying and cyber-harassment and has made the users of the cyber world feel threatened. The introduction of anti-doxxing laws can be seen as both a positive and a negative. If enacted it would ensure stricter protocols for the protection of user data and stricter punishment for wrongful usage. On the other hand, one can argue that the fears of the tech giants of being made vicariously liable are not baseless for sometimes even if proper protection is ensured, the data leaks occur, then the question of who is responsible would be raised. 

Clearer instructions and definitions must be ensured in the amendment, as per the threat to the tech giants, they need to understand that the anti-doxxing being criminalized is a good effort towards proper cybersecurity. The circumstances under which the law is being enacted should also be taken into consideration as well as it indicates whether the law is bent towards benefiting the government or to benefit the citizens; if the tech giants make good on their threat of quitting Hong Kong, it could prove to be a fatal blow to the economy of the city.


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here