PCPD e-NEWSLETTER
ISSUE Dec 2025
Privacy Commissioner’s Office Publishes (1) Guidance on Handling Abuse of AI Deepfakes and (2) Investigation Findings of a Case Involving the Use of CCTV

Privacy Commissioner Ms Ada CHUNG Lai-ling (left) and the Assistant Privacy Commissioner (Complaints and Criminal Investigation) Ms Rebecca HO Kan-yeuk (right) elaborated on the “Abuse of AI Deepfakes: Toolkit for Schools and Parents” and the investigation findings of a case involving the use of CCTV.
The PCPD published (1) Abuse of AI Deepfakes: Toolkit for Schools and Parents (Toolkit) and (2) the investigation findings of a case involving the use of CCTV on 17 December.

(1) Abuse of AI Deepfakes: Toolkit for Schools and Parents

Artificial intelligence (AI) deepfakes have become increasingly common. Deepfakes can now convincingly imitate and replace a person’s face, voice or actions using personal data contained in images, videos and audio recordings. There are risks of deepfakes being abused in instances involving cyberbullying, scams, falsified intimate images and disinformation, which may cause harm to individuals, particularly children and young people.

The Toolkit introduces common types of deepfakes and typical scenarios of abusive deepfakes in the school environment. The recommendations for schools and parents are categorised into two sections, namely, How to Prevent the Creation of Abusive or Malicious Deepfakes: Tips on Protecting Personal Data Privacy, and How Should Schools and Parents Handle Deepfake Incidents. Key recommendations from the Toolkit include (see Annex 1 for details):

How to Prevent the Creation of Abusive or Malicious Deepfakes: Tips on Protecting Personal Data Privacy
Schools
- Limit raw materials: Limit the publication of photos or videos that clearly identify individual students, where possible;
- Control access: Consider sharing students’ photos and videos on systems such as intranet and parent portal, and regularly remove content that is no longer necessary;
- Ensure data security;
- Devise a response plan: Establish clear procedures for responding to deepfake incidents; and
- Raise awareness: Provide teaching staff with regular training in managing online risks and provide students with workshops.
Parents
- Limit sharing: Think twice before posting your child’s photos or videos;
- Ensure data security;
- Communicate with your child: Educate your child on the responsible use of others’ personal data; and
- Stay informed.
How Should Schools Handle Deepfake Incidents

Abusive or malicious deepfake incidents may involve students as victims, perpetrators or both. In such cases, schools should respond by following existing school policies or procedures, such as crisis management or anti-bullying guidelines, where applicable. The well-being of affected students should be the primary concern. Engage professional support services where necessary.

How Should Parents Handle Deepfake Incidents

Discovering that your child has been involved in an abusive or malicious deepfake incident, whether as victim, perpetrator or recipient, can be overwhelming and distressing. Parents and guardians are advised to respond with care and support.

Download the “Abuse of AI Deepfakes: Toolkit for Schools and Parents”: https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_deepfake.pdf

(2) Investigation Findings on a CCTV Case (See Annex 2 for details)

The PCPD has completed its investigation into a case involving a fitness centre chain (the Centre) allegedly collecting images of its members by installing a CCTV camera in the proximity of a male restroom at a new branch of the Centre.

The investigation arose from a complaint received by the PCPD after a member of the Centre discovered on 16 July 2025 that a CCTV camera was installed in the proximity of a male restroom of the Ma On Shan branch (the Branch) of the Centre, causing him discomfort and concerns about being recorded while using the restroom. The member therefore lodged a complaint with the PCPD on the next day. The PCPD immediately conducted an onsite inspection at the Branch on 18 July 2025. It also made three rounds of enquiries with the Centre and reviewed the responses and information provided by the Centre.

The investigation revealed that there was a public corridor in the men’s restroom area of the Branch leading to three male restrooms. The Centre stated that about a week prior to the commencement of operation of the Branch, a wooden door originally planned to be installed at the male restroom identified by the complainant was mistakenly installed by the contractor at the entrance of the public corridor outside the men’s restroom area, resulting in the restroom concerned not having its door installed. Under these circumstances, if the video recording function of the camera concerned had been activated, its location and filming angle could have captured images of the area inside the restroom concerned. In respect of this, the Centre confirmed to the PCPD that, at the material time, the camera concerned was still in the installation and system-testing phase, and its video and audio recording functions had not been activated nor had any images been collected. Following the enquiry made by its member on 16 July 2025, the Centre removed the camera on 17 July and covered the entrance of the restroom concerned with a black curtain as an interim measure. Upon the PCPD’s intervention, the Centre implemented the following remedial actions:
(1) Installed a wooden door at the entrance of the restroom concerned to fully enclose the interior of the restroom;
(2) Removed the door mistakenly installed at the entrance of the corridor and placed separate restroom signage outside the three male restrooms; and
(3) Repositioned the CCTV camera to the ceiling outside the entrance of the restroom, ensuring it would not capture any area inside the three restrooms.

