Fulfil Civic Responsibility – Privacy Commissioner Issues a Letter Urging Colleagues to Lead by Example and Actively Cast their Votes in the Legislative Council General Election

The 2025 Legislative Council General Election will be held on 7 December. Privacy Commissioner Ms Ada CHUNG Lai-ling issued a letter on 30 October, urging colleagues of the PCPD, their families and friends to actively cast their votes on the polling day to fulfil their civic responsibilities.

Privacy Commissioner’s Office Issues New Guidance and Leaflets
on the Use of CCTV System and Video Cameras on Drones and Vehicles

With the advancement of technology, the use of CCTV systems for purposes such as security and surveillance has become increasingly common across different industries. In tandem, the HKSAR Government has been actively driving the development of low-altitude economy. Pursuant to the strategic directions as set out in the Chief Executive's 2025 Policy Address, the Government is dedicated to building a low-altitude economy ecosystem and formulating the Action Plan on Developing Low-Altitude Economy, to propel Hong Kong as an Asia-Pacific hub for innovative low-altitude applications. In addition, the Government also plans to complete the installation of in-vehicle cameras in all taxis by 2026 to improve the overall quality of taxi services and protect the safety and interests of both drivers and passengers.
 
The “Guidance on the Use of CCTV Surveillance” provides an overview of the considerations for deploying CCTV systems and covers topics such as the lawful and fair collection of personal data, the necessity, proportionality and transparency of the use of CCTV systems, as well as the requirements for retention and security of CCTV footage. The guidance also offers practicable recommendations on conducting privacy impact assessments, providing clear notices, and the appropriate circumstances for using CCTV footage.
 
On the other hand, the “Guidance on the Use of Video Cameras on Drones and Vehicles” outlines the privacy risks associated with these video camera-based devices and sets out practicable guidance on avoiding excessive collection of personal data, notifying affected individuals and the security of recorded footage. The guidance also provides a sample sticker on the notice for in-vehicle cameras for use in passenger carrying vehicles.
 
Furthermore, to assist the public in understanding the key points regarding the use of CCTV systems, drones and in-vehicle cameras, the PCPD also published two information leaflets titled “Tips on the Use of CCTV Surveillance” and “Responsible Use of Drones and In-Vehicle Cameras” summarising the key points to note for data users (See Annex 1 for details).

Mid-Autumn Gathering with the Elderly –
Privacy Commissioner’s Office Volunteer Team Organises
a Caring Event and Fraud Prevention Seminar

The Volunteer Team of the PCPD hosted a caring event and fraud prevention seminar on 3 October at the Yue Wan Community Hall, engaging with around 200 elders from the Eastern District in celebration of the Mid-Autumn Festival. Privacy Commissioner Ms Ada CHUNG Lai-ling shared the latest information on fraud prevention with the elders, while renowned media professional Ms Candy CHEA Shuk-mui joined the event as guest host. The two interacted with the elders through lantern riddles and mini games to strengthen their awareness of fraud prevention.

In addition, renowned media professional Ms Candy CHEA Shuk-mui hosted a lively session featuring lantern riddles and quiz games, and invited the elderly to share their personal experiences on scams, with a view to fostering greater awareness while creating resonance with the participants. The event also featured a lucky draw, where several lucky ones received healthy mooncakes and gifts. Besides, the Volunteer Team presented Mid-Autumn gift bags to the elderly. The gift bags contained low-sugar mooncakes and seasonal fruits, conveying warmth and festive blessings to the elders. The atmosphere was joyful and lively, with laughter echoing throughout the event.

Since its establishment in 2022, the PCPD Volunteer Team has actively engaged with the community. The Team has conducted multiple visits to elderly centres, made home visits to elderly couples and elders who lived alone, and helped prepare meal boxes for the needy. During the COVID-19 pandemic, the Team donated anti-epidemic medical supplies to various social welfare organisations to spread good wishes and loving messages to the needy ones.

 

Please click here for the Privacy Commissioner’s presentation deck (Chinese only).

