Date: 19 May 2026
The Privacy Commissioner’s Office has Completed Compliance Checks on 60 Organisations Regarding the Impact of the Use of Artificial Intelligence on Personal Data Privacy
To align with the National “15th Five-Year Plan” and the policy direction of the Government of the Hong Kong Special Administrative Region in promoting the development of “AI Plus”, and to promote the more secure and responsible use of Artificial Intelligence (AI) across different sectors, the Office of the Privacy Commissioner for Personal Data (PCPD) launched a new round of compliance checks in January 2026, following the two rounds completed in 2024[1] and 2025[2]. The exercise sought to understand the latest usage of AI in Hong Kong and its impact on personal data privacy, with a view to further promoting AI governance and the safe development of AI. The PCPD today (19 May 2026) published the findings of the compliance checks.
The compliance checks covered 60 organisations. In addition to the sectors covered in the 2025 compliance checks, including banking and finance, beauty services, education, government departments, insurance, medical services, public utilities, retail, social services, telecommunications and transportation, the compliance checks this round were expanded to cover the accounting, food and beverage, innovation and technology, logistics and property management sectors. The exercise sought to gain a more comprehensive understanding of whether different sectors complied with the relevant requirements of the Personal Data (Privacy) Ordinance (PDPO) in the collection, use and processing of personal data when using AI systems.
The compliance checks also examined the 60 organisations’ implementation of the recommendations and best practices set out in the “Artificial Intelligence: Model Personal Data Protection Framework”[3] (Model Framework) and the “Checklist on Guidelines for the Use of Generative AI by Employees”[4] (Gen AI Checklist) published by the PCPD, and assessed their overall performance in AI governance.
Based on the findings of the compliance checks, the PCPD has the following major observations regarding the organisations’ personal data protection practices in their use of AI (see Annex for details):
Latest Application of AI in Hong Kong
- Among the 60 organisations reviewed, 57 (95%) used AI in their day-to-day operations, an increase of 15 percentage points compared to the 2025 compliance checks, showing that the application of AI is becoming increasingly prevalent across sectors. Of these 57, 45 (approximately 79%) had been using AI for over a year, indicating that AI is gradually becoming an essential part of operations; and
- Among these 57 organisations, 29 (approximately 51%) used three or more AI systems. These systems were primarily applied in administrative support, customer service, research and development, marketing, and compliance/risk management. The results are similar to those of last year.
Collection, Use and Processing of Personal Data
- Among the 57 organisations using AI, 24 (approximately 42%) collected and/or used personal data through AI systems. These organisations were primarily from the accounting, banking and finance, education, government departments, innovation and technology, insurance, medical services, property management, public utilities, retail, social services, telecommunications and transportation sectors;
- All 24 organisations provided data subjects with Personal Information Collection Statements on or before the collection of personal data, specifying the purposes for which the data would be used and the classes of persons to whom the data might be transferred. Of these, seven (about 29%) specified in their Personal Information Collection Statements that AI tools would be used to process personal data. The results are the same as those of last year;
- Of the 24 organisations, seven (about 29%) retained the personal data collected through AI systems, a decrease of approximately 50 percentage points compared to the 2025 compliance checks. These organisations specified retention periods for the personal data and would delete it once the original purposes of collection had been fulfilled. The remaining 17 (approximately 71%) did not retain the data;
- All 24 organisations implemented appropriate security measures to protect the personal data they held in the course of using AI systems. The results are the same as those of last year. The measures included access control, data encryption, penetration testing and anonymisation of personal data. Five organisations (around 21%) also put in place AI-related security alerts and conducted red-teaming drills; and
- Of the 24 organisations, 15 (approximately 63%) made reference to AI-related guidelines or advice published by the PCPD when collecting, using and processing personal data through AI systems, including the Model Framework, the Gen AI Checklist, “10 Tips for Users of AI Chatbots”[5] and “Guidance on the Ethical Development and Use of Artificial Intelligence”[6]. A further seven (about 29%) planned to make reference to these guidelines. The results are similar to those of last year.
