Privacy Commissioner’s Office has Completed
Compliance Checks on 60 Organisations
Regarding the Impact of the Use of Artificial Intelligence
on Personal Data Privacy

To actively align with the National “15^th Five-Year Plan” and implement the policy direction of the Government of the Hong Kong Special Administrative Region in promoting the development of “AI Plus”, and to promote the more secure and responsible use of Artificial Intelligence (AI) across different sectors, the PCPD launched a new round of compliance checks in January 2026, following the two rounds of compliance checks completed in 2024 and 2025. The exercise sought to understand the latest usage of AI in Hong Kong and its impact on personal data privacy, with a view to further promoting the governance and the safe development of AI. The PCPD published the findings of the compliance checks on 19 May.
 
The compliance checks covered 60 organisations. In addition to the sectors covered in the 2025 compliance checks, including banking and finance, beauty services, education, government departments, insurance, medical services, public utilities, retail, social services, telecommunications and transportation, the compliance checks this round were expanded to cover the accounting, food and beverage, innovation and technology, logistics and property management sectors. The exercise sought to gain a more comprehensive understanding of whether different sectors complied with the relevant requirements of the Personal Data (Privacy) Ordinance (PDPO) in the collection, use and processing of personal data when using AI systems. 
 
The compliance checks also examined the 60 organisations’ implementation of the recommendations and best practices set out in the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework), and the “Checklist on Guidelines for the Use of Generative AI by Employees” (Gen AI Checklist) published by the PCPD, as well as assessed their overall performance in AI governance.
 
Based on the findings of the compliance checks, the PCPD has the following major observations regarding the organisations’ personal data protection practices in their use of AI (see Annex for details):

 

Latest Application of AI in Hong Kong

• Among the 60 organisations reviewed, 57 organisations (95%) used AI in their day-to-day operations, representing an increase of 15 percentage points compared to the results of the compliance checks carried out in 2025, showing that the application of AI is becoming increasingly prevalent across various sectors. Among these, 45 organisations (approximately 79%) had been using AI for over a year, indicating that AI is gradually becoming an essential part of operations; and
   
  
• Among these 57 organisations, 29 (approximately 51%) used three or more AI systems. These AI systems were primarily applied in areas such as administrative support, customer service, research and development, marketing, and compliance/risk management, etc. The results of the compliance checks are similar to those of last year.

Collection, Use and Processing of Personal Data

• Among the 57 organisations using AI, 24 (approximately 42%) collected and/or used personal data through AI systems. These organisations were primarily from the accounting, banking and finance, education, government departments, innovation and technology, insurance, medical services, property management, public utilities, retail, social services, telecommunications and transportation sectors, etc.;
   

• All organisations reviewed which collected and/or used personal data through AI systems provided data subjects with Personal Information Collection Statements on or before the collection of personal data, specifying the purposes for which the data would be used, as well as the classes of persons to whom the data might be transferred, etc. Among these, seven organisations (about 29%) specified the use of AI tools in processing personal data in their Personal Information Collection Statements. The results of the compliance checks are the same as those of last year;
   

• Among all organisations reviewed which collected and/or used personal data through AI systems, seven (about 29%) of them retained the personal data collected through AI systems, representing a decrease of approximately 50 percentage points compared to the results of the compliance checks carried out in 2025. These organisations specified the retention periods for personal data and would delete the data once the original purposes of collection had been fulfilled. The remaining 17 organisations (approximately 71%) did not retain the relevant data;
    

• All organisations reviewed which collected and/or used personal data through AI systems implemented appropriate security measures to ensure that the personal data they held in the course of using AI systems was protected. The results of the compliance checks are the same as those of last year. The measures included access control, data encryption, penetration testing and anonymisation of personal data, etc. Among these, five organisations (around 21%) also put in place AI-related security alerts and conducted red-teaming drills; and
   

• Among the 24 organisations, 15 (approximately 63%) made reference to the AI related guidelines or advice published by the PCPD when they collected, used and processed personal data through AI systems. The guidelines included Model Framework, Gen AI Checklist, “10 Tips for Users of AI Chatbots” and “Guidance on the Ethical Development and Use of Artificial Intelligence”. Additionally, seven organisations (about 29%) planned to make reference to the aforesaid guidelines. The results of the compliance checks are similar to those of last year.

Implementation and Management of AI Systems

• Among the 24 organisations, 23 (about 96%) conducted tests prior to the implementation of AI systems to ensure their reliability, robustness and fairness. In addition, 19 organisations (about 79%) conducted privacy impact assessments prior to the implementation of AI systems. The ratios are similar to those of last year;
   
• Among the 24 organisations, 19 (about 79%) adopted the “human-in-the-loop” approach for human oversight of AI systems, ensuring that human actors retained control of the decision-making process to prevent or mitigate errors or improper decisions made by AI systems. The remaining five organisations (about 21%) adopted the “human-in-command” approach, under which human actors reviewed the outputs of AI systems to oversee the operations of systems and intervened only if necessary;
   
• All organisations reviewed which made reference to the Model Framework published by the PCPD adopted the “human-in-the-loop” approach for human oversight of the AI systems, representing an increase of around 17 percentage points compared to the results of the compliance checks carried out in 2025;
   
• Among these 24 organisations, 22 (approximately 92%) formulated data breach response plans to address contingencies. The results of the compliance checks are the same as those of last year. Among the organisations, nine organisations (around 41%) specifically addressed AI-related data breach incidents in their response plans, representing an increase of around nine percentage points compared to the results of the compliance checks carried out in 2025; and
   
• Among the 24 organisations, 15 (approximately 63%) conducted internal audits and/or independent assessments on a regular basis, representing an increase of around 17 percentage points compared to the results of the compliance checks carried out in 2025; while six (25%) planned to conduct internal audits and/or independent assessments on a regular basis to ensure that the use of AI complies with the organisation’s AI strategies and/or policies.

