Hong Kong’s Two-Tier Doxxing Regime

Hong Kong criminalised doxxing in 2021 through amendments to the Personal Data (Privacy) Ordinance, introducing a two‑tier regime: 

Under section 64(3A) of the Ordinance, the “first-tier offence” is committed when a person discloses someone’s personal data without their consent: 

(a) with an intent to cause any specified harm to the victim or any family member; or

(b) being reckless as to whether any specified harm would be, or would likely be, caused to the victim or any family member.

A person commits a “second-tier offence” under section 64(3C) of the Ordinance if the disclosure actually causes any specified harm to the victim or any family member.

A person who commits a first-tier doxxing offence is liable, on summary conviction, to a fine of HK$100,000 and up to 2 years’ imprisonment. For a second-tier doxxing offence, the penalty on conviction on indictment is a fine of HK$1,000,000 and up to 5 years’ imprisonment.

Implications for employers 

Weaponising data obtained through employment to intentionally cause harm to colleagues can constitute serious misconduct justifying summary dismissal without notice under Hong Kong law. 

When an employee resigns or is terminated, the employee’s access including administrator rights to chat groups, shared mailboxes, and collaboration platforms should be revoked. This will minimise the risk for data leaks and reputational damage.

Employers should reinforce policies on data handling and confidentiality, ensuring staff understand that misuse of personal data is not only a breach of trust but potentially a criminal offence
Should you have any questions, please feel free to contact a member of our team.