Implementation and Management of AI Systems
- Of the 24 organisations, 23 (about 96%) conducted tests prior to implementing AI systems to ensure their reliability, robustness and fairness, and 19 (about 79%) conducted privacy impact assessments prior to implementation. The ratios are similar to those of last year;
- Of the 24 organisations, 19 (about 79%) adopted the “human-in-the-loop” approach to human oversight of AI systems, under which human actors retain control of the decision-making process to prevent or mitigate errors or improper decisions made by AI systems. The remaining five (about 21%) adopted the “human-in-command” approach, under which human actors review the outputs of AI systems to oversee their operation and intervene only where necessary;
- All organisations reviewed that made reference to the Model Framework adopted the “human-in-the-loop” approach to human oversight of AI systems, an increase of around 17 percentage points compared to the 2025 compliance checks;
- Of the 24 organisations, 22 (approximately 92%) formulated data breach response plans to address contingencies. The results are the same as those of last year. Of these 22, nine (around 41%) specifically addressed AI-related data breach incidents in their response plans, an increase of around nine percentage points compared to the 2025 compliance checks; and
- Of the 24 organisations, 15 (approximately 63%) conducted internal audits and/or independent assessments on a regular basis, an increase of around 17 percentage points compared to the 2025 compliance checks, while a further six (25%) planned to do so to ensure that their use of AI complies with their AI strategies and/or policies.
AI Strategy and Governance
- Of the 24 organisations, 19 (about 79%) established AI governance structures, such as AI governance committees and/or designated personnel responsible for overseeing the use of AI systems. The results are the same as those of last year;
- All 24 organisations permitted employees to use generative AI at work. Of these, 17 (about 71%) formulated internal policies or guidelines for employees’ use of generative AI at work to help ensure its proper use, and five (about 21%) planned to formulate such policies or guidelines; and
- Of the 24 organisations, 20 (about 83%) provided AI-related training for employees, an increase of around eight percentage points compared to the 2025 compliance checks. Of these 20, 18 (90%) also included training content on AI-related privacy risks, an increase of around seven percentage points compared to the 2025 compliance checks.
The PCPD has completed the compliance checks and identified no contravention of the PDPO during the process.
The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, said, “The results of the compliance checks reveal that AI is being integrated at an accelerating pace into the operations of various sectors, with its scope of application expanding from day-to-day administrative support, customer service, marketing, risk management to research and development, human resources management and corporate communications, etc. I am pleased to note that all organisations reviewed formulated ‘Personal Information Collection Statements’, specified data retention periods, and implemented appropriate security measures in the collection and/or use of personal data through AI systems. Furthermore, most organisations reviewed adopted the ‘human-in-the-loop’ approach in monitoring AI systems, and conducted regular internal audits and/or independent assessments on AI systems, which demonstrated prudence in the application of AI across various sectors.”
The Privacy Commissioner also pointed out, “As the application of AI becomes increasingly prevalent, while organisations benefit from the convenience brought by AI, they must also address the potential privacy risks it poses. I am pleased to note that most organisations have established AI governance structures and are progressively developing internal policies or guidelines for the use of generative AI by employees. Organisations should develop comprehensive AI strategies, conduct risk and privacy impact assessments, adopt an appropriate level of human oversight, and regularly review and assess the impacts of AI systems on personal data privacy to ensure compliance with the relevant requirements of the PDPO when collecting, using and processing personal data through AI systems.”
The PCPD encourages organisations to make reference to the “AI Security” thematic webpage (https://www.pcpd.org.hk/english/artificial_intelligence/index.html), which provides one-stop access to information on safeguarding personal data privacy when using AI.
