PCPD e-NEWSLETTER
ISSUE Jan 2026
Privacy Commissioner’s Office Officially Launches
Commemorative Events in Celebration of its 30th Anniversary
|
The USCMA, Mr Clement WOO Kin-man, MH, JP (middle), the School Principal of St. Francis’ Canossian School, Mrs Wendy TING (fourth right), Privacy Commissioner Ms Ada CHUNG Lai-ling (fourth left), the Deputy Secretary for Constitutional and Mainland Affairs, Mr Raymond SY Kim-cheung, JP (third left), members of the PCPD’s Personal Data (Privacy) Advisory Committee, Mr LAW Fai (third right) and Mr Joseph LIN Ho-man, MH (second left), former member of the PCPD’s Standing Committee on Technology Development, Adjunct Professor Jason LAU (second right) and member Dr Welland CHU (first left), and the Curriculum Development Officer (Technology Education) of the Education Bureau, Ms FAN Hui-yee (first right), took a group photo.
|
The PCPD was established in August 1996, and this year marks its 30th anniversary. Under the celebration theme of “Protecting Privacy ‧ Embracing Innovation”, the PCPD would roll out a series of educational and promotional initiatives throughout the year. These include a Touring Musical for Primary Schools, the PCPD 30th Anniversary Radio Broadcast Campaign, AI Security and Cybersecurity Summit for Enterprises, the PCPD 30th Anniversary Privacy Protection Summit, the AI and Privacy Protection Training Series, as well as other promotional and educational activities for organisations and members of the public. The PCPD seeks to work hand in hand with all sectors of the community to navigate the challenges and opportunities of the digital era. On 21 January 2026, the Under Secretary for Constitutional and Mainland Affairs (USCMA), Mr Clement WOO Kin-man, MH, JP, attended the first celebratory event of the PCPD’s 30th anniversary, namely the performance of the Touring Musical for Primary Schools titled “Privacy Theatre: Stay Smart with AI”. Mr WOO took the opportunity to congratulate the PCPD on its 30th anniversary and expressed gratitude for its dedication over the years in safeguarding the personal data privacy of citizens.
Touring Musical for Primary Schools titled “Privacy Theatre: Stay Smart with AI” Kicks Off the Celebratory Events
The first celebratory event is a brand-new touring musical for primary schools titled “Privacy Theatre: Stay Smart with AI”. The musical is about the story of a Primary Five student who faces cyberbullying after she has overlooked privacy risks when she used AI tools and social media, causing distress to herself, her family and friends. Through the musical, the PCPD hopes to guide students to learn how to use AI safely, to exercise caution when engaging with social media, and to say “NO” to cyberbullying and doxxing. The musical is one of the key initiatives of the PCPD 30th Anniversary “Privacy Campaign for Primary Schools”. With the support of the Education Bureau, the musical would be performed in 30 primary schools across Hong Kong during this academic year.
The PCPD hosted a special musical performance on 21 January and invited the USCMA, Mr Clement WOO Kin-man, MH, JP, to officiate the event. Other guests included the School Principal of St. Francis’ Canossian School, Mrs Wendy TING, the Deputy Secretary for Constitutional and Mainland Affairs, Mr Raymond SY Kim-cheung, JP, members of the PCPD’s Personal Data (Privacy) Advisory Committee, Mr LAW Fai and Mr Joseph LIN Ho-man, MH, former member of the PCPD’s Standing Committee on Technology Development, Adjunct Professor Jason LAU and member Dr Welland CHU and the Curriculum Development Officer (Technology Education) of the Education Bureau, Ms FAN Hui-yee. The guests enjoyed the show together with over 330 Primary One to Three students. During the event, Privacy Commissioner Ms Ada CHUNG Lai-ling also led an interactive quiz session with the students and participated in the musical performance to enhance students’ awareness of the protection of personal data privacy.
30th Anniversary Logo Design
The PCPD has introduced a new 30th Anniversary logo, designed around a “lock” motif. The design signifies the PCPD’s role as a strong and resilient “lock” in safeguarding personal data privacy in an increasingly complex digital era. The lock also symbolises security, representing the PCPD’s commitment to promoting AI security and data security, assisting organisations and the public in using emerging technologies safely.
|
PCPD 30th Anniversary – Presents Premiere of Radio Broadcast Campaign
|
To raise public and organisations’ awareness of safeguarding personal data privacy, data security and artificial intelligence (AI) security, the PCPD launches a radio broadcast campaign on 26 January as one of the celebratory events of the 30th Anniversary of the establishment of the PCPD.
The campaign comprises two series:
- Series One – “Happy Sharing on Digital Security”
The PCPD has invited representatives from the winning organisations of the “Privacy-Friendly Awards 2025” to engage in a dialogue with Mr Ken KWOK Chi-yan, Commercial Radio 1 (CR1) Program Host, to discuss their hands-on experiences in safeguarding data security and AI security. The representatives include Mr Leo YU Chun-keung, JP, Commissioner for Census and Statistics, Ms Karen SO, Chief Executive Officer of Swire Coca-Cola, Mr Raymond CHOI, Operations Director of The Hongkong Electric Company, Limited, Mr Thomas WAN, Managing Director of TOPPAN Edge (Hong Kong) Limited, and Mr Peter LAW, General Manager, Legal & Compliance and Operational Risk Management Department of Bank of China (Hong Kong) Limited. Privacy Commissioner Ms Ada CHUNG Lai-ling will also share some tips on how organisations can strengthen their protection of personal data privacy.
The first episode of “Happy Sharing on Digital Security” features the Census and Statistics Department, winner of the Outstanding Gold Award and the Best Data Protection Officer Award at the “Privacy-Friendly Awards 2025”. The episode was first broadcast on 26 January during the programme “On a Clear Day” on CR1 and would be broadcast at other time slots.
- Series Two – “Privacy Classroom”
The PCPD has engaged Mr Stephen CHAN Chi-wan, CR1 Program Host, and Ms Bonnie WONG Ching-yi (Ah Jeng), CR2 Program Host, to play different roles on air so as to offer practical tips on topics like the use of AI, fraud prevention and combatting doxxing offences. The series aims to strengthen public awareness of personal data privacy protection. The “Privacy Classroom” will be broadcast on CR1 and CR2 starting from April.
|
|
|
Safeguarding Personal Data Privacy, Safeguarding Reputation: Why Organisations Need a Privacy Management Programme
|
|
PRIVACY COMMISSIONER’S FINDINGS
|
A Former Employee of a Pet Grooming Company Accessed the Online Retail System via the Accounts of Existing Employees
|
|
Guarding Your Digital Footprint: Tips for Personal Data Security
|
|
|
As Chinese New Year Approaches, PCPD Urges Vigilance Against Fraudulent Advertisements Recruiting Construction Workers
|
HKMA and PCPD Strengthen Collaboration to Combat Fraud and Safeguard Personal Data
|
The PCPD Expresses Concern over AI Chatbot Grok Being Used to Generate Indecent Content and Reminds the Public to Use AI Safely
|
A 46-year-old Male Arrested for Suspected Doxxing of a Person Engaged in Cross-boundary Vehicle Business
|
Free Online Seminars: Introduction to the PDPO
|
Arrange an In-house Seminar for Your Organisation
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Introduce the PCPD’s 30th Anniversary Celebratory Events
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Sing Tao Daily – Reviewing 30 Years of the Work of the PCPD and Promoting “Protecting Privacy ‧ Embracing Innovation”
|
Reaching Out to the Insurance Sector – Privacy Commissioner Attends Hong Kong Federation of Insurers Cocktail Party 2026
|
Reaching Out to the IT Sector – Privacy Commissioner Attends the Cybersecurity Symposium
|
Reaching Out to the Education Sector – Privacy Commissioner Speaks at the Education Seminar and the Inauguration Ceremony of the 22nd Council of the Hong Kong Aided Primary School Heads Association
|
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the China Conference: Greater Bay Area
|
Reaching Out to the Community – Privacy Commissioner Attends the Hong Kong Volunteer Award Presentation Ceremony cum Forum 2025
|
Implementing the Spirit of the Fourth Plenary Session of 20th CPC Central Committee – Privacy Commissioner Publishes an Article on Supporting the Proactive Integration into and Serving the Overall National Development
|
Promoting AI Security – Assistant Privacy Commissioner Speaks at AIM Conference
|
Reaching Out to the Community – PCPD’s Representative Interviewed by Media to Explain New Guidance on Handling Abuse of AI Deepfakes
|
|
Highlights of the “Draft Interim Measures on the Administration of Human-like Interactive Artificial Intelligence Services” (《人工智能擬人化互動服務管理暫行辦法(徵求意見稿)》)
|
EU: Commission Proposes New Cybersecurity Package
|
EU: EDPB and EDPS Publish Joint Opinion on Digital Omnibus on AI Regulation Proposal
|
UK: ICO Publishes Updated Guidance on International Transfers
|
New Year, New Rules: US State Privacy Requirements Coming Online as 2026 Begins
|
|
|
The “AI Security and Cybersecurity Summit for Enterprises”, co-organised by the PCPD and Hong Kong Internet Registration Corporation Limited (HKIRC), will be held on 31 March (Tuesday). Save the date and stay tuned for more details!
|
|
|
Safeguarding Personal Data Privacy, Safeguarding Reputation: Why Organisations Need a Privacy Management Programme
|
As we usher in a new year, organisations are encouraged to re-examine and recalibrate their personal data privacy policies. In an era of heightened public awareness and rising expectations around personal data protection, it is no longer sufficient to regard privacy merely as a matter of regulatory compliance.
Since 2014, the PCPD has been advocating that organisations should develop their own Privacy Management Programme (PMP). Organisations should embrace personal data protection as part of their corporate governance responsibilities and apply them as a business imperative throughout the organisation, starting from the boardroom.
The benefits of implementing a PMP are manifold. It enables organisations to manage the personal data they collect with greater efficiency, ensures compliance with the Personal Data (Privacy) Ordinance (PDPO), and minimises the risk of data breaches and the damages that may follow. Beyond risk mitigation, a PMP fosters trust with clients, strengthens organisational reputation, and enhances competitiveness in an increasingly data driven digital landscape.
Below are the recommended components for organisations to consider when developing a comprehensive PMP, including:
1. Organisational Commitment
- Buy-in from the top;
- Appointment of Data Protection Officer/establishment of Data Protection Office; and
- Establishment of reporting mechanisms.
2. Programme Controls
- Personal data inventory;
- Internal policies on personal data handling;
- Risk assessment tools;
- Training, education and promotion;
- Handling of data breach incident;
- Data processor management; and
- Communication.
3. Ongoing Assessment and Revision
- Development of an oversight and review plan; and
- Assessment and revision of programme controls.
For more details, please refer to the “Privacy Management Programme: A Best Practice Guide”.
|
|
|
PRIVACY COMMISSIONER’S FINDINGS
|
A Former Employee of a Pet Grooming Company Accessed the Online Retail System via the Accounts of Existing Employees
|
Background
A pet grooming company (the Company) reported to the PCPD that a former employee had accessed its online retail system (the System), which contained the personal data of more than a thousand customers, by using the login credentials of existing employees. The former employee subsequently sent messages to the customers inviting them to patronise another pet grooming company. The personal data involved included names, Hong Kong Identity (HKID) Card numbers, dates of birth, email addresses, telephone numbers, employment records, and social media account information.
The Company revealed that the phone numbers of employees were used as default account passwords during account creation of the System. The employees, however, were verbally reminded to change the default passwords after the first login. The former employee, who was aware of the password management practice, exploited the passwords of other employees (i.e. their phone numbers) to gain remote access to the System after his departure from the Company.
Remedial Measures
Upon receipt of the notification from the Company, the PCPD initiated a compliance check and provided recommendations to the Company to ensure compliance with the provisions of the PDPO. To prevent the recurrence of similar incidents, the Company changed the account passwords of all employees, who would be further required to change their passwords under the witness of their supervisors on a half-yearly basis. In addition, randomly generated passwords comprising eight letters and numbers would be allocated to new recruits. Remote access to the System was also disabled.
Lessons Learnt
With regard to password management, organisations should avoid using personal data (such as names, dates of birth and phone numbers, etc.) of staff members as default account passwords and should implement effective measures to manage user passwords. This includes setting rules for password length, complexity, and history, and ensuring that users follow best practices for password security. Organisations should also consider setting an account lockout threshold policy to limit the number of failed logins to information and communications systems, and to lock out the user accounts for a pre-determined period of time when the threshold has been reached.
|
Guarding Your Digital Footprint: Tips for Personal Data Security
|
As the new year begins, individuals should take stock of their own digital practices. In an era where personal data has become a valuable asset, every careless click, unguarded password, or impulsive disclosure can open the door to fraud, identity theft, or reputational damage. The start of the year is therefore an ideal moment for each of us to pause, reflect, and adopt more responsible practices in handling our own personal data.
Below are practical Do’s and Don’ts designed to help you strengthen your personal data protection habits in everyday life.
Do’s for Handling Personal Data
- Handle your account and password with care;
- Encrypt sensitive personal data when transmitting personal data over public networks such as the Internet;
- Always be wary when giving out sensitive personal data or account information over the Internet. Banks and financial institutions seldom ask for your personal data or account information via email or over the web; and
- Verify the legitimacy of the websites of hosting organisations before giving information, e.g. check the website certificate before conducting online transactions or purchases.
Don’ts for Handling Personal Data
- Don’t forget to check the privacy policies of websites to ensure that any personal data you provide will be properly used and protected;
- Don’t reply or click on any links embedded in unexpected emails e.g. emails asking you to log into your account in order to confirm its usage. If you are uncertain about such emails, check directly with the company or bank;
- Don’t store any personal data or sensitive information on a public computer, especially if it is shared with others;
- Don’t disclose personal data, such as your name, email addresses or passwords, in a careless manner;
- Don’t submit personal data online that is irrelevant to the stated purposes of collection; and
- Don’t post personal data in forums or chat areas that may be viewed by many people.
|
|
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Introduce the PCPD’s 30th Anniversary Celebratory Events
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 3’s “Backchat” on 28 January, where she introduced a series of celebratory events marking the PCPD’s 30th anniversary.
This year witnesses the 30th anniversary of the PCPD. During the interview, the Privacy Commissioner said that the PCPD has committed to discharging its roles and functions under the PDPO in order to actively safeguard the personal data privacy of members of the public. She noted that since the establishment of her Office in 1996, the number of complaints received by the PCPD has continued to rise. This reflected the PCPD’s success in building its public profile, which in turn encouraged members of the public to seek assistance from the PCPD, and laid a solid foundation for the protection of personal data privacy in Hong Kong.
The Privacy Commissioner pointed out that under the 30th anniversary celebration theme “Protecting Privacy • Embracing Innovation,” the PCPD would roll out a series of educational and promotional initiatives throughout the year. These include a Touring Musical for Primary Schools titled “Privacy Theatre: Stay Smart with AI”, the PCPD 30th Anniversary Radio Broadcast Campaign, AI Security and Cybersecurity Summit for Enterprises, the PCPD 30th Anniversary Privacy Protection Summit, as well as the AI and Privacy Protection Training Series.
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Sing Tao Daily – Reviewing 30 Years of the Work of the PCPD and Promoting “Protecting Privacy ‧ Embracing Innovation”
|
The PCPD will celebrate the 30th anniversary of its establishment this August. During a recent interview by Sing Tao Daily, Privacy Commissioner Ms Ada CHUNG Lai-ling reviewed the PCPD’s work in protecting the personal data privacy of Hong Kong citizens over the three decades. She also outlined the development of the PCPD under the celebration theme of “Protecting Privacy ‧ Embracing Innovation”.
The Privacy Commissioner noted that since the PCPD’s establishment in 1996, the number of complaints received by the PCPD has continued to rise – from only 227 cases in 1997 to an average of around 3,500 cases annually in recent years. Data breach notifications have likewise increased, from 30 cases in 2010 to 246 cases in 2025. She said that over the years, the PCPD has established a comprehensive mechanism for handling complaints, public enquiries, conducting compliance checks and investigations, which enabled it to effectively handle major data breach incidents and other matters of public concern, including the Octopus case, the Cathay Pacific data breach incident and the 2019 doxxing cases.
The Privacy Commissioner added that the PDPO was amended twice over the past 30 years to strengthen the regulation of direct marketing and to combat doxxing. The amendments reflected the Government’s support and commitment to the protection of personal data privacy. At the same time, the role of the PCPD has evolved from that of a traditional regulator to being also a facilitator and an educator. Such roles can be demonstrated by the PCPD’s involvement in formulating the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong), which facilitates the cross-boundary flow of personal information. The PCPD also serves as co‑chair of the Ethics and Data Protection in Artificial Intelligence Working Group and the International Enforcement Cooperation Working Group of the Global Privacy Assembly, which helps to strengthen the position of Hong Kong and the Country in the international arena.
To mark its 30th anniversary, the PCPD would roll out a series of celebratory events, including a Touring Musical for Primary Schools titled “Privacy Theatre: Stay Smart with AI”, the PCPD 30th Anniversary Radio Broadcast Campaign, AI Security and Cybersecurity Summit for Enterprises, the PCPD 30th Anniversary Privacy Protection Summit and an AI and Privacy Protection Training Series, etc. These events aim to further enhance public awareness of the importance of protecting and respecting personal data privacy. Click here to read the Sing Tao Daily interview (Chinese only).
|
Reaching Out to the Insurance Sector – Privacy Commissioner Attends Hong Kong Federation of Insurers Cocktail Party 2026
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong Federation of Insurers (HKFI) Cocktail Party 2026 earlier and engaged with representatives from the political sector and leaders from the insurance sector. This year’s cocktail party, themed “A Grateful Beginning in Unity”, featured an address by the Secretary for Financial Services and the Treasury, Mr Christopher HUI Ching-yu, GBS, JP.
|
Reaching Out to the IT Sector – Privacy Commissioner Attends the Cybersecurity Symposium
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Cybersecurity Symposium (Symposium) on 20 January and engaged with members of the information technology sector. The theme of the Symposium was “Navigating Cybersecurity Trends, Strengthening Organisational Defence”. Acting Chief Personal Data Officer (Compliance and Enquiries) of the PCPD Mr John LO Ho-wing also joined a panel discussion entitled “Building a Strong Defense for Data and Privacy Protection Together”. The Symposium was organised by the Digital Policy Office and HKIRC. It aimed to foster collaboration between public bodies and private organisations to strengthen the city’s cybersecurity resilience and support Hong Kong’s growth as a leading digital economy.
|
Reaching Out to the Education Sector – Privacy Commissioner Speaks at the Education Seminar and the Inauguration Ceremony of the 22nd Council of the Hong Kong Aided Primary School Heads Association
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Education Seminar and the Inauguration Ceremony of the 22nd Council of the Hong Kong Aided Primary School Heads Association on 19 January and delivered a speech. Over 100 principals from aided primary schools attended the event. In her speech titled “Handling Abuse of AI Deepfakes”, the Privacy Commissioner elaborated on the “Abuse of AI Deepfakes: Toolkit for Schools and Parents” (Toolkit) recently published by the PCPD and its advice, with a view to assisting schools and parents in preventing and handling deepfake incidents, thereby strengthening the protection of the personal data privacy of children and young people. The Privacy Commissioner also introduced other AI-related guidelines published earlier by the PCPD, including the “Checklist on Guidelines for the Use of Generative AI by Employees” (Guidelines) and the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework). Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
|
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the China Conference: Greater Bay Area
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the China Conference: Greater Bay Area (Conference) held in Qianhai and spoke as a panellist on 15 January.
In the panel discussion titled “Building the future – Data corridor linking Shenzhen and Hong Kong”, the Privacy Commissioner discussed the challenges and opportunities encountered in cross-boundary transfer of personal information in the Greater Bay Area. She also introduced the “Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” as a breakthrough in achieving better harmonisation of rules and mechanisms under the “One Country, Two Systems” regime. The Conference, organised by SCMP, attracted around 400 participants from various sectors, including government representatives.
|
Reaching Out to the Community – Privacy Commissioner Attends the Hong Kong Volunteer Award Presentation Ceremony cum Forum 2025
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong Volunteer Award Presentation Ceremony cum Forum 2025 on 9 January and presented prizes at the ceremony.
Co-organised by the Home and Youth Affairs Bureau and the Agency for Volunteer Service, the Hong Kong Volunteer Award (the Award) aims to recognise the contributions and achievements of volunteers, youth, uniformed groups, corporations, organisations, estates and schools in serving the community. The Privacy Commissioner has been an honorary advisor to the Award since 2023.
|
Implementing the Spirit of the Fourth Plenary Session of 20th CPC Central Committee – Privacy Commissioner Publishes an Article on Supporting the Proactive Integration into and Serving the Overall National Development
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article on supporting the proactive integration into and serving the overall national development. In the article, the Privacy Commissioner pointed out that 2026 marks the beginning of the Country’s 15th Five-Year Plan as we stride towards an important stage of further deepening reform and opening-up across the board. We should explore how to integrate our daily work into and serve the overall national development while implementing the two key objectives for 2026 set by the Chief Executive: focusing on improving people’s wellbeing and strengthening innovation and technology development. The Privacy Commissioner also elaborated on the PCPD's work and how the PCPD could implement the Spirit of the Fourth Plenary Session of 20th CPC Central Committee, including strengthening the protection of personal information, and promoting cybersecurity, data security and AI security. The Privacy Commissioner stated that the PCPD would continue to take a multi-pronged and proactive approach by leveraging Hong Kong’s distinctive advantage of enjoying strong support of the Country and being closely connected to the world to deepen international exchanges and co-operation, contribute to the development of the Guangdong–Hong Kong–Macao Greater Bay Area and proactively align with the national development opportunities. The article was published in Ta Kung Pao and Sing Tao Daily on 8 January. Please click here to read the article (Chinese only).
|
Promoting AI Security – Assistant Privacy Commissioner Speaks at AIM Conference
|
Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD Ms Joanne WONG attended the AIM Conference under the theme of “AI for Business: Empowering Hong Kong’s Next Wave of Growth” on 20 January. The event was organised by the Hong Kong Association of Interactive Marketing and attracted approximately 200 participants. At the event, Ms WONG spoke on the panel titled “Responsible AI in Business Perspective”, where she explored the interplay between AI and personal data privacy as well as the importance of the responsible use of AI to business development. She also introduced the guidance materials published by the PCPD in response to the development of AI, including the Model Framework and the Guidelines.
|
Reaching Out to the Community – PCPD’s Representative Interviewed by Media to Explain New Guidance on Handling Abuse of AI Deepfakes
|
Senior Legal Counsel of the PCPD Ms Joyce LIU was interviewed by TVB News’ “A Closer Look” to explain the guidance on the Toolkit recently published by the PCPD.
Ms LIU pointed out that people with malicious intent may download students’ photos or videos from public platforms to create malicious deepfake materials. To assist schools and parents in preventing and handling deepfake incidents, the PCPD has published the Toolkit to provide practical advice to them. She suggested that if schools need to publish students’ photos or videos, they should make decisions based on the nature of the activity and actual circumstances, in accordance with their school-based policy. The interview by TVB News’ “A Closer Look” was broadcast on 24 December 2025.
|
|
|
As Chinese New Year Approaches, PCPD Urges Vigilance Against Fraudulent Advertisements Recruiting Construction Workers
|
As the Chinese lunar year draws to a close and the Year of the Horse approaches, fraudsters are becoming increasingly active amid the festive atmosphere, using various fraudulent tricks to swindle citizens out of personal data and/or money. Common scams include online romance fraud, online shopping scams, and recruitment scams. The PCPD received 42 complaints over the past two weeks which involved suspected personal data frauds using fraudulent recruitment advertisements for job vacancies in the construction industry. The PCPD urges construction workers to exercise vigilance in protecting their personal data privacy when applying for jobs, and to verify the authenticity of recruitment advertisements and the identities of recruiters before they provide their personal data.
All the victims involved in the 42 cases were construction workers who came across messages about the recruitment of construction casual workers posted on various social media platforms and instant messaging groups (including WhatsApp, Facebook and WeChat groups). After expressing interest in the job vacancies, they provided their personal data to the publisher of the recruitment messages (the “Publisher”), including photos of their “Three Essentials for Construction Sites” (「地盤三寶」in Chinese), namely HKID Card, Construction Workers Registration Card and “Safety Card” (Construction Industry Safety Training Certificate). In some cases, victims also provided their bank account numbers. The Publisher subsequently requested the workers to gather at designated MTR station exits at specified times respectively. However, the Publisher failed to show up and could no longer be contacted. The construction workers were therefore concerned about their personal data being maliciously used by criminals or for other illegal purposes, so they lodged complaints with the PCPD.
Upon receipt of the complaints, the PCPD has been following up the cases in accordance with established procedures. The PCPD reminds the public to observe the following when applying for jobs through social media platforms and instant messaging groups to safeguard their personal data privacy:
- Authenticate the identity of the recruiter or intermediary: Where possible, verify the authenticity of the recruiting company or intermediary through official or reliable channels. Avoid providing personal data to unknown parties;
- Avoid disclosing personal data arbitrarily: Understand the purpose of data collection, only provide necessary information, and avoid submitting sensitive information such as bank account numbers prior to confirmation of employment offer;
- Retain communication records: Retain records of all communications related to the recruitment process for future reference should any issues arise; and
- Fraud prevention information: Pay attention to fraud prevention information published by the PCPD, the Police or relevant organisations to enhance the awareness of fraud prevention.
Anyone who suspects that his/her personal data has been leaked may make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk). If there is any suspicion of fraud on personal data which involves criminal offence(s), they should immediately report the case to the Police. Citizens may also visit “Scameter” (https://cyberdefender.hk/en-us/scameter/) to check suspicious phone numbers, email addresses and websites, etc.
|
HKMA and PCPD Strengthen Collaboration to Combat Fraud and Safeguard Personal Data
|
On 27 January, the Hong Kong Monetary Authority (HKMA) and the PCPD jointly announced a series of new measures to enhance collaboration in combatting fraud and strengthening the protection against misuse of personal data.
In view of the increasing sophistication of fraud, the HKMA and the PCPD have strengthened their cooperation to ensure that banks’ systems and safeguards against these risks are robust, and that best practices are shared with banks on a timely basis. These efforts will include joint risk-based examinations of selected banks’ anti-fraud systems and controls, in which the HKMA will focus on assessing the effective implementation of anti-fraud measures set out in circulars issued in December 2024 and April 2025, whilst the PCPD will review the banks’ data security measures and access controls that are designed to safeguard personal data against misuse and leakage.
Moreover, the HKMA and the PCPD will strengthen joint publicity and educational efforts, and work closely with other key stakeholders including the Hong Kong Police Force, The Hong Kong Association of Banks and the industry to raise public awareness of the latest scam tactics and the importance of protecting personal data, including bank account information. These efforts will include outreach activities targeting members of the public and specific segments of society.
Given the evolving nature of deception tactics, it is essential for the public to remain vigilant when providing personal data, including bank account information and login credentials, to prevent such data from being misused for deception or money laundering. Members of the public are also encouraged to stay informed about the latest fraud prevention information published by the HKMA, the PCPD and the Police.
Background
Fraud continues to grow in scale and complexity. During the first 10 months of 2025, a total of 35,831 deception cases were reported in Hong Kong, resulting in total losses amounting to HK$6.4 billion.
To keep pace with the evolving nature of fraud, the HKMA has continued to strengthen the banking industry’s response to fraud and money laundering, with a number of measures introduced in April last year. These include expanded use of Scameter data, amendment of the Banking Ordinance to facilitate information sharing among banks, sharing of good anti-fraud practices with banks, thematic reviews on the effectiveness of banks’ anti-fraud measures, and enhanced publicity and education efforts on “Don’t Lend/Sell Your Account”. To further enhance the ecosystem approach, the HKMA is collaborating with the PCPD to combat fraud, and to strengthen the protection against misuse of personal data.
The protection of personal data privacy has always been one of the critical priorities in combatting fraud, as deception and financial crimes often involve malicious use of personal data. To address the evolving deceptive tactics employed by fraudsters, the PCPD continues to strengthen its efforts on public education and raising awareness against fraud. Apart from conducting anti-fraud talks for different stakeholders, the PCPD has published a new anti-fraud leaflet and poster with the theme “Too Good to be True” to enhance public awareness of fraud prevention and personal data protection. Both publications have been distributed to District Offices, community centres, elderly centres, banks and schools.
Since 2022, the PCPD has set up the “Personal Data Fraud Prevention Hotline” (3423 6611) to handle enquiries from members of the public about fraud or suspected fraud cases. The PCPD has also launched the webpage entitled “Anti-Fraud Tips”, with a view to providing a one-stop information portal for members of the public.
|
The PCPD Expresses Concern over AI Chatbot Grok Being Used to Generate Indecent Content and Reminds the Public to Use AI Safely
|
The PCPD noted that AI chatbot Grok can be used to generate indecent or malicious photos and videos. This issue has raised concerns in various jurisdictions. The PCPD is also concerned about the matter and is proactively contacting the relevant organisation to understand the situation.
The PCPD reminds members of the public that when providing personal data to AI chatbots to generate AI content, they must comply with the requirements of the PDPO and the relevant Data Protection Principles. Improper or malicious use of AI chatbots to generate indecent or malicious photos or videos may contravene the requirements of the PDPO and may constitute other criminal offences.
The PCPD provides the following tips to members of the public for the safe use of AI chatbots to safeguard personal data privacy:
- Do not share your own and others’ personal data with AI chatbots arbitrarily. If you need to use others’ personal data to generate AI content, you should first obtain their express and voluntary consent. Using others’ images to create and/or publish AI-generated content without the consent of the individuals concerned may contravene the PDPO;
- Never use AI chatbots to generate illegal content, such as child pornography. Producing or publishing child pornography may violate the Prevention of Child Pornography Ordinance;
- Read the Privacy Policy and the Terms of Use of AI chatbots to understand how personal data would be collected, stored, used and shared; and
- Be cautious about using the content generated by AI chatbots. Beware of generated content that is illegal, inaccurate, copyright-infringing, biased or discriminatory.
The PCPD has earlier published a leaflet entitled “10 TIPS for Users of AI Chatbots” and the Toolkit to help users protect their own and others’ personal data privacy and to use AI chatbots more safely.
Download the “10 TIPS for Users of AI Chatbots”: https://www.pcpd.org.hk//english/resources_centre/publications/files/ai_chatbot_leaflet.pdf
Download the Toolkit: https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_deepfake.pdf
|
A 46-year-old Male Arrested for Suspected Doxxing of a Person Engaged in Cross-boundary Vehicle Business
|
The PCPD arrested a Chinese male aged 46 in the New Territories on 8 January. The arrested person was suspected to have disclosed the personal data of the data subject without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim is engaged in cross-boundary vehicle business, including leasing cross-boundary vehicles and handling licence applications for customers. In late November 2025, a total of four messages, including video clips, containing the victim’s personal data and negative comments against him were posted and forwarded to two chat groups comprising members of the same trade on an instant messaging application. The personal data disclosed included the victim’s Chinese and English surnames, English alias, his account name and profile picture of one instant messaging application, the registration numbers of his vehicle in Guangdong and Hong Kong, as well as photos of the victim’s HKID Card, Macao Resident Identity Card, Mainland Travel Permit for Hong Kong and Macao Residents, Hong Kong Driving Licence and Driving License of Chinese Mainland, which collectively showed his Chinese and English names, relevant identity card numbers, date of birth, gender, height, address, nationality, signature specimen and photos.
The PCPD reminds members of the public that they should not dox others because of personal or business disputes. Doxxing is not a means to resolve disputes as it would only escalate conflicts. Moreover, identity cards and other identification documents contain sensitive personal data. Any reckless or intentional disclosure of copies of identification documents without the data subjects’ consent may constitute a doxxing offence. An offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if —
- The person discloses any personal data of a data subject without the relevant consent of the data subject —
  - With an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means —
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
|
Highlights of the “Draft Interim Measures on the Administration of Human-like Interactive Artificial Intelligence Services” (《人工智能擬人化互動服務管理暫行辦法(徵求意見稿)》)
|
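To promote the healthy development and regulate the application of human-like interactive AI services, the Cyberspace Administration of China released the “Draft Interim Measures on the Administration of Human-like Interactive Artificial Intelligence Services” (Draft Measures) [1] for public consultation on 27 December 2025. The Draft Measures set out, among other things, requirements for the relevant services from different perspectives such as content safety, management of training data, and personal information protection. The consultation period ended on 25 January 2026. This article provides an overview of the Draft Measures.
What Are Human-like Interactive Services
According to Article 2 of the Draft Measures, human-like interactive services refer to products or services that use AI technology to provide the public within the territory of China with simulated human personality traits, thinking patterns and communication styles, and that engage in emotional interaction with humans through text, images, audio, video and other means.
Content Safety and Prohibited Activities [2]
The Draft Measures stipulate that the provision and use of human-like interactive services shall comply with laws, administrative regulations and the like, and that specified activities must not be carried out, including: generating or disseminating content that endangers national security, incites crime or defames others; harming users’ physical health by encouraging, glorifying or implying suicide or self-harm; and inducing users to make unreasonable decisions through algorithmic manipulation, the setting of emotional traps and similar means.
Management of Training Data [3]
The Draft Measures require providers, when carrying out data processing activities such as pre-training and optimisation training, to strengthen the management of training data, for example by cleaning and labelling training data to enhance its transparency and reliability; ensuring that the sources of training data are lawful and traceable; and taking necessary measures to safeguard data security and guard against the risk of data leakage.
Protective Measures for Minors and the Elderly
The Draft Measures place particular emphasis on the protection of users who are minors or elderly persons. For example, providers shall require users to fill in information such as their guardians and emergency contacts at the registration stage [4]. If a provider discovers that a situation endangering life, health or property safety has arisen while an elderly person is using the service, it shall promptly notify the emergency contact. Providers also must not provide services that simulate the relatives of elderly users or persons having a specific relationship with them [5].
As regards the protection of minors, the Draft Measures stipulate that providers shall have the capability to identify minors, and shall provide users with personalised safety setting options such as switching to a minor mode, regular reality reminders and usage time limits. When providing emotional companionship services to minors, providers shall obtain the explicit consent of their guardians. Providers shall also provide guardian control functions [6].
Prevention of and Intervention in Extreme Situations
The Draft Measures expressly require that providers must not take replacing social interaction, controlling users’ psychology or inducing addiction and dependence as design objectives [7], and that they shall prominently remind users that they are interacting with AI rather than a natural person [8].
If users are found to exhibit extreme emotions or addiction, providers shall take necessary measures to intervene. These include presetting response templates so that, where high-risk tendencies threatening users’ life, health or property safety are detected, content that comforts users and encourages them to seek help is output in a timely manner; and establishing an emergency response mechanism so that, where a user explicitly proposes to commit suicide, self-harm or other extreme acts, a human takes over the conversation and the user’s guardian or emergency contact is contacted in a timely manner [9].
Protection of Personal Information
The Draft Measures stipulate that providers shall establish and improve management systems for network security, data security, personal information protection and the like [10], and shall adopt measures such as data encryption, security audits and access controls to protect the security of user interaction data [11]. Unless otherwise provided by laws or administrative regulations, or unless the user’s separate consent has been obtained, providers must not provide user interaction data to third parties, nor use user interaction data or sensitive personal information for model training [12]. Providers shall also conduct an annual compliance audit of their compliance with laws and administrative regulations in processing the personal information of minors [13].
In addition, the Draft Measures require that, when assessing users’ emotions and their degree of dependence on products and services, or when identifying whether a user is a suspected minor, providers shall do so on the premise of protecting users’ personal privacy [14].
Security Assessment and Supervisory Inspection
In specified circumstances (for example, when functions with human-like interactive services go online, when registered users reach 1 million or more or monthly active users reach 100,000 or more, or where there may be an impact on national security), providers shall conduct security assessments in accordance with the relevant national provisions, focusing on matters such as the scale of users, the identification of users’ high-risk tendencies and emergency handling measures, and shall submit assessment reports to the provincial-level cyberspace administration of the place where they are located [15]. In addition, providers shall complete algorithm filing in accordance with the “Provisions on the Administration of Algorithm Recommendation for Internet Information Services” (《互聯網信息服務算法推薦管理規定》) [16]. Where a provincial-level cyberspace administration discovers that human-like interactive services pose relatively significant security risks or that a security incident has occurred, it may summon the provider for a regulatory talk and require rectification [17].
Conclusion
The Draft Measures set out detailed service norms for human-like interactive AI services, so as to safeguard users’ physical and mental health and promote the healthy development of AI. Relevant providers are advised to read the requirements carefully and to take corresponding measures once the Draft Measures are finalised.
[1] Full text: https://www.cac.gov.cn/2025-12/27/c_1768571207311996.htm
[2] Article 7 of the Draft Measures.
[3] Article 10 of the Draft Measures.
[4] Article 11 of the Draft Measures.
[5] Article 13 of the Draft Measures.
[6] Article 12 of the Draft Measures.
[7] Article 9 of the Draft Measures.
[8] Article 16 of the Draft Measures.
[9] Article 11 of the Draft Measures.
[10] Article 8 of the Draft Measures.
[11] Article 14 of the Draft Measures.
[12] Articles 14 and 15 of the Draft Measures.
[13] Article 15 of the Draft Measures.
[14] Articles 11 and 12 of the Draft Measures.
[15] Articles 21 and 22 of the Draft Measures.
[16] Article 25 of the Draft Measures.
[17] Article 28 of the Draft Measures.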
|
Professional Workshop on Data Protection in Human Resource Management
|
Since job applicants, current and former employees may request access to their personal data kept by organisations from time to time, employers or human resource management professionals have to ensure compliance with the requirements of the PDPO when they collect and handle data of their employees. On the other hand, employers should meet public expectations to constantly protect and respect their employees’ personal data privacy. This workshop enables participants to learn how to handle different scenarios and strengthen their knowledge of data protection in human resource management.
Date: 4 February 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents
|
New Series of Professional Workshops on Data Protection in Mar 2026:
|
Online Free Seminars – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
|
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
|
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.