Relevant Requirements of the PDPO

Data Protection Principle (DPP) 1(1) of Schedule 1 to the Personal Data (Privacy) Ordinance (PDPO) provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user, and that the data collected shall be necessary, adequate but not excessive in relation to that purpose. DPP 1(2) also provides that the means of personal data collection shall be lawful and fair in the circumstances of the case.

Having considered the circumstances of the case and the information obtained during the investigation, the Privacy Commissioner was of the view that, had the Centre not received the relevant enquiry made by its member, the video and audio recording functions of the relevant CCTV camera might subsequently have been fully activated, thereby collecting images of members inside the restroom concerned. Therefore, although the camera was not yet operational at the material time and thus did not involve the collection of “personal data”, the Privacy Commissioner nevertheless issued an advisory letter to the Centre, reminding it of the requirements under DPPs 1(1) and 1(2) of the PDPO when installing CCTV cameras.

With the advancement of technology, the use of CCTV systems for purposes such as security and surveillance has become increasingly common across different industries. The PCPD earlier published the “Guidance on the Use of CCTV Surveillance” and the “Tips on the Use of CCTV Surveillance” information leaflet to provide practical guidance on how to use CCTV systems responsibly, so as to assist data users in making effective use of technology while ensuring the protection of personal data privacy and compliance with the relevant requirements under the PDPO.

The Guidance and the information leaflet provide an overview of the considerations for deploying CCTV systems, including installing CCTV systems to collect personal data only for lawful purposes directly related to a data user’s functions or activities, avoiding unfair surveillance, considering less privacy-intrusive alternatives, taking all practicable steps to inform potentially affected individuals, deleting footage in a timely manner, and implementing adequate security measures.
- Strengthening Data Security: A Year‑End Review for Organisations
- PRIVACY COMMISSIONER’S FINDINGS: Unauthorised Access to Membership Database
- Protecting Yourself from Online Account Hijacking
- A Debt Collector Arrested for Suspected Doxxing
- Appointments of Two New Members to the Standing Committee on Technological Developments of the PCPD
- PCPD Urges the Public to Beware of Fraudsters Exploiting the Tai Po Fire Disaster
- Free Online Seminars: Introduction to the PDPO
- Arrange an In-house Seminar for Your Organisation
- APPLICATION / RENEWAL OF DPOC MEMBERSHIP
- Advancing AI Security – Privacy Commissioner Publishes an Article in Hong Kong Lawyer
- Connecting with International Community – Privacy Commissioner Interviewed by GovInsider Women
- Reaching Out to the IT Sector – Representatives of the PCPD Visit Cyberport
- Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain Guidance on Handling Abuse of AI Deepfakes and Investigation Findings of a Case Involving the Use of CCTV
- Reaching Out to Legal Professionals – Privacy Commissioner Attends the Pro Bono and Community Service Award Ceremony 2025
- Reaching Out to the Education Sector – Privacy Commissioner Speaks at the 14th Joint Education Conference
- Implementing the Spirit of the Fourth Plenary Session of the 20th CPC Central Committee – PCPD Convenes Learning Session on the Spirit of the Fourth Plenary Session of the 20th CPC Central Committee and Recommendations for the 15th Five-Year Plan
- Caring for the Community – Privacy Commissioner Shares the Latest Information on Fraud Prevention with the Elderly
- Promoting the Responsible Use of CCTV Systems, Drones and In-Vehicle Cameras – Privacy Commissioner Publishes an Article in Hong Kong Lawyer
- Promoting AI Security – PCPD Produces a Short Video on “Checklist on Guidelines for the Use of Generative AI by Employees”
- Enhancing Data Security – PCPD Organises Experience Sharing Session on Data Governance by Privacy-Friendly Awardees
- Promoting AI Security – Assistant Privacy Commissioner Speaks at the Roundtable on AI Entrepreneurship & Law
- Promoting Cross-Boundary Flow of Personal Information – Assistant Privacy Commissioner Speaks at the “Guangdong-Hong Kong-Macao Personal Information Protection Exchange Conference”
- Highlights of the “Draft Regulations on Personal Information Protection of Large Online Platforms” 《大型網絡平台個人信息保護規定(徵求意見稿)》的重點
- EU: Commission Opens Antitrust Investigation on Google and Use of Online Content for AI Purposes
- EU: Beyond the Algorithm – Practical Security Measures for Ensuring Robust and Trustworthy AI
- EU: AI Board Discusses Digital Omnibus and Reviews Priorities for Implementing AI Act
- Rethinking AI as a Privacy Protector – Using Good AI to Defend Against Bad
Strengthening Data Security: A Year‑End Review for Organisations
The close of a calendar year is an ideal time for organisations to review their data protection measures. With cyberattacks becoming more sophisticated, it is essential for data users to critically assess whether their current data security measures remain effective. A thorough review not only strengthens resilience against emerging threats but also reinforces trust with stakeholders who expect the highest standards of data security. What’s more, a robust data security system is an essential element of good data governance, which is increasingly considered an integral part of an organisation's overall corporate social responsibility.
To support this process, organisations should consider the following key areas when reviewing their data security measures:
- Data Governance and Organisational Measures: Establish clear policies and procedures covering data governance and security, including “roles and responsibilities of staff”, “data security risk assessments”, etc. Adequate manpower and training for staff should also be prioritised;
- Risk Assessments: Conduct risk assessments for new systems and applications prior to launch. When necessary, engage third party specialists to identify vulnerabilities and ensure risks are addressed promptly;
- Technical and Operational Security Measures: Implement comprehensive operational safeguards across computer networks, database management, access controls, firewalls and anti-malware solutions, emails and files transfers, and encryption;
- Data Processor Management: Before engaging data processors, assess their competency and reliability. Contracts should stipulate required security measures, and only minimal necessary data should be transferred;
- Remedial Actions in the Event of Data Security Incidents: Timely and effective remedial action can reduce the risks of unauthorised or accidental access, processing, or use of personal data, and mitigate harm to affected individuals. Measures may include stopping and disconnecting the affected systems, changing passwords or ceasing access, changing system configurations, reporting incidents to the PCPD and other law enforcement agencies or regulators; and
- Monitoring, Evaluation and Improvement: Commission an independent task force, such as an internal or external audit team, to monitor compliance with the data security policy and periodically evaluate the effectiveness of the data security measures in place. Take corrective steps to address non-compliance and strengthen weak practices.
Organisations should also pay close attention to the use of cloud services, implement a clear “Bring Your Own Device” policy, and regulate the use of portable storage devices, as these can pose risks to data security.
For more details, please refer to “Guidance on Data Security Measures for Information and Communications Technology”, “Guidance on Cloud Computing” and “Bring Your Own Device (BYOD)” Information Leaflet.
PRIVACY COMMISSIONER’S FINDINGS

