PCPD e-NEWSLETTER
ISSUE Jun 2025
Telling a Good Hong Kong Story – Promoting AI Security Privacy Commissioner’s Office Receives Asia Pacific GovMedia Awards 2025 Public Sector Initiative of the Year
|
“Hong Kong Public Sector Initiative of the Year – Regulatory” Award
|
The PCPD has won the “Hong Kong Public Sector Initiative of the Year – Regulatory” award in the Asia Pacific GovMedia Conference & Awards 2025 for its guidance “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework). The Model Framework, which was published in June 2024, aims to assist organisations in complying with the relevant requirements of the Personal Data (Privacy) Ordinance (PDPO) when procuring, customising, implementing, and using AI, including generative AI. The Model Framework provides a set of recommendations and best practices regarding governance of AI based on general business processes, enabling organisations to harness the benefits of AI while safeguarding personal data privacy.
The GovMedia Conference & Awards 2025 is an awards programme organised by Asia Pacific news platform GovMedia to recognise public sector projects that are transforming the Asia Pacific region and making a global impact. The awards celebrate innovative solutions, excellence in governance and impactful projects that enhance public services and improve the lives of the public.
|
“AI Security Matters for All” Privacy Commissioner’s Office Launches a Series of Promotional and Educational Activities to Promote AI Security in Privacy Awareness Week 2025
|
Privacy Commissioner Ms Ada CHUNG Lai-ling wishes to raise awareness of AI security among members of the public and organisations through the activities of PAW 2025.
|
The PCPD has launched the annual flagship event, “Privacy Awareness Week 2025” (PAW 2025), from 9 to 15 June. To enhance the awareness of the public and organisations of artificial intelligence (AI) security, the PCPD has launched a series of promotional and educational activities under the theme of “AI Security Matters for All”. These activities include the running of thematic trams for roving promotion, a newly launched “AI Security” thematic website, and a series of thematic seminars, all aimed at reminding all sectors of the society to safeguard personal data privacy when using AI.

To raise public awareness of AI security, the PCPD has launched the running of thematic trams featuring “AI Security Matters for All” starting from 9 June until 4 July for roving promotion. The tram design prominently features a lock symbolising AI security, alongside various icons relating to personal data. It also includes information on the “AI Security” hotline (2110 1155) and a QR code linking to the newly launched “AI Security” thematic website, thereby enabling members of the public to easily access relevant information.

The newly launched “AI Security” thematic website (https://www.pcpd.org.hk/english/artificial_intelligence/index.html) serves as a one-stop platform providing information on the PCPD’s guidance materials on AI, educational materials, information on regulatory developments globally, and the PCPD’s news and activities on promoting AI security. The thematic website enables members of the public and organisations to conveniently access practical tips when using AI, and the latest developments in AI governance both in Hong Kong and around the world.

During the PAW 2025, the PCPD also collaborated with various organisations in organising a series of thematic seminars. These include:
- A seminar co-organised with the City University of Hong Kong Press on 10 June, titled “Protecting Personal Data Privacy – Challenges and Opportunities in the Digital Era”. The seminar explored the latest developments in the privacy landscape in Hong Kong. It also highlighted various guidelines on AI issued by the PCPD, the requirements under the PDPO for transferring personal data from Hong Kong, and the facilitation measure for promoting cross-boundary flow of personal information within the Greater Bay Area;
- The second training seminar of the “Data Security Training Series for SMEs” organised in collaboration with the Hong Kong Productivity Council (HKPC) on 13 June, titled “Understanding Data Security and Privacy Risks Related to AI for SMEs”. The seminar explored the applications of AI technology by SMEs in businesses, the data security and personal data privacy risks involved, as well as the best practices for SMEs in procuring, implementing and using AI systems, including generative AI; and
- A seminar co-organised with the Information Technology Services – Data Protection Office of the University of Hong Kong on 27 June, titled “AI Driven Education & Cybersecurity Challenges in AI: Balancing Innovation and Data Protection”. The seminar elaborated on the AI Guidelines recently published by the PCPD, and speakers shared their insights and the best practices in safeguarding personal data in the digital environment. Various industry professionals also engaged in a panel discussion over measures to cope with mistakes made by AI and data users.
Additionally, the PCPD also distributed the PAW 2025 posters to government departments, District Offices, community centres, chambers of commerce, different organisations, schools and members of the PCPD’s Data Protection Officers’ Club to promote the importance of AI security across various sectors of the society.

Privacy Awareness Week is an annual event jointly supported by members of the Asia Pacific Privacy Authorities (APPA) to raise public awareness of protecting and respecting personal data privacy. For details, please click here to visit the PAW 2025 website.

Mobile Apps in the AI Era: Meeting User Demands Responsibly

PRIVACY COMMISSIONER’S FINDINGS
Unauthorised Circulation of Confidential Documents Containing Personal Data in Social Media Network

A Shopper's Guide to Safeguarding Personal Data in an AI-Driven World

Telling a Good China Story; Telling a Good Hong Kong Story – Privacy Commissioner Attends the 63rd Asia Pacific Privacy Authorities Forum
A Debt Collection Agency Convicted of Direct Marketing Offences; Privacy Commissioner Welcomes the Court’s Ruling
Beware of Fraudulent Phone Calls Impersonating PCPD Officers
A 23-year-old Female Arrested for Suspected Doxxing of Ex-boyfriend Arising from Relationship Entanglements
Free Online Seminars: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
PCPD Supports the Hong Kong Institute of Bankers Annual Banking Conference 2025
PCPD Supports the BugHunting Campaign 2025
PCPD Supports the HKIoD Award for Director Excellence 2025
PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2025

Privacy Commissioner Attends the 5th Anniversary Forum of the Promulgation and Implementation of Hong Kong National Security Law
Enhancing Cyber Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer
Promoting AI Security – Privacy Commissioner Speaks at Seminar on Media and Information Literacy
Promoting AI Security – Privacy Commissioner Publishes an Article on HR e-Journal
Promoting AI Security – Privacy Commissioner Interviewed by Metro Finance’s “Finance Boulevard”
Reaching Out to the Community – PCPD and City University of Hong Kong Press Jointly Organise a Seminar
Promoting AI Security – Privacy Commissioner Publishes “Hong Kong Letter”
Reaching Out to Enterprise – Privacy Commissioner Visits Huawei Shenzhen Headquarters and Dongguan Base Camp
Promoting AI Security – Privacy Commissioner Speaks at the Hong Kong AI Governance Conference
Reaching out to SMEs – PCPD and HKPC Jointly Organise a Seminar
Telling a Good Hong Kong Story – PCPD Receives Delegation of Mainland Legal Officials
Telling a Good Hong Kong Story – Assistant Privacy Commissioner Speaks at the 8th National Data Privacy Conference of the Philippines

Highlights of the “Measures for the Administration of National Cyberspace Identity Authentication Public Services”
EU: Commission Publishes Generative AI Outlook Report
EU: The European Data Protection Board (EDPB) Publishes Reports on Practical Compliance with Privacy and AI Legislation
International: ISO Publishes AI Impact Assessment Standard
Right-sizing AI Governance: Starting the Conversation for SMEs

Winners of the PCPD’s Privacy-Friendly Awards 2025 will be announced at the Awards Presentation Ceremony, to be held on 10 July at the Hong Kong Convention and Exhibition Centre. All award-winning organisations will be invited to the Ceremony. Stay tuned for the updates!
|
|
|
Mobile Apps in the AI Era: Meeting User Demands Responsibly
|
In a world where smartphones are ubiquitous, it has become essential for organisations across industries to develop dedicated mobile apps and seamlessly integrate them into their operational processes. Nowadays, consumers not only want mobile apps; they also desire an exceptional in-app experience that is real-time, responsive, and effortless. In the age of AI, organisations can leverage AI technologies within their apps to meet these expectations, particularly in consumer-driven sectors.
Yet, as the demand for enhanced app experiences grows, so does the need to balance user convenience with the protection of personal data privacy. How can organisations ensure they meet user expectations while safeguarding personal data? Here are some foundational principles to guide organisations in developing user-centric mobile apps:
- Data Minimisation: Reduce the collection of personal data, especially sensitive personal data, to the absolute minimum. This is a key element of Privacy by Design;
- Transparency: Be open to users about what information (both stored on mobile devices and gathered from users) will be accessed or used to earn trust; and
- Risk Minimisation: If data is transmitted and/or stored, implement adequate protection, in terms of encryption and access control, to prevent unauthorised access, disclosure or use.
Once the app is in place, organisations should consider these best practice recommendations:
- If your app requires user location data, consider asking users to consciously indicate their locations on a simplified map rather than obtaining this data automatically and continuously;
- Provide users with a means to delete their data (including any account or account-related data) stored on their mobile devices and in backend servers, especially when they wish to uninstall the app;
- Allow users to use your app anonymously without requiring them to log in;
- If you haven’t made this clear, do not combine data collected from one app with data from another app for the same user, or from other sources, to analyse user behaviour or preferences;
- If data accessed or collected is used for gauging the collective preferences of groups of app users, assure them that it will not be used to profile or target individuals; and
- Use the default privacy policy link on the app installation page to inform users, prior to installation, about what data your app will access, transmit, store, share, and use, along with the reasons for this.
For more details on other recommendations, please refer to the “Best Practice Guide for Mobile App Development”.
|
|
|
PRIVACY COMMISSIONER’S FINDINGS
|
Unauthorised Circulation of Confidential Documents Containing Personal Data in Social Media Network
|
Background
A government department reported to the PCPD that a staff member had, without authorisation, uploaded to a WhatsApp group a memo containing the names, service numbers, ranks, positions, stationed units and examination dates of 138 service members who would sit for an internal examination.
This case originated from the staff member concerned, who noted that all those service members scheduled to sit for the examination were off duty when she received the memo. As she had been requested to disseminate the respective examination dates to the members concerned for preparation of the examination, she captured the relevant pages of the memo and shared the images to the members involved in the WhatsApp group to prevent unnecessary delay. Upon receipt of the images, one member in the WhatsApp group further forwarded the images to another WhatsApp group comprising his squad members.
Remedial Measures
To prevent recurrence of similar incidents, the department circulated e-memos to remind its service members to observe the safe use of social media networks and the proper handling of personal data and confidential documents. The department also enhanced staff awareness of personal data privacy protection by issuing another memo citing this incident as an example, briefing the relevant staff members on the importance of compliance with the e-memos, and providing ongoing training to all members concerned, etc.
Lessons Learnt
Instant messaging applications can enhance convenience for communication. However, improper use may pose risks to the privacy of individuals, particularly relating to personal data. In this incident, the staff member obviously failed to give due consideration to the established protocols on the proper handling of confidential documents containing personal data when using social media networks. Such actions could result in unintended disclosure of personal data which should be avoided.
|
A Shopper's Guide to Safeguarding Personal Data in an AI-Driven World
|
In today’s fast-paced digital landscape, online shopping has transformed into a remarkably convenient experience, driven by AI technologies that personalise and streamline the processes. Imagine browsing your favourite store and receiving tailored recommendations that align perfectly with your preferences, all the while enjoying a seamless checkout experience. With features like virtual assistants and smart search functions, shoppers can find exactly what they need in a fraction of the time. However, as we embrace these advancements, it’s essential to remain vigilant about the protection of personal data privacy.
By following these tips, shoppers can take advantage of the convenience that AI offers while keeping their personal data secure:
- Provide the minimum amount of personal data: Only provide the minimum amount of personal data required for registration and transactions, or consider conducting transactions as a guest;
- Pay attention to direct marketing settings and make corresponding choices based on personal needs;
- Consider using third-party payment platforms: Use a reliable third-party payment platform to settle transactions;
- Read the privacy policy to understand the platform’s purposes and means of collecting personal data;
- Adjust privacy settings: Check default privacy and security settings, delete unnecessary tracking functions or refuse requests for access to personal data; and
- Delete unused accounts to avoid identity theft and reduce the risk of data leakage.
|
|
|
Privacy Commissioner Attends the 5th Anniversary Forum of the Promulgation and Implementation of Hong Kong National Security Law
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 5th Anniversary Forum of the Promulgation and Implementation of the Hong Kong National Security Law on 21 June to further learn and understand the effect and significance of the promulgation and implementation of the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region for the past five years. Incidentally, cybersecurity, data security and AI security are the key components of national security. The PCPD will continue to strengthen relevant publicity, education and enforcement efforts to enhance public awareness of privacy protection and national security.
|
Enhancing Cyber Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Staying Ahead of Cyber Threats in the Digital Age” on Hong Kong Lawyer. In the article, the Privacy Commissioner highlighted that cyberspace is a key area for safeguarding national security and propelling economic and social development. Organisations as data users bear the responsibility of protecting the personal data they hold. The Privacy Commissioner emphasised that organisations can no longer ignore the risks looming in the cyberspace and should act proactively to defend against cyberattacks. To assist organisations in enhancing their capabilities to safeguard cyber security, the PCPD rolled out a series of initiatives. These included hosting seminars and workshops, establishing a one-stop “Data Security” thematic webpage and launching a “Data Security Scanner” and “Data Security” Hotline (2110 1155). Organisations are encouraged to make use of these resources to proactively strengthen their defence against cyberattacks. Please click here to read the article.
|
Promoting AI Security – Privacy Commissioner Speaks at Seminar on Media and Information Literacy
|
Privacy Commissioner Ms Ada CHUNG Lai-ling spoke at the “Media and Information Literacy (MIL) Series: Seminar on MIL for Smart Cities” jointly organised by the Education Bureau and Journalism Education Foundation on 18 June.
At the seminar, the Privacy Commissioner delivered two speeches, respectively entitled “Protecting Students’ Personal Data: Basic Principles and Case Sharing” and “The Personal Data Privacy Challenges of Using AI in Schools”, in which she highlighted how schools should protect the personal data privacy of students and the privacy risks posed by the use of generative AI (Gen AI) by schools. She also introduced the guidelines published by the PCPD, including the “Checklist on Guidelines for the Use of Generative AI by Employees” (Guidelines) and the Model Framework.
In addition, Personal Data Officer Ms Natalie YUNG Kit-ying shared some real-life case studies in schools with the participants.
The seminar was attended by around 300 participants from the education sector. Please click here for the presentation deck (Chinese only).
|
Promoting AI Security – Privacy Commissioner Publishes an Article on HR e-Journal
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “PCPD’s Guidelines for Devising an Internal Gen AI Policy Creates a Win-Win Situation” on HR e-Journal of the Hong Kong Institute of Human Resource Management.
In the article, the Privacy Commissioner highlighted that while Gen AI has the potential to enhance organisational productivity, it also presents challenges to organisations in safeguarding data security and personal data privacy. To address these challenges, the Privacy Commissioner recommended that organisations refer to the Guidelines published by the PCPD earlier to formulate a clear internal policy or guideline on employees’ use of Gen AI, thereby fostering mutual trust and creating a win-win situation that is conducive to the success of the organisation.
Please click here to read the article.
|
Promoting AI Security – Privacy Commissioner Interviewed by Metro Finance’s “Finance Boulevard”
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Metro Finance’s “Finance Boulevard” on 16 June to explain the privacy risks associated with the use of AI and the work of the PCPD in promoting AI security.
During the interview, the Privacy Commissioner pointed out that the use of AI may pose privacy risks and lead to data breach incidents. She reminded organisations of the importance of complying with the requirements of the PDPO when using AI to process personal data. The Privacy Commissioner also introduced the AI guidelines published by the PCPD, including the Guidelines and the contents of the Guidelines. To enhance the promotion of AI security, the PCPD has launched a thematic webpage on “AI Security”. Organisations may also contact the PCPD vide “AI Security” hotline 2110 1155 if they have any enquiries. Please click here to listen to Metro Finance’s “Finance Boulevard” (Chinese only).
|
Reaching Out to the Community – PCPD and City University of Hong Kong Press Jointly Organise a Seminar
|
The PCPD and City University of Hong Kong Press jointly organised a seminar titled “Protecting Personal Data Privacy – Challenges and Opportunities in the Digital Era” on 10 June, attracting about 120 participants.
At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling discussed the latest developments in Hong Kong’s privacy landscape, covering recent data breach incidents, the PCPD’s guidelines on AI, and the new anti-doxxing regime. Professor ZHU Guobin of the School of Law of City University of Hong Kong was also invited to speak at the seminar on the key aspects and recent developments of data protection laws in the Mainland. In addition, Ms Joanne WONG, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD, also elaborated on the requirements for transferring personal data from Hong Kong and the facilitation measures for promoting cross-boundary flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area.
The seminar was one of the key events of the PCPD’s PAW 2025, held from 9 to 15 June under the theme “AI Security Matters for All”.
Please click here for the Privacy Commissioner’s presentation deck.
Please click here for Professor Zhu’s presentation deck.
Please click here for Ms Wong’s presentation deck.
|
Promoting AI Security – Privacy Commissioner Publishes “Hong Kong Letter”
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published a “Hong Kong Letter” on RTHK Radio 1 on 7 June 2025 to elaborate on the importance of organisations formulating internal policies or guidelines on AI. The Privacy Commissioner pointed out that the use of generative AI by employees without proper guidance would not only pose risks to personal data privacy but may also compromise the organisation’s own interests.
The Privacy Commissioner stated that the PCPD published the Guidelines in March 2025 to assist organisations in developing policies or guidelines for the use of AI. The Guidelines enable employers and employees to leverage the convenience and benefits of technology while safeguarding personal data privacy.
Please click here to read the “Hong Kong Letter” (Chinese only).
|
Reaching Out to Enterprise – Privacy Commissioner Visits Huawei Shenzhen Headquarters and Dongguan Base Camp
|
Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD visited the Headquarters of Huawei Technologies Co., Ltd. in Shenzhen and its Dongguan Base Camp on 4 June to understand Huawei’s latest technological innovations, especially in the field of AI and cloud storage, as well as their cybersecurity and privacy protection governance policies. During the visit, the Privacy Commissioner met with Mr Ambrose TANG, the Deputy Managing Director and Chief Cyber Security and Privacy Officer of Huawei (Hong Kong) and other representatives of Huawei to discuss the latest technological developments in the Mainland, including that of Huawei Cloud.
|
Promoting AI Security – Privacy Commissioner Speaks at the Hong Kong AI Governance Conference
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong AI Governance Conference themed “Shaping the Future of Responsible GenAI in Hong Kong” on 30 May and delivered a keynote speech titled “New Horizons of Privacy Protection in the Era of GenAI”.
In her speech, the Privacy Commissioner discussed the privacy risks associated with the use of AI and introduced the various guidelines published by the PCPD, including the Guidelines and the Model Framework.
The conference was organised by the Hong Kong Association of Interactive Marketing and was attended by around 150 stakeholders from the government, business sectors, information technology and marketing sectors.
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
|
Reaching out to SMEs – PCPD and HKPC Jointly Organise a Seminar
|
To assist small and medium-sized enterprises (SMEs) in enhancing their data security, the PCPD and the HKPC jointly launched the “Data Security Training Series for SMEs”. The second seminar of the training series, titled “Understanding Data Security and Privacy Risks Related to AI for SMEs”, was successfully held on 13 June, attracting over 400 participants. At the seminar, Ms Joanne WONG, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research), and Ir Alex CHAN, General Manager of the Digital Trust and Transformation Division of the HKPC, shared with participants the best practices for procuring, implementing and using AI systems (including generative AI). They also discussed their perspectives on ensuring data security and protecting personal data privacy when using AI. The seminar was one of the key events of the PCPD’s PAW 2025, held from 9 to 15 June under the theme “AI Security Matters for All”.
Please click here for Ms Wong’s presentation deck (Chinese only). Please click here for Ir Chan’s presentation deck (Chinese only).
|
Telling a Good Hong Kong Story – PCPD Receives Delegation of Mainland Legal Officials
|
The PCPD received a delegation of Mainland legal officials on 5 June. During the meeting with Mainland officials, representatives of the PCPD introduced Hong Kong’s personal data protection laws, the PCPD’s role, functions, and ongoing efforts in protecting personal data privacy. The delegation comprised 21 Mainland officials currently enrolled in the Master of Laws programme in Common Law at the University of Hong Kong and the Chinese University of Hong Kong under the Training Scheme in Common Law for Mainland Legal Officials organised by the Department of Justice.
|
Telling a Good Hong Kong Story – Assistant Privacy Commissioner Speaks at the 8th National Data Privacy Conference of the Philippines
|
The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) Ms Joanne WONG, along with a representative of the PCPD, attended the 8th National Data Privacy Conference from 27 to 29 May in Metro Manila, the Philippines. The conference was themed “Global Privacy Matters: Navigating a Borderless Digital World and Expanding New Professional Horizons”. Ms Wong spoke at a panel titled “Accountable AI and Data Protection: Building Foundations for Workforce Transformation” on 28 May, where she discussed the potential privacy risks posed by the increasing adoption of AI. She also introduced the AI guidelines published by the PCPD, including the Model Framework and the Guidelines. The conference was organised by the National Privacy Commission of the Philippines as part of its PAW 2025. The PCPD executed a Memorandum of Understanding (MOU) with the National Privacy Commission of the Philippines in 2023 to foster closer cooperation and to facilitate communication between the two authorities.
|
|
|
Telling a Good China Story; Telling a Good Hong Kong Story – Privacy Commissioner Attends the 63rd Asia Pacific Privacy Authorities Forum
|
Privacy Commissioner Ms Ada CHUNG Lai-ling and senior officers of the PCPD attended the 63rd Asia Pacific Privacy Authorities (APPA) Forum held by video conference earlier, from 11 to 12 June. The Forum brought together representatives from 14 APPA members to exchange views on various topical privacy issues, share regulatory experiences and discuss enforcement challenges. At the Forum, the Privacy Commissioner provided an overview of the Guidelines published by the PCPD, and introduced the standard contractual measures in facilitating the cross-boundary flow of personal information in the Guangdong-Hong Kong-Macao Greater Bay Area. Assistant Privacy Commissioner of the PCPD Ms Joanne WONG Nga-wun also presented the key findings from the PCPD’s compliance checks on the use of AI in Hong Kong. In addition, as the co-chair of the International Enforcement Cooperation Working Group of the Global Privacy Assembly, the PCPD reported on the work of the Working Group to attendees of the Forum. Major themes discussed at the 63rd APPA Forum included:
- AI and emerging technologies;
- Legislative and enforcement updates;
- Data minimisation, protection frameworks and data protection networks;
- Biometrics for retail crime and public safety;
- Privacy enhancing technologies;
- Data breach notifications; and
- Privacy law reform.
Founded in 1992, APPA serves as the principal forum for privacy and data protection authorities in the Asia Pacific region to form partnerships, discuss best practices and share information on emerging technologies as well as trends in privacy regulation. The 63rd APPA Forum was hosted by the Office of the Privacy Commissioner, New Zealand.
|
A Debt Collection Agency Convicted of Direct Marketing Offences; Privacy Commissioner Welcomes the Court’s Ruling
|
On 11 June, the West Kowloon Magistrates’ Court convicted Credit Base (HK) Limited (the Company) of two charges of direct marketing offences under the PDPO. The Company was fined HK$2,500 in respect of each charge, which amounted to HK$5,000 in total. Privacy Commissioner Ms Ada CHUNG Lai-ling welcomed the court’s ruling.

Earlier in March 2025, the Police laid two charges under sections 35C(1) and 35F(1) of the PDPO against the Company, and the Company pleaded guilty on 11 June to the charges. The Police investigation revealed that in November 2023, the Company obtained the data subject’s personal data from the District Court’s filings but failed to take the necessary actions to notify the data subject and obtain his consent before using his personal data in direct marketing for promoting debt collection services. The Company also failed to inform the data subject, when using his personal data in direct marketing for the first time, of his right to request the Company to cease to use his personal data in direct marketing without charge.

Background of the Case
The case originated from a complaint received by the PCPD in November 2023. The complainant received a marketing letter from Credit Base (HK) Limited by post in November 2023. The letter contained the complainant’s Chinese full name and residential address. The complainant called the Company to make enquiries and was told that the Company noted that he had filed a claim with the District Court. Therefore the Company contacted the complainant to see whether he needed its debt collection services. The complainant considered that the Company had used his personal data for direct marketing without his consent. He therefore lodged the complaint with the PCPD. As the PCPD considered that the case involved contraventions of the direct marketing requirements under the PDPO after making some preliminary enquiries, the PCPD referred the case to the Police for criminal investigation and consideration of prosecution.

Relevant Statutory Provisions
Section 35C(1) of the PDPO requires a data user who intends to use a data subject’s personal data in direct marketing to take a number of specified actions, including notifying the data subject that the data user intends to so use the personal data; that the data user may not so use the data unless the data user has received the data subject’s consent; of the types of personal data that will be used; the classes of goods or services that will be marketed and a response channel through which the data subject can communicate his/her consent. Pursuant to section 35F(1) of the PDPO, the data user must, when using a data subject’s personal data in direct marketing for the first time, inform the data subject of his/her right to request the data user to cease to so use the data, without charge to the data subject. Failure to comply with the requirements of section 35C(1) and 35F(1) constitutes a criminal offence. The offender is liable to a fine up to HK$500,000 and imprisonment for three years.
|
Beware of Fraudulent Phone Calls Impersonating PCPD Officers
|
The PCPD appealed to members of the public to be vigilant of fraudulent phone calls claiming to be made by the PCPD. The PCPD has received a number of public enquiries on 11 June regarding phone calls received from individuals posing as PCPD officers. The fraudsters informed the recipients that they had contravened the PDPO and requested that they should attend the PCPD’s office to assist the PCPD with its investigations. The PCPD clarifies that its staff have not made any of the calls in question. If members of the public receive any suspicious phone calls or SMS messages, they should remain vigilant and verify the identities of the callers or senders. They should not disclose personal data to others arbitrarily or click on suspicious links. Anyone who receives suspected fraudulent phone calls or SMS messages may make enquiries with the PCPD (Hotline: 2827 2827 or email: communications@pcpd.org.hk). If there is any suspicion of fraud on personal data which involves criminal offence(s), they should immediately report the case to the Police. Citizens may also visit “Scameter” (https://cyberdefender.hk/en-us/scameter/) to check suspicious phone numbers, email addresses and websites, etc.
|
A 23-year-old Female Arrested for Suspected Doxxing of Ex-boyfriend Arising from Relationship Entanglements
|
The PCPD arrested a Chinese female aged 23 in the New Territories on 3 June. The arrested person was suspected to have disclosed the personal data of her ex-boyfriend without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim and the arrested person once had an intimate relationship which terminated in mid-April 2025. Thereafter, the victim started another relationship with another female. In late April 2025, three posts containing the personal data of the victim were posted in a personal account on a social media platform, alongside some negative comments against him, and netizens were incited to “like” the posts in exchange for further disclosure of the victim’s personal data. The personal data disclosed included the victim’s Chinese name, partial English name, gender, photos, username of his social media account, the names of the universities and courses he attended, his occupation at the material time, as well as a photo of the victim’s university student card showing his Chinese name, English name, photo, the name of the university and the course in which he was enrolled. The victim subsequently lodged a complaint with the PCPD. The PCPD reminds members of the public that they should not dox others because of relationship disputes, and should also not incite netizens to endorse illegal doxxing acts. Doxxing is a serious offence and the offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if —
- The person discloses any personal data of a data subject without the relevant consent of the data subject —
  - With an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means —
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
|
Highlights of the “Measures for the Administration of National Cyberspace Identity Authentication Public Services” (《國家網絡身份認證公共服務管理辦法》)
|
The Ministry of Public Security and the Cyberspace Administration of China jointly released the “Draft Measures for the Administration of National Cyberspace Identity Authentication Public Services” (Draft Measures) on 26 July 2024 for public consultation [1]. As featured in the August 2024 issue of this column, the Draft Measures proposed that individuals could voluntarily apply for cyberspace IDs via a national public service platform (Public Service Platform). This initiative aims to avoid providing personal information in plaintext (e.g. their government-issued ID card numbers) to internet service providers during account registration and identity authentication.
On 23 May 2025, nearly a year later, the finalised “Measures for the Administration of National Cyberspace Identity Authentication Public Services” (Measures) was issued [2] and will become effective on 15 July 2025. This article provides an overview of the key differences between the Measures and the Draft Measures, the current usage of the Public Service Platform and the data security measures adopted by it.
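Differences between the Measures and the Draft Measures
Compared with the Draft Measures, the main revisions in the Measures are as follows:
- Further ensuring that the use of cyberspace numbers (網號) and cyberspace certificates (網證) is voluntary: The Measures encourage the promotion and application of cyberspace numbers and cyberspace certificates on a voluntary basis. Article 6 further adds that “relevant competent authorities and key industries shall, in their administration and services, retain and provide existing or other lawful means for registering and verifying real identities”, emphasising that users may still choose to authenticate their identities by other means.
- Ensuring that users who do not use cyberspace numbers or cyberspace certificates enjoy equal services: Article 7 has been amended to state that “internet platforms shall ensure that users who do not use cyberspace numbers or cyberspace certificates but register and verify their real identities by other means enjoy the same services as users who use cyberspace numbers or cyberspace certificates.”
- Strengthening the protection of the rights and interests of minors: The Measures add a new Article 10, which states that “where users such as minors and the elderly are involved, the Public Service Platform may, in accordance with the law, provide age-indicator information to internet platforms to support them in fulfilling their corresponding legal obligations.”
- Strengthening the supervision of the data security of the Public Service Platform: The Measures add a number of requirements in Article 12, including:
  - Strengthening network operation security and improving the supervision system, so as to effectively protect network operation security, data security and personal information rights and interests;
  - Important data and personal information shall be stored domestically; where it is genuinely necessary to provide them abroad for business needs, a security assessment shall be conducted in accordance with the relevant national regulations; and
  - Where a network operation security incident or data security incident occurs, the emergency response plan shall be activated immediately in accordance with the relevant national regulations, necessary measures shall be taken to eliminate security risks, and users shall be informed and the relevant authorities notified in a timely manner.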
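The Public Service Platform
Usage
According to a report of 24 May 2025 in the People’s Public Security Daily, a newspaper run by the Ministry of Public Security, since the national cyberspace identity authentication public service went online on 27 June 2023, pilot applications have been carried out on major internet platforms and in sectors such as government services, education and examinations, and culture and tourism. The national cyberspace identity authentication app has been downloaded 16 million times in total, 6 million people in total have applied for and activated the service, and 12 million authentication services have been provided. The Public Service Platform has built up an identity authentication support capacity of no less than 300,000 authentications per second and 1.2 trillion authentications per year [3].
Measures to Safeguard Data Security
As mentioned above, the Measures require the Public Service Platform to effectively protect network operation security, data security and personal information rights and interests. To this end, the Ministry of Public Security has adopted measures in the following four areas [4]:
- Protecting citizens’ identity information and data through anonymisation technology, so that data is “usable but not visible”;
- Protecting data throughout its entire life cycle by means of a systematic data security scheme, and classifying and grading data along dimensions such as nature of business, scope of use, associated impact and compliance requirements;
- Establishing sound data operation and maintenance security procedures, strictly managing data access control and approval, auditing data use throughout the process, and ensuring that data access activities are traceable throughout, among others; and
- Periodically conducting live-network attack and defence drills, security risk assessments, classified protection (等級保護) assessments and commercial cryptography assessments, and promptly identifying and patching security vulnerabilities, among others.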
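Conclusion
In summary, in response to the views raised after the release of the Draft Measures, the Measures place greater emphasis on the principle that the use of cyberspace numbers and cyberspace certificates is voluntary, on equal services for users who do not use them, on strengthening the protection of the rights and interests of minors, and on strengthening the supervision of the data security of the Public Service Platform. The Public Service Platform has also adopted a series of data security measures to ensure that personal information is properly protected.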
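[1] Full text: https://www.cac.gov.cn/2024-07/26/c_1723675813897966.htm
[2] Full text: https://www.cac.gov.cn/2025-05/23/c_1749711107835487.htm
[3] People’s Public Security Daily, “Putting a ‘Lock’ on Identity Information to Protect Personal Information Security: An Authoritative Interpretation of the Development and Application of the National Cyberspace Identity Authentication Public Service”. Full text: https://www.mps.gov.cn/n2255079/n4242954/n4841045/n4841050/c10088131/content.html
[4] Responses of the responsible officer of the relevant department of the Ministry of Public Security to press questions on the “Measures for the Administration of National Cyberspace Identity Authentication Public Services”. Full text: https://www.cac.gov.cn/2025-05/23/c_1749711107832483.htm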
|
Professional Workshop on Recent Court and Administrative Appeals Board Decisions
|
Legal professionals and compliance officers should keep abreast of the latest decisions and arguments of the court and the Administrative Appeals Board relating to personal data privacy. In this regard, the PCPD lawyer will give you a deep dive into those cases and the commonly deployed provisions of the PDPO, strengthening your understanding of the cases from a legal perspective and the knowledge in the interpretation and application of the PDPO.
Date: 16 July 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: English
Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers and compliance officers, company secretaries and administration managers
|
Professional Workshop on Data Protection in Insurance
|
Insurance practitioners handle a large amount of customers’ personal data, including customers' names, telephone numbers, addresses, identity card numbers, etc. in their daily operation. Therefore, a proper understanding of the requirements under the PDPO is necessary.
This workshop will examine core concepts of practical data protection compliance illustrated by specific scenarios to highlight potential problems and their resolution. Participants will also engage in discussion of real cases relating to the handling of personal data in different aspects of insurance work.
Date: 23 July 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the insurance industry
|
New Series of Professional Workshops on Data Protection from Aug to Sep 2025:
|
Online Free Seminars – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
|
PCPD Supports the Hong Kong Institute of Bankers Annual Banking Conference 2025
|
The Hong Kong Institute of Bankers (HKIB) Annual Banking Conference 2025 is the premier event for banking professionals seeking to thrive in today's rapidly evolving financial landscape. Organised by the HKIB, the conference will bring together industry leaders, regulators, and experts to explore the latest trends, innovative strategies, and critical challenges shaping the future of banking.
Under the theme “NextGen Banking: Adapting, Innovating, Thriving”, the conference will take place on 26 September at the Hong Kong Convention and Exhibition Centre. Through keynote speeches, interactive panels, and extensive networking opportunities, attendees will gain valuable knowledge and strategies to navigate change and lead their organisations into the next era of banking.
Please click here for the details and registration.
|
PCPD Supports the BugHunting Campaign 2025
|
The PCPD participates in the “BugHunting Campaign 2025” (Campaign) as a Strategic Partner. The Campaign is co-organised by the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and a crowdsourced cybersecurity company, Cyberbay, which leverages a specialised crowdsourced vulnerability detection platform, recruiting experts through bounty rewards to provide participating organisations with free cybersecurity testing. The Campaign also employs AI-powered security assessments, which not only detect vulnerabilities within corporate systems but also carry out security audits on AI applications, to prevent data breaches and offer comprehensive protection against emerging cyber threats.
The Campaign is now open to organisations for registration. Please click here for the details.
|
PCPD Supports the HKIoD Award for Director Excellence 2025
|
The “HKIoD Award for Director Excellence 2025” organised by The Hong Kong Institute of Directors (HKIoD) is now open for nominations. The PCPD is pleased to be one of the supporting organisations of these prestigious awards.
“Redefining Leadership for the New Era” is the theme of the Awards this year. Nominations for the Awards will close on 31 July.
Please click here for the Awards nomination form and related information on the HKIoD’s website.
|
PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2025
|
The PCPD is delighted to be one of the scheme partners of the Cyber Security Staff Awareness Recognition Scheme 2025 (Scheme). Co-organised by Hong Kong Internet Registration Corporation Limited and ISACA China Hong Kong Chapter, the Scheme aims to promote the “Human Firewall” concept in the industry by raising staff awareness of cyber security as a second line of defence on top of technical protection, and to enhance organisations’ protection level by encouraging them to raise staff awareness through multiple channels. Applications are now open for the upcoming round of the Scheme for 2025.
Please click here for the Scheme details and application.
|
The PCPD values the opinions of all our DPOC members. We would love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.