AI Strategy and Governance

• Among these 24 organisations, 19 (about 79%) established AI governance structures, such as setting up AI governance committees and/or appointing designated personnel to be responsible for overseeing the use of AI systems. The results of the compliance checks are the same as those of last year;
   
• All organisations reviewed that collected and/or used personal data through AI systems permitted employees to use generative AI at work. Among these, 17 (about 71%) formulated internal policies or guidelines for employees’ use of generative AI at work to help ensure its proper use. Five organisations (about 21%) planned to formulate such policies or guidelines; and
   
• Among these 24 organisations, 20 (about 83%) provided AI-related training for employees, representing an increase of around eight percentage points compared to the results of the compliance checks carried out in 2025. Among these, 18 (90%) also included training content on AI-related privacy risks, representing an increase of around seven percentage points compared to the results of the compliance checks carried out in 2025.

The PCPD has completed the compliance checks and identified no contravention of the PDPO during the process.
 

The PCPD encourages organisations to make reference to the “AI Security” thematic webpage (https://www.pcpd.org.hk/english/artificial_intelligence/index.html), which provides one-stop access to information on safeguarding personal data privacy when using AI. Through this compliance check exercise, the PCPD would like to provide the following recommended measures to all organisations that develop or use AI:

• Compliance with the requirements of the PDPO: Where personal data is collected or processed in the development or use of AI, organisations should adopt measures to ensure compliance with the relevant requirements of the PDPO, and should monitor and review AI systems on a continuous basis;
   
• Governance and training: Formulate an overall strategy for the development or use of AI as well as establish an internal AI governance structure, and provide adequate training to all relevant personnel. In addition, organisations should formulate an AI incident response plan to monitor and address accidental incidents that may occur; 
   
• Establish internal policies or guidelines: Establish internal policies or guidelines governing the use of AI (including generative AI or AI agents) by employees at work, and regularly review and update the policies or guidelines to mitigate human risks;
   
• Use agentic AI prudently: When organisations use agentic AI to collect, use and process personal data, they should consider carefully the nature and sensitivity of the personal data involved, and only grant agentic AI the minimum access rights necessary to perform the tasks concerned. Organisations should also download the latest version of agentic AI from official channels, exercise caution when installing and using Plugins or Skills, adopt adequate measures to ensure system security and data security, and continuously assess the risks involved;
   
• Conduct risk assessments: Conduct comprehensive risk assessments (including privacy impact assessments) to systematically identify, analyse and evaluate the risks, including privacy risks, arising from the development or use of AI, and adopt appropriate risk management measures commensurate with the risk levels. For instance, a higher level of human oversight should be adopted for AI systems with a higher risk profile;
   
• Conduct regular audits: Conduct regular internal audits (and independent assessments where necessary) for AI systems to ensure system security and data security, and to ensure that the development or use of AI continues to comply with the organisation’s policies, including the requirements of its AI strategy; and
   
• Communicate with stakeholders: Maintain effective communication with stakeholders to enhance transparency in the use of AI, and fine-tune AI systems in a timely manner in response to feedback from stakeholders.

Privacy Commissioner’s Office Organises the

“PCPD 30^th Anniversary Privacy Protection Summit”

The PCPD celebrates its 30^th anniversary this year and will commemorate this important milestone by organising the “PCPD 30^th Anniversary Privacy Protection Summit” (Summit) on 16 June.

 

Held in celebration of the 30^th anniversary of the PCPD, the Summit will be officiated by The Hon John LEE Ka-chiu, GBM, SBS, PDSM, PMSM, Chief Executive of the Hong Kong Special Administrative Region, China. It would bring together privacy regulators, data protection experts, industry leaders and academics from Hong Kong, the Chinese Mainland and overseas to discuss emerging trends in technologies such as AI, their implications for privacy and the evolving regulatory landscape of privacy laws in different jurisdictions. Expert speakers from the Chinese Mainland will also discuss how the Country navigates the balance between safeguarding data privacy and fostering innovation in the digital era.

PRIVACY 101

Managing Personal Data Security on Portable Devices

Convenience and risk often go hand in hand. Portable storage devices (PSDs) such as USB flash drives, external hard disks and laptops offer a handy means for organisations to store and transfer personal data, enabling work efficiency against geological constraints. However, the portability of PSDs is also a double-edge sword as a lost or stolen PSD can expose large volumes of personal data in an instant.  

