Doxxing and privacy reforms to be introduced this August

The Australian Attorney-General recently announced that the Government would introduce privacy law reforms in early August, including provisions to combat the release of private data online, also known as doxxing. The reforms are the result of a public consultation in March on how to address doxxing through civil remedies, most notably the proposed introduction of a statutory tort for serious invasions of privacy.

As instances of doxxing continue to rise and challenge the balance between privacy and freedom of expression, there is a growing call for a robust legal framework to build a safer online environment. Some existing laws may assist individuals who are doxxed, but their scope and effectiveness in combatting doxxing are mixed. While we wait for the Government to publish more details of the draft legislation, we share our insights on the reform and look at how it compares to approaches in other jurisdictions.

Doxxing

Doxxing, as defined by the eSafety Commissioner, is “the intentional online exposure of an individual’s identity, private information or personal details without their consent”. Victims of doxxing not only suffer from an invasion of privacy but also face risks of identity theft, financial fraud, public shaming, and risks to personal safety via stalking. At the same time, there are concerns that anti-doxxing legislation may curb freedom of expression and journalism. It is this tension between achieving privacy outcomes to protect individuals from doxxing and freedom of expression that is a major issue for consideration in the doxxing reforms.

Consultation on doxxing and privacy reforms

The Attorney-General’s Department consultation outlines its proposed approach to doxxing by enhancing privacy protections as part of the Privacy Act reforms. In this regard, the proposal is to:

  • Introduce a new statutory tort for serious invasions of privacy;
  • Introduce new or strengthened individual rights to access, object, erase, correct, and de-index their personal information; and
  • Progress other privacy reform proposals in the Privacy Act Review.

The latter two are covered in the Privacy Act Review and agreed-in-principle by the Government.

In relation to the first item, the Privacy Act Review recommends the introduction of a statutory tort for serious invasions of privacy in the form recommended by the Australian Law Reform Commission in Report 123 (Serious Invasions of Privacy in the Digital Era) (“ALRC Model”). The Government has agreed in principle to the introduction of the statutory tort per the ALRC Model.

The ALRC Model provides that the statutory tort would require proof of these key elements:

  • Invasion of privacy either by intrusion into seclusion or misuse of private information, committed intentionally or recklessly, and serious;
  • A reasonable expectation of privacy by the victim in all the circumstances; and
  • The public interest in privacy outweighs any countervailing public interests.

A comparison to Hong Kong’s anti-doxxing provisions

By comparison, Hong Kong introduced anti-doxxing provisions into its Personal Data (Privacy) Ordinance (the “HK anti-doxxing provisions”) in 2021. The HK anti-doxxing provisions criminalise doxxing activities, empower the Privacy Commissioner for Personal Data (“PCPD”) to conduct criminal investigations and prosecution, and authorise the PCPD to issue cessation notices and demand removal of doxxing messages.

The HK anti-doxxing provisions provide for two tiers of doxxing offences.

  • First-tier offence: A person commits a first-tier offence if that person discloses any personal data of a data subject without the relevant consent of the data subject, with an intent to cause any specified harm or being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member.
  • Second-tier offence: The offence becomes second-tier if the disclosure caused specified harm to the data subject or any of their family members.

Under the HK anti-doxxing provisions, “specified harm” means “(a) harassment, molestation, pestering, threat or intimidation to the person, (b) bodily harm and psychological harm to the person, (c) harm causing the person reasonably to be concerned for the person’s safety or well-being, or (d) damage to the property of the person”.

The PCPD has the power to issue cessation notices to a Hong Kong person (including individuals or bodies of persons), or to a person that has provided or is providing any service to any Hong Kong person, requesting them to take a cessation action. For electronic messages, cessation action may include removing the message from the relevant platform, ceasing or restricting access by any person, or discontinuing the hosting service for part or whole of the platform.

The PCPD has been robustly enforcing the HK anti-doxxing provisions. Between April 2022 and March 2023, the PCPD handled more than 1,500 doxxing cases and issued more than 1,000 cessation notices. As of March 2024, there have been at least 40 court judgments relating to doxxing, which include 21 convictions.

Comparing a statutory tort and the criminal law approach in Hong Kong

Unlike Hong Kong, Australia’s proposed approach is not to criminalise doxxing; rather, it introduces a new statutory tort and other protections in the Privacy Act. The table below highlights the differences in the legal frameworks and potential outcomes for doxxing incidents.

Approach

Australia

Statutory tort of serious invasions of privacy based on the ALRC Model

Hong Kong

Criminal Law

Practices concerned

Australia

Intrusion into seclusion or misuse of private information

Hong Kong

Disclosure of personal data of a data subject

Elements

Australia

  • Reasonable expectation of privacy (objective but consider all circumstances).
  • Fault requirement - committed intentionally or recklessly.
  • Serious invasion of privacy.
  • Public interest in privacy outweighs any countervailing public interests.