Unauthorised Access to Membership Database

Background
An education institution (the Institution) reported to the PCPD that a hacker had exploited a security vulnerability of its plugin software to gain unauthorised access to a membership database on its web server, thereby exfiltrating the personal data of around 1,000 members, including their names, addresses, email addresses and mobile phone numbers.
Remedial Measures
Upon receipt of the notification from the Institution, the PCPD initiated a compliance check and provided recommendations to the Institution to ensure compliance with the provisions of the PDPO. In response to the incident, the Institution suspended the use of the plugin software and ceased storing personal data in the database involved. In addition, the Institution conducted a review of all its plugin source code and patched the vulnerabilities, and deployed a mechanism to monitor changes to the data in the membership database.
Lessons Learnt
While plugin software brings benefits and convenience to information systems, it also increases the risks of information security, including security vulnerabilities, malicious code and improper access control, which may lead to data breach incidents. Organisations with plugin software incorporated in their information systems should take measures to minimise such risks, including installing plugin software only from trusted sources, performing periodic updates and vulnerability scanning exercises for the plugin software, implementing effective access control, and evaluating whether the organisational and technical measures for data security that are originally in place are adequate to mitigate the extra risks associated with the use of plugin software.

Protecting Yourself from Online Account Hijacking

As the year draws to a close, many of us are busy with festive preparations and planning for the new year. However, cybercriminals are just as active during this period, taking advantage of increased online activities to hijack vulnerable online accounts. Whether it’s your email, social media, or banking profile, the consequences of online account hijacking can be severe, ranging from financial loss to identity theft.
Just as organisations are encouraged to review their data security measures, individuals should also take time to review their online safety practices. Here are some simple but effective steps to keep your online accounts secure and your personal data protected:
- Enable two-factor authentication;
- Regularly review the devices linked to your account and log out any unknown connected devices;
- Set a strong password for your voicemail to prevent theft of one-time passwords delivered by voice call;
- Bookmark frequently used websites instead of relying solely on search engines for trustworthy results;
- Beware of any abnormalities in text messages and websites, such as misspelled domains or a mixture of traditional and simplified Chinese characters;
- If you receive a message from a family member or a friend requesting help with bank transfers or remittances, always call to verify the identity and relevant requests;
- Avoid connecting to public Wi-Fi or logging into online accounts on public computers; and
- Avoid disclosing passwords and verification codes casually or scanning QR codes without verifying.

Advancing AI Security – Privacy Commissioner Publishes an Article in Hong Kong Lawyer

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Safeguarding Personal Data Privacy in AI Era: Intersection between Global Developments and Local Efforts” in Hong Kong Lawyer.
In the article, the Privacy Commissioner elaborated on the global trend of anchoring AI innovation in security. The Privacy Commissioner also highlighted the efforts of the PCPD in advancing AI security worldwide, including signing the “Joint Statement on Building Trustworthy Data Governance Frameworks to Encourage Development of Innovative and Privacy-protecting AI” with 19 privacy or data protection authorities worldwide in September this year, as well as co-chairing the Global Privacy Assembly’s “Ethics and Data Protection in AI Working Group” to contribute to international discussions on AI security.
The Privacy Commissioner further pointed out that in active alignment with the national strategy to accelerate AI development, the Chief Executive’s Policy Address this year aptly advocates the wide-scale application and development of AI across different sectors to boost overall efficiency. Another welcome move is the tasking of the Department of Justice with co-ordinating the responsible bureaux to review the relevant law, complementing the development and need for wider application of AI.
Please click here to read the article.

