Doxxing is a relatively recent phenomenon involving the intentional malicious exposure of an individual’s personal data online and has become an increasingly common and harmful practice. Doxxing, as a practice, poses a unique set of harms. The personal data disclosed may include names, addresses, contact details, and other identifiers, all of which can subject the victim to harassment, stalking, reputational damage, and even physical harm.
A criminal offence for doxxing now forms part of the Privacy and Other Legislation Amendment Bill 2024 (Bill) before Commonwealth Parliament. This article about these doxxing reforms is part of our series summarising key elements of the Bill.
The main consultation process leading up to the Bill did not specifically address doxxing, and it was not the specific subject of any of the 116 recommendations provided by the Attorney-General’s Department in early 2023 (although some of the recommendations, such as the proposed statutory tort for serios invasion of privacy, may have application in doxxing scenarios).
However, following a series of prominent controversies, including the leaking and publication of a private WhatsApp discussion group for members of the Australian Jewish community, the Commonwealth Government sought to accelerate reforms to specifically criminalise doxxing, undertaking a brief supplementary consultation in March 2024.
If passed, the Bill would add two new criminal offences (Offences) to the Criminal Code Act 1995 (Cth) (Criminal Code):
- a ‘standard’ offence, under section 474.17C of the Criminal Code (17C Offence); and
- a more serious offence where the conduct involves protected attributes such as race, religion or sexuality, under section 474.17C of the Criminal Code (17D Offence).
These new Offences would exist alongside a number of existing criminal offences which might already apply in some doxxing scenarios, such as using a carriage service to menace, harass or cause offence.
The HWL Ebsworth privacy law team does not purport to have specific expertise in criminal law, but we present here a brief summary of the Offences, as part of understanding the broader reform package in the Bill.
The 17C offence
The 17C Offence would criminalise the release of personal data using a carriage service in a manner that a ‘reasonable person’ would regard as menacing or harassing.
The term ‘carriage service’ captures a broad range of electronic communications, including the dissemination of data via internet services and telecommunications.
To be convicted of the 17C Offence, the prosecution must demonstrate that:
- the accused used a carriage service to make available, publish, or otherwise distribute personal data;
- the personal data relates to one or more individuals; and
- the accused engaged in this conduct in a manner that reasonable persons would deem, in all the circumstances, to be menacing or harassing.
The fault element for this Offence is recklessness, a standard set out under section 5.6 of the Criminal Code. In this context, recklessness requires that the accused was aware of a substantial risk that their conduct could be deemed menacing or harassing, and that proceeding with such conduct was unjustifiable in light of the risk.
Notably for privacy professionals, the concept of ‘personal data’ is not the same as ‘personal information’ under the Privacy Act 1988 (Cth), nor is it the same as ‘personal data’ under the European Union’s General Data Protection Regulation (GDPR). Instead, ‘personal data’ encompasses any ‘information about [an] individual that enables the individual to be identified, contacted, or located’. The Bill provides a non-exhaustive list of examples of personal data, including names, photographs, telephone numbers, email addresses, and home or work addresses.
Importantly, the inclusion of an objective ‘reasonable person’ standard ensures that the offence is not contingent upon the subjective perceptions of the victim. This threshold imbues the Offence with an element of flexibility, enabling the judiciary to consider the broader societal and cultural context in which the doxxing occurred. For example, where data is shared in an inflammatory or threatening manner—such as posting an individual’s home address alongside explicit calls for violence or harassment—the court will be required to evaluate the surrounding circumstances to determine whether the conduct meets the threshold of menace or harassment.
The offence carries a maximum penalty of six years’ imprisonment. This relatively severe penalty reflects the gravity of the harm that can arise from doxxing conduct, particularly in circumstances where the exposure of personal data may result in long-lasting psychological, reputational, and financial damage. The courts, in their sentencing determinations, are likely to consider not only the nature of the data disclosed but also the extent to which the dissemination was intended to incite or facilitate further harm.
The 17D offence
The second and more serious Offence to be introduced would carry a higher penalty of up to seven years’ imprisonment.
This 17D Offence would apply where a person uses a carriage service to disseminate personal data targeting individuals or groups based on their protected attributes, such as race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or ethnic origin.
To establish the 17D Offence, the prosecution must prove the following elements beyond reasonable doubt that:
- the accused used a carriage service to distribute personal data;
- the data pertains to one or more members of a group distinguished by protected attributes;
- the accused acted, in whole or in part, based on the belief that the targeted group is distinguished by one or more of these attributes; and
- the conduct would be regarded by reasonable persons as menacing or harassing in all the circumstances.
The protected attributes listed in the Bill are race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality and national or ethnic origin.
It is significant that the legislation does not require the protected attribute to be an actual characteristic of the victim. Rather, it is sufficient if the accused believes that the group or individual possesses the protected attribute and engages in the doxxing conduct on that basis.