Hong Kong

  • Without the relevant consent of the data subject; and
  • With an intent to cause specified harm or being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any of their family members.
  • Becomes second-tier if the disclosure caused specified harm.

Defences

Australia

The balancing exercise between the public interest in privacy and countervailing public interests, in effect, provides a public interest defence. Countervailing public interest matters include, among others, freedom of expression and freedom of the media.

Further available defences may also include:

  • Lawful authority
  • Incidental to defence of persons or property
  • Necessity
  • Consent
  • Absolute privilege
  • Publication of public documents
  • Fair reporting of public proceedings

Hong Kong

Available defences include:

  • Lawful authority
  • Crime prevention
  • Reasonable belief of consent
  • Disclosure solely for a lawful news activity with reasonable grounds to believe that the publication or broadcasting was in the public interest

Outcome

Australia 

Remedies for the plaintiff may include:

  • Damages
    • Including damages for emotional distress and in exceptional circumstances, exemplary damages
    • Capped at an amount not exceeding that on damages for non-economic loss in defamation
  • Account of profits
  • Interlocutory or other injunctions
  • Delivery and destruction or removal order
  • Correction order
  • Apology order

Hong Kong

The defendant may face up to:

  • For first-tier offences: HK$100,000 in fines and 2 years of imprisonment; and
  • For second-tier offences: HK$1,000,000 in fines and 5 years of imprisonment.

Although the HK anti-doxxing provisions provide for injunctions and cessation notices, the power is exercised by the PCPD to demand actions to cease or restrict disclosure of doxxing contents.

Other jurisdictions

The approach taken with respect to doxxing varies between jurisdictions. In addition to Hong Kong, doxxing practices are also criminalised in California and the Netherlands. Singapore also criminalises publication of identity information of another person with intent to cause, and which causes, harassment, alarm, or distress. Courts in the UK, New Zealand and some states in Canada recognize the right to respect for privacy or a tort for invasion of privacy, but it is notable that all these jurisdictions have over-arching human rights laws that include a right to privacy in some form. Meanwhile, a statutory tort for invasion of privacy has been recognized in some states in the US and in Canada.

Our insights

As Australia has not developed a common law tort for privacy, the statutory tort will be a positive step in Australia’s effort to uphold privacy rights and curb doxxing acts, especially absent a human rights act of some form. The legislative reform can consider experiences from other jurisdictions in developing the most appropriate approach for Australia. As the comparison above demonstrates, the use of a civil tort, as opposed to criminal law, is intended to ensure competing public interests (such as freedom of expression and journalism) are appropriately balanced against the need to protect against doxxing and provide appropriate redress for victims. A valid concern remains regarding the accessibility of these civil rights to ordinary individuals who are the victims of doxxing, in terms of speed, cost and effectiveness, at least in the short term. It remains to be seen whether the civil tort will be effective in deterring doxxing.

However, the introduction of the statutory tort for invasion of privacy will be a significant step in the ongoing reforms of Australian privacy law. In parallel, the Australian federal government will press on with reform of the Privacy Act as a whole, with draft legislation slated to be introduced as early as August 2024. We will continue to provide updates on privacy law reform in Australia as information becomes available.

Be prepared for continuing reforms in privacy and online safety

Organizations that collect, hold, or process personal information of customers, suppliers, (potentially) employees or the wider public will be expected to comply with changes to the privacy laws. In anticipation of the expedited doxxing and privacy reforms and without information on whether there will be any grace period, organizations should be prepared to evaluate their data governance strategies and data protection practices. When more details of the reforms are published in August, organizations can get prepared by having in place comprehensive and well-drafted policies and training materials, as well as practical and effective procedures. This will also help organizations to prepare for the wider reforms to the Privacy Act.

In addition, organizations and especially social media companies and digital service providers should familiarise themselves with the latest developments including the Australian Government’s recent announcement on trialling age assurance technology to protect children from harmful content and introducing legislation to criminalise the creation and non-consensual distribution of deepfake pornography. In addition, the upcoming Federal Court hearing testing the limits of the removal notice regime under the Online Safety Act in Australia will be of great interest both locally and globally. The Australian government has repeatedly demonstrated a willingness to introduce new and innovative laws to regulate emerging digital and cybersecurity issues, sometimes with unintended consequences for the broader business ecosystem. It is important to stay close to the reforms and understand the impact on your operations. 

 

Tara Li, a trainee solicitor at our Hong Kong office, also contributed to this article.
