Hong Kong Privacy Law: Navigating Doxxing Offences and Corporate Liability Under the PDPO

Alfred Leung, YTL LLP

The recent arrests announced by the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) serve as a decisive reminder of the jurisdiction’s robust enforcement of privacy laws. On 10 March 2026, the PCPD apprehended two individuals in connection with suspected doxxing activities arising from a private monetary dispute. For corporations and senior management, this case underscores the escalating legal and reputational risks associated with the misuse of personal data.


The Facts: A Dispute Resulting in Criminal Allegations

According to the PCPD, the investigation centers on two individuals alleged to have contravened section 64(3A) of the PDPO by disclosing another person’s personal data without consent. The underlying dispute involved a joint property investment that soured. Subsequently, flyers were publicly posted containing negative commentary and, critically, disclosing the victim’s name, photographs, and images of family members. The arrestees have been granted bail pending further investigation.

This matter, while at an early stage, provides a useful lens through which to examine the statutory offences and potential liabilities that can arise from data misuse.

The Statutory Framework

A precise understanding of the PDPO’s offence provisions is essential. Part 9 of the Ordinance establishes a tiered regime of criminal liability for data privacy breaches.

1. The Core Doxxing Offence: Section 64(3A)

The arrests were made under section 64(3A), which creates an offence where a person discloses personal data of a data subject without their “relevant consent” and:

  • intends to cause “specified harm” to the data subject or their family; or

  • is reckless as to whether such harm would be or would likely be caused.

The inclusion of “recklessness” as a mental element is significant. It lowers the evidentiary threshold for the prosecution, as it does not require proof of a positive intent to cause harm. It is sufficient that the accused proceeded with the disclosure in circumstances where a reasonable person would have appreciated the risk of harm.

Upon summary conviction, the penalty is a fine at Level 6 (HK$100,000) and imprisonment for two years.

2. Aggravated Offence: Section 64(3C)

Where a disclosure made with the requisite intent or recklessness actually causes “specified harm,” the offence is aggravated under section 64(3C). This is an indictable offence carrying the maximum penalty of a HK$1,000,000 fine and five years’ imprisonment.

3. Definition of “Specified Harm”

“Specified harm” is defined exhaustively in section 64(6) and includes:

  • Harassment, molestation, pestering, threat, or intimidation;

  • Bodily or psychological harm;

  • Harm causing reasonable concern for a person’s safety or well-being;

  • Damage to property.

The definition’s breadth, encompassing psychological harm and reasonable safety concerns, means that a wide range of consequential impacts can elevate a disclosure to a criminal matter.

Corporate Exposure: Vicarious Liability and the Employer’s Duty

For corporations, the implications of employee misconduct are a primary concern. Section 65 of the PDPO addresses the liability of employers and principals.

  • Vicarious Liability (Section 65(1)): The Ordinance provides that any act done by a person “in the course of his employment” is treated as done by the employer as well, irrespective of the employer’s knowledge or approval. This statutory codification of vicarious liability means that organizations can be held civilly liable for privacy breaches committed by their staff.

  • Statutory Defence (Section 65(3)): In civil proceedings, an employer may avoid liability by proving that it “took such steps as were practicable to prevent the employee” from committing the contravention. “Practicable” is defined in the Ordinance as “reasonably practicable,” imposing a standard of proactive and ongoing compliance.

  • Criminal Liability (Section 65(4)): It is important to note that section 65 does not apply to criminal proceedings. Criminal liability for doxxing rests with the natural person who committed the act. However, as a separate matter, directors and senior officers who consent to or connive in an offence by a body corporate may be personally liable under the Criminal Procedure Ordinance (Cap 221).

Civil Remedies: Compensation for Damages

Beyond criminal sanctions, the PDPO provides a civil remedy for aggrieved individuals. Section 66 entitles an individual who suffers “damage” by reason of a contravention to compensation from the data user.

Critically, section 66(2) expressly provides that “damage” may include injury to feelings. This acknowledges the non-pecuniary harm inherent in privacy intrusions and opens the door to significant compensation claims. Proceedings are brought in the District Court, though the full range of remedies available in the Court of First Instance may be sought.

Implications for Businesses

This enforcement action should prompt all organizations handling personal data to reassess their governance frameworks. Key considerations include:

  • Robust Policies and Training: The statutory defence under section 65(3) requires demonstrable, practicable steps to prevent misconduct. Written policies alone are insufficient; regular, documented training on the boundaries of acceptable data use and the consequences of doxxing is essential.

  • Incident Response Preparedness: An effective response to a data breach or employee misconduct can mitigate both regulatory sanctions and civil claims. Organizations should have a clear protocol for internal investigation, engagement with the PCPD, and communication with affected individuals.

  • Dispute Resolution Protocols: As this case illustrates, commercial disputes can escalate into criminal matters when data is misused. Clear internal guidance on permissible conduct during disputes is a critical risk management tool.

How YTL LLP Can Help

We advise individuals and corporations on compliance with the PDPO, defend against regulatory investigations and civil claims, and conduct privileged internal investigations into suspected data breaches. 


Alfred Leung, Partner

alfredleung@hkytl.com; +852 3468 7202

This article is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this article. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.