Some countries now criminalise doxxing directly. Most still force victims through stalking, privacy, harassment, or platform-removal rules instead. That is the real global picture.
Why this matters
Doxxing is not just online nastiness. It can trigger stalking, threats, mob harassment, swatting, job loss, and real-world danger. UK and Australian government guidance both describe it as the malicious publication of personal or identifying information, often with the aim of harassment, intimidation, or worse.
The legal problem is simple: “doxxing” is a common term, not a universal legal category. Some systems now ban it directly. Many others still prosecute the same conduct through harassment, stalking, malicious communications, privacy, or data-protection law.
At a glance
- Direct anti-doxxing offences: Australia, the Netherlands, Singapore, and Germany.
- Indirect criminal routes: the US, UK, Canada, India, and South Africa usually rely on stalking, threats, harassment, or related offences.
- Data and platform routes: the EU and Brazil lean more heavily on data-protection and platform systems than on a single crime called “doxxing.”
Doxxing is not one law. It is a collision between criminal law, privacy law, and platform rules.
What counts as doxxing
At its core, doxxing means publishing or distributing identifying information without consent and with a harmful purpose. That can include a home address, phone number, workplace, family details, personal images, or account data. But the legal trigger is rarely just “posting data.” It is usually intent, harm, fear, threat, harassment, or unlawful data processing.
That is why not every exposure of personal information is automatically illegal. In Canada, criminal harassment requires fear for safety. In the Netherlands, the law turns on intimidating use of identifying data. In Australia, the new federal offence turns on using a carriage service in a way reasonable people would regard as menacing or harassing.
Where doxxing is directly criminalized
Australia now has one of the clearest anti-doxxing laws in the world. The Privacy and Other Legislation Amendment Act 2024 created federal doxxing offences that commenced on 11 December 2024. One offence carries up to 6 years’ imprisonment for menacing or harassing publication of personal data using a carriage service, and a separate group-targeted offence carries up to 7 years.
The Netherlands moved the same way. Since 1 January 2024, obtaining, distributing, or otherwise making available identifying personal data to instil fear, cause serious disturbance, or seriously hinder someone in their work can be punished by up to 2 years in prison or a fine. The maximum term rises by one-third for certain protected professions, including journalists, police, and judges.
Singapore added a specific doxxing offence through amendments to its Protection from Harassment Act. The Ministry of Law described it plainly: publishing personally identifiable information to harass, threaten, or facilitate violence is a crime. Singapore also built in stronger harassment penalties and court remedies through its Protection from Harassment system.
Germany also criminalises the dangerous dissemination of personal data under section 126a of its Criminal Code. In other words, Germany does not treat doxxing as a vague online harm. It treats certain forms of it as a defined criminal offence.
Where the law still works indirectly
The United States still has no single federal anti-doxxing statute. Federal prosecutors instead lean on cyberstalking, threats, extortion, and related offences when the facts fit. Under 18 U.S.C. § 2261A, using electronic services in a course of conduct that causes substantial emotional distress or fear can amount to federal stalking, and DOJ cases show doxxing often appears inside cyberstalking and swatting prosecutions rather than as a standalone charge called “doxxing.”
The UK is similar. There is still no standalone doxxing offence, so prosecutors look to harassment, stalking, and communications offences instead. The Online Safety Act adds another layer by forcing in-scope services to assess illegal-content risk, reduce it, and swiftly remove illegal content once aware of it, but that is a platform-duty system, not a clean criminal doxxing code.
Canada also works through overlap. Section 264 of the Criminal Code covers criminal harassment when the conduct causes the victim reasonably to fear for their safety or the safety of someone they know. The maximum penalty is up to 10 years on indictment. That means doxxing can be punishable in serious cases, but only when the legal threshold is met.
India still lacks a standalone doxxing law. Section 66E of the Information Technology Act is narrower than many summaries claim: it targets capturing, publishing, or transmitting the image of a private area without consent, not every form of personal-data exposure. The Bharatiya Nyaya Sanhita can still catch related conduct, including stalking through internet or electronic monitoring, but the framework remains piecemeal rather than dedicated.
South Africa sits in the same camp. Its Cybercrimes Act criminalises harmful data messages that incite violence or property damage, threaten violence, or disclose intimate images without consent, and the Act allows protective court orders tied to those offences. Separate protection orders are also available under the Protection from Harassment Act. That means victims may get real remedies even without a law formally labeled “doxxing.”
Brazil does not have a named criminal doxxing law either. Its LGPD is a data-protection route, not a pure anti-doxxing statute: it regulates processing of personal data, allows sanctions up to 2% of Brazilian revenue capped at R$50 million per infraction, and expressly excludes some categories such as private non-economic use and processing exclusively for journalistic and artistic purposes. That makes Brazil a context-heavy regime, not a simple ban.
The EU is tougher on data and platforms than on doxxing itself
The European Union still does not have one uniform criminal offense called doxxing. What it does have is a strong mix of data-protection and platform rules. GDPR can trigger regulatory penalties up to €20 million or 4% of global annual turnover for the most serious infringements, while the Digital Services Act requires notice-and-action mechanisms and risk reduction around illegal content. That gives victims regulatory and takedown tools, but criminal liability still depends heavily on national law.
What victims can actually do
The first move is evidence, not panic. Save screenshots, URLs, timestamps, usernames, reposts, and any threats. UK government guidance and Australia’s eSafety guidance both stress documenting the material quickly and reporting it both to the platform and, where safety is at risk, to police or the relevant authority.
The second move is to use the system that fits the harm:
- Police if the post involves threats, stalking, fear for safety, or violence.
- Platform notices and removal tools if speed matters more than punishment.
- Regulators or specialist portals where cyber abuse or data misuse is central, including eSafety in Australia and India’s National Cyber Crime Reporting Portal.
- Protection orders or civil action where the goal is stopping repeat abuse, forcing removal, or claiming compensation.
Why enforcement still fails
Global doxxing law is getting tougher, but it is still messy. A few jurisdictions now ban doxxing outright. Most still require victims to squeeze the conduct into stalking, threats, privacy, or data-protection law. And even where the law is clear, speed is the problem: personal data can spread globally in minutes, while police, courts, platforms, and regulators move on very different timelines.
That is the uncomfortable truth behind the headlines. Stronger laws help. But clear reporting routes, fast removals, and better cross-system enforcement matter just as much.
Conclusion
Doxxing laws worldwide are no longer a legal vacuum. Australia, the Netherlands, Singapore, and Germany have moved toward direct criminalization. The US, UK, Canada, India, Brazil, South Africa, and the EU still rely more heavily on adjacent offenses, privacy law, or platform duties. The bottom line is blunt: doxxing is increasingly punishable, but not in one clean, global way.