To prevent personal data privacy from being easily compromised, organisations should therefore implement adequate data protection policy to support the use of PSDs. Here are some recommended measures for organisations to adopt:

1. Conduct risk assessment: Organisations should first evaluate the types of PSDs in use, the sensitivity of data stored, and the likely impact on data subjects if a data breach incident involving PSDs occurs, to facilitate the formulation of the corresponding data protection policy;
2. Formulate a clear PSD policy: A documented organisation-wide policy should govern the use of PSDs, covering aspects such as the specific circumstances of use and the type and amount of personal data allowed to be stored or processed on PSDs;
3. Provide guidelines, procedures and training: Practical guidelines and step-by-step procedures should be developed to assist users in complying with the organisational policy. Users must be trained to follow the relevant guidelines and procedures, and made accountable for non-compliance;
4. Data encryption: Personal data stored on PSDs should be encrypted to prevent the data from being accessed by unauthorised persons in case the PSDs are lost or stolen. A strong encryption algorithm and encryption mechanisms that would mandate encryption and cannot be bypassed or disabled by users should be chosen;
5. Deploy technical controls: Organisations should consider implementing end-point security softwares, data loss prevention systems, and inventory controls to support PSD policies; and
6. Have a data breach handling policy in place: Given the vulnerability of data stored on PSDs, organisations should have a formal data breach handling and notification policy in place.

For further guidance, please refer to the “Guidance on the Use of Portable Storage Devices”.

 

PRIVACY COMMISSIONER’S FINDINGS

Loss of Notebook Computer under Work-from-Home Arrangements

Background

A government department reported to the PCPD that a staff member had lost an official notebook computer, which was provided to the staff member under work-from-home (WFH) arrangements, on public transport. The computer contained draft staff appraisal reports including their names, ranks and dates of appointment, salary points, duties and preliminary assessments. The staff member had failed to delete the draft appraisal reports upon completion of the appraisal period.

Remedial Measures

Upon receiving the notification from the government department, the PCPD initiated a compliance check. The PCPD found that while the personal data contained in the notebook computer had been encrypted to reduce the risk of unauthorised or accidental access to the data, the department reminded staff to take extra care in handling official portable devices. The department revised its guidelines reminding staff members that notebook computers should not be used as permanent storage of restricted information, and such information should be deleted when it was no longer necessary.

Lessons Learnt

Many organisations have adopted WFH arrangements in the wake of the COVID-19 pandemic. It is noted that most organisations have policies in place to require their staff members to encrypt electronic records in notebook computers. However, it is difficult to ensure staff members deleted obsolete documents containing personal data in notebook computers. To further enhance the protection of personal data, organisations should consider requesting their staff members to access work files through a virtual private network (VPN) connection instead of storing work files locally.

TECH TALK

Staying Safe on Screen – Privacy Tips for Video Conferencing

From work meetings to online classes, video conferencing has become an indispensable part of our daily lives. However, with its growing popularity, cyberattacks targeting at video conferencing platforms and their users are also on the rise.

These include meeting bombing by an uninvited guest, phishing attacks disguised as meeting invitations, unintended data sharing with third parties, and malware or zero-day attacks exploiting software vulnerabilities. Here are some practical security measures to protect yourself:

1. Keep software up-to-date: Apply the latest updates and security patches to all relevant hardware and software involved in video conferencing, including the application, operating systems, web browsers and anti-malware software;
2. Control access to your meeting: Only share the meeting ID with intended participants, use one-time meeting IDs where possible, and set a strong meeting password to prevent unintended third parties from joining;
3. Manage screen sharing carefully: Do not allow participants to share their screens by default. Only allow specific participants to do so where appropriate, and only share the application needed rather than the whole desktop;
4. Verify meeting links before clicking: When you receive a link to join a video conferencing meeting, ensure that the link comes from a trusted source and do not open links and attachments from unknown senders;
5. Be mindful of the meeting location: Video conferencing meetings should be conducted at designated private places and any visible sensitive information should be removed from the camera view; and
6. Turn off camera and microphone when not in use: Cameras and microphones should be turned off when not in use during the meeting to avoid unintended disclosure of personal data.

WHAT’S ON

Combating Doxxing Behaviour – Privacy Commissioner Publishes an Article in Hong Kong Lawyer

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Four Years On: Cracking Down on Doxxing” in Hong Kong Lawyer.

In the article, the Privacy Commissioner reviewed the work of the PCPD over the past four years in implementing the relevant provisions of the new anti‑doxxing regime under the Personal Data (Privacy) (Amendment) Ordinance 2021. She highlighted that through resolute enforcement, enhanced publicity and education efforts of the PCPD, as well as the societal transition “from chaos to order”, illegal doxxing activities have been substantially curbed. The article further illustrated how the legal framework has matured through case law, citing various appeal decisions that provide valuable guidance on key statutory elements of the doxxing offences and magistracy decisions that offer practical insight into how the regime operates on the front line.

Looking ahead, the Privacy Commissioner emphasised that the rapid advancement of AI will likely pose new challenges in detecting and combating unlawful doxxing behaviour. She reaffirmed the PCPD’s commitment to maintaining a safe and civilised online environment that is free from doxxing messages.

Please click here to read the article.

Reaching Out to the Community – Privacy Commissioner Interviewed by the Media on Scams which Involve Impersonating an Electrical Appliance Retailer

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Now News’ “News Magazine” on 22 May to explain scam cases which involve calls from fraudsters impersonating staff of an electrical appliance retailer.

The Privacy Commissioner stated that, over the past few months, the PCPD received 24 complaints and seven enquiries, all of which involved fraudsters posing as staff of an electrical appliance retailer and contacting customers by phone. The callers falsely claimed that compensation or replacement of defective products could be arranged, but requested the customers to make payment upfront, resulting in financial losses in some cases. She reminded members of the public to be vigilant against suspicious calls, to verify the identities of callers and refrain from disclosing further personal data or making transfer payments hastily.