Reporting to Legislative Council – Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Meeting of the Legislative Council Panel on Constitutional Affairs

The Secretary for Constitutional and Mainland Affairs (SCMA), Mr Erick TSANG Kwok-wai, GBS, IDSM, JP, attended the Policy Briefing meeting of the Legislative Council (LegCo) Panel on Constitutional Affairs on 2 October to brief Panel members on the Chief Executive’s 2025 Policy Address. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to answer questions raised by members on the protection of personal data privacy and the work of the PCPD.

During the meeting, the Privacy Commissioner pointed out that the PCPD supports the development of smart city. The PCPD has always provided professional advice to the Government from the perspective of the protection of personal data privacy. She stated that there is no inherent conflict between advancing smart city initiatives and safeguarding personal data privacy; rather, the two can complement each other. The PCPD also welcomes the Chief Executive’s proposal in the Policy Address on the establishment of an inter-departmental working group by the Department of Justice to review the legal framework required for the broader application of artificial intelligence (AI). The PCPD is pleased to provide to the working group its views from the perspective of the protection of personal data privacy.

On combatting doxxing, the Privacy Commissioner stated that the PCPD has been taking robust enforcement actions against doxxing-related offences. The number of doxxing cases uncovered by the PCPD’s online patrols has dropped by 90% when compared to that of 2022. Cases of doxxing relating to political disputes have also significantly declined, now accounting for only 1% of the total. In addition, the PCPD has consistently carried out various publicity and educational activities to combat doxxing and cyberbullying. These include organising anti-doxxing school tours to deliver talks at secondary schools, as well as publishing informational leaflets. By the end of August 2025, over 24,900 students from 80 schools have participated in the aforesaid talks.
 
Please click here for the paper provided by the Constitutional and Mainland Affairs Bureau to the LegCo Panel on Constitutional Affairs.
Please click here for the opening remarks of the SCMA (Chinese only).

PRIVACY 101

Why Anonymisation Should Be Part of Your Data Protection Strategy

Data breaches are on the rise across organisations of all sizes, driven by increasingly sophisticated cyberattacks. Although awareness of data security has grown, hackers are evolving in parallel, exploiting systemic vulnerabilities and targeting high-value personal data. In today’s AI-driven economy, personal data has become more valuable and vulnerable than ever, as it can be used to train intelligent systems and refine predictive models.

 

While many organisations have fortified their cybersecurity infrastructure, safeguarding personal data demands more than technical defences. Another strategic measure is anonymisation – a process that transforms identifiable information into data that cannot be traced back to individuals. When implemented effectively, it also serves as a critical layer in a multi-faceted approach to personal data protection. For example, industries such as healthcare, finance, marketing and retail routinely process large volumes of personal data. Anonymisation offers a pragmatic way to reduce exposure to risk while preserving the utility of personal data for analysis, reporting, or innovation.

 

Here are the recommended steps for organisations to apply anonymisation in practice:

• Step 1 (Know Your Data): Before carrying out the anonymisation process, organisations must identify the nature of the data in question, including:
  • Direct Identifiers: Data that can be used to directly identify an individual, such as name and identity card number;
  • Indirect Identifiers: The data itself may not be unique, but it may be used to identify an individual when combined with other data, such as date of birth and gender; 
• Step 2 (Remove Direct Identifiers): Remove direct identifiers from the dataset;
• Step 3 (Apply Anonymisation Techniques): Apply anonymisation techniques to indirect identifiers to prevent others from identifying an individual by combining the indirect identifiers with other data;
• Step 4 (Assess Re-identification Risks): Assess whether any risk of identifying an individual remains in the anonymised data, and determine whether the anonymisation is sufficient based on the assessment results. If the relevant requirements are not met, repeat the above steps; and
• Step 5 (Manage Re-identification Risks): Address any residual risk following the application of anonymisation techniques by implementing corresponding risk mitigation measures, such as restricting the use of the data for intended purposes and access by intended personnel.
  

For more details, please refer to the “Guide to Getting Started with Anonymisation”.