Definitional and interpretative challenges
As a relatively new problem, there is no single clear or standard definition of ‘doxxing’. It does seem though that it is usually understood to involve the exposure of personal details not previously widely known – the unmasking of an anonymous identity or circulating the personal contact details of a public figure, for example. A person’s employer will often not be a strictly ‘private’ piece of information, but surfacing and circulating that information might be seen as doxxing in some circumstances.
The Bill does not include a definition of ‘doxxing’, but practically it appears to involve the elements of the 17C Offence above – the online distribution of personal data, done with menace or harassment.
This appears to potentially criminalise conduct that is slightly broader than the common understanding of doxxing, because the Offences do not necessarily require that the personal data involved is ‘private’.
As a trite example, an online post mocking a politician might include ‘personal data’ such as their name and photograph (by no means a revelation) and would not commonly be thought of as doxxing (unless going further to include some private detail) but could meet the elements of the offence if sufficiently menacing.
The formulation of the Offences also presents certain interpretative challenges. For instance, the legislation does not provide explicit guidance on the threshold for when the dissemination of data becomes ‘menacing’ or ‘harassing’. The reliance on an objective ‘reasonable persons’ standard provides the judiciary with flexibility but may require somebody of cases to develop a consistent approach. Courts will be required to engage in fact-specific inquiries to determine whether the dissemination of personal data crosses the line from legitimate expression into criminal conduct.
Furthermore, the subjective fault element of recklessness complicates the prosecution’s task, particularly in cases where the intent behind the doxxing may be ambiguous or multifaceted. For instance, where data is shared as part of a broader political or social commentary, the courts will need to carefully dissect the motivations of the accused and weigh these against the harm caused to the victim.
No explicit defences or exemptions
The Bill does not introduce specific defences or exemptions to the doxxing offences. For contrast, we note that the Bill’s statutory tort for serious invasions of privacy would include a specific exception for certain journalistic activities.
In the absence of explicit safeguards, questions remain about how these offences will interact with implied rights, such as freedom of political communication, and how legitimate instances of information dissemination (eg, journalism or whistleblowing) will be treated under the new framework, though presumably those scenarios will be less likely to involve the requisite menace or harassment.
The Bill’s broad drafting also leaves open the possibility that relatively private disclosures, such as sharing information within a closed group, could still be captured if the requisite harassing or menacing character is present.
There may even be instances in which ‘doxxing’ could meet the elements of the Offence but might be argued by some to be justifiable in the circumstances. Young women met with a barrage of online harassment via direct messages might seek to keep their harassers accountable by posting public screenshots of those private conversations. A shopkeeper might look to identify and shame alleged shoplifters by posting their images to social media. These kinds of action could potentially be criminalised under the Offences, if done with sufficient menace or harassment.
Jurisdictional and practical barriers
A major impediment to the effective regulation of doxxing lies in the inter-jurisdictional nature of the internet. The digital realm is not confined by national borders, and this complicates the enforcement of domestic laws aimed at curbing harmful online conduct. In the case of doxxing, perpetrators may be located in different jurisdictions, rendering domestic legislation ineffective unless there is significant international cooperation.
Furthermore, even within Australia, the enforcement of laws related to online misconduct presents practical challenges. Perpetrators often use anonymous accounts, VPNs, and other tools to obfuscate their identities, making it difficult for law enforcement agencies to trace the source of the harmful conduct. (It is perhaps ironic that the enforcement of a law which seeks to limit people being unwillingly identified online could be frustrated by an inability to identify online perpetrators.)
In those instances, some existing powers may assist in at least limiting the spread of doxxing content. The Online Safety Act 2021 (Cth) grants the eSafety Commissioner broad powers to issue takedown notices and demand the removal of harmful content, although those reactive steps do little to do prevent the initial doxxing from taking place and may be hard to enforce where the content is hosted on international servers.
Moving forward
The Bill has been referred to the Legal and Constitutional Affairs Legislation Committee for inquiry and report by 14 November 2024. Noting that the structure of the Offences has likely been the subject of the least consultation of any element of the Bill, it seems possible that the elements of the Offences may be the subject of comment.
If the Bill is passed, the introduction of specific criminal doxxing Offences will represent a concerted step to address online harms. By targeting both general and discriminatory doxxing conduct, the Bill provides a framework for prosecuting individuals who weaponise personal data to harass, intimidate, or incite harm.
The Offences are not introduced in isolation and, coupled with the statutory tort for serious invasions of privacy, will provide more disincentives against inappropriate dissemination of personal information.
Nevertheless, the success of the legislation will depend on the interpretation and enforcement of the Offences, particularly given the challenges posed by the global and anonymous nature of the internet.
This article was written by Daniel Kiley, Partner and Christopher Power, Law Graduate.