In addition, the Privacy Commissioner explained the findings of the compliance checks conducted by the PCPD regarding the impact of organisations’ use of AI on personal data privacy. She noted that the findings indicate organisations are becoming more prudent in their adoption of AI, alongside a heightened awareness of personal data privacy protection. She was also pleased to see that more organisations had formulated data breach incident response plans, and that more organisations are providing AI-related training to their staff.

The Assistant Privacy Commissioner (Complaints and Criminal Investigation) Ms Rebecca HO Kan-yeuk was also interviewed by RTHK News’ “Hong Kong Today” on 22 May to remind members of the public to guard against scams involving the impersonation of electrical appliance retailers.

Click here to listen to the interview by RTHK News’ “Hong Kong Today” (54:04-59:40) (Chinese only).

Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the Findings of Compliance Checks Regarding Organisations’ Use of AI

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” on 20 May, in which she explained the findings of the compliance checks published by the PCPD regarding the impact of organisations’ use of AI on personal data privacy.

To understand the latest usage of AI in Hong Kong and its impact on personal data privacy, the PCPD launched the third round of compliance checks in January 2026, covering 60 organisations. The Privacy Commissioner was pleased to note that all organisations reviewed complied with the relevant requirements of the PDPO when collecting, using and processing personal data through AI systems. They have also adopted prudent measures to protect personal data, including conducting privacy impact assessments and implementing appropriate security measures.

She further added that among organisations that collect and/or use personal data through AI systems, around 70% do not retain the personal data collected through AI systems, while the remaining 30% have specified data retention periods. This reflects an increased awareness among organisations of the importance of protecting personal data privacy.

Click here to listen to the interview by RTHK Radio 1’s “HK2000” (Chinese only).

Reaching Out to the Community – Privacy Commissioner Interviewed by Media on the Impact of the Data Breach Incident of Canvas and Instagram’s Discontinuation of “End-to-end Encrypted Messaging” Feature

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” on 15 May, where she explained the impact of the data breach incident involving the online learning management platform Canvas, as well as Instagram’s discontinuation of its “end-to-end encrypted messaging” feature.

During the interview, the Privacy Commissioner stated that regarding the Canvas data breach incident, the PCPD has received data breach notifications from seven organisations, affecting more than 72,000 individuals. She advised that organisations that are possibly affected by the incident should review the security of their information systems (including that of the platform) before resuming their use of the platform. They should also consider deleting or minimising unnecessary data stored on the platform and monitoring system logs for any anomalous activities.

Despite the announcement by the operator of the relevant platform that the unauthorised actor has returned the compromised data to them, the Privacy Commissioner reminded affected users to remain vigilant, particularly against phishing and other possible scams, and to consider changing the user credentials of their accounts on the platform. As regards reports that the platform has paid ransom, the Privacy Commissioner also condemned the paying of ransom, noting that such action would encourage hackers to continue engaging in unlawful activities, and would also increase the risks of the platform being hacked again.

As for Instagram’s discontinuation of its “end-to-end encrypted messaging” feature, the Privacy Commissioner stated that the change may increase the risk of interception of messages by malicious actors when users are on insecure networks, such as public Wi-Fi, thereby increasing the risk of personal data breach and misuse. She advised users to consider downloading and backing up past chat records or deleting relevant messages to mitigate potential risks.

In addition, the Assistant Privacy Commissioner (Compliance, Global Affairs and Research) Mr Alex CHAN Chung-man was interviewed by Commercial Radio’s “On a Clear Day” on 14 May. He reminded members of the public to avoid disclosing their own or others’ personal data in messages and calls. Such data include, in particular sensitive personal data such as identification numbers and bank information, in order to safeguard personal data privacy.

Click here to listen to the interview by RTHK Radio 1’s “HK2000” (Chinese only).

Reaching Out to the Media Sector – Privacy Commissioner Attends the Hong Kong News Awards 2025 Presentation Ceremony

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong News Awards 2025 Presentation Ceremony cum Luncheon on 15 May and introduced the latest work of the PCPD to representatives of the media sector.

Organised by The Newspaper Society of Hong Kong, the Hong Kong News Awards aims at recognising the outstanding achievements of journalists and raising professional standards of the industry. The Hong Kong News Awards 2025 comprise four categories, namely reporting section, writing section, photographic section and design section, with a total of 78 awards granted.

Reaching Out to the Education Sector – Privacy Commissioner Attends the 45^th Anniversary Dinner of the Hong Kong Association for Computer Education

Privacy Commissioner Ms Ada CHUNG Lai-ling and Assistant Privacy Commissioner (Corporate Communications and Operations) Ms Joyce LAI attended the 45^th Anniversary Dinner of the Hong Kong Association for Computer Education (HKACE) on 7 May, where they exchanged views with members of the HKACE.

The PCPD has maintained close collaboration with the HKACE in organising various seminars on personal data privacy protection for the education sector, with a view to enhancing data protection standards in schools. The seminars include those on the possible scenarios and challenges for using AI in schools.

AI and Privacy Protection – Privacy Commissioner Publishes an Article on A Plus

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Harnessing AI in accounting: Guidelines for the use of generative AI by employees” on A Plus, the quarterly magazine of the Hong Kong Institute of Certified Public Accountants. 
 
In the article, the Privacy Commissioner highlighted that the privacy risks associated with the use of AI should not be neglected and sensitive data stored in generative AI systems may be targeted by cyber criminals. It is important that the accounting firms develop internal AI policies or guidelines to ensure AI can be used in an effective, safe and responsible manner. 
 