 

PRIVACY COMMISSIONER’S FINDINGS

Collection and Disclosure of the Personal Data of Lucky Draw Participants

Background

 

A health products retail company (the “Company”) organised a lucky draw to promote its products. To ensure each participant had only one chance of winning, the Company collected participants' English names and the English letter(s) and first three digits of their Hong Kong Identity Card (HKID Card) numbers. Winners were required to present their identity documents for verification when collecting their prizes. Subsequently, the Company published a list of winners (the “List”) on its official website and in newspapers. The complainant noticed that the List contained the aforementioned personal data of the winners and lodged a complaint with the PCPD.

 

Outcome

 

Upon intervention by the PCPD, the Company confirmed that the List had been removed from its official website and the webpages of the relevant newspapers, and the personal data of all lucky draw participants had been destroyed. Additionally, the Company issued internal guidelines instructing its staff that, for future product promotion lucky draws, participants would only be required to provide the serial numbers of their product purchase receipts. The Company would no longer collect the names and HKID Card numbers of the participants.

 

Lessons Learnt

 

Lucky draws are a commonly used marketing tool. To protect the interests of participants, while organisers of lucky draw events have legitimate needs to correctly identify winners to ensure prizes are not wrongly distributed, this does not necessarily justify the collection of HKID Card numbers. Relevant organisations should note that they should not collect the HKID Card number of any individual unless the requirements under the Personal Data (Privacy) Ordinance (Ordinance) (PDPO) are complied with and the situations specified in the “Code of Practice on the Identity Card Number and Other Personal Identifiers: Compliance Guide for Data User” issued by the PCPD are applicable.

 

Furthermore, when announcing the winners, event organisers should consider the types of personal data to be disclosed and the extent of disclosure. Data users should take all reasonably practicable steps to ensure that the HKID Card number and the name of the holder are not displayed together publicly.

TECH TALK

Tips for Protecting Your Online Privacy and Maintaining Anonymity

While organisations continue to strengthen digital security measures, individuals can also take proactive steps to limit what others can discover about them online. One effective approach is to maintain anonymity, by minimising the personal information you share, such as your name, email address, location, or other identifying details.

 

Below are some practical tips to help reduce your digital footprint and make it more difficult for others to track your online activities:

• Avoid Oversharing: Refrain from using your real name, home address, or contact details on social media profiles and websites. Consider adopting distinct personas or aliases across different platforms to prevent easy identification;
• Use Strong and Unique Passwords: Using the same password across multiple accounts increases vulnerability. If one account is compromised, others may follow. Always create robust and unique passwords for each account to enhance security;
• Enable Incognito or Private Browsing Modes: When browsing in these modes, your device does not retain history, cookies, or temporary internet files. This helps protect your activities from casual snooping; and
• Avoid Clicking Suspicious Links: Unless you are absolutely certain of a link’s authenticity, steer clear. Fraudulent links are often used by attackers to trick individuals into revealing sensitive personal or business information, potentially leading to identity theft.

Practising anonymity alongside other sound privacy protection measures can enhance your online privacy. However, it’s vital to remember that anonymity is a tool for safeguarding privacy but not a practice for unlawful behaviours. By applying these tips, you have greater control over your personal data and can better protect your privacy in the digital world.

WHAT’S ON

Promoting AI Security – Privacy Commissioner Speaks at High-Level Forum on Generative AI Governance and Cultural Co-Creation

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the High-Level Forum on Generative AI Governance and Cultural Co-Creation on 30 October 2025 to deliver a keynote speech and to participate in a panel discussion. The Forum was organised by the Academy of Interdisciplinary Studies of the Hong Kong University of Science and Technology.
 
In her keynote speech titled “AI Governance and Next Chapter in Privacy Protection”, the Privacy Commissioner outlined the global solutions to balancing the development and security of AI advocated by the Country and the PCPD’s efforts in promoting AI governance on both global and local fronts. The Privacy Commissioner pointed out that the term AI was mentioned approximately 70 times in this year’s Policy Address, which reflected the current administration’s determination and emphasis on the development and use of AI. She believed that, under the policy direction of the Policy Address, Hong Kong would witness another wave of AI development in the coming one to two years, and must work with the international community to collectively promote AI governance.
 
