PCPD e-NEWSLETTER
ISSUE Mar 2026
|
PCPD and HKIRC Co-organise AI Security and Cybersecurity Summit for Enterprises
|
In today’s digital world, cyberattacks on organisations’ information systems are not just occasional events; they have become a real threat which may lead to the leakage of personal data and financial and reputational damage. Meanwhile, as artificial intelligence (AI) continues to evolve at a rapid pace, organisations of all sizes are eager to harness its transformative potential. However, the application of AI carries challenges, as AI also introduces cybersecurity and personal data privacy risks that must be critically addressed by organisations.
The PCPD and the Hong Kong Internet Registration Corporation Limited (HKIRC) co-organise the AI Security and Cybersecurity Summit for Enterprises (Summit) today (31 March 2026). With the Digital Policy Office acting as a strategic partner, the Summit brings together leading experts, industry leaders, policymakers and company directors to explore the evolving AI security and cybersecurity threat landscape, exchange innovative solutions, and share insights into strengthening cybersecurity and data protection in the age of AI.
|
In Celebration of PCPD’s 30th Anniversary – PCPD Publishes Chinese Storybook Titled “Adventure in the AI Labyrinth” for Primary School Students
|
The PCPD published a new storybook for primary school students titled “Adventure in the AI Labyrinth”.
|
As one of the celebratory activities marking the 30th anniversary of the establishment of the PCPD, the PCPD published a brand new Chinese storybook for primary school students titled “Adventure in the AI Labyrinth” (《AI迷城歷險記》) (Storybook) on 17 March. Through engaging and lively storylines, the Storybook seeks to provide guidance to primary school students to use AI properly and understand the importance of protecting personal data privacy. Other than being a celebratory activity of the PCPD’s 30th anniversary, the publication of the Storybook is also a key initiative under the PCPD’s 30th Anniversary “Privacy Campaign for Primary Schools”. With the support of the Education Bureau, the Storybook will be distributed to all primary schools in Hong Kong as teaching and learning materials for information literacy. The Storybook adopts a virtual‑reality game adventure as its main storyline. Following the journeys of three primary school students exploring the “AI labyrinth”, the Storybook introduces a range of themes relating to the protection of personal data privacy, including the proper use of AI, safe use of social media, appropriate handling of and response to cyberbullying, as well as protecting personal accounts and respecting others’ privacy. The Storybook also includes post‑reading activities to facilitate extended learning in schools, guiding students to adopt good practice in protecting personal data privacy, both in and beyond classrooms, thereby strengthening their judgement and resilience in the digital environment. Download the online version of the Storybook: https://www.pcpd.org.hk/english/resources_centre/publications/books/files/AI_storybook.pdf
|
HKID Card Numbers and Other Personal Identifiers: What Every Organisation Needs to Know
|
PRIVACY COMMISSIONER’S FINDINGS
|
Excessive Collection of Personal Data for the Purposes of Preparing Car Insurance Quotation
|
Your HKID Card Number and Your Privacy
|
PCPD Joins Global Privacy Enforcement Network in Examining Websites and Apps Used by Children
|
PCPD Issues Alert over the Privacy Risks of OpenClaw and Agentic AI and Reminds Organisations and the Public to Use AI Safely
|
Two Men Arrested for Suspected Doxxing Arising from Monetary Disputes
|
Free Online Seminars: Introduction to the PDPO
|
Arrange an In-house Seminar for Your Organisation
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
PCPD Supports the “Stand Out!” Hong Kong Choreography Competition
|
Reaching Out to Education Sector – Privacy Commissioner and PCPD Representatives Speak on AI Security and Data Security
|
Promoting AI Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer
|
Promoting AI Security – Privacy Commissioner Publishes an Article entitled “Privacy Safeguards are Vital for AI Use”
|
Promoting the Safe Use of AI – Privacy Commissioner Attends the Launch Ceremony of the “JC GoAI” Project
|
Event Organised in Celebration of PCPD’s 30th Anniversary – Webinar on “AI Applications in Schools and Personal Data Protection”
|
Safeguarding National Security – the PCPD Convenes Learning Session on White Paper on “Hong Kong: Safeguarding China’s National Security Under the Framework of One Country, Two Systems”
|
PCPD Publishes Investigation Findings on an Incident Relating to the Wrongful Disclosure of Personal Data Through Sample Forms by an Airline Company
|
Reaching Out to the IT Sector – Assistant Privacy Commissioner Speaks at the Luncheon Meeting of the Hong Kong China Network Security Association
|
Reaching Out to the Property Management Sector – Assistant Privacy Commissioner Speaks at a Seminar on “Low-Altitude Economy – Opportunities and Outlook for Smart Property Management”
|
Telling a Good Hong Kong Story – PCPD Receives Delegation of Mainland Legal Officials
|
|
Highlights of the “Draft Regulations on the Collection and Use of Personal Information by Internet Applications” (《互聯網應用程序個人信息收集使用規定(徵求意見稿)》)
|
EU Officials Discuss Alignment on Digital Simplification, Interplay Goals at EDPB Workshop
|
EU: Commission Proposes Single-Entry Point for Cybersecurity and Data Breach Reporting on Digital Omnibus
|
EU: Parliament Publishes Report on Copyright Safeguards for Generative AI Training and Use
|
UK: ICO Emphasises Data Protection in Police Use of Facial Recognition Technology
|
HKID Card Numbers and Other Personal Identifiers: What Every Organisation Needs to Know
|
Organisations across a wide range of sectors — including financial services, telecommunications, property management and healthcare — may at times need to collect Hong Kong Identity Card (HKID card) numbers or copies from members of the public. This is often done to verify identity or to meet security and regulatory requirements. As the HKID card contains highly sensitive personal information, any unauthorised disclosure or mishandling could lead to identity theft or fraud. It is therefore essential that organisations, as data users, adopt a risk‑aware approach when collecting and handling HKID card data. They must also ensure compliance with the Personal Data (Privacy) Ordinance (PDPO) and the “Code of Practice on the Identity Card Number and other Personal Identifiers” (Code) issued by the PCPD.
More importantly, unless authorised by law, no organisation may compel an individual to provide his/her HKID card number. A data user may request it only in circumstances permitted under the Code. Before doing so, however, organisations should first consider whether less privacy‑intrusive alternatives are available.
The following step‑by‑step guide is designed to help organisations align their practices on collection, accuracy, retention, use and security with the Code, particularly in relation to HKID card numbers:
- Step 1: Consider alternatives to collecting HKID card numbers;
- Step 2: Check whether your collection of HKID card numbers comes under one or other of the circumstances where this is permitted in the Code;
- Step 3: Check whether the way you collect HKID card numbers ensures that they are truly the HKID card numbers of the individuals providing them;
- Step 4: Check that you use HKID card numbers only for one or other of the purposes permitted by the Code;
- Step 5: Check that you are not publicly displaying or disclosing HKID card numbers with the names of the HKID card holders and that you are not issuing cards such as staff cards with HKID card numbers printed on them;
- Step 6: Check that you do not keep records of HKID card numbers for longer than is necessary to fulfil the purpose for which they were collected.
For further details, please refer to the “Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users”.
|
PRIVACY COMMISSIONER’S FINDINGS
|
Excessive Collection of Personal Data for the Purposes of Preparing Car Insurance Quotation
|
The Complaint
The complainant intended to purchase a car insurance policy and sought a quotation via a car dealer. The complainant was requested by the car dealer to submit an insurance application form and his identification documents. The car dealer claimed that this was the requirement of the insurance company to provide a quotation. The complainant took the view that the car dealer and the insurance company had collected excessive personal data from him for the purposes of preparing a quotation.
The car dealer stated that being an intermediary, it always followed the company’s instructions in collecting customers’ personal data. The insurance company stated that only basic information of the vehicle was required for preparing a quotation. The insurance company believed that the car dealer had mistakenly handled a request for quotation as an application for insurance.
Outcome
The PCPD considered that for the purposes of providing an insurance policy quotation, it was unnecessary for the insurance company to obtain a completed application form and identification documents from the complainant. Although the insurance company attributed the incident to the car dealer’s failure to adhere to its policy in handling a request for quotation, this did not relieve the insurance company of its liability (as the principal) for the car dealer’s acts in this case.
After the PCPD’s intervention, the insurance company undertook to enhance its communications with the car dealer and provide regular training to its staff, so as to ensure that quotation enquiries were properly dealt with. The car dealer also confirmed that it had clarified with the insurance company the procedures for seeking quotations and that the insurance company had provided written guidelines for its staff to follow.
Lessons Learnt
Intermediary services bring about business opportunities by bridging communications between companies and their clients. When an intermediary wrongfully handles customers’ personal data, the company commissioning the intermediary is also held liable for the intermediary’s negligence.
The insurance company in this case had obviously failed to take steps to issue clear personal data collection guidelines to the car dealer, or monitor its compliance with the guidelines. As a result, the car dealer collected personal data from potential clients seeking quotation information at a premature stage. Such collection of personal data was unnecessary.
Companies can take reference from this case as an example to establish an effective monitoring system, to ensure that their privacy policies are followed by the intermediaries commissioned. Otherwise, negligence of the intermediaries may indirectly damage the companies’ hard-earned reputation.
|
Your HKID Card Number and Your Privacy
|
Your HKID card number is often used by organisations to identify you and keep records of their dealings with you. Sometimes, they may even ask for a copy of your HKID card as evidence. While this can be necessary in certain situations, collecting HKID card numbers or copies without valid justification — or handling them carelessly — can put your privacy at risk and open the door to fraud.
That is why it is important to know your rights. To better understand when you may be asked for this information, and how you can respond, here are some practical actions you can take in everyday scenarios:
- Requests to record your HKID card number: If you are uncomfortable providing your HKID card number, suggest reasonable alternatives. For example, you could offer another form of guarantee (such as a deposit) or ask someone already known to the organisation to confirm your identity;
- Recording your HKID card number: If you believe an organisation has no valid reason to record your number, ask why it is necessary and whether the Code allows it;
- Collecting a copy of your HKID card: If you feel a copy is not justified, question the organisation about why it is needed and whether the Code permits such collection;
- Keeping a copy of your HKID card: If you hand over a copy in person, request that the word “copy” be marked clearly on it while you are present; and
- Transmitting your HKID card copy: When sending a copy of your HKID card by post or email, place it in a sealed envelope or encrypt the file, and mark it “confidential” for the attention of the individual or unit responsible. If you are asked to send a copy by fax, email or other electronic means, consider asking what measures are in place to ensure its security once transmitted. Possible safeguards include access controls and the use of a dedicated email address or fax machine located in a secure area for receiving confidential documents.
For more details, please refer to the information leaflet of “Your Identity Card Number and Your Privacy”.
|
Reaching Out to Education Sector – Privacy Commissioner and PCPD Representatives Speak on AI Security and Data Security
|
Privacy Commissioner Ms Ada CHUNG Lai‑ling, and representatives of the PCPD attended the workshop titled “Media and Information Literacy (MIL) Series: (6) Workshop on Responsible Information Handling Where Personal Data Meets Artificial Intelligence” on 26 March to elaborate on AI security and data security to teachers. The workshop was co‑organised by the Education Bureau and the Journalism Education Foundation. The Privacy Commissioner delivered a presentation titled “Understanding AI Security and Privacy Risks in Schools”, explaining to participants the personal data privacy risks that may arise from the use of AI in schools, as well as how to prevent and handle AI deepfake incidents. She also shared recommendations for developing internal guidelines on the use of generative AI for teaching staff and students. In addition, Manager (Corporate Communications) of the PCPD Mr Eric PHENG introduced the Data Protection Principles and shared real-life cases of data breach incidents involving schools. During the workshop, representatives of the PCPD also introduced the steps for anonymising personal data and guided participants to use the deepfake technology through trial-and-error to generate portraits of individual persons. Please click here for the presentation deck (Chinese only).
|
Promoting AI Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Risks Brought by AI Deepfake” on Hong Kong Lawyer. In the article, the Privacy Commissioner pointed out that when AI deepfake technologies are exploited for malicious purposes such as cyberbullying and scams, they can inflict profound and lasting harm to individuals. She emphasised that any collection and use of personal data to create deepfakes is subject to the requirements of the PDPO. The Privacy Commissioner also introduced the “Abuse of AI Deepfakes: Toolkit for Schools and Parents” (Toolkit) published by the PCPD in December 2025. The Toolkit provides practical recommendations to schools and parents, aiming to assist them in handling deepfake incidents involving children and young people, as well as safeguarding their privacy in relation to personal data. Please click here to read the article.
|
Promoting AI Security – Privacy Commissioner Publishes an Article entitled “Privacy Safeguards are Vital for AI Use”
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Privacy Safeguards are Vital for AI Use”. In the article, the Privacy Commissioner pointed out that AI deepfake technologies can generate seemingly realistic but falsified images, audio and video, which can inflict profound and lasting harm on individuals when exploited for malicious purposes. The Privacy Commissioner elaborated on the PCPD’s work in promoting AI security at the international level, including the signing of the “Joint Statement on Building Trustworthy Data Governance Frameworks to Encourage Development of Innovative and Privacy-protecting AI” at the 47th Global Privacy Assembly Conference in September 2025 and issuance of the “Joint Statement on AI-Generated Imagery and the Protection of Privacy” together with 60 privacy or data protection authorities from around the world in February 2026. The Privacy Commissioner used the recent emergence of agentic AI as an example, pointing out that despite the advancement of AI technologies, any collection and use of personal data is subject to the requirements of the PDPO. The Privacy Commissioner emphasised that, in the race to tap into AI’s huge potential, we should proactively align with the 15th Five-Year Plan and adhere to the principle of ensuring both development and security. The development and deployment of AI systems should, from the outset, be guided by the principles of protecting personal data privacy to minimise the privacy risks involved. The article was published in China Daily on 24 March. Please click here to read the article.
|
Promoting the Safe Use of AI – Privacy Commissioner Attends the Launch Ceremony of the “JC GoAI” Project
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Launch Ceremony of the “JC GoAI” Project on 12 March.
The “JC GoAI” Project is a city-wide education project created and funded by The Hong Kong Jockey Club Charities Trust in collaboration with the Chinese University of Hong Kong. The project aims to empower teachers to confidently use AI to assist teaching across all subjects, while nurturing generative AI literacy and practical abilities in students. The PCPD participates in the work of the “JC GoAI” Project’s Safety & Governance Sub-committee and provides recommendations from the perspective of personal data privacy on matters related to the safety, risk management, protection, policy, compliance and management of AI platforms under the project.
|
Event Organised in Celebration of PCPD’s 30th Anniversary – Webinar on “AI Applications in Schools and Personal Data Protection”
|
To mark the 30th anniversary of the PCPD, the PCPD is launching a series of seminars on data security and AI security. Among them, a webinar for the education sector entitled “AI Applications in Schools and Data Protection” was successfully held on 10 March. The webinar was co-organised by the PCPD together with the Hong Kong Association for Computer Education (HKACE), and was supported by the Education Bureau and Hong Kong Education City. The event attracted an audience of over 710 principals and teachers. During the webinar, Privacy Commissioner Ms Ada CHUNG Lai-ling discussed the privacy risks arising from the use of AI in schools, and provided recommendations on the development of internal AI guidelines and considerations for AI governance. In addition, Mr CHU Ka-tim, Chairman of the HKACE and Principal of Shatin Pui Ying College; Mr CHOW Shu-on, Vice Chairman of the HKACE and Assistant Principal of PHC Wing Kwong College; and Mr Derek LUI, Head of Technology of Hong Kong Education City, shared their practical experiences on the use of AI in daily school operations and some recommended measures relating to information technology security.
Please click here to download the Privacy Commissioner’s presentation deck (Chinese only). Please click here to download Mr LUI’s presentation deck (Chinese only). Please click here to download Mr CHU’s presentation deck (Chinese only). Please click here to download Mr CHOW’s presentation deck (Chinese only).
|
Safeguarding National Security – the PCPD Convenes Learning Session on White Paper on “Hong Kong: Safeguarding China’s National Security Under the Framework of One Country, Two Systems”
|
The PCPD convened a learning session on the white paper entitled “Hong Kong: Safeguarding China’s National Security Under the Framework of One Country, Two Systems” (White Paper) on 3 March. Privacy Commissioner Ms Ada CHUNG Lai-ling chaired the session, which was convened to enable colleagues of the PCPD to study and better comprehend the White Paper’s important contents and requirements, while enhancing their awareness on national security. At the session, colleagues of the PCPD learnt and discussed the contents of the White Paper, including the fight for safeguarding national security in Hong Kong; the respective responsibilities of the Central Government and the HKSAR in safeguarding national security under “One Country, Two Systems”; Hong Kong’s transformation from disorder to stability and prosperity; and the six principles required in creating high-standard security for the high-quality development of the “One Country, Two Systems” policy.
|
PCPD Publishes Investigation Findings on an Incident Relating to the Wrongful Disclosure of Personal Data Through Sample Forms by an Airline Company
|
The PCPD has completed its investigation into an incident relating to the wrongful disclosure of customers’ personal data through sample forms by an airline company. The investigation arose from a complaint received by the PCPD in which a passenger of the airline company (the Complainant) alleged that the personal data of two passengers and two related persons were disclosed to him through sample forms attached to an email sent by a ground service agent of the airline company stationed in Phu Quoc in Vietnam. The PCPD has commenced an investigation into the incident and conducted five rounds of enquiries with the airline company. According to the information obtained during the investigation, the Complainant claimed compensation from the relevant airline company for delayed baggage regarding the flight that he took from Hong Kong to Vietnam and received an email from its ground service agent at the outport in Phu Quoc in Vietnam. Two sample forms were attached to the relevant email for the Complainant to make reference to when completing the forms for the settlement of his compensation claim, and real personal data of two passengers and two related persons were contained in the sample forms which included their names, flight details and/or bank account details. The relevant airline company admitted that the staff in question did not follow the instructions set out in the Ground Operations Manual and the training materials.
Having considered the circumstances of the incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of the airline company were the main contributing factors of the occurrence of the incident:-
- Failure to take effective measures to raise the awareness of the staff members of the ground service agent of the requirements relevant to personal data privacy as set out in the Ground Operations Manual, and of the need to protect personal data privacy;
- Failure to provide sufficient and regular training to the staff members of the ground service agent; and
- Failure to monitor the performance of ground handling agents.
The Privacy Commissioner found that the airline company had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the PDPO concerning the security of personal data. The Privacy Commissioner has served an Enforcement Notice on the airline company, directing it to take measures to remedy the contravention and to prevent recurrence of similar contraventions in future. The full version of the investigation findings can be downloaded here.
|
Reaching Out to the IT Sector – Assistant Privacy Commissioner Speaks at the Luncheon Meeting of the Hong Kong China Network Security Association
|
The Assistant Privacy Commissioner for Personal Data (Legal) of the PCPD Ms Fiona LAI Ho-yan delivered the opening remarks at the “AI & Data Privacy Luncheon” organised by the Hong Kong China Network Security Association on 25 March. At the luncheon meeting, Ms LAI discussed how enterprises could address the privacy risks arising from the use of AI. She also introduced the recommendations on AI governance and the best practices provided in the “Artificial Intelligence: Model Personal Data Protection Framework” published by the PCPD, along with the recommendations for developing internal policies or guidelines on the use of generative AI by employees set out in the “Checklist on Guidelines for the Use of Generative AI by Employees”. Please click here for the presentation deck.
|
Reaching Out to the Property Management Sector – Assistant Privacy Commissioner Speaks at a Seminar on “Low-Altitude Economy – Opportunities and Outlook for Smart Property Management”
|
The Assistant Privacy Commissioner for Personal Data (Legal) of the PCPD Ms Fiona LAI Ho-yan delivered a speech at a seminar on “Low-Altitude Economy – Opportunities and Outlook for Smart Property Management” jointly organised by the City University of Hong Kong, the Greater Bay Area Low Altitude Economy Alliance and the Smart City Consortium on 13 March. At the seminar, Ms LAI introduced the “Guidance on the Use of Video Cameras on Drones and Vehicles” and the “Guidance on the Use of CCTV Surveillance” issued by the PCPD. She also shared practical recommendations and best practices set out in the guidance documents on using drones for surveillance, to assist organisations in complying with the relevant requirements under the PDPO while making effective use of these technologies. Please click here for the presentation deck (Chinese only).
|
Telling a Good Hong Kong Story – PCPD Receives Delegation of Mainland Legal Officials
|
The PCPD received a delegation of Mainland legal officials on 9 March. The delegation comprised 12 officials representing the Justice Departments/Bureaux of seven Mainland provinces and municipalities, the Hong Kong and Macao Affairs Office of the State Council, and the Legal Affairs Bureau of Macao SAR Government. PCPD’s representatives, Senior Legal Counsel Ms Clemence WONG and Head of Corporate Communications Ms Phoebe CHOW delivered a presentation to the delegates. The presentation provided an overview of Hong Kong’s law protecting personal data privacy, the roles and functions of the PCPD, and outlined the PCPD’s work in handling complaints, combating doxxing offences and promoting the protection of personal data privacy.
|
PCPD Joins Global Privacy Enforcement Network in Examining Websites and Apps Used by Children
|
The PCPD collaborated with 26 privacy enforcement authorities around the world in carrying out the 2025 Global Privacy Enforcement Network (GPEN) Sweep earlier under the theme of “Children’s Privacy”. The exercise examined almost 900 websites and mobile applications (apps) used by children, and a global joint report was issued on 25 March. The participating authorities included those from Australia, Canada, France, Macao SAR China, New Zealand and the United Kingdom. The purpose behind the GPEN Sweep is to encourage organisations to comply with privacy and data protection legislation, while promoting cooperation between privacy enforcement authorities across the globe. During the Sweep period between 3 and 7 November 2025, participating authorities examined 876 websites and mobile apps designed specifically for children or popular with them across multiple sectors, including education, gaming, social media, shopping, video streaming, health and fitness, music streaming, and photo editing. The Sweep evaluated these websites and mobile apps based on five indicators, namely (i) age assurance; (ii) collection of children’s data; (iii) protective controls; (iv) account deletion; and (v) inappropriate content and high-risk design features, and compared the results to a similar sweep conducted by the GPEN in 2015. The Sweep found that some platforms adopted good practices to protect children and their personal data, such as providing notifications advising children not to use their real names or upload images. However, some practices raised concerns about children’s privacy, and some risks may have increased compared with 2015. For example, more online services used by children now require users to provide their personal data to access the full functionality of the platform. Compared with 2015, there was an increase in the mandatory collection of certain types of children’s personal data, including names (from 29% to 41%) and phone numbers (from 12% to 18%).
Most platforms also indicated in their privacy policies that they may share children’s personal data with third parties (from 51% to 85%). Privacy Commissioner Ms Ada CHUNG Lai-ling fully supports closer collaboration of the global privacy protection community to protect the fundamental rights of children. The salient findings of the Sweep based on five indicators include the following:
- Age assurance: 45% of websites and apps reviewed deployed some forms of age assurance, which represented an increase of 30% from 15% in 2015. For 72% of websites and mobile apps reviewed, age assurance measures could be circumvented, most often where self-declaration was used;
- Collection of children’s data: 96% of websites and mobile apps had privacy policies in place, while only 56% had the personal data collected set to private by default. More than half (59%) of the websites and mobile apps required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, there was an increase in the collection of certain types of personal data, such as names (from 29% to 41%) and phone numbers (from 12% to 18%), compared with 2015;
- Protective controls: 71% of the websites and mobile apps did not provide information about protective controls and privacy protective practices that were tailored to children;
- Account deletion: More than one third (36%) of the websites and mobile apps did not provide an accessible way to delete accounts; and
- Inappropriate content and high-risk design features: Bullying, abusive or hateful content was found in 15% of services, while sexual content appeared in 11% of services. Only 35% of the websites and apps identified as having high-risk data processing and design features for children had privacy communications, such as pop-up messages, directing children to seek permission from their parents to continue using the website or mobile app.
The participating authorities encourage websites and mobile apps, particularly those designed for, or popular with, children to adopt child-friendly and privacy-protective practices to contribute to children’s well-being online, including the following: (i) limiting the collection of personal data; (ii) designing the services to be privacy-protective by design and by default; and (iii) using age assurance mechanisms appropriate to the level of risk on their platforms. Download the Sweep report (available in English and French): https://privacyenforcement.net/node/1598
About Global Privacy Enforcement Network (GPEN)
Founded in 2010, the GPEN aims to facilitate cross-border cooperation among privacy enforcement authorities. The PCPD has been a member of the GPEN since 2014 and has continued to be a member of the Executive Committee of the GPEN since 2016.
|
PCPD Issues Alert over the Privacy Risks of OpenClaw and Agentic AI and Reminds Organisations and the Public to Use AI Safely
|
The PCPD noted that the security risks related to the use of OpenClaw and other agentic AI have provoked discussion recently. The PCPD is also concerned about the matter and reminds organisations and members of the public that before deploying or using OpenClaw and other agentic AI, they should pay attention to and understand the personal data privacy and security risks involved to avoid personal data breaches, malicious system takeovers and cybersecurity threats. They are also reminded to adopt adequate and effective security measures to safeguard personal data privacy. The PCPD pointed out that compared to AI chatbots, which are generally used for text replies, content summary or content generation, agentic AI is more versatile in terms of functionality. Agentic AI is usually a tool with high-level access that can be deployed on a local device or server. It can read and write local files, allocate system resources, handle external services, or even autonomously act on behalf of the user to execute multi-step tasks according to a pre-defined workflow, such as handling emails, making restaurant reservations and settling payments. The relevant processes do not require real-time involvement of users. Therefore, from the perspective of protecting personal data privacy, agentic AI generally poses higher risks than ordinary AI chatbots. For instance:
- The default access right of agentic AI is generally higher than that of AI chatbots, allowing it to access files, emails, account credentials of devices and contents saved in browsers, etc. If the settings of the relevant access rights lack stringent restrictions, the agentic AI may access a vast amount of the personal data of users or other individuals, resulting in increased risks of unauthorised access or reproduction of personal data by third parties, and even data breaches. At the same time, agentic AI may also misinterpret the commands from users and mistakenly delete their important data, such as mistakenly deleting all email records of the users;
- If there are any vulnerabilities in the system design or safety controls of agentic AI that has high-level access and access to multiple systems and data sources, this will pose significant risks to personal data privacy and data security as a whole; and
- If the agentic AI allows users to install Plugins or Skills, and some of the Plugins or Skills have not undergone rigorous security reviews, malicious code might be embedded in those Plugins or Skills. Hackers may then exploit the vulnerability(ies) to gain unauthorised access and take over user accounts, or further take control of the entire computer system, leading to leakage of personal data or other sensitive data.
The PCPD suggests that when collecting, using and processing personal data with agentic AI, organisations and members of the public should pay particular attention to the following:
- Grant the minimum access right to agentic AI: Users should carefully consider the nature and sensitivity of the personal data involved. Do not provide your personal data to agentic AI arbitrarily, especially when this involves confidential or sensitive personal data, such as identification documents, bank account numbers and passwords. Only the minimum access rights necessary to complete the tasks should be granted to agentic AI. Avoid granting administrator account rights to AI;
- Use the latest official version: Users should only download the latest versions of agentic AI from official channels and should avoid using third-party versions or outdated versions to reduce the risks of data breach incidents arising from unpatched system vulnerabilities;
- Adopt adequate measures to ensure system security and data security, such as separating the runtime environment of agentic AI from local devices or servers, strengthening network controls, strictly managing Internet-facing surfaces, lowering access rights and establishing effective protection mechanisms;
- Install and use Plugins or Skills with caution: Verify that the relevant programmes are the official versions to ensure their security; review the programmes to check whether malicious code is embedded and refrain from using them if their security cannot be ascertained; and
- Conduct continuous risk assessments: Users should continuously assess the risks involved in using agentic AI and watch out for any request by the agentic AI to execute high risk operations. If the decisions made by agentic AI are likely to have a significant impact on individuals, users should consider adopting a “human-in-the-loop” approach to retain the final control in decision-making processes, such as transmission of data and modification of system configurations.
Organisations can refer to the guidance titled “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) published by the PCPD when collecting, using and processing personal data with AI tools. The Model Framework reflects prevailing international norms and best practices, including recommendations on formulating policies and frameworks on AI governance with a view to enhancing the protection of personal data privacy and complying with the relevant requirements of the PDPO.
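One way to enforce the minimum-access, plugin-allowlist and human-in-the-loop suggestions above in front of an agent's tool calls, as an added example that is not PCPD or OpenClaw code. The tool names, workspace path and credential denylist are constructed assumptions.

```python
from dataclasses import dataclass
from pathlib import Path

# Constructed policy for a hypothetical agent runtime; every name is illustrative.
WORKSPACE = Path("/srv/agent/workspace").resolve()   # the only directory granted
READ_ONLY_TOOLS = {"read_file", "list_dir"}
WRITE_TOOLS = {"write_file"}
# Data transmission, deletion, payments and configuration changes need a person.
HIGH_RISK_TOOLS = {"send_email", "http_post", "delete_file",
                   "modify_config", "make_payment"}
# File names that commonly hold credentials or browser secrets.
SENSITIVE_NAMES = {".env", "id_rsa", "credentials", "cookies.sqlite", "login data"}


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "deny" or "ask_human"
    reason: str


def _inside_workspace(raw_path: str) -> bool:
    """True only if the path, after resolving '..' and symlinks, stays in WORKSPACE."""
    resolved = (WORKSPACE / raw_path).resolve()
    return resolved == WORKSPACE or WORKSPACE in resolved.parents


def authorize(tool: str, args: dict, human_approved: bool = False) -> Decision:
    """Decide whether one tool call requested by the agent may run."""
    known = READ_ONLY_TOOLS | WRITE_TOOLS | HIGH_RISK_TOOLS
    if tool not in known:
        # Unreviewed Plugins or Skills are denied by default.
        return Decision("deny", "tool or plugin is not on the reviewed allowlist")
    path = args.get("path")
    if path is not None:
        if not _inside_workspace(path):
            return Decision("deny", "path is outside the agent workspace")
        if Path(path).name.lower() in SENSITIVE_NAMES:
            return Decision("deny", "file is on the credential denylist")
    if tool in HIGH_RISK_TOOLS and not human_approved:
        return Decision("ask_human", "high-risk operation needs explicit approval")
    return Decision("allow", "within the rights granted for this task")


if __name__ == "__main__":
    # Constructed requests, as an agent might emit them.
    samples = [
        ("read_file", {"path": "notes/todo.txt"}),
        ("read_file", {"path": "../../etc/passwd"}),
        ("read_file", {"path": "backup/.env"}),
        ("delete_file", {"path": "mail/inbox.mbox"}),
        ("unreviewed_skill", {}),
    ]
    for tool, args in samples:
        d = authorize(tool, args)
        print(f"{tool:17} {args!s:32} -> {d.action}: {d.reason}")
```

The gate only limits what the agent asks for; the runtime should still run under a non-administrator account in a separated environment, so a bypass of the gate does not inherit broad rights.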
|
Two Men Arrested for Suspected Doxxing Arising from Monetary Disputes
|
The PCPD arrested a Chinese male aged 48 (arrested person A) and a Chinese male aged 20 in the New Territories and Kowloon respectively on 10 March. The two arrested persons were suspected to have disclosed the personal data of the data subject without his consent, in contravention of section 64(3A) of the PDPO.
The PCPD’s investigation revealed that the victim operates a real estate agency business. In 2025, arrested person A and the victim jointly purchased a unit of a village house as an investment. Shortly thereafter, arrested person A sought to withdraw from the investment and requested the victim to refund his contribution with interest, but no agreement could be reached between them. In January 2026, two different flyers were posted outside the premises of the victim’s company, alongside some negative comments against the victim, accusing him of failing to repay a debt and disclosing the victim’s personal data, including the victim’s Chinese name and photos, one of which was a photo of the victim’s family members.
The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is not a means to resolve disputes as it would only escalate conflicts. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —
a. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
b. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if —
a. The person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
b. The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means —
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
|
Highlights of the “Draft Regulations on the Collection and Use of Personal Information by Internet Applications” (《互聯網應用程序個人信息收集使用規定(徵求意見稿)》)
|
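To regulate the collection and use of personal information by internet applications, protect rights and interests in personal information, and promote the reasonable use of personal information, the Cyberspace Administration of China issued the “Draft Regulations on the Collection and Use of Personal Information by Internet Applications” (Draft Regulations) [1] for public consultation on 10 January 2026. The consultation period ended on 9 February 2026. The Draft Regulations set out specific obligations for internet application operators, SDK operators, application distribution platform operators and smart terminal manufacturers. This article provides an overview of the Draft Regulations. The highlights are as follows:
Scope of application [2]
The Draft Regulations state that the collection and use of personal information in the course of operating internet applications (applications) within China must comply with their provisions, as must software development kits (software libraries that assist software development, SDKs), distribution platforms (for example app stores and mini-program platforms), smart terminals (mobile communication terminal products on which users can install and uninstall application software themselves) and others that provide services for the collection and use of personal information by applications. The Draft Regulations apply equally to activities in which applications collect and use, outside China, the personal information of natural persons within China.
General provisions
The Draft Regulations emphasise that the collection and use of personal information should follow the principles of lawfulness, legitimacy, necessity and good faith; that personal information subjects should be fully informed of the collection and use rules and their consent obtained; and that collection must not exceed the stated scope, among others [3].
The Draft Regulations propose that application operators and SDK operators bear primary responsibility for the personal information collection and use activities, and the security protection, of the applications and SDKs they respectively operate. In addition, application operators are to fulfil review obligations in accordance with the law in respect of embedded SDKs, distribution platform operators in respect of the applications they distribute, and smart terminal manufacturers in respect of pre-installed applications [4].
Security management requirements for each party
The Draft Regulations set out corresponding security management requirements for each party. The key points are extracted below: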
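Applications
- Formulate and publish rules on the collection and use of personal information, setting out the purpose, means and types of personal information collected and used by each function or service, as well as the names of the permissions invoked, the frequency of invocation, etc. [5]
- Applications with 50 million or more registered users, or 10 million or more monthly active users, and complex business types should publicly solicit comments when updating their personal information collection and use rules [6].
- On first launch, users should be informed of the personal information collection and use rules by conspicuous means such as a pop-up window, and their informed and explicit consent should be obtained [7].
- Applications must not collect or use the personal information of personal information subjects other than the user by invoking contacts, call log or SMS permissions [8].
- Permission invocations must be directly related to the current functional scenario; personal information should be collected only when the user uses a specific function, at the minimum frequency and within the minimum scope required [9].
- When a user deregisters an account, the user must not be required to additionally provide personal information beyond the scope already collected, such as facial images or photos of the user holding an identity card, except where genuinely necessary for situations such as guarding against black and grey market activities [10].
- If multiple applications under the same group use a unified account, users should be allowed to choose to deregister the account for one of the applications, or to disable that account’s access to the application concerned [11].
- Application operators should agree with embedded SDKs on the purpose, means and types of personal information collected and used, on security protection responsibilities and on liability for breach, and should conduct reviews to ensure that the SDKs’ actual personal information collection and permission invocation behaviour is consistent with the relevant content declared in the application’s personal information collection and use rules [12].
SDK
- If an SDK collects and uses personal information, rules on the collection and use of personal information should be formulated and published on the product’s official website [13]. Personal information must not be collected and used beyond the scope declared in those rules, or beyond the minimum scope and minimum frequency needed to realise business functions [14].
- Applications should be allowed to manage and configure the SDK’s personal information collection behaviour according to different functional needs [15].
- Effective means and channels should be established to respond directly to users’ requests to access, correct, delete or otherwise handle personal information [16].
Distribution platforms
- Applications without personal information collection and use rules, without an account deregistration function or without a channel for deleting personal information are not to be listed [17].
- Where the relevant authorities have determined that an application collects and uses personal information in violation of laws and regulations, distribution platforms should actively cooperate in taking measures such as issuing warnings and ceasing distribution [18].
Smart terminals
- When an application requests permissions such as camera, contacts or location, the smart terminal operating system should obtain the user’s consent through a pop-up window and provide fine-grained authorisation options based on time, frequency, precision, etc. [19]
- Users should be alerted, by a conspicuous indicator in a conspicuous position such as the top of the screen, to permissions currently being invoked, such as microphone, camera and location; applications’ permission invocations and related information should also be truthfully recorded and displayed in one place [20].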
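Supervision and administration
In addition to setting out the division of supervisory responsibilities between the national cyberspace administration and other competent authorities, the Draft Regulations provide that application operators should accept users’ reports on personal information issues concerning SDKs and urge SDK operators to make rectifications; distribution platform operators and smart terminal manufacturers should likewise accept reports concerning applications and urge application operators to make rectifications [21].
Conclusion
Centring on the collection and use of personal information by applications, the Draft Regulations clarify the responsibilities to be borne by application operators, SDK operators, distribution platform operators and smart terminal manufacturers, and set out detailed security management requirements. The operators and manufacturers concerned are advised to study the requirements closely and take corresponding measures once the Draft Regulations are finalised.
[1] Full text: https://www.cac.gov.cn/2026-01/10/c_1769603446094128.htm
[2] Articles 2 and 38 of the Draft Regulations.
[3] Article 3 of the Draft Regulations.
[4] Article 4 of the Draft Regulations.
[5] Article 7 of the Draft Regulations.
[6] Article 8 of the Draft Regulations.
[7] Article 9 of the Draft Regulations.
[8] Article 10 of the Draft Regulations.
[9] Article 13 of the Draft Regulations.
[10] Article 18 of the Draft Regulations.
[11] Ibid.
[12] Article 19 of the Draft Regulations.
[13] Article 22 of the Draft Regulations.
[14] Article 23 of the Draft Regulations.
[15] Article 24 of the Draft Regulations.
[16] Article 25 of the Draft Regulations.
[17] Article 26 of the Draft Regulations.
[18] Article 28 of the Draft Regulations.
[19] Article 30 of the Draft Regulations.
[20] Article 32 of the Draft Regulations.
[21] Article 34 of the Draft Regulations.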
|
PCPD 30th Anniversary Presents – Effective Data Governance in Action: Experience Sharing Session by Privacy-Friendly Awardees 2025
|
As one of the events to commemorate its 30th Anniversary, the PCPD will organise an experience sharing session featuring Outstanding Gold Awardees of the “Privacy-Friendly Awards 2025”, with a view to assisting enterprises in adopting strong data governance and fostering a privacy-centric culture. The invited organisations, covering the banking, insurance and data management sectors, will share their hands-on experiences and practical insights in implementing robust data governance policies, including managing and safeguarding customers’ sensitive personal data at scale. Through real-life examples, they will also highlight the measures they have undertaken to strengthen data security and showcase how technology can be leveraged to enhance privacy protection.
Data protection officers, data security practitioners, compliance officers, legal professionals and organisations who are interested in enhancing data governance and data security are welcome to attend.
Date: 14 April 2026 (Tuesday)
Time: 3:30pm – 5:30pm
Mode: Hybrid (*Light refreshments will be served at the physical venue.)
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $200/free of charge* (*Members of the DPOC and awardees of the Privacy-Friendly Awards 2025 may enjoy the free offer)
Who should attend: Data protection officers, data security practitioners, compliance officers, legal professionals and organisations who are interested in enhancing data governance and data security
|
Professional Workshop on Data Protection in Property Management Practices
|
Property management practitioners often face challenges in personal data protection in their daily operations as many aspects of their work involve the collection and use of personal data of flat owners, residents, car park users and others. This workshop aims to assist property management practitioners in understanding the application of the PDPO in their daily work, and to provide practical guidance to the participants on how to comply with the requirements under the PDPO.
Date: 15 April 2026 (Wednesday)
Time: 2:15pm – 4:15pm
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 2 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Property management personnel, data protection officers, compliance officers, solicitors, members of owner’s corporation
|
Practical Workshop on Data Protection Law
|
With the growing public awareness of and expectations for the protection of personal data privacy, it has become a norm for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence.
This workshop will examine the practical application of the PDPO at work by the sharing of real-life cases and providing practical advice. This workshop is particularly suitable for barristers, solicitors, in-house legal counsels, data protection officers and compliance officers.
Date: 22 April 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Language: Cantonese
Fee: $950/$760* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers, compliance officers
|
New Series of Professional Workshops on Data Protection in May and Jun 2026:
|
Online Free Seminars – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
|
PCPD Supports the “Stand Out!” Hong Kong Choreography Competition
|
The “Stand Out!” Hong Kong Choreography Competition Final, organised by the School of Creative Arts (SCA), Hong Kong Baptist University, will be held on 7 April at 19:00 at Youth Square Y Theatre! Young dancers will showcase original choreography interpreting the “Power of the Bystander” to raise awareness about cyberbullying. Join the SCA in witnessing how dance speaks for society and support youth creativity!
Please click here for more details.
|
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Tel: 2827 2827
|
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.