In addition, the Privacy Commissioner gave an overview of the recommendations provided in the Gen AI Checklist published by the PCPD. The Gen AI Checklist was intended to assist organisations in the formulation of internal policies or guidelines on the use of generative AI in order to comply with the requirements of the PDPO.  
 
Please click here to read the article. 

Reaching Out to Education Sector – Privacy Commissioner Speaks at Workshop on Media and Information Literacy

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the workshop titled “Media and Information Literacy (MIL) Series: (9) Workshop on Responsible Information Handling – Where Personal Data Meets Artificial Intelligence” on 29 April, where she delivered a presentation in hybrid mode to more than 130 teachers. The workshop was co-organised by the Education Bureau and the Journalism Education Foundation.
 
At the workshop, the Privacy Commissioner delivered a presentation titled “Understanding AI Security and Privacy Risks in Schools”, in which she explained the personal data privacy risks that may arise from the use of AI in schools, as well as how to prevent and handle AI deepfake incidents. She also shared with participants some recommendations on developing schools’ internal policies or guidelines on the use of generative AI.
 
In addition, representatives of the PCPD introduced the data protection principles under the PDPO and shared some real cases of data breach incidents involving schools. During the workshop, representatives of the PCPD guided the participants to try out some steps for anonymising personal data and demonstrated the effect of using deepfake technology to generate portraits of individual persons.
 
Please click here for the presentation deck (Chinese only).

Reaching Out to the Community – Assistant Privacy Commissioner Joins Panel Discussion at “Agentic AI Bootcamp”

Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) (Assistant Privacy Commissioner) Mr Alex CHAN Chung-man attended the “Agentic AI Bootcamp” co-organised by the Hong Kong Computer Society (HKCS) and Tencent WeTech Academy on 20 May, and spoke at a panel discussion titled “Cybersecurity Protection in the AI Era”.
 
During the panel discussion, the Assistant Privacy Commissioner discussed issues relating to cybersecurity protection in the AI era with Mr Paul WAN, Convenor of the Cybersecurity Specialist Group of HKCS; Mr Daniel KWONG, Field Chief Information Security Officer of North Asia of Fortinet; and Mr Ricky WOO, Executive Director and Chief Information Security Officer of DBS Bank (Hong Kong). The Assistant Privacy Commissioner shared the governance recommendations and best practices outlined in the Model Framework published by the PCPD. He also discussed AI-related risks, and how organisations should comply with the data protection principles when addressing such risks.

Reaching Out to the Community – Assistant Privacy Commissioner Interviewed by Media on the Impact of the Canvas Data Breach Incident

Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) (Assistant Privacy Commissioner) Mr Alex CHAN Chung-man was interviewed by RTHK Radio 3’s “Backchat” on 19 May, where he explained the impact of the data breach incident involving the online learning management platform Canvas.

The Assistant Privacy Commissioner said that the PCPD has received data breach notifications from seven organisations in connection with the incident. At present, there is no evidence indicating that any data subject has suffered losses as a result of the incident.

He noted that malicious actors may exploit the leaked personal data to craft highly convincing phishing emails, and that the data may also be used for identity theft or for gaining unauthorised access to other systems. He reminded members of the public not to click on suspicious links in emails. At the same time, organisations should establish a “human firewall” and strengthen staff awareness of data security. He also encouraged organisations to make use of the PCPD’s one-stop data security resources, including the “Data Security Thematic Website”, “Data Security Hotline” and various guidance materials.

Click here to listen to the interview by RTHK Radio 3’s “Backchat”.

Reaching Out to the Community – Assistant Privacy Commissioner Interviewed by Media to Explain the Investigation Report on the Data Breach Incident of Yau Yat Chuen Garden City Club and Practical Tips on Safeguarding Children’s Online Privacy

Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) (Assistant Privacy Commissioner) Mr Alex CHAN Chung-man was interviewed by RTHK Radio 3’s “Backchat” on 27 April. During the interview, he explained the key findings of the investigation report of the data breach incident of Yau Yat Chuen Garden City Club and introduced the “Practical Tips for Parents and Teachers on Safeguarding Children’s Online Privacy” published by the PCPD

During the interview, the Assistant Privacy Commissioner pointed out that databases that contain the data of members often contain extensive, comprehensive, and continuously updated personal data. As such, they have become primary targets for cyberattacks. He reminded organisations to regularly review the effectiveness of the security measures of their information systems and to allocate sufficient resources on cybersecurity in order to reduce the risk of data breach.

In addition, the Assistant Privacy Commissioner called on parents and teachers to work together to create a safe and privacy-friendly digital space for children, and strengthen their awareness of the importance of protecting personal data privacy.

Event Organised in Celebration of PCPD’s 30^th Anniversary – Public Seminar on “Preventing Scams in the Digital Era”

To mark the 30^th anniversary of the PCPD, the PCPD is rolling out a series of educational and promotional initiatives. A public seminar entitled “Preventing Scams in the Digital Era” was successfully held on 5 May, attracting near 400 participants.
 
At the seminar, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) Mr Alex CHAN Chung-man shared with participants some practical advice on safeguarding personal data privacy in the era of AI, including how to use AI chatbots, smartphones and social media wisely.
 