In the panel discussion titled “Policy and Regulatory Frameworks for Generative AI”, the Privacy Commissioner shared the multi-pronged approach of the PCPD in assisting enterprises in ensuring AI security.
 
Please click here for the Privacy Commissioner’s presentation deck.

Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain New Guidance on the Use of CCTV System and Video Cameras on Drones and Vehicles

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” and Commercial Radio’s “On a Clear Day” on 28 October. In the interviews, she explained the “Guidance on the Use of CCTV Surveillance” and the “Guidance on the Use of Video Cameras on Drones and Vehicles” issued by the PCPD.

The Privacy Commissioner stated that the PCPD received 995 enquiries regarding the installation of CCTV systems in the first nine months of this year, the vast majority of which involved disputes between neighbours arising from the use of CCTV systems. She reminded members of the public to consider the necessity of installing CCTVs, whether the location concerned is a private space, and whether less privacy-intrusive alternatives are available. She also recommended posting notices to inform individuals who are being monitored.

Regarding the installation of in-vehicle cameras, the Privacy Commissioner noted that vehicle compartments are semi-private spaces, and recommended notices be posted by operators of in-vehicle cameras to notify passengers of the existence and functions of the cameras. The newly issued guidance also includes a sample sticker on the notice for in-vehicle cameras for use in passenger-carrying vehicles. In addition, footages captured must be properly handled, including specifying data retention periods and access controls.

The Privacy Commissioner also pointed out that drones have a wide coverage area, and therefore require extra caution during operation. This includes planning flight paths carefully, using flashing lights, as well as placing notices or large banners at launch sites to inform affected individuals about the drone operations.

Promoting AI Security – Privacy Commissioner Publishes an Article on Data Protection Leader

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “How Hong Kong PCPD’s latest guidelines strengthen AI security in the workplace” in Data Protection Leader, the bi-monthly magazine of OneTrust DataGuidance.
 
In the article, the Privacy Commissioner introduced the PCPD’s multi-pronged approach to fostering AI security in Hong Kong, which included conducting compliance checks, setting up a dedicated “AI Security” thematic website and publishing various guidelines. Notably, the Privacy Commissioner provided an overview of the “Checklist on Guidelines for the Use of Generative AI by Employees” (Guidelines), which was published earlier by the PCPD to assist organisations in formulating clear internal AI policies or guidelines on employees’ use of generative AI.
 
Please click here to read the article.

Fulfil Civic Responsibility – Privacy Commissioner Urges Colleagues and Voters to Actively Cast their Votes in the Legislative Council General Election

The 2025 Legislative Council General Election (LCGE) will be held on 7 December. Privacy Commissioner Ms Ada CHUNG Lai-ling attended the LCGE kick-off ceremony organised by the Government of the Hong Kong Special Administrative Region on 23 October. She calls on colleagues of the PCPD and voters to actively cast their votes to fulfil their civic responsibility.

 

The nomination period for the LCGE will run from 24 October to 6 November. Voters may cast their votes at their designated polling stations between 8:30am and 10:30pm on 7 December, the polling day.

Promoting AI Security – Privacy Commissioner Speaks at SocTech Symposium 2025

Privacy Commissioner Ms Ada CHUNG Lai-ling delivered a keynote speech titled “A New Milestone for Privacy Protection in the Era of Gen AI” at the SocTech Symposium 2025 organised by the Hong Kong Council of Social Service on 20 October.
 
In her speech, the Privacy Commissioner outlined the use of AI in non-profit organisations and illustrated the risks posed to personal data privacy in the use of AI with real-life examples. She also introduced the Guidelines and the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) published by the PCPD.
 
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).

Enhancing Data Security for Schools – PCPD Organises Webinar on “Data Security and Risk Management in Schools” 

The PCPD organised a webinar for the education sector titled “Data Security and Risk Management in Schools” on 9 October, which attracted around 700 primary and secondary school principals and teachers to attend.
 