Through this compliance check exercise, the PCPD would like to provide the following recommended measures to all organisations that develop or use AI:
- Compliance with the requirements of the PDPO: Where personal data is collected or processed in the development or use of AI, organisations should adopt measures to ensure compliance with the relevant requirements of the PDPO, and should monitor and review AI systems on a continuous basis;
- Governance and training: Formulate an overall strategy for the development or use of AI, establish an internal AI governance structure, and provide adequate training to all relevant personnel. Organisations should also formulate an AI incident response plan so that incidents can be detected and addressed when they occur;
- Establish internal policies or guidelines: Establish internal policies or guidelines governing employees’ use of AI at work (including generative AI and AI agents), and review and update them regularly to mitigate risks arising from human error or misuse;
- Use agentic AI prudently: When organisations use agentic AI to collect, use and process personal data, they should consider carefully the nature and sensitivity of the personal data involved, and grant the agent only the minimum access rights necessary to perform the tasks concerned. Organisations should also obtain agentic AI software from official channels and keep it up to date, exercise caution when installing and using Plugins or Skills, adopt adequate measures to ensure system security and data security, and continuously assess the risks involved;
- Conduct risk assessments: Conduct comprehensive risk assessments (including privacy impact assessments) to systematically identify, analyse and evaluate the risks, including privacy risks, arising from the development or use of AI, and adopt risk management measures commensurate with the risk level. For instance, a higher level of human oversight should be adopted for AI systems with a higher risk profile;
- Conduct regular audits: Conduct regular internal audits (and independent assessments where necessary) of AI systems to ensure system security and data security, and to ensure that the development or use of AI continues to comply with the organisation’s policies, including the requirements of its AI strategy; and
- Communicate with stakeholders: Maintain effective communication with stakeholders to enhance transparency in the use of AI, and fine-tune AI systems in a timely manner in response to stakeholder feedback.

The PCPD completed a new round of compliance checks on the application of AI in Hong Kong, and published the report today.

Annex
The Privacy Commissioner’s Office has Completed Compliance Checks on 60 Organisations Regarding the Impact of the Use of Artificial Intelligence on Personal Data Privacy
(1) Background
- Among the 60 organisations reviewed, 30 (50%) had more than 500 employees, eight (about 13%) had between 100 and 500 employees, and the remaining 22 (about 37%) had fewer than 100 employees.
- Breakdown of sectors and organisations:
(2) Results of the Compliance Checks
Latest Application of Artificial Intelligence (AI) in Hong Kong
- Among the 60 organisations reviewed, 57 (95%) used AI in their day-to-day operations, an increase of 15 percentage points compared to the 2025 compliance checks, showing that the application of AI is becoming increasingly prevalent across sectors. Of these 57, 45 (approximately 79%) had been using AI for over a year, indicating that AI is gradually becoming an essential part of operations.
- Among these 57 organisations, 29 (approximately 51%) used three or more AI systems. These systems were primarily applied in administrative support, customer service, research and development, marketing, and compliance/risk management. The results are similar to those of last year.

Collection, Use and Processing of Personal Data
- Among the 57 organisations using AI, 24 (approximately 42%) collected and/or used personal data through AI systems. These organisations were primarily from the accounting, banking and finance, education, government departments, innovation and technology, insurance, medical services, property management, public utilities, retail, social services, telecommunications and transportation sectors.
- Of the 24 organisations, 11 (about 46%) (including those from the banking and finance, government departments, insurance, public utilities, retail, social services and transportation sectors) both collected and used personal data through AI systems, while the remaining 13 (about 54%) (including those from the accounting, education, innovation and technology, medical services, property management and telecommunications sectors) only used personal data through AI systems. The AI systems concerned included chatbots, optical character recognition tools, text/image/video/presentation generators and data analysis tools.
- All 24 organisations provided data subjects with Personal Information Collection Statements on or before the collection of personal data, specifying the purposes for which the data would be used and the classes of persons to whom the data might be transferred. Of these, seven (about 29%) (including those from the banking and finance, government departments, insurance, public utilities, social services and transportation sectors) specified in their Personal Information Collection Statements that AI tools would be used to process personal data. The results are the same as those of last year.
- Of the 24 organisations, seven (about 29%) (including those from the banking and finance, government departments, public utilities, retail, social services and transportation sectors) retained the personal data collected through AI systems, a decrease of approximately 50 percentage points compared to the 2025 compliance checks. These organisations specified retention periods for the personal data and would delete it once the original purposes of collection had been fulfilled. The remaining 17 (approximately 71%) did not retain the personal data.
- All 24 organisations implemented appropriate security measures to protect the personal data they held in the course of using AI systems against unauthorised or accidental access, processing, erasure, loss or use. The results are the same as those of last year. The measures included access control, data encryption, penetration testing and anonymisation of personal data. Five organisations (around 21%) also put in place AI-related security alerts and conducted red-teaming drills.
- To achieve data minimisation, 15 (approximately 63%) of the 24 organisations (including those from the banking and finance, education, government departments, innovation and technology, insurance, medical services, public utilities, retail, social services, telecommunications and transportation sectors) used anonymised or pseudonymised data with AI systems. In addition, eight (about 33%) (including those from the banking and finance, innovation and technology, insurance, medical services, property management, public utilities and retail sectors) also adopted privacy-enhancing technologies such as synthetic data and federated learning to strengthen data security. The overall results are similar to those of last year.