The seminar also featured Senior Inspector of the Anti-Deception Coordination Centre of the Commercial Crime Bureau of the Hong Kong Police Force, Ms Stephanie ANG, who introduced the latest trends in scam cases and shared real-life cases and practical anti-scam tips.
 
Please click here for Assistant Privacy Commissioner Mr Alex CHAN Chung-man’s presentation deck (Chinese only).
Please click here for Senior Inspector Ms Stephanie ANG’s presentation deck (Chinese only).

MEDIA STATEMENT

PCPD Urges Vigilance Against Scammers Impersonating Electrical Appliance Retailer

The PCPD received 24 complaints and seven enquiries over the past few months concerning calls from fraudsters impersonating staff of an electrical appliance retailer, falsely claiming that they could arrange compensation or replacement of product. The PCPD appeals to members of the public to be vigilant against suspicious calls, to verify the identities of callers and not to be trapped simply because the callers are able to allude to their personal data.
 
All the complainants in the above-mentioned 24 complaints had previously purchased electrical appliances from “BUILT-IN PRO”. They subsequently received calls from individuals who claimed themselves to be staff of the retailer, alleging that the appliances they had purchased were defective and that compensation and product replacement could be arranged. However, they were requested to make payment upfront. Some complainants were deceived because the fraudsters were able to refer to the personal data that they provided at the time of purchase and details of purchase, and the complainants proceeded to make payments, resulting in financial losses. The losses ranged from over HK$6,000 to over HK$17,000 in individual cases.
 
To safeguard personal data privacy and property security, the PCPD reminds members of the public to pay attention to the following when they receive any calls purportedly made by merchants to follow up on purchased products:

1. Verify the identities of callers: Even if callers can allude to your personal data, you should think twice before disclosing any further personal data or making any payment to the callers if you are in doubt about their identities. Members of the public should verify the authenticity of the content of the call through the merchants’ official website, official customer service hotline or by visiting retail stores in person, and pay attention to any scam alerts issued by the merchants;
   
2. Reject any suspicious payment requests: When handling compensations or refunds, in general merchants will not require customers to make any upfront payment such as “deposits” or “handling fees” in advance, or to make any transfer for the purpose of verifying the bank account. Citizens should never disclose sensitive data such as online banking account details or passwords to others arbitrarily;
   
3. Retain communication records: Keep records of the incoming phone numbers and conversation details for reporting to the Police or relevant authorities where necessary; and
   
4. Stay alert to fraud prevention information: Pay attention to fraud prevention information published by the PCPD, the Police or other relevant organisations to enhance vigilance. Members of the public may also visit “Scameter” (https://cyberdefender.hk/en-us/scameter/) to check suspicious phone numbers, email addresses and websites, etc.
   

Anyone who suspects that his/her personal data has been misused may make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk).  If there is any suspicion of fraud on personal data which involves criminal offence(s), one should immediately report the case to the Police.

PCPD Reminds Affected Organisations and the Public to Safeguard Personal Data Privacy in relation to the Canvas Data Breach Incident

As regards the data breach incident involving the online learning management platform Canvas, the PCPD has received data breach notifications from seven organisations — The Hong Kong Polytechnic University, The Hong Kong Institute of Construction, Hong Kong Education City Limited, The Hong Kong University of Science and Technology, The Hong Kong Academy for Performing Arts, Hong Kong Art School and City University of Hong Kong. Upon receipt of the data breach notifications, the PCPD has recommended the relevant organisations to promptly notify the affected data subjects, and has provided advice on the remedial measures that can be taken by the organisations to mitigate the possible impact of the incident.
 

Despite that the operator of the relevant platform announced that the unauthorised actor has returned the compromised data to them, the PCPD reminds users who are possibly affected by the incident to remain vigilant and guard against possible misuse of their personal data. To protect personal data privacy, the PCPD recommends affected users take the following measures:-

• Stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources, including text messages or emails purportedly sent from the Canvas platform, and refrain from opening attachments, links or disclosing personal data arbitrarily;
  
• Be vigilant against phishing or other possible scams;
  
• Consider changing the user credentials of their Canvas accounts and other online accounts, and enable multi-factor authentication function (if available);
  
• Beware of any unusual logins to their personal emails, Canvas accounts or other accounts; and
  
• If they suspect that they may be affected, they may make enquiries with the relevant organisations or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk).

If any organisations which suspect that they may be affected by the incident and require assistance, they are welcome to contact the PCPD. The PCPD also recommends that potentially affected organisations adopt the following remedial measures:-

• Conduct a comprehensive security review of their information systems (including the affected platform) before resuming use of the platform;
  
• Where practicable, segregate the affected platform from other information systems;
  
• Monitor relevant system logs for anomalous activities, including unusual login activities and large-scale data exports;
  
• Remove or minimise sensitive data stored on the platform; and
  
• Apply security scanning to all data or content exported from the affected platform.

Instagram Discontinues “End-to-end Encrypted Messaging” Feature; PCPD Reminds Users to Safeguard Personal Data Privacy

The PCPD noted that social media platform Instagram had ceased supporting “end-to-end encrypted messaging” feature with effect from 8 May. The purpose of the “end-to-end encrypted messaging” feature was to ensure that messages and calls between users could only be seen, heard or read by the communicating parties themselves. This update means that third parties (including the social media platform) may, in future, be able to read or access the contents of users’ messages, including photos, videos and voice messages.
 