During the webinar, Privacy Commissioner Ms Ada CHUNG Lai-ling shared the lessons learnt from some data breach cases involving schools, and elaborated on the causes of the data breach incidents and the remedial measures taken. She also provided practical recommendations for strengthening data security measures and highlighted the key points for preventing and handling data breach incidents. In addition, Mr CHU Ka-tim, Chairman of the Hong Kong Association for Computer Education (HKACE) and Principal of Shatin Pui Ying College, and Mr FONG Ting-hei, Council Member of the HKACE and Vice Principal of Pope Paul VI College, shared some best practices for handling personal data in schools with the participants.

Please click here to download the Privacy Commissioner’s presentation deck (Chinese only).
Please click here to download the presentation deck of Mr Chu and Mr Fong (Chinese only).

Promoting AI Security – Privacy Commissioner Publishes an Article Entitled “Actively Promote the Safe Development of AI and Integrate into the Overall National Development”

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Actively Promote the Safe Development of AI and Integrate into the Overall National Development”.
 
In the article, the Privacy Commissioner pointed out that the Country is implementing the “AI Plus” initiative and calling for a global approach that balances development and security of AI. She noted that the Chief Executive’s recent Policy Address not only actively promotes the development of AI, but also places emphasis on AI security and risk management. This demonstrates a precise alignment with national strategies and echoes the objectives of the PCPD in promoting AI security.
 
The Privacy Commissioner urged for collective efforts to ensure high-quality development with high-quality security, while embracing the role of a reformer to proactively identify, respond to and steer changes to guide AI’s development in Hong Kong towards a beneficial, safe and fair direction, with a view to integrating into the overall national development.
 
The article was published in HK01, Hong Kong Economic Journal, Hong Kong Economic Times, Ming Pao, Sing Tao Daily and Ta Kung Pao on 8 October.
 
Please click here to read the article (Chinese only).

Promoting AI Security – Privacy Commissioner Speaks at “Navigating the Governance Challenge in the Digital Era” Seminar

Privacy Commissioner Ms Ada CHUNG Lai-ling delivered a keynote speech titled “Key Governance Principles for Responsible AI” at a seminar organised by the Hong Kong Council of Social Service on 30 September.
 
In her presentation, the Privacy Commissioner discussed the application of AI in the social service sector and introduced the various AI-related guidance materials published by the PCPD, including the Guidelines and the Model Framework.
 
In addition, Senior Legal Counsel (Global Affairs and Research) of the PCPD Ms Joyce LIU participated in a panel discussion at the Seminar and shared with the audience how the PCPD’s guidance materials and training can support organisations in safeguarding personal data privacy and enhancing governance effectiveness when using AI systems.
 
Please click here for the Privacy Commissioner’s presentation deck.

Promoting AI Security – Assistant Privacy Commissioner Speaks at the 2025 Annual Conference of Practising Governance

The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD Ms Joanne WONG attended the 2025 Annual Conference of Practising Governance on 24 October.
 
Ms WONG spoke as a panellist in a session titled “AI at Work: from Practical Insights to What’s Next”, where she underscored the importance of establishing a robust AI governance framework and introduced various AI-related guidance materials published by the PCPD, including the Model Framework and the Guidelines.
 
Please click here for the presentation deck.

Promoting AI Security – Acting Assistant Privacy Commissioner Speaks at the AI+ New Generation Summit

The Acting Assistant Privacy Commissioner for Personal Data (Legal) of the PCPD Ms Fiona LAI delivered a presentation at the AI+ New Generation Summit on 9 October. The Summit was organised by the Organising Committee for National Day Celebratory Events of Hong Kong Technology and Innovation Sector on 9 October.
 
In her presentation, Ms Lai outlined the overall strategy in the Country’s “AI Plus” initiative and the PCPD’s achievements in promoting AI security on a global scale. She also introduced the various AI-related guidance materials published by the PCPD, including the Model Framework and the Guidelines.
 
Please click here for the presentation deck (Chinese only). 

Enhancing Cybersecurity – PCPD Representative Attends “BugHunting Campaign 2025” Awards Gala

Acting Chief Personal Data Officer (Compliance and Enquiries) of the PCPD Mr John LO attended the Awards Gala of the “BugHunting Campaign 2025” (the Campaign) on 3 October to present awards and share the latest trends in data breach incidents.
 