Connecting with International Community – Privacy Commissioner Interviewed by GovInsider Women

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by GovInsider, an Asia-Pacific public sector media platform, for the 2025 report on “Women in GovTech” to share her insights and experiences in advancing digital transformation and promoting trustworthy emerging technologies. The report interviewed over 100 women in the public sector from the Asia-Pacific region who have advanced or influenced the use of government technology in 2025. In the interview, the Privacy Commissioner highlighted that as technology progresses rapidly, she advocates a proactive, balanced and flexible regulatory approach, recognising that the development and safety of new technologies are of equal importance and that it is crucial to prevent or pre-empt irregularities before they occur. To this end, the PCPD has launched multi-pronged initiatives to promote trustworthy emerging technologies, such as by publishing various AI-related guidelines, including the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) and the “Checklist on Guidelines for the Use of Generative AI by Employees” (Guidelines), as well as promoting the “Privacy-Friendly Awards 2025”. The Privacy Commissioner emphasised that protecting personal data privacy helps strengthen public trust in technology and is essential to driving success in innovation in the public sector. Please click here to read the interview.

Reaching Out to the IT Sector – Representatives of the PCPD Visit Cyberport

Privacy Commissioner Ms Ada CHUNG Lai-ling, together with representatives from the PCPD, visited Hong Kong Cyberport Management Company Limited (Cyberport) on 18 December to understand its latest developments. They also visited the “Digital Tech Centre” to experience how AI, blockchain and other cutting-edge technologies are integrated into our daily lives.
During the visit, the Privacy Commissioner exchanged views with Mr Simon CHAN Sai-ming, BBS, JP, Chairman of Cyberport, and Dr Rocky CHENG Chung-ngam, JP, Chief Executive Officer of Cyberport, on advancing Hong Kong’s digital economy and fostering AI safety and development.

Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain Guidance on Handling Abuse of AI Deepfakes and Investigation Findings of a Case Involving the Use of CCTV

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 1’s “HK2000”, RTHK Radio 3’s “Backchat”, Commercial Radio’s “On a Clear Day” and Now News’ “News Magazine” on 18 December. In these interviews, she explained the Toolkit and the investigation findings of a case involving the use of CCTV published by the PCPD.
The Privacy Commissioner noted that children and young people generally lack cybersecurity awareness and, as their cognitive abilities are still developing, they may have limited capacity to distinguish between genuine and false information. To strengthen the protection of their personal data privacy, the PCPD issued the Toolkit to provide schools and parents with advice on how to prevent and respond to deepfake incidents. She added that the PCPD regularly offers relevant training to the education sector, and the training has been well received. This year, the PCPD received five complaints and two enquiries concerning AI deepfakes, some involving individuals creating images using AI deepfakes and seeking the PCPD’s assistance to contact platforms to remove such contents.
Separately, the PCPD has concluded its investigation into a case involving a fitness centre chain (the Centre) which installed a CCTV camera in the proximity of a male restroom at a branch of the Centre. Upon the PCPD’s intervention, the Centre implemented a series of remedial actions. The Privacy Commissioner considered that the incident reflected a lack of awareness of personal data protection on the part of the Centre.
In addition, Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Ms Rebecca HO Kan-yeuk was interviewed by RTHK Radio 3’s “Hong Kong Today” on the investigation findings of the CCTV case.
The interview by RTHK Radio 3’s “Backchat” can be listened to here (01:14-13:58). The interview by RTHK Radio 3’s “Hong Kong Today” can be listened to here (07:54-09:26, 01:09:07-01:12:04). The interview by RTHK News’ “Hong Kong Today” can be listened to here (01:04:47-01:10:02) (Chinese only). The interview by Now News’ “News Magazine” can be viewed here (Part 1, Part 2) (Chinese only).

Reaching Out to Legal Professionals – Privacy Commissioner Attends the Pro Bono and Community Service Award Ceremony 2025

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Pro Bono and Community Service Award Ceremony 2025 of the Law Society of Hong Kong (Law Society) on 12 December and presented prizes at the ceremony. The Law Society has organised the Pro Bono and Community Work Recognition Programme (Programme) since 2010. The key objectives of the Programme are to raise public awareness of the pro bono work provided by members of the Law Society, trainee solicitors, registered foreign lawyers and university law students, as well as to recognise their pro bono efforts and contributions to society. The Privacy Commissioner has served as a member of the judging panel for the Distinguished Pro Bono Service Award for years.

Reaching Out to the Education Sector – Privacy Commissioner Speaks at the 14th Joint Education Conference

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 14th Joint Education Conference organised by the Union of Government Primary School Headmasters and Headmistresses and the Union of Deputy Heads of Government Primary Schools on 12 December and delivered a keynote speech. The event attracted over 100 headmasters, headmistresses and deputy heads from Government primary schools.
In the speech titled “Strategies for Enhancing AI Governance and Preventing Personal Data Breaches in the Education Sector”, the Privacy Commissioner elaborated on the risks posed to personal data privacy in the use of AI by schools, and introduced the Guidelines and the Model Framework published by the PCPD. In addition, she shared lessons learnt from some data breach cases involving schools, and explained the causes of the data breach and the remedial measures taken.
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).

