Outfoxxing Doxxing: Privacy Changes Ahead

Amy Cooper-Boast, Stephanie Lo and Suli Jayasekara

The Australian Government has announced that it will bring forward legislation in August this year to tackle the growing issue of doxxing – both to ensure that victims of doxxing have sufficient legal recourse and to deter perpetrators. With public consultation completed in March, these laws will represent the first step in implementing the broader suite of proposed reforms to the Privacy Act 1988 (Cth) (Privacy Act) (discussed in this previous Insights article). Criminalisation of the practice of doxxing is also expected.

What is doxxing?

Presently, there is no statutory definition of ‘doxxing’ (or ‘doxing’). The practice has been described as the ‘intentional online exposure of an individual’s identity, private information or personal details without their consent’.[1] The Attorney-General’s Department has identified the following three types of doxxing:

  • De-anonymising doxxing – revealing the identity of someone who was previously anonymous (for example, someone who uses a pseudonym).
  • Targeting doxxing – revealing specific information about someone that allows them to be contacted or located, or their online security to be breached (for example, their phone number or home address, or their account username and password).
  • De-legitimising doxxing – revealing sensitive or intimate information about someone that can damage their credibility or reputation (for example, their private medical, legal or financial records, or personal messages and photos usually kept out of public view).

The phrase ‘doxxing’ developed as an abbreviation for ‘dropping documents’ online; the documents may be sourced through either legitimate means or illegitimate hacking. The practice has been evident across wide-ranging contexts, such as:

  • doxxing of women impacted by domestic or family violence;
  • the release earlier this year of membership of a WhatsApp group involving hundreds of Jewish Australians;
  • doxxing of American Palestinian human rights activists;
  • ‘GamerGate’ in 2014, in which male gamers doxxed female game developers;
  • the Ashley Madison incident in 2015, in which users of the website, aimed at those seeking extra-marital affairs, were publicly identified; and
  • the release of details of employees involved in the public health response to the COVID-19 pandemic, as well as those who had suffered from the virus.

The impact of these activities can leave targets vulnerable to, and fearful of, cyberstalking and physical stalking, discrimination, identity theft and financial fraud, public embarrassment, humiliation or shaming, damage to reputation, anxiety and reduced confidence.[2]

In contrast to defamation, doxxing does not necessarily involve the spreading of false information about an individual. Rather, the disclosed information is generally accurate, but is released without the consent of the individual to whom the disclosed information relates.

Australia’s current regime to combat doxxing

In Australia there is no overarching mechanism for dealing with doxxing – rather, such conduct is addressed through education, awareness, victim support and some limited avenues of legal redress.

The eSafety Commissioner supports children who have been victims of doxxing through the legislated Cyberbullying Scheme, and adults through the Adult Cyber Abuse Scheme. In serious cases, the eSafety Commissioner works with social media services to remove material posted as a result of doxxing from the internet.

In certain circumstances, doxxing may already constitute a criminal offence. Section 474.17 of the Criminal Code 1995 (Cth) renders it an offence to use a carriage service to menace, harass or offend someone, attracting a maximum penalty of 5 years imprisonment. While some forms of doxxing may be caught by s 474.17, there has been no enforcement action of that nature to date.

Doxxing, where committed by an APP entity, may also constitute a breach of the Australian Privacy Principles (APP) under the Privacy Act. However, presently, small businesses (those with an annual turnover of $3 million or less), as well as individuals dealing with personal information for a non-business purpose, are not subject to the APPs. In circumstances where doxxing is typically committed by individuals rather than businesses, the gaps in the current protections are evident.

Proposed reforms

The Attorney-General’s Department sought submissions earlier this year on its proposal to address doxxing via the upcoming reforms to the Privacy Act, including:

  • The creation of a new statutory tort for serious invasions of privacy, which would allow individuals to seek compensation and other remedies through the courts for doxxing (amongst other serious privacy invasions).
  • Five new rights (to access, object to, erase, correct and de-index one’s personal information) to provide individuals with a greater degree of transparency and control.
  • Progressing other privacy reforms proposed in the Privacy Act Review.

On 1 May 2024, the Government announced that it would:

“…bring forward legislation in early August to outlaw the release of private information online with an intent to cause harm (known as doxxing), and overhaul the Privacy Act to give all Australians and particularly women who are experiencing domestic and family violence greater control and transparency over their personal information”.[3]

The Attorney-General commented that doxxing will be subject to “serious criminal penalties”,[4] and that reforms to overhaul the Privacy Act and protect Australians from doxxing were being brought forward at the Prime Minister’s request. These reforms are being pursued in conjunction with enhanced protections against hate speech and initiatives to strengthen online safety.[5]

Over the coming months, further details will emerge on both the foreshadowed anti-doxxing legislation, and the wider range of agreed / agreed in-principle proposals revealed by the Government in late 2023 to effect a wholesale update to the Privacy Act. While there have been no further announcements with respect to the content, detail or progress of the broader privacy reforms, targeted consultations have been undertaken, focusing, to date, on the proposed removal of the small business exemption and the proposals affecting employees, journalism and research.

These developments are a timely reminder that the much-anticipated reforms to the Privacy Act are on the near horizon. Businesses are encouraged to refer to our recommended practical steps now to ensure that they are compliant with their privacy obligations and best-positioned to address the upcoming changes.

[1] Attorney-General’s Department, Public Consultation on Doxxing and Privacy Reforms, https://consultations.ag.gov.au/integrity/doxxing-and-privacy-reforms/

[2] Attorney-General’s Department, Public Consultation on Doxxing and Privacy Reforms, https://consultations.ag.gov.au/integrity/doxxing-and-privacy-reforms/

[3] The Hon Mark Dreyfus KC MP, Media Release, ‘Tackling Online Harms’, 1 May 2024, https://ministers.ag.gov.au/media-centre/tackling-online-harms-01-05-2024

[4] The Hon Mark Dreyfus KC MP, Media Release, ‘Tackling Online Harms’, 1 May 2024, https://ministers.ag.gov.au/media-centre/tackling-online-harms-01-05-2024

[5] The Hon Mark Dreyfus KC MP, Speech, Privacy by Design Awards 2024, 2 May 2024, https://ministers.ag.gov.au/media-centre/speeches/privacy-design-awards-2024-02-05-2024