The PCPD reminds users to note the aforesaid update from the relevant social media platform and to consider whether it is necessary to disclose their own or others’ personal data in messages and calls, in order to safeguard personal data privacy. Where necessary, users may download and back up their past chat records by following the steps set out in Annex 1.
 
For enquiries, users may contact the relevant social media platform or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk).

A 23-year-old Female Arrested for Suspected Doxxing of Her Former Schoolmate Because of Personal Disputes

The PCPD arrested a Chinese female aged 23 in Kowloon on 29 April. The arrested person was suspected to have disclosed the personal data of a former schoolmate without her consent, in contravention of section 64(3A) of the PDPO.
 
The PCPD’s investigation revealed that the victim and the arrested person were former secondary schoolmates and the two maintained contact after graduation. Their relationship later turned sour owing to some personal grudges.
 
In March 2026, messages were posted on personal accounts across two social media platforms on three occasions, disclosing the personal data of the victim alongside some negative comments against her. The personal data disclosed included the name of the victim’s social media platform account, her photos, partial name of her current company and its address, former occupation and work location, as well as partly redacted photos of the victim’s Hong Kong Identity Card (HKID card) and a medical report that the victim disclosed to the arrested person in 2023. The said HKID card photo disclosed the victim’s Chinese and English names, date of birth, gender and photo, whereas the photo of the medical report disclosed the victim’s English name and the content of the report.
 
The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflicts. Moreover, identity cards and medical reports both contain sensitive personal data, and any reckless or intentional disclosure of copies of identity cards or medical reports without the data subject’s consent may constitute a doxxing offence. An offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.

Relevant Provisions under the PDPO

Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —

 

   a. With an intent to cause any specified harm to the data subject or any family member of the data

       subject; or

   b. Being reckless as to whether any specified harm would be, or would likely be, caused to the data

       subject or any family member of the data subject.

 

A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.

Pursuant to section 64(3C) of the PDPO, a person commits an offence if —

 

   a. The person discloses any personal data of a data subject without the relevant consent of the data

       subject —

1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and

   b. The disclosure causes any specified harm to the data subject or any family member of the data

       subject.

 

A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.

According to section 64(6) of the PDPO, specified harm in relation to a person means —

1. Harassment, molestation, pestering, threat or intimidation to the person;
2. Bodily harm or psychological harm to the person;
3. Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
4. Damage to the property of the person.

MAINLAND CORNER

Highlights of the “Draft Measures for the Administration of Digital Virtual Human Information Services” 
《數字虛擬人信息服務管理辦法（徵求意見稿）》的重點

To promote the healthy development and regulate the application of digital virtual human information services, the Cyberspace Administration of China released the “Draft Measures for the Administration of Digital Virtual Human Information Services” (Draft Measures) on 3 April 2026. The Draft Measures encourages the implementation and application of digital virtual human services across various sectors, while at the same time emphasising the protection of rights and interests, including the protection of personal information, personality rights, intellectual property rights, and the protection of minors. The Draft Measures applies not only to providers of digital virtual human information services, but also service users, technical support providers, and providers of online information content dissemination services. The consultation ended on 6 May 2026. This article provides an overview of the Draft Regulations.

 

為促進數字虛擬人信息服務健康發展和規範應用，國家互聯網信息辦公室於2026年4月3日發布《數字虛擬人信息服務管理辦法（徵求意見稿）》¹ 。《徵求意見稿 》鼓勵數字虛擬人服務在各領域的應用落地²，同時強調權益保護，涵蓋個人信息保護 、人格權、知識產權及未成年人的保護等，其規管對象除了數字虛擬人信息服務提供者，亦包括服務使用者、技術支持者，以及提供網絡信息內容傳播服務的服務提供者。徵求意見期已於2026年5月6日結束，《徵求意見稿》的重點如下：

 

適用範圍

《徵求意見稿》的規定適用於通過數字虛擬人向中國境內公眾提供互聯網信息服務的活動³。數字虛擬人是指存在於非物理世界，利用圖形學、數字圖像處理或者人工智能等技術，借助真人驅動或者計算驅動，模擬人類外貌，具備聲音、行為、交互能力或者性格等特徵的虛擬數字形象⁴。

 

權益保護

《徵求意見稿》重視權益保護，圍繞個人信息保護、人格權、知識產權及未成年人保護等提出多項規定。

 

《徵求意見稿》提出，使用自然人敏感個人信息用於建模、形象生成、場景構建等活動，應符合以下要求⁵：

• 取得自然人的單獨同意，並告知處理目的、必要性、對個人權益的影響等；
• 在自然人撤回同意後，採取刪除相關個人信息等方式消除影響，不得以任何形式留存個人信息或者用於其他用途⁶；
• 使用死者的個人信息開展相關活動的，死者近親屬為了自身的合法、正當利益，可以對死者的相關個人信息依法行使相應權利⁷。

 

在人格權方面，《徵求意見稿》規定，未經特定自然人同意，不得提供足以識別其身份的數字虛擬人服務，包括使用與其高度相似的肖像或者聲音等⁸。

 

《徵求意見稿》亦要求，若使用他人文字、美術、攝影、音樂、視聽等作品或者製品製作數字虛擬人，不得侵害他人依法享有的知識產權⁹。

 

為加強未成年人保護，《徵求意見稿》提出禁止誘導未成年人沉迷數字虛擬人服務，並且不得向未成年人提供虛擬親屬、虛擬伴侶等虛擬親密關係的數字虛擬人服務，以及含有可能引發或者誘導未成年人模仿不安全行為等可能影響未成年人身心健康的信息¹⁰。