Implementing the Spirit of the Fourth Plenary Session of the 20th CPC Central Committee – PCPD Convenes Learning Session on the Spirit of the Fourth Plenary Session of the 20th CPC Central Committee and Recommendations for the 15th Five-Year Plan

The PCPD convened a learning session on the spirit of the Fourth Plenary Session of the 20th Central Committee (Plenary Session) of the Communist Party of China (CPC) and the Recommendations for Formulating the 15th Five-Year Plan (Recommendations) on 10 December. Privacy Commissioner Ms Ada CHUNG Lai-ling and the Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) Ms Joanne WONG spoke at the session, enabling colleagues of the PCPD to gain a deeper understanding of the spirit of the Plenary Session and the key contents of the Recommendations. At the session, colleagues of the PCPD learnt about and discussed the contents of the “Recommendations of the CPC Central Committee for Formulating the 15th Five-Year Plan for National Economic and Social Development” deliberated and adopted at the Plenary Session, including the Country’s major achievements during the 14th Five-Year Plan period and the major objectives and key tasks for economic and social development for the 15th Five-Year Plan period. The Privacy Commissioner also highlighted aspects such as personal information protection, cybersecurity and AI governance in the Recommendations, and explained how to implement the relevant Recommendations in the PCPD’s daily work.

Caring for the Community – Privacy Commissioner Shares the Latest Information on Fraud Prevention with the Elderly

Privacy Commissioner Ms Ada CHUNG Lai-ling, together with the Volunteer Team of the PCPD, attended the Members’ Assembly of the Wan Chai Methodist Centre for the Seniors on 3 December to show their care for the elderly. In the event, the Privacy Commissioner shared the latest information on fraud prevention and practical tips with around 200 elders to enhance their vigilance. She also highlighted the recent emergence of phishing SMS messages impersonating charitable organisations and purporting to solicit donations for victims of the Tai Po fire disaster in an attempt to lure the public into clicking embedded links that lead to fraudulent fundraising websites designed to rip off donations.

Promoting the Responsible Use of CCTV Systems, Drones and In-Vehicle Cameras – Privacy Commissioner Publishes an Article in Hong Kong Lawyer

Privacy Commissioner Ms Ada CHUNG Lai-ling earlier published an article titled “Safeguarding Privacy in a Tech-Driven World: The PCPD’s New Guidelines on the Use of CCTV Surveillance and Video Cameras on Drones and Vehicles” in Hong Kong Lawyer. In the article, the Privacy Commissioner introduced the “Guidance on the Use of CCTV Surveillance” and the “Guidance on the Use of Video Cameras on Drones and Vehicles” published by the PCPD in view of the rapid development of the low-altitude economy and smart surveillance technologies. The Privacy Commissioner highlighted the practical recommendations and best practices for safeguarding personal data privacy in compliance with the relevant requirements of the PDPO when using CCTV systems, drones and in-vehicle cameras. Please click here to read the article.

Promoting AI Security – PCPD Produces a Short Video on “Checklist on Guidelines for the Use of Generative AI by Employees”

The PCPD has produced a short video to promote the Guidelines published by the PCPD earlier.
The video adopts a lively format, with explanations provided by an animated mascot, “Data Guardian”, to illustrate the recommended aspects that organisations should cover in their internal policies or guidelines on the use of generative AI by employees. The aspects include:
- Scope of permissible use of Gen AI;
- Protection of personal data privacy;
- Lawful and ethical use and prevention of bias;
- Data security; and
- Consequences for violations of policies or guidelines.
The video can be viewed on the PCPD’s website, YouTube channel and social media platforms.
Please click here to watch the video.

Enhancing Data Security – PCPD Organises Experience Sharing Session on Data Governance by Privacy-Friendly Awardees

To promote strong data governance and foster a privacy-centric culture within enterprises, the PCPD has launched a series of experience sharing sessions for organisations featuring Outstanding Gold Awardees of the “Privacy-Friendly Awards 2025”. The first session, titled “From Policy to Practice: Experience Sharing Session on Data Governance by Privacy-Friendly Awardees 2025” (Sharing Session), was successfully held on 2 December, attracting nearly 200 participants from various sectors, including government/public bodies, property management, banking, insurance and information technology. At the Sharing Session, representatives of the Outstanding Gold Awardees of the “Privacy-Friendly Awards 2025”, including the Census and Statistics Department, the Digital Policy Office, the Hong Kong Genome Institute and the Hongkong Electric Company, Limited, shared their hands-on experiences and practical insights in implementing data governance policies to responsibly manage vast amounts of personal data of members of the public. They also demonstrated how privacy protection is embedded into their daily operations, with measures introduced to strengthen data security in response to emerging privacy challenges.