- All 24 organisations formulated Privacy Policy Statements setting out their policies and practices in relation to the collection, use and processing of personal data. The results are the same as those of last year. Of these, seven (approximately 29%) (including those from the banking and finance, education, insurance, medical services and social services sectors) also covered the application of AI in their Privacy Policy Statements.
- Of the 24 organisations, 15 (approximately 63%) made reference to AI-related guidelines or advice published by the PCPD when collecting, using and processing personal data through AI systems, including the “Artificial Intelligence: Model Personal Data Protection Framework”, the “Checklist on Guidelines for the Use of Generative AI by Employees”, “10 Tips for Users of AI Chatbots” and the “Guidance on the Ethical Development and Use of Artificial Intelligence”. A further seven (about 29%) planned to make reference to these guidelines. The results are the same as those of last year.
Implementation and Management of AI Systems
- Of the 24 organisations, 23 (about 96%) conducted tests prior to implementing AI systems to ensure their reliability, robustness and fairness, and 19 (about 79%) conducted privacy impact assessments prior to implementation. The ratios are similar to those of last year.
- All 24 organisations conducted risk assessments in the procurement, use and management of AI systems. The results are the same as those of last year. The risk assessments mainly considered the following factors:
(a) requirements under the law (including the PDPO);
(b) security of data;
(c) volume, sensitivity and quality of data;
(d) potential impact of the AI systems on individuals, the organisation and the community;
(e) probability, severity and duration of the relevant impact; and
(f) mitigating measures.
- Of the 24 organisations, 19 (about 79%) adopted the “human-in-the-loop” approach to human oversight of AI systems, under which human actors retain control of the decision-making process to prevent or mitigate errors or improper decisions made by AI systems. The remaining five (about 21%) adopted the “human-in-command” approach, under which human actors review the outputs of AI systems to oversee their operation and intervene only where necessary.
- All organisations reviewed that made reference to the “Artificial Intelligence: Model Personal Data Protection Framework” adopted the “human-in-the-loop” approach to human oversight of AI systems, an increase of around 17 percentage points compared to the 2025 compliance checks.
- Of the 24 organisations, 22 (approximately 92%) formulated data breach response plans to address contingencies. The results are the same as those of last year. Of these 22, nine (around 41%) specifically addressed AI-related data breach incidents in their response plans, an increase of around nine percentage points compared to the 2025 compliance checks.
- Of the 24 organisations, 15 (approximately 63%) conducted internal audits and/or independent assessments on a regular basis, an increase of around 17 percentage points compared to the 2025 compliance checks, while a further six (25%) planned to do so to ensure that their use of AI complies with their AI strategies and/or policies.
AI Strategy and Governance
- Of the 24 organisations, 19 (about 79%) established AI governance structures, such as AI governance committees and/or designated personnel responsible for overseeing the use of AI systems. The results are the same as those of last year.
- Of the 24 organisations, 12 (50%) formulated AI-related policies, a decrease of around 13 percentage points compared to the 2025 compliance checks, while 10 (about 42%) planned to formulate such policies, an increase of around 13 percentage points compared to the 2025 compliance checks. The overall results are similar to those of last year.
- All 24 organisations permitted employees to use generative AI at work. Of these, 17 (about 71%) formulated internal policies or guidelines for employees’ use of generative AI at work, covering the permitted scope of use, protection of personal data privacy, lawful and ethical use, prevention of bias, data security and the consequences of breaching the policies or guidelines, to help ensure the proper use of generative AI. Five organisations (about 21%) planned to formulate such policies or guidelines.
- Of the 24 organisations, 13 (around 54%) conducted board-level discussions on the use of AI systems, a decrease of around 25 percentage points compared to the 2025 compliance checks.
- Of the 24 organisations, 20 (about 83%) provided AI-related training for employees, an increase of around eight percentage points compared to the 2025 compliance checks. Of these 20, 18 (90%) also included training content on AI-related privacy risks, an increase of around seven percentage points compared to the 2025 compliance checks.
(3) Highlights of the 2025 and 2026 Compliance Checks Findings