The PCPD is the Strategic Partner of the Campaign, which is co-organised by the Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force and Cyberbay. The Campaign this year employs AI technology to assist participating organisations to identify vulnerabilities within their corporate systems, and to conduct security audits on their AI applications to prevent data breaches. The Campaign attracted a total of 185 participating organisations.

PCPD Publishes 2024-25 Annual Report

The 2024-25 Annual Report of the PCPD was tabled in the Legislative Council on 22 October.
 
Themed “Leveraging Artificial Intelligence for a New Digital Privacy Era”, our 2024-25 Annual Report centres on the dual interpretations of AI – Accomplishments and Impacts, and Artificial Intelligence. It showcases the PCPD’s achievements and the profound impacts of our work, underscoring our commitment to proactively identifying, responding to and steering changes in the rapidly evolving digital landscape. 
 
The reporting year was marked by intense discussions on generative AI, accompanied by a surge in AI-related privacy risks. In 2024, the PCPD issued the Model Framework – one of the first frameworks on AI in the privacy landscape in the Asia-Pacific region. The PCPD further issued the Guidelines this year. Both publications underscore a high reference value and a strong impact at both local and global levels.
 
The PCPD achieved significant results in our enforcement actions against doxxing over the past year, with a notable decline in both doxxing related cases and complaints. The number of doxxing cases uncovered by the PCPD’s proactive online patrols dropped by 92%, from 841 cases in 2022-23, the first year after the commencement of the new anti-doxxing regime, to 65 cases in the reporting year. The number of doxxing complaints also decreased by 55%, from 676 to 305.
 
Within the Greater Bay Area (GBA), the PCPD actively facilitated cross-boundary flows of personal information, which helps promote the high-quality development of digital economy in the GBA and contributes to Hong Kong’s further integration into the overall development of the Country.
 
Please click here to download the Annual Report.

Raising Awareness of Fraud Prevention – PCPD Publishes Anti-fraud Leaflet and Poster 

The PCPD has published a new anti-fraud leaflet and poster to enhance public awareness of fraud prevention and personal data protection.

With the theme “Too Good to be True?”, the leaflet and poster remind members of the public that there is no such thing as a “free lunch”, and the public should stay vigilant against fraud. The leaflet outlines common types of scam, and provides practical tips and useful information to help guard against fraud. Both publications will be distributed to District Offices, community centres, elderly centres, banks and schools, and will also be featured on various social media and online platforms.

Additionally, starting from October, the PCPD has collaborated with the Office of the Communications Authority to organise exhibitions on fraud prevention and personal data privacy protection at the Hong Kong Shue Yan University, the Education University of Hong Kong, and the Hong Kong University of Science and Technology. The exhibitions aim to deliver anti-fraud messages to students.

Download the anti-fraud promotional leaflet (Chinese only):
https://www.pcpd.org.hk/english/resources_centre/publications/files/anti_fraud_leaflet2025.pdf

Download the anti-fraud promotional poster:
https://www.pcpd.org.hk/english/resources_centre/publications/files/anti_fraud_poster2025.pdf

MEDIA STATEMENT

LinkedIn Will Commence Using Users’ Personal Data for Training Generative AI Models from 3 November; PCPD Reminds Users to Heed the Relevant Changes

The PCPD noted the employment-oriented social media platform LinkedIn would begin using users’ personal data to train its generative AI models from 3 November this year. Such data includes detailed information from users’ profiles on the platform and public content posted on LinkedIn. LinkedIn would also update its privacy policy on the same day, and the updated policy would apply to users in the EU, the European Economic Area, Switzerland, Canada, and Hong Kong.

Privacy Commissioner Ms Ada CHUNG Lai-ling reminds LinkedIn users to pay attention to the changes in LinkedIn’s privacy policy and to understand its relevant contents, in particular those relating to the use of users’ personal data for training generative AI models, in order to decide whether to consent to such use. If users do not wish to authorise LinkedIn to use their personal data for training generative AI models, they may follow the steps in Annex 1 to change the default settings to withdraw their consent.