Please click here for the presentation deck of the Census and Statistics Department (Chinese only). Please click here for the presentation deck of the Digital Policy Office. Please click here for the presentation deck of the Hong Kong Genome Institute. Please click here for the presentation deck of the Hongkong Electric Company, Limited.

Promoting AI Security – Assistant Privacy Commissioner Speaks at the Roundtable on AI Entrepreneurship & Law

The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD, Ms Joanne WONG, attended the Roundtable on AI Entrepreneurship & Law under the theme of “Navigating the Legal Frontier: Building and Regulating AI Ventures in Hong Kong” on 17 December. The event was co-organised by eBRAM International Online Dispute Resolution Centre Limited and the Education University of Hong Kong. At the event, Ms WONG spoke on the panel titled “The Regulatory Tightrope: Liability, Ethics, and Governance”, where she provided an overview of the six DPPs under the PDPO. She also explored the interplay between artificial intelligence and personal data privacy, and highlighted the key recommendations and best practices from the PCPD’s Model Framework.
Promoting Cross-Boundary Flow of Personal Information – Assistant Privacy Commissioner Speaks at the “Guangdong-Hong Kong-Macao Personal Information Protection Exchange Conference”
The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) Ms Joanne WONG attended the “Guangdong-Hong Kong-Macao Personal Information Protection Exchange Conference” (Conference) on 26 November and delivered a speech. The Conference was organised by the Guangdong Cyber Data Security and Personal Information Protection Association. The theme of the Conference was “Safeguarding Personal Information, Building a Secure Bay Area”. In her speech, Ms WONG explained the importance of safe cross-boundary flow of personal data in contributing to the development of a digital economy in the Greater Bay Area and introduced to the participants the essential parts of the “Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”.
A Debt Collector Arrested for Suspected Doxxing
The PCPD arrested a 41-year-old Chinese male in the New Territories on 29 December. The arrested person was suspected of having disclosed the personal data of the data subject without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim took out a loan from another person (the Lender) in 2007 for business needs, and repaid the loan with interest over the following few years. The Lender passed away in 2023, and his family member subsequently demanded an additional repayment of HK$6,000,000 from the victim as interest and to reflect exchange rate fluctuations, which the victim was unable to pay. In August 2025, a banner and flyers containing the personal data of the victim were displayed on two occasions outside the residential estate where the victim resided, making negative comments about the victim and alleging that the victim had failed to repay his debt. The personal data disclosed included the victim’s Chinese name, residential address and photo, as well as a partly redacted copy of the victim’s Hong Kong Identity Card showing his Chinese and English names, date of birth, gender and photo. The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is not a means of resolving disputes, as it only escalates conflicts. Moreover, identity cards contain sensitive personal data. Any reckless or intentional disclosure of copies of identity cards without the data subjects’ consent may constitute a doxxing offence. An offender is liable on conviction to a fine of up to HK$1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if —
- the person discloses any personal data of a data subject without the relevant consent of the data subject —
  - with an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means —
a. harassment, molestation, pestering, threat or intimidation to the person;
b. bodily harm or psychological harm to the person;
c. harm causing the person reasonably to be concerned for the person’s safety or well-being; or
d. damage to the property of the person.
Appointments of Two New Members to the Standing Committee on Technological Developments of the PCPD
On 29 December, Privacy Commissioner Ms Ada CHUNG Lai-ling announced the appointment of Dr Welland CHU and Mr Edmond LAI as members of the Standing Committee on Technological Developments (SCTD) of the PCPD for a term of two years from 1 January 2026 to 31 December 2027. Dr Welland CHU is a cybersecurity specialist. With over 32 years of experience in the cybersecurity industry, Dr CHU’s work involves the execution of cloud migrations, the conduct of independent cybersecurity and privacy impact assessments, the implementation of fintech and traditional payment systems, and personal data privacy protection programmes. Mr Edmond LAI is the Chief Digital Officer of the Hong Kong Productivity Council. He is an expert in the application of Industry 4.0 (i4.0) and smart technologies with over 20 years of experience at a multinational corporation. Mr LAI is familiar with trends in the digital market and emerging industries, and possesses extensive experience in local and overseas business expansion. Separately, three incumbent members, namely Dr Gregg LI, Prof the Hon William WONG Kam-fai, MH and Prof S M YIU, have been re-appointed to the SCTD as members for the period from 1 January 2026 to 31 December 2027. The Privacy Commissioner would also like to take this opportunity to express her sincere gratitude to all members of the SCTD, in particular the outgoing members, Ir Alex CHAN and Adjunct Prof Jason LAU, for their invaluable contributions and advice to the SCTD over the years. With effect from 1 January 2026, the members of the SCTD (in alphabetical order of surname) are as follows:
- Ms Ada CHUNG Lai-ling, SBS (Privacy Commissioner) (Co-chairperson)
- Ms Joanne WONG (Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research)) (Co-chairperson)
- Dr Alan CHEUNG
- Dr Welland CHU (new member)
- Mr Edmond LAI (new member)
- Prof Gregg LI
- Prof the Hon William WONG Kam-fai, MH
- Prof Dit-yan YEUNG
- Prof S M YIU
The SCTD was established to advise the Privacy Commissioner on, among other things, the impacts of the developments in the processing of data and information technology on the privacy of individuals in relation to personal data. It comprises distinguished external members of exceptional calibre from the information and communications technology industry, particularly experts in fields such as information security, cybersecurity and artificial intelligence. The diversity of experts from academic and corporate backgrounds also ensures a broad representation of perspectives and insights, which assists the Privacy Commissioner in formulating policies and recommendations to address technological developments while safeguarding privacy in relation to personal data.
