PCPD e-NEWSLETTER
ISSUE Feb 2026
|
Privacy Commissioner’s Office Reports on its Work in 2025 and Intervenes in Three Data Security Incidents
|
Privacy Commissioner Ms Ada CHUNG Lai-ling (left) and the Assistant Privacy Commissioner (Complaints & Criminal Investigation) Ms Rebecca HO Kan-yeuk (right) elaborated on the PCPD’s work in 2025 and explained the details of three data security incidents relating to employees’ personal data.
|
The PCPD reported on its work in 2025 and three incidents involving the security of personal data on 3 February.
(1) PCPD’s Work in 2025
1. Complaint Cases
In 2025, the PCPD received a total of 4,228 complaints, representing an increase of 23% when compared to 3,431 cases in 2024. About 90% of the complaint cases involved complaints against private organisations or individuals (3,838 cases), while the remaining 10% were against public organisations or government departments (390 cases). The proportions were broadly similar to those in 2024.
2. Enquiries
The PCPD handled 17,691 public enquiries in 2025, representing a slight decrease of 2% from 18,125 enquiries in 2024. The PCPD received an average of around 1,500 public enquiries per month. Among the public enquiries received in 2025, 28% related to the collection and use of personal data (e.g. Hong Kong Identity Card (HKID card) numbers and/or copies). Other major categories of enquiries included the complaint handling policy of the PCPD (15%), access to and correction of personal data (6%), the handling of personal data in employment cases (5%) and the installation and use of CCTV (5%), etc. In addition, the PCPD received 1,163 enquiries relating to suspected personal data frauds in 2025, which was comparable to 1,158 enquiries in 2024.
3. Personal Data Breach Incidents
The PCPD received 246 data breach notifications in 2025, with 79 from the public sector and 167 from the private sector. The figure represented an increase of 21% from 203 data breach notifications in 2024. Among the 246 data breach notifications mentioned above, 92 were submitted by schools and non-profit-making organisations (accounting for 37% of all data breach incidents in 2025). The data breach incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by email, post or fax, employee misconduct and system misconfiguration, etc. In 2025, there were 81 data breach incidents involving hacking (accounting for 33% of all data breach incidents). The figure represented an increase of 33% compared with 61 such cases in 2024 (accounting for 30% of all data breach incidents).
The PCPD initiated 435 compliance checks in 2025, representing an increase of 9% from 400 compliance checks in 2024.
4. Anti-Doxxing Regime
The provisions criminalising doxxing acts under the Personal Data (Privacy) Ordinance (PDPO) came into effect on 8 October 2021. The amendments empower the Privacy Commissioner to adopt a “one-stop” approach in handling doxxing-related offences, from criminal investigation, collection of evidence to prosecution. In addition, the Privacy Commissioner is empowered to issue cessation notices to request the cessation of disclosure of doxxing messages.
Enforcement Actions in 2025
In 2025, the PCPD handled a total of 308 doxxing cases (including doxxing-related complaints received and doxxing cases uncovered by the PCPD’s proactive online patrols). The figure dropped by 30% compared with 442 cases in 2024. Of the 308 doxxing cases, 299 cases were doxxing complaints received by the PCPD. The nature of disputes leading to the doxxing acts included monetary disputes (45.2%), as well as family and relationship disputes (24.4%). The PCPD initiated 147 criminal investigations in 2025 and referred 47 cases to the Police for further follow-up actions. The PCPD arrested a total of 18 suspects during the year. The suspected doxxers mainly engaged in doxxing through social media platforms and instant messaging applications (67%), while the remaining cases (33%) involved doxxing through posting leaflets and displaying banners. During the year, the PCPD issued 32 cessation notices to 13 online platforms to request the removal of 56 doxxing messages, with a compliance rate of over 98%.
Summary of Enforcement Actions under the New Anti-doxxing Provisions
From the commencement date (8 October 2021) of the anti-doxxing provisions to 31 December 2025, the PCPD handled a total of 3,634 doxxing cases. The PCPD also issued 2,104 cessation notices to 57 online platforms to request the removal of 33,743 doxxing messages. Notwithstanding that most of the cessation notices were served on overseas operators of online platforms, the overall compliance rate on the removal of doxxing messages exceeded 96%. Apart from individual doxxing messages, 250 doxxing channels were also successfully removed by the cessation notices.
With the persistent and resolute enforcement, enhanced publicity and education efforts of the PCPD over the past four years, coupled with the society’s transition from chaos to order, illegal doxxing acts have greatly ameliorated. In 2025, there were only nine doxxing cases uncovered by the PCPD’s proactive online patrols, representing a reduction of over 99% compared to 1,134 cases in 2022 (i.e. the first year after the commencement of the anti-doxxing provisions). The PCPD received 299 doxxing-related complaints in 2025, representing a decrease of over 50% (53%) compared to 630 complaints in 2022.
From the commencement date (8 October 2021) of the relevant provisions to 31 December 2025, the PCPD initiated criminal investigations into 519 doxxing cases and referred 150 cases to the Police for further follow-up actions. A total of 81 suspects were arrested (including three arrests made in the joint operations with the Police). 55 arrested persons were prosecuted, of whom 43 were convicted.
It is evident that the PCPD’s work on combatting doxxing acts has not affected freedom of speech of members of the public, nor has it impacted the lawful operation of online platforms in Hong Kong. The PCPD will continue to take resolute enforcement actions against doxxing acts to ensure that the personal data privacy of the public is adequately protected.
(2) Personal Data Security Incidents of Three Organisations (see Annex 1 for details)
The PCPD earlier intervened in three incidents involving the security of personal data. All of the organisations complained against in the cases were the employers of the complainants. Owing to various deficiencies of the organisations in the handling of employment data that resulted in the improper disclosure or unauthorised or accidental access, processing or use of personal data, the organisations in question were found to have contravened the relevant requirements of the PDPO.
Summaries of the Three Data Security Incidents
- The complainant worked for a security service company. The complainant’s supervisor sent a notice of termination of employment containing the complainant’s HKID card number to a work-related chat group in an instant messaging application. This resulted in the disclosure of the complainant’s personal data to other staff members in the group.
- The head of the security department of a hotel stored annual performance appraisal forms of departmental staff members in a desk drawer. As the desk was shared among staff members of the department and the department head did not lock the drawer in accordance with the hotel’s guidelines, the complainant (an employee of the hotel’s security department at the material time) inadvertently read the appraisal forms that contained the personal data of all the departmental staff members stored in the drawer while searching for other documents.
- An administrative staff member of a social welfare organisation was responsible for scanning a dismissal document relating to the complainant. During the process, the staff member mistakenly saved the scanned copy in the department’s shared folder. As a result, the complainant’s personal data contained in the document was accessible to other staff members of the department.
Data Protection Principle (DPP) 3(1) of Schedule 1 to the PDPO stipulates that personal data shall not, without the prescribed consent of the data subject (namely, express consent voluntarily given by the data subject), be used (including disclosed or transferred) for a new purpose that is not or is unrelated to the original purpose when collecting the data. Furthermore, DPP 4(1) of Schedule 1 to the PDPO stipulates that all practicable steps shall be taken by a data user to ensure that any personal data held by the data user should be protected against unauthorised or accidental access, processing, erasure, loss or use.
In the above cases, having considered the circumstances of the individual incidents and the information obtained, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the organisations concerned had contravened DPP 3(1) of the PDPO concerning the use (including disclosure) of personal data, or DPP 4(1) of the PDPO concerning the security of personal data. The Privacy Commissioner has served an Enforcement Notice or a warning letter on each of the three organisations, directing them to remedy and prevent recurrence of their respective contraventions.
Privacy Commissioner Ms Ada CHUNG Lai-ling urges employers to formulate clear policies to protect employees’ personal data in order to prevent security lapses caused by human error or insufficient awareness.
Employers’ protection of employees’ personal data privacy is closely related to daily lives and forms part of employers’ statutory responsibilities. The PCPD encourages organisations to work hand in hand with employees to create a working environment that safeguards personal data privacy and data security. The PCPD offers the following five recommendations to employers:
- Introduce a Personal Data Privacy Management System and formulate clear data security policies that embed personal data privacy protection into the core values of the organisations, so as to promote a top-down culture that prioritises personal data privacy and data security;
- Develop robust workflows and procedures, and regularly remind staff of the key points of work procedures and policies to ensure compliance;
- Implement an ongoing monitoring mechanism to ensure consistent enforcement of personal data security policies by employees through technical checks or regular inspections, and conduct periodic reviews to optimise oversight procedures and maintain effective monitoring;
- Provide training to employees: Provide targeted training to employees (particularly the employees responsible for handling sensitive data) to enhance their awareness and capability in safeguarding privacy; and
- Actively engage with employees and work with them to examine the workflow involving the handling of personal data in order to understand their concerns and challenges, so as to effectively develop policies, procedures and training programmes tailored to the daily operations and needs.
|
Reporting to Legislative Council – Privacy Commissioner Attends Meeting of Legislative Council Panel on Constitutional Affairs to Report on PCPD’s Work in 2025
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the meeting of the Legislative Council Panel on Constitutional Affairs.
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the meeting of the Legislative Council (LegCo) Panel on Constitutional Affairs on 13 February to brief Members on the work of the PCPD in 2025.
The PCPD received 4,228 complaints in 2025, representing a 23% increase compared to 3,431 cases in 2024. In combatting doxxing offences, the PCPD handled 308 doxxing cases in 2025 (including doxxing cases uncovered by the PCPD’s proactive online patrols and doxxing-related complaints received). The figure dropped by 30% when compared to 442 cases in 2024, amongst which the number of doxxing cases uncovered through online patrols has dropped significantly from 87 cases in 2024 to nine cases in 2025.
Over the past four years, with the PCPD’s persistent and resolute enforcement, enhanced publicity and education efforts, coupled with the society’s transition from chaos to order, the doxxing problem has been greatly ameliorated. The number of doxxing cases uncovered by the PCPD’s proactive online patrols in 2025 was only nine, representing a reduction of over 99% compared to 1,134 cases in 2022 (i.e. the first year after the commencement of the anti-doxxing provisions). Meanwhile, the PCPD received 299 doxxing-related complaints in 2025, representing a decrease of over 50% (53%) compared to 630 complaints in 2022.
On the other hand, the PCPD received 246 data breach notifications in 2025, representing an increase of 21% compared to 203 data breach notifications in 2024. To assist organisations in preventing data breaches and enhancing their awareness of data security, the PCPD launched a series of seminars and training courses, as well as strengthened collaboration and exchanges with the industry, and recognised outstanding performance in personal data protection through organising the “Privacy-Friendly Awards”.
Looking ahead, the PCPD’s strategic focus for the coming year includes continuing to promote data security. The PCPD will also proactively align with the Country’s “15th Five‑Year Plan”, support the Government in fostering the advancement of digital economy, and addressing the challenges posed by emerging technologies. The PCPD will also continue to leverage Hong Kong’s distinctive advantages of enjoying strong support of the Country while being closely connected to the world under the “One Country, Two Systems” regime to actively participate in various international and regional organisations.
Please click here for the Privacy Commissioner’s opening remarks (Chinese only). Please click here for the paper submitted by the PCPD to the LegCo Panel on Constitutional Affairs.
|
PCPD and HKIRC Co-organise “AI Security and Cybersecurity Summit for Enterprises”
Joining Hands to Build a Safer Digital Hong Kong
Registration Now Open
|
In today’s digital world, cyberattacks on organisations’ information systems are not just occasional events; they have become a real threat which may lead to the leakage of personal data and financial and reputational damage. Meanwhile, as artificial intelligence (AI) continues to evolve at a rapid pace, organisations of all sizes are eager to harness its transformative potential. However, the application of AI carries challenges, as AI also introduces cybersecurity and personal data privacy risks that must be critically addressed by organisations.
In light of this, the PCPD and the Hong Kong Internet Registration Corporation Limited (HKIRC) will co-organise the “AI Security and Cybersecurity Summit for Enterprises” (Summit) on 31 March, with the Digital Policy Office acting as a strategic partner. The Summit aims to raise the awareness and readiness of organisations, including small and medium-sized enterprises, to address AI security and cybersecurity risks in the business environment, thereby building a safer and more resilient digital Hong Kong. Registration for the Summit is now open to all sectors.
The Summit will be held at the Hong Kong Convention and Exhibition Centre and will feature two key thematic areas – “AI Security” and “Cybersecurity” – each presenting dedicated keynote presentations and panel discussions. The event will bring together leading experts, industry leaders, policymakers and company directors to explore the evolving AI security and cybersecurity threat landscape, exchange innovative solutions, and share insights into strengthening cybersecurity and data protection in the age of AI.
The Summit is free of charge and open for registration on a first-come first-served basis. For details, please visit the event website https://pcpd.org.hk/ai_cybersecurity_summit/en/index.html. Interested parties are requested to complete and submit the online registration form on the Summit website by 5:00 pm on 27 March.
|
AI-Generated Harmful Imagery Raises Concerns Worldwide; PCPD, together with 60 Privacy Protection Authorities, Issue a Global Joint Statement
|
Free Online Seminars: Introduction to the PDPO
|
Arrange an In-house Seminar for Your Organisation
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Highlights of the “Measures on the Classification of Online Information that May Affect the Physical and Mental Health of Minors” 《可能影響未成年人身心健康的網絡信息分類辦法》的重點
|
EU: European Commission Sends Statement of Objections to Meta Outlining Possible Interim Measures Regarding Exclusion of Third-party AI Assistants from WhatsApp
|
EU: AI Office Convenes First Meeting of Signatory Taskforce for the General-Purpose AI Code of Practice
|
UK: ICO Publishes Guidance on How Organizations Should Handle Data Protection Complaints
|
EU Digital Omnibus Amendments to GDPR to Facilitate AI Training Miss the Mark
|
|
|
From Adoption to Protection: Governing AI Responsibly and Securely
|
As organisations accelerate the adoption of AI, the risk of AI-related security incidents is also rising. AI systems are often trained on dynamic datasets – sometimes even on data generated in real time – which can alter functionality in ways that are difficult to anticipate or fully comprehend. Meanwhile, malicious actors are developing increasingly sophisticated techniques to compromise AI models, manipulate training data, and exploit vulnerabilities inherent in machine learning pipelines.
Organisations should therefore recognise the growing importance of AI security. With AI systems now embedded across sectors, ranging from financial services to healthcare diagnostics, robust security frameworks have become indispensable. To mitigate risks and avoid costly incidents, organisations are encouraged to establish a clear AI strategy and governance structure before embarking on procurement, implementation, or integration into business processes.
When establishing an AI strategy and governance framework, organisations should carefully consider the following areas:
- Purpose of using AI;
- Privacy and security obligations and ethical requirements;
- Internal technical and governance standards;
- Criteria and procedures for reviewing AI solutions;
- Data processor agreements;
- Policy on handling output generated by the AI system;
- Plan for continuously scrutinising changing landscape;
- Plan for monitoring, managing and maintaining AI solution; and
- Evaluation of AI suppliers.
For further guidance, please refer to “Artificial Intelligence: Model Personal Data Protection Framework”.
In addition, organisations seeking to strengthen AI security are warmly invited to join the upcoming “AI Security and Cybersecurity Summit for Enterprises” on 31 March, co-organised by the PCPD and HKIRC. Registration is now open on a first-come first-served basis. Please visit the event website for details and registration.
|
|
|
PRIVACY COMMISSIONER’S FINDINGS
|
Data Leakage via a Phishing Email Involving 6,131 Members of an Institute
|
Background
An institute reported to the PCPD that it had inadvertently sent a list containing the names (with suffixes) and email addresses of 6,131 members in reply to a phishing email, which purported to come from the Chief Executive of the institute and requested members’ information.
The institute explained that the “phishing email” requested the information to be sent to two specified email addresses, one being the Chief Executive’s official email address and the other purporting to be his personal email address. Since the staff member who received the request believed that the information was urgently required by the Chief Executive, he complied with the request and hence caused the leakage. The institute further explained that although its membership database was password-protected and encrypted, the list generated from the database in the incident was not secured by any measures.
Remedial Measures
The institute subsequently took the following remedial actions to prevent recurrence of the incident:
- Requiring all staff to protect files containing personal data by password for email communications and restricting the use of personal email accounts for business-related matters;
- Reminding all staff to strictly adhere to the requirements stipulated in its Information Security Policy and Acceptable Use Policy;
- Providing training to enhance staff awareness of information technology (IT) security; and
- Engaging an external IT consultant to provide continuous security monitoring and consultation on IT and data protection matters.
|
Staying Safe with AI: Practical Tips for Everyday Use
|
AI is becoming part of everyday life, helping us draft content, conduct research, automate tasks, and navigate digital tools more efficiently. While these technologies offer significant convenience, they also come with risks if used without care. Oversharing personal information, connecting through unsecured networks, or relying blindly on AI-generated outputs can lead to personal data leakage, cyber threats, or inaccurate and misleading results.
The good news is that protecting yourself is simple and straightforward. By adopting a few practical habits, you can safeguard your personal data, secure your devices, and ensure AI remains a helpful and reliable tool. These measures help keep your online activity safe, controlled, and resilient against potential threats.
- Use a trusted AI tool: Access AI tools only via their official websites or verified applications. Install software exclusively from reputable publishers through recognised app stores;
- Use unique and strong passwords: Create unique and complex passwords for each account and enable two-factor authentication wherever possible;
- Use a secure network: Avoid connecting to public Wi-Fi or other unsecured networks when using AI tools or handling sensitive information;
- Avoid sharing personal or sensitive data: Do not input sensitive personal data such as identification details, financial records, or login credentials into AI systems;
- Clear your browser history regularly: Delete your browsing history, cache and cookies to reduce stored records of your online activities;
- Validate AI-generated outputs: Treat AI-generated results as drafts. Always verify facts, review recommendations, and check any code for errors or potential security risks before using it;
- Keep your operating system and software up-to-date: Ensure your operating system, applications, and security software are updated to their latest versions to protect against vulnerabilities; and
- Stay alert to phishing attempts: Confirm that you are interacting with legitimate AI platforms, and avoid clicking suspicious links or downloading unexpected attachments.
|
|
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the Global Joint Statement on AI-Generated Imagery Issued by the PCPD
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today” on 23 February to explain the “Joint Statement on AI-Generated Imagery and the Protection of Privacy” (Joint Statement) issued by the PCPD and 60 privacy or data protection authorities around the world. During the interview, the Privacy Commissioner noted that the use of AI systems to generate indecent or malicious images and videos of individuals, especially children, has recently raised concerns of regulatory authorities in Hong Kong and other areas worldwide. As the co-chair of the Global Privacy Assembly’s International Enforcement Cooperation Working Group, the PCPD initiated the joint action to remind all organisations to develop and use AI content generation systems lawfully and safely. She emphasised that the Joint Statement reminds organisations to adopt a series of effective measures to protect the fundamental rights of data subjects, in particular children and vulnerable groups.
Click here to listen to the interview by RTHK News’ “Hong Kong Today” (48:52-54:18) (Chinese only).
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Commercial Radio’s “Saturday Forum” to Report on the PCPD’s Work in 2025
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Commercial Radio’s “Saturday Forum” on 21 February, where she discussed the PCPD’s work in 2025.
During the interview, the Privacy Commissioner noted that about 30% of last year’s data breach incidents were caused by hacking, while around 60% resulted from human error, including employees sending emails to wrong recipients or clicking on phishing links. She said that the PCPD has been organising seminars for organisations across various sectors, and has also set up the “Data Security Hotline” and thematic website to raise the awareness of organisations on data security. She added that the PCPD receives an average of around 15 complaints and 50 to 60 enquiries each day, reflecting the public’s concern on protecting personal data privacy. She reminded members of the public that if they inadvertently disclose their personal data to an unknown caller, they should consider changing online bank account passwords and stay alert to possible email scams or other fraudulent activities.
Regarding parents’ enthusiasm for sharing photos of their children on social media platforms, the Privacy Commissioner cautioned that once images or videos are uploaded online, they may not be completely removable. She advised parents to consult their children before sharing any such photos and to make good use of the privacy settings of social media platforms, so as to restrict access to their families and friends.
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Report on the PCPD’s Work in 2025
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Metro Finance’s “Finance Boulevard” and Hong Kong Economic Journal on 9 and 11 February respectively to outline the PCPD’s work in 2025.
During the interviews, the Privacy Commissioner pointed out that the number of complaints received by the PCPD last year increased by 23% year‑on‑year, reflecting the public’s heightened awareness of privacy protection. Among these, complaints related to the property management sector recorded a 50% surge, including cases where security personnel disclosed residents’ personal data to third parties without consent. The PCPD has already organised workshops for the property management sector to help compliance by the sector.
As the use of AI becomes increasingly prevalent, the Privacy Commissioner observed that many organisations are increasingly adopting AI, such as deploying AI chatbots to respond to customer enquiries or using AI for data analysis. She reminded organisations that if they use public AI systems to process customers’ personal data, such data may be used to train the AI models. Therefore, organisations must assess the necessity and risks of using AI systems to process personal data. Last year, the PCPD published the “Checklist on Guidelines for the Use of Generative AI by Employees” to help organisations use AI safely.
She also reminded members of the public that personal data is valuable. As organisations often store personal data in information systems, it is necessary to strengthen data security, such as by formulating relevant data security policies and providing training to staff, etc.
Click here to listen to the interview by Metro Finance’s “Finance Boulevard” (10:33-28:33) (Chinese only).
|
Reaching Out to the Community – Privacy Commissioner Attends “10 Issues of Most Concern Perceived by the HK Commercial Sector in 2025” Prize Presentation Ceremony
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the prize presentation ceremony (Ceremony) on “10 Issues of Most Concern Perceived by the HK Commercial Sector in 2025” on 10 February. The Ceremony was jointly organised and supported by various local associations, chambers of commerce, the Hong Kong Commercial Daily and other media outlets. The Privacy Commissioner was invited as a guest to announce one of the most concerned issues.
First launched in 2006, the event selects major news of most concern to the Hong Kong commercial sector, reflecting the sector’s perspectives, policy concerns and aspirations.
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Report on the PCPD’s Work in 2025
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 3’s “Hong Kong Today”, RTHK Radio 1’s “HK2000” and i-Cable News’ “Let’s Talk” on 3, 4 and 6 February respectively to report on the PCPD’s work in 2025.
In 2025, the number of complaint cases received by the PCPD increased by 23%, as compared to 2024. During the interviews, the Privacy Commissioner explained that the increase reflects the rising public awareness of personal data protection. In addition, the PCPD received 246 data breach notifications last year, of which 37% came from schools and non-profit-making organisations. The Privacy Commissioner pointed out that the rise in data breaches involving these sectors is a global trend. With limited resources, such organisations are more vulnerable to cyberattacks and must therefore enhance staff awareness of data security. She stated that the PCPD has continued to support the education sector and non-profit-making organisations through various publicity and educational initiatives, including organising talks and seminars, as well as launching the Data Security Package. She said that the PCPD would continue its efforts to raise organisations’ awareness of the protection of personal data privacy in the future.
On combatting doxxing, the Privacy Commissioner mentioned that in 2025, doxxing cases involving political disputes accounted for only 1.3% of the total, marking a four-year low. Since the anti-doxxing provisions came into effect, illegal doxxing acts have significantly ameliorated over the past 4 years, with a drop of over 99% in doxxing cases uncovered by the PCPD’s proactive online patrols. In addition, the doxxing-related complaints received by the PCPD have decreased by over 50%.
As the lunar year draws to a close, the Privacy Commissioner reminded the public to stay alert to fraudulent recruitment advertisements that trick people into providing their personal data. The Privacy Commissioner noted that in the past month, 126 complaints relating to fraudulent recruitment advertisements for job vacancies in the construction industry were received, and reminded construction workers not to disclose their personal data to others arbitrarily.
Click here to listen to RTHK Radio 3’s “Hong Kong Today” (48:14-51:53). Click here to listen to RTHK News’ “Hong Kong Today” (54:15-59:44) (Chinese only). Click here to listen to RTHK Radio 1’s “HK2000” (Chinese only). Click here to watch i-Cable News’ “Let’s Talk” (Chinese only).
|
Event Organised in Celebration of PCPD’s 30th Anniversary – A Seminar on “Understanding the Protection of Critical Infrastructures (Computer Systems) Ordinance and Data Security”
|
To mark the 30th anniversary of the PCPD, the PCPD is launching a series of seminars on data security and AI security. The first seminar in the series, titled “Understanding the Protection of Critical Infrastructures (Computer Systems) Ordinance to Enhance Data Security”, was successfully held on 5 February, attracting over 550 participants. At the seminar, Mr Francis CHAN Wing-on, Commissioner of Critical Infrastructure (Computer-system Security), provided an overview of the Protection of Critical Infrastructures (Computer Systems) Ordinance and the responsibilities of critical infrastructure operators. Privacy Commissioner Ms Ada CHUNG Lai-ling also shared some case studies on data breach incidents, as well as practical advice on preventing and handling data breach incidents. Please click here to download Mr Chan’s presentation deck (Chinese only). Please click here to download the Privacy Commissioner’s presentation deck (Chinese only).
|
Reporting to LegCo – Acting Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Meeting of the LegCo Panel on Constitutional Affairs
|
The Acting Secretary for Constitutional and Mainland Affairs (Ag SCMA), Mr Clement WOO Kin-man, MH, JP, attended the Policy Briefing meeting of the LegCo Panel on Constitutional Affairs on 30 January to brief Panel Members on the major policy measures of the Constitutional and Mainland Affairs Bureau (CMAB). Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to answer questions raised by Members on the work of the PCPD. During the meeting, the Privacy Commissioner briefed LegCo Members on the work of the PCPD, and pointed out that over the past three years, the PCPD received an average of about 200 data breach notifications and conducted around 400 compliance checks each year. From the implementation of the Personal Data (Privacy) (Amendment) Ordinance 2021 on 8 October 2021 to the end of 2025, the PCPD handled a total of 3,634 doxxing cases. The Privacy Commissioner stressed that the PCPD has been actively promoting the protection of personal data privacy, including enhancing data security, AI security and combating doxxing. The PCPD has also actively participated in various associations and forums of international and regional regulatory authorities, fulfilling its role of “leveraging strong support of the Country while being closely connected to the world”. Please click here for the paper provided by the CMAB to the LegCo Panel on Constitutional Affairs. Please click here for the opening remarks of the Ag SCMA (Chinese only). Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
|
Reaching Out to the Community – Assistant Privacy Commissioner Interviewed by Media to Remind Public to Stay Vigilant Against Fraudulent Advertisements Recruiting Construction Workers
|
The Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Ms Rebecca HO Kan-yeuk was interviewed by RTHK News’ “Hong Kong Today” and RTHK Radio 1’s “HK2000” on 29 and 30 January respectively to explain the complaint cases received by the PCPD relating to fraudulent recruitment advertisements. During the interviews, the Assistant Privacy Commissioner pointed out that the PCPD received 42 complaints earlier, all of which related to suspected personal data frauds using fraudulent recruitment advertisements for job vacancies in the construction industry. In these cases, the construction workers concerned came across messages about the recruitment of casual construction workers posted on various social media platforms and instant messaging groups (including WhatsApp, Facebook and WeChat groups) and provided their personal data to the publisher of the recruitment messages (Publisher), but subsequently the Publisher could no longer be contacted. She reminded members of the public to authenticate the identities of recruiters or intermediaries, avoid disclosing personal data arbitrarily, retain records of all communications related to the recruitment process and pay attention to fraud prevention information published by the authorities. The interview by RTHK News’ “Hong Kong Today” can be listened to here (54:51-59:39) (Chinese only). The interview by RTHK Radio 1’s “HK2000” can be listened to here (Chinese only).
|
AI-Generated Harmful Imagery Raises Concerns Worldwide; PCPD, together with 60 Privacy Protection Authorities, Issue a Global Joint Statement
|
The PCPD, together with 60 privacy or data protection authorities around the world, issued the “Joint Statement on AI-Generated Imagery and the Protection of Privacy” (Joint Statement) on 23 February. The signatories include privacy or data protection authorities from Canada, France, Germany, Italy, Korea, New Zealand, Singapore and the United Kingdom. The co-signatories express their concern about AI systems that generate realistic images and videos depicting identifiable individuals without their knowledge and consent and other harmful content featuring real individuals. The Joint Statement was initiated and coordinated through the Global Privacy Assembly’s (GPA) International Enforcement Cooperation Working Group (IEWG). The co-signatories remind all organisations to develop and use AI content generation systems lawfully and to adopt a series of measures to protect the fundamental rights of data subjects, in particular children and vulnerable groups, including:
- Implement robust safeguards to prevent the misuse of personal information and generation of non-consensual intimate imagery and other harmful materials, particularly where children are depicted;
- Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse;
- Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests; and
- Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators.
The Joint Statement can be downloaded here.
Background: The GPA is the premier international forum for privacy or data protection authorities worldwide. The IEWG, a working group under the GPA, promotes cross-jurisdictional cooperation among privacy or data protection authorities and drives cross-jurisdictional enforcement collaboration. The PCPD is the co-chair of the IEWG.
|
Highlights of the “Measures on the Classification of Online Information that May Affect the Physical and Mental Health of Minors” (《可能影響未成年人身心健康的網絡信息分類辦法》)
|
To create an online environment that is beneficial to the physical and mental health of minors, the Cyberspace Administration of China (CAC), together with seven other government departments, released the “Measures on the Classification of Online Information that May Affect the Physical and Mental Health of Minors” (Measures) [1] on 23 January 2026. The Measures set out the specific categories, scope, assessment criteria and labelling requirements for online information that may affect the physical and mental health of minors. This article provides an overview of the key points of the Measures.
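Background
Article 23 of the Regulations on the Protection of Minors in Cyberspace (《未成年人網絡保護條例》) (Regulations) [2], which came into effect in 2024, provides that where online products and services contain information that may affect the physical and mental health of minors [3], the organisations and individuals that produce, reproduce, publish or disseminate such information shall give a prominent notice before the information is displayed. The specific categories, scope, assessment criteria and labelling requirements for such information are to be determined by the national cyberspace authority and other departments. The Cyberspace Administration of China therefore released the Measures to implement this requirement.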
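Specific Categories
The Measures divide online information that may affect the physical and mental health of minors into four main categories. The categories and examples of each are extracted below:
1. Information that may cause or induce minors to imitate or engage in undesirable behaviour [4]
- Content with sexual innuendo, sexual provocation, etc. that readily evokes sexual associations;
- Undesirable information involving online violence, such as accusation and ridicule, or belittlement and discrimination;
- Inducing minors to engage in irrational spending such as topping up and tipping.
2. Information that may have a negative impact on the values of minors [5]
- Promoting undesirable values such as extravagance and hedonism, flaunting wealth and money worship, and negativity and decadence;
- Promoting distorted aesthetics and vulgar culture.
3. Information that improperly uses the image of minors [6]
- Using the image of minors to stage and act out storylines containing undesirable values;
- Seeking attention by such means as making fun of minors or using minors to build controversial personas.
4. Improper disclosure and use of the personal information of minors [7]
- Without the consent of the guardian, improperly displaying the study, daily life, etc. of minors under the age of fourteen in a way that may expose the personal information of the minors;
- Inducing minors to publish content that may leak the personal information of themselves or others.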
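Requirements on Labelling and Pushing
Building on the provisions of the Regulations, the Measures set out more detailed requirements on the labelling and pushing of online information that may affect the physical and mental health of minors.
The Measures provide that online product and service providers shall offer users a labelling function that produces a prominent notice, and shall guide and regulate users in flagging online information that may affect the physical and mental health of minors. The Measures also prescribe specific ways of giving notice, including adding a prominent notice label at an appropriate position in various types of content such as text, audio, images, video and virtual scenes [8]. It is worth noting that the notice methods set out in the Measures are largely similar to the format requirements for explicit labels in the Measures for the Labelling of AI-Generated Synthetic Content (《人工智能生成合成內容標識辦法》) [9].
In addition, the Regulations provide that no organisation or individual shall push to minors online information that may affect the physical and mental health of minors [10]. In response to the development of technologies such as AI, the Measures expand this to: “Those providing services such as algorithmic recommendation and generative AI shall establish and improve security management systems and technical measures, and shall not push to minors online information that may affect their physical and mental health.” [11]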
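Reiterating the Requirements of Existing Laws and Regulations
The Measures also reiterate other provisions of the Regulations, for example that online product and service providers shall not present online information that may affect the physical and mental health of minors in prominent positions such as the first screen of the home page and trending searches, and that no organisation or individual shall produce, reproduce, publish or disseminate such information in online products and services that specifically target minors [12].
The Measures also require producers of online information content and online product and service providers to implement the requirements of other existing laws and regulations, including the Provisions on the Governance of the Online Information Content Ecosystem (《網絡信息內容生態治理規定》) and the Provisions on the Governance of Online Violence Information (《網絡暴力信息治理規定》), and to take measures to guard against and resist online information that may affect the physical and mental health of minors [13].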
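Conclusion
The Measures set out specific implementation rules for the provisions of the Regulations concerning online information that may affect the physical and mental health of minors. They provide clear guidance for website platforms, content creators and other parties, and help to strengthen the protection of minors online.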
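[1] Full text: https://www.cac.gov.cn/2026-01/23/c_1770728781060093.htm.
[2] Full text: https://www.cac.gov.cn/2023-10/24/c_1699806932316206.htm. This column also introduced the key requirements of the Regulations in January 2024.
[3] For example, information that may cause or induce minors to imitate unsafe behaviour, engage in acts that violate social morality, develop extreme emotions or form bad habits.
[4] Article 3 of the Measures.
[5] Article 4 of the Measures.
[6] Article 5 of the Measures.
[7] Article 6 of the Measures.
[8] Article 8 of the Measures.
[9] See Article 4 of the Measures for the Labelling of AI-Generated Synthetic Content (《人工智能生成合成內容標識辦法》). Full text: https://www.cac.gov.cn/2025-03/14/c_1743654684782215.htm.
[10] Article 25 of the Regulations.
[11] Article 9 of the Measures.
[12] Article 9 of the Measures.
[13] Article 7 of the Measures.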
|
PCPD 30th Anniversary Presents – Webinar on “AI Applications in Schools and Data Protection”
|
AI technology has developed rapidly and has been increasingly adopted in the education sector. To assist school management and teachers in the proper and responsible use of AI technologies, the PCPD, in collaboration with the Hong Kong Association for Computer Education (HKACE), is organising this webinar to examine the privacy risks arising from the use of AI in schools, provide recommendations on developing internal guidelines and considerations for AI governance, and share practical experiences and recommended measures relating to IT security and daily school operations. Principals and teachers from primary and secondary schools are welcome to attend. The event is supported by the Education Bureau (EDB). Attendees will receive 1.5 CPD hours from the EDB.
Date: 10 March 2026 (Tuesday)
Time: 4:00pm – 5:30pm
Mode: Online
Language: Cantonese
Fee: Free-of-charge
Accreditation: 1.5 CPD hours by the EDB
Who should attend: Principals and teachers of primary and secondary schools
|
Professional Workshop on Recent Court and Administrative Appeals Board Decisions
|
Legal professionals and compliance officers should keep abreast of the latest decisions and arguments of the court and the Administrative Appeals Board relating to personal data privacy. In this regard, the PCPD lawyer will give you a deep dive into those cases and the commonly deployed provisions of the PDPO, strengthening your understanding of the cases from a legal perspective and the knowledge in the interpretation and application of the PDPO.
Date: 4 March 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Language: Cantonese
Fee: $950/$760* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers and compliance officers, company secretaries and administration managers
|
Professional Workshop on Data Protection in Banking/Financial Services
|
The application of fintech has developed rapidly in recent years, changing the landscape of the financial world. Practitioners of the banking and financial industry may face different personal data privacy issues in their business operations. To deal with these new challenges, a clear understanding of the requirements under the PDPO is necessary.
This workshop examines the risks of handling personal data in the daily operations of banking and financial services institutions, and provides practical advice on how to deal with these issues effectively. It is particularly suitable for data protection officers, compliance officers, banking/financial practitioners, company secretaries and solicitors.
Date: 11 March 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Hong Kong Institute of Bankers)
Who should attend: Data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking/financial industry
|
Professional Workshop on Data Protection and Data Access Request
|
Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. For example, employees may ask employers for copies of their previous appraisal reports; patients may request copies of their medical records, etc. Handling DAR properly, effectively and in a timely manner poses a challenge to many organisations.
This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR.
Date: 18 March 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel
|
New Series of Professional Workshops on Data Protection from Apr to Jun 2026:
|
Online Free Seminars – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
|
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Tel: 2827 2827
|
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.
|