 

服務規範

《徵求意見稿》列出了多項提供、使用數字虛擬人服務時不得從事的活動，包括¹¹：

• 按法律、行政法規要求提供真實身份信息時，利用數字虛擬人繞過人臉識別、語音識別等身份認證機制；
• 侵害真人驅動數字虛擬人¹²的真人驅動方個人信息等合法權益。

 

《徵求意見稿》亦對數字虛擬人服務提供者（服務提供者）、技術支持者、服務使用者以及提供網絡信息內容傳播服務的服務提供者（傳播服務提供者）提出了一系列要求，例如：

• 服務提供者、服務使用者及傳播服務提供者應當在數字虛擬人展示區域全程持續顯示含有「數字人」字樣的顯著提示標識，並符合國家人工智能生成合成內容標識有關規定¹³；
• 服務提供者和服務使用者應當在特定目的和範圍內開展數據處理活動，使用具有合法來源的數據並落實數據安全保護責任¹⁴；
• 服務提供者應當與技術支持者、服務使用者簽訂服務協議，明確保障內容安全，以及數據收集、使用、存儲規範等權利義務內容¹⁵。

 

此外，《徵求意見稿》規定，在政務服務、公共管理、司法活動等領域使用數字虛擬人服務時，應當遵守合法、合理、正當、必要原則，設置人工監督與審核機制，用戶亦有權拒絕數字虛擬人服務¹⁶。

 

總結

《徵求意見稿》因應數字虛擬人可能帶來的風險，明確要求保障多種合法權益，亦釐清了各類主體的義務。服務提供者、服務使用者等各方宜細閱當中要求，於《徵求意見稿》定稿後採取相應措施。

 

 

 

 

¹ 全文：https://www.cac.gov.cn/2026-04/03/c_1776952992709096.htm
² 《徵求意見稿》第五條。
³ 《徵求意見稿》第二條。
⁴ 《徵求意見稿》第二十五條。
⁵ 《徵求意見稿》 第七條。
⁶ 法律、行政法規另有規定的除外。
⁷ 死者生前另有安排的除外。
⁸ 《徵求意見稿》第八條。
⁹ 《徵求意見稿》第九條。
¹⁰ 《徵求意見稿》 第十條。
¹¹ 《徵求意見稿》第十一條。
¹² 《徵求意見稿》第二十五條指出，真人驅動數字虛擬人是指通過動作捕捉技術實時映射真人表情、動作和語音的虛擬數字形象。
¹³ 《徵求意見稿》第十三條。
¹⁴ 《徵求意見稿》第十四條。
¹⁵ 《徵求意見稿》第十六條。
¹⁶ 《徵求意見稿》第十九條。

RECOMMENDED TRAINING

Professional Workshop on Data Protection in Banking/Financial Services

The application of fintech has developed rapidly in recent years, changing the landscape of the financial world. Practitioners of the banking and financial industry may face different personal data privacy issues in their business operations. To deal with these new challenges, a clear understanding of the requirements under the PDPO is necessary.

This workshop examines the risks of handling personal data in the daily operations of banking and financial services institutions, and provides practical advice on how to deal with these issues effectively. It is particularly suitable for data protection officers, compliance officers, banking/financial practitioners, company secretaries and solicitors.

 

Date: 3 June 2026 (Wednesday)

 

Time: 2:15pm – 5:15pm

  

Mode: Online
 

Language: Cantonese

 

Fee: $750/$600*
(*Members of the DPOC and supporting organisations may enjoy the discounted fee)

 

Accreditation: 3 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Hong Kong Institute of Bankers)

 

Who should attend: Data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking/financial industry.

New Series of Professional Workshops on Data Protection from Jul to Sep 2026:

Online Free Seminars – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below: 

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

 

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Data security management;
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!

 

Special Offer for Organisational Renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).

 

Join us now to keep up-to-date with the latest news and legal developments!

SUPPORTING EVENTS

PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2026/27

The PCPD is delighted to be one of the scheme partners of the Cyber Security Staff Awareness Recognition Scheme 2026/27 (the Scheme). Co-organised by the Digital Policy Office (DPO), Hong Kong Internet Registration Corporation Limited and ISACA China Hong Kong Chapter, the Scheme aims to promote “Human Firewall” concept among the industry by raising cyber security staff awareness on top of technical protection as a second level defense line, and to enhance organisations’ protection level by encouraging the organsations to raise staff awareness by multiple channels, e.g. training, policy, communication, drill, etc. The Scheme is now open for application until 14 August.

Please click here for the Scheme details and application.

PCPD Supports the Hong Kong ICT Awards 2026 – FinTech Award and Smart Business Award 

Since 2006, the Hong Kong ICT Awards have been recognising and promoting outstanding innovation and excellence in the information and communications technology field. Steered by the DPO and organised by industry associations and professional bodies, the internationally acclaimed Awards recognise creativity and practical solutions that address business and social needs. 

The PCPD is delighted to support the Hong Kong ICT Awards 2026 – FinTech Award, where The Hong Kong Institute of Bankers has been appointed as the Leading Organiser.

In addition, the PCPD is also the supporting organisation of the Hong Kong ICT Awards 2026 – Smart Business Award, where the HKCS has been appointed as the Leading Organiser.

For details, please click here for the FinTech Award and here for the Smart Business Award.

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong

Tel: 2827 2827

 

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

 

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.