PCPD Urges the Public to Beware of Fraudsters Exploiting the Tai Po Fire Disaster
The PCPD has noted that fraudsters are exploiting the Tai Po fire disaster by impersonating volunteers and using a fraudulent “Tai Po Wang Fuk Court Victims Registration Form” to defraud victims of their personal data, including Chinese and English names, Hong Kong Identity Card numbers, telephone numbers, as well as bank account and credit card information, such as account numbers, credit card numbers, ATM card numbers and verification codes. Furthermore, some members of the public have received phishing SMS messages purporting to be from charitable organisations soliciting donations for victims of the Tai Po fire disaster. These messages attempt to lure members of the public into clicking embedded links that lead to fraudulent fundraising websites designed to steal donations. Privacy Commissioner Ms Ada CHUNG Lai-ling strongly condemns fraudsters for exploiting the disaster to perpetrate fraud and reminds the victims and the public to stay vigilant. They should verify the authenticity of the relevant registration forms and should never provide any bank account passwords or verification codes. Victims can apply for relevant assistance through the “one social worker per household” service. Members of the public who receive suspected fraudulent SMS messages or telephone calls should verify the authenticity of the senders or relevant organisations. Citizens who wish to make donations to the victims are advised to do so only through the bank accounts provided by official channels (such as the bank account set up by the HKSAR Government for the “Support Fund for Wang Fuk Court in Tai Po”, https://www.info.gov.hk/gia/general/202511/27/P2025112700767.htm). The PCPD offers the following tips to the public to safeguard their personal data privacy and property, and to stay vigilant against scams:
- Be vigilant: Think twice before providing any personal data. Avoid clicking on or scanning suspicious links and QR codes, or logging into any suspicious websites;
- Authenticate the identities of senders: Even if the senders can provide your personal data in their SMS messages, if you are in doubt about their identities, you should verify the authenticity of the senders or relevant organisations through other contact methods;
- Protect your account information: Never disclose your bank account verification codes, passwords and credit card security codes to anyone. If you are in doubt, change the passwords of your online banking accounts immediately and enable two-factor authentication (if available); and
- Fraud prevention information: Pay attention to the fraud prevention information published by the PCPD, the Police or relevant organisations. Share the information with friends and relatives to enhance their awareness of fraud prevention.
Anyone who receives suspected fraudulent SMS messages or telephone calls may make enquiries or lodge complaints with the PCPD (Telephone: 2827 2827 or email: communications@pcpd.org.hk). If there is any suspicion of fraud on personal data which involves criminal offence(s), they should immediately report the case to the Police. Citizens may also visit “Scameter” (https://cyberdefender.hk/en-us/scameter/) to check suspicious phone numbers, email addresses and websites, etc. The PCPD expresses profound grief over the serious casualties caused by the Tai Po fire disaster and extends heartfelt condolences to the deceased and to the firefighter who made the ultimate sacrifice in the line of duty. We extend our deepest sympathies to all affected families and wish the injured a speedy recovery. The PCPD also pays the highest tribute to the firefighters and rescue personnel for their selfless dedication. The PCPD remains committed to providing the assistance and support needed during this difficult period.
Highlights of the “Draft Regulations on Personal Information Protection of Large Online Platforms”
To regulate the personal information processing activities of large online platforms, the Cyberspace Administration of China and the Ministry of Public Security jointly released the “Draft Regulations on Personal Information Protection of Large Online Platforms” (《大型網絡平台個人信息保護規定(徵求意見稿)》) (Draft Regulations) for public consultation on 22 November 2025 [1]. The Draft Regulations require large online platforms to designate a person in charge of personal information protection and to establish a personal information protection unit. They also set out detailed requirements on the storage of data, the right to personal information portability, and personal information protection compliance audits and risk assessments. The consultation period ended on 22 December 2025. The highlights of the Draft Regulations are as follows:
Definition of a large online platform [2]
The Draft Regulations identify large online platforms mainly by the following factors:
- having 50 million or more registered users, or 10 million or more monthly active users;
- providing important network services, or having a scope of business covering multiple types of business;
- holding and processing data which, if leaked, tampered with or destroyed, would have a significant impact on national security, the operation of the economy, national welfare and people’s livelihood, etc.
The Draft Regulations also provide that the national cyberspace authority, together with the public security authority of the State Council and other relevant authorities, will formulate and publish a catalogue of large online platforms and update it dynamically.
Person in charge of personal information protection [3]
Under the Personal Information Protection Law (PIPL), a personal information processor whose volume of personal information processed reaches the threshold prescribed by the national cyberspace authority must designate a person in charge of personal information protection [4]. The Draft Regulations set out more detailed requirements on the qualifications and duties of that person: for example, the role should be held by a member of the management of the large online platform service provider who is a Chinese national, holds no right of permanent residence abroad and has at least five years of relevant work experience. The duties include guiding the platform in carrying out personal information processing activities in compliance with the law and participating in decision-making on matters relating to the platform’s personal information processing. The person in charge may report directly to the national cyberspace authority and other authorities on the platform service provider’s personal information protection situation.
