Skip to main content

A. Two-tier doxxing offences



Under section 64(3A) of the Ordinance, a person commits an offence if he/she discloses any personal data of a data subject without the relevant consent of the data subject, and in the circumstances that either:


  • He/she is with an intent to cause any specified harm to the data subject or any family member of the data subject; or


  • He/she is reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.




The “second-tier offence” is provided for under section 64(3C) of the Ordinance. On top of the requirements of the “first-tier offence”, if the disclosure of personal data has in fact caused any specified harm to the data subject or any family member of the data subject, the person would have committed the “second-tier offence”.




There are four categories of “specified harm” under section 64(6) of the Ordinance, namely:


  1. Harassment, molestation, pestering, threat or intimidation to the person


Example: When a data subject (e.g. Person A) and his family member’s personal data were disclosed by netizens extensively and as a result, he received a considerable amount of nuisance calls and messages, and was thus subject to immense psychological pressure and harassment.


  1. Bodily harm or psychological harm to the person


In determining whether the disclosure has caused this category of specified harm, the Court will generally take into account medical reports which contain a doctor’s assessment of the physical or psychiatric condition of the data subject. These reports will serve as proof of the physical or psychological harm suffered by the data subject.


Generally, there is a relatively high threshold for proof of “psychological harm” in which case expert evidence is required to prove that harm has been caused to the psychological aspect of the victim.


Example: When doxxers disclosed personal data of Person A’s children online and suggested various methods to bully and boycott these children at school, including picking them up from school with a gunny sack. Person A suffered from psychological harm as a result.


  1. Harm causing the person reasonably to be concerned for the person’s safety or well-being


Example: When netizens disclosed the wedding date and venue of Person A on an online forum and called for others to attend the wedding for “celebration”; and as a result, Person A was worried that the netizens would be incited to cause disturbance at the wedding.


  1. Damage to the property of the person


Example: When Person A’s personal data, including the plate number of his vehicle and registration information, were uploaded on social media platforms; and as a result, his car was maliciously damaged and Person A had to bear the repair costs.


In handling a complaint on doxxing, the PCPD would consider the relevant and actual circumstances of a specific case when determining whether it falls within the scope of “specified harm”. The relevant factors may include but not limited to:


  • Content of the concerned message;


  • Way of expression;


  • Context in which the concerned message appeared;


  • Manner of dissemination of the concerned message;


  • Extent of circulation of the concerned message;


  • Veracity of the concerned message; and


  • Characteristics of the victims and their family members.


The ultimate determination of the applicability of the relevant provisions in relation to specific cases as well as the interpretation would be done by the Hong Kong Court.




The available defences against the offences of doxxing are provided under section 64(4) of the Ordinance, namely:


  • The person reasonably believed that the disclosure was necessary for the purpose of preventing or detecting crime;


  • The disclosure was required or authorised by or under any enactment, by any rule of law or by an order of a court;


  • The relevant consent of the data subject was obtained; or


  • The person disclosed the personal data solely for the purpose of a lawful “news activity” (or a directly related activity) as defined under section 61(3) of the Ordinance; and had reasonable grounds to believe that the publishing or broadcasting of the personal data was in the public interest.




For the first-tier offence under section 64(3A), on summary conviction, the maximum penalty is a fine of HK$100,000 and imprisonment for 2 years (section 64(3B)).


For the second-tier offence under section 64(3C), on conviction on indictment, the maximum penalty is a fine of HK$1,000,000 and imprisonment for 5 years (section 64(3D)).