Personal information protection unit
The Draft Regulations require a large online platform service provider to designate a personal information protection unit to carry out personal information protection work under the leadership of the person in charge of personal information protection, such as formulating and implementing internal personal information protection management systems, conducting personal information security risk assessments, and supervising the performance of personal information protection obligations [5]. The provider must give the person in charge and the unit the support necessary to perform their duties, and must report the relevant information to the national cyberspace authority in a timely manner [6].
Requirements on data storage and data centres
The Draft Regulations require a large online platform service provider to store personal information collected and generated in the course of its operations within the territory of China in data centres located within the territory of China. The security of the data centre must meet the relevant national standards, and its principal person in charge must also be a Chinese national with no right of permanent residence abroad [7]. The data centre must assist the provider in performing its personal information protection obligations, for example by immediately notifying the provider’s person in charge of personal information protection when a personal information security incident occurs and promptly activating the emergency response plan [8]. Where a provider entrusts a third-party data centre with the storage of personal information, it must sign a contract with that data centre specifying the security requirements and responsibilities listed in the Draft Regulations [9].
Detailed provisions on the right to personal information portability [10]
The Draft Regulations also provide more detailed rules for implementing the right to personal information portability [11]: for example, a large online platform service provider must transfer the personal information in a commonly used, machine-readable format within 30 working days of receiving a request. Where an individual repeatedly requests the transfer of personal information, the provider may charge a necessary fee based on the cost of the transfer.
Personal information protection compliance audits and risk assessments
The Draft Regulations provide that a large online platform service provider must, in accordance with the relevant national provisions [12], carry out personal information protection compliance audits, risk assessments and similar activities, either by itself or by engaging a third-party professional institution, and rectify the problems found [13]. The engaged third-party professional institution must be registered within the territory of China [14]; if it finds that the provider’s personal information processing activities pose a significant security risk or involve a violation of laws or regulations, it may report directly to the national cyberspace authority and the public security authorities [15].
Conclusion
The Draft Regulations set out numerous requirements for large online platforms, covering internal governance, data security, the transfer of personal information and compliance audits, so as to regulate the personal information processing activities of large online platforms, protect the lawful rights and interests in personal information, and promote the healthy development of the platform economy. Platform service providers concerned should read the requirements carefully and take corresponding measures once the Draft Regulations are finalised.
1 Full text: https://www.cac.gov.cn/2025-11/22/c_1765543463511624.htm
2 Article 3 of the Draft Regulations.
3 Article 5 of the Draft Regulations.
4 Article 52 of the PIPL.
5 Article 6 of the Draft Regulations.
6 Articles 7 to 8 of the Draft Regulations.
7 Article 10 of the Draft Regulations.
8 Article 11 of the Draft Regulations.
9 Article 12 of the Draft Regulations.
10 Article 14 of the Draft Regulations.
11 Article 45 of the PIPL provides: “Where an individual requests that his or her personal information be transferred to a personal information processor designated by him or her, and the conditions prescribed by the national cyberspace authority are met, the personal information processor shall provide a means of transfer.”
12 The PIPL, the Regulations on Network Data Security Management and the Measures for the Administration of Personal Information Protection Compliance Audits all contain provisions on personal information protection compliance audits. For details, please refer to the article in this column in March 2025.
13 Article 15 of the Draft Regulations.
14 Article 16 of the Draft Regulations.
15 Article 17 of the Draft Regulations.
Professional Workshop on Data Protection in Insurance
Insurance practitioners handle a large amount of customers’ personal data, including customers’ names, telephone numbers, addresses, identity card numbers, etc., in their daily operations. Therefore, a proper understanding of the requirements under the PDPO is necessary.
This workshop will examine core concepts of practical data protection compliance illustrated by specific scenarios to highlight potential problems and their resolution. Participants will also engage in discussion of real cases relating to the handling of personal data in different aspects of insurance work.
Date: 7 January 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Hong Kong Institute of Bankers)
Who should attend: Insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the insurance industry
Professional Workshop on Personal Data Privacy Management Programme
With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations.
By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations.
Date: 14 January 2026 (Wednesday)
Time: 2:15pm – 4:15pm
Mode: Online
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 2 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices
Professional Workshop on Data Protection in Direct Marketing Activities
Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility.
This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO, provide participants with practical guidance on compliance, and share conviction cases relating to direct marketing, with the aim of helping participants understand how to properly use customers’ personal data in direct marketing activities.
Date: 28 January 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals
New Series of Professional Workshops on Data Protection from Feb to Mar 2026:
Online Free Seminars – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.