In mid-September last year, LinkedIn updated its privacy policy to allow its use of users’ personal data and content on the platform to train generative AI models for content creation. Following the intervention of the PCPD, LinkedIn suspended the use of personal data from Hong Kong users for the aforementioned purpose starting from 11 October, 2024. Between October 2024 and April 2025, the PCPD engaged with LinkedIn to understand the situation and review the details of its proposal. LinkedIn has committed to ensuring that Hong Kong users will retain control over the use of their personal data for generative AI models training purposes, and that such use will be in compliance with the PDPO.

The PCPD has already provided LinkedIn with recommendations to safeguard personal data privacy and will continue to monitor the situation to ensure that the personal data privacy of Hong Kong users is safeguarded.

In addition, at the international level, in response to the growing trend of using personal data to train AI models, the PCPD co-sponsored the “Resolution on the Collection, Use and Disclosure of Personal Data to Pre-train, Train and Fine-tune AI Models” with other privacy protection authorities at the annual conference of the Global Privacy Assembly earlier. The resolution reaffirmed that the use of personal data for training AI models must comply with relevant laws and data protection and privacy principles, and emphasised the need to strengthen cross-border enforcement cooperation, etc. The resolution was unanimously adopted by more than 130 members at the conference. 

 

Global Privacy Assembly’s “Resolution on the Collection, Use and Disclosure of Personal Data to Pre-train, Train and Fine-tune AI Models”
https://globalprivacyassembly.com/wp-content/uploads/2025/10/Resolution-on-the-collection-use-and-disclosure-of-personal-data-to-pre-train-train-and-fine-tune-AI-models.pdf

PCPD Staff Members Participate in National Studies Course at Zhejiang Institute of Administration

The PCPD arranged for 10 staff members from various divisions to participate in a National Studies Course (Course) organised by the Zhejiang Institute of Administration (ZIA) in Hangzhou from 12 to 17 October, with a view to deepening their understanding of the Chinese Mainland’s systems and development, and enhancing their knowledge of the latest situations of the Chinese Mainland in areas such as the rule of law, economy, technology and people’s livelihood. The Course also enabled participants to stay abreast of the Country’s high-quality development strategies. Alongside the PCPD, other participating statutory bodies included the Equal Opportunities Commission and the Office of The Ombudsman.
 
Privacy Commissioner Ms Ada CHUNG Lai-ling expressed her gratitude to the Liaison Office of the Central People’s Government in the Hong Kong Special Administrative Region for arranging the Course. 
 
The Course featured lectures, discussions and on-site learning sessions delivered by professors from the ZIA and experts from various disciplines, with the discussions focusing on the Country’s development strategies and the latest national developments across various sectors. Participants also visited the ZJU-Hangzhou Global Scientific and Technological Innovation Center, the National Archives of Publications and Culture in Hangzhou and the headquarters of Alibaba Group in Hangzhou, among others.

MAINLAND CORNER

Highlights of the “Draft Regulations on the Establishment of Personal Information Protection Supervisory Committees by Large Online Platforms”

《大型網絡平台設立個人信息保護監督委員會規定（徵求意見稿）》的重點

To guide and regulate the establishment and operation of personal information protection supervisory committees by large online platforms, the Cyberspace Administration of China issued the “Draft Regulations on the Establishment of Personal Information Protection Supervisory Committees by Large Online Platforms” (Draft Regulations) for public consultation on 12 September 2025. The Draft Regulations provides detailed requirements for large online platforms to set up personal information protection supervisory committees, including their composition and responsibilities, as well as the obligations of the large online platforms. The consultation period ended on 12 October 2025. This article provides an overview of the Draft Regulations.

為指導規範大型網絡平台設立及運行個人信息保護監督委員會（監督委員會），國家互聯網信息辦公室（網信辦）於2025年9月12日發布《大型網絡平台設立個人信息保護監督委員會規定（徵求意見稿）》¹ 。《徵求意見稿》闡明了大型網絡平台設立監督委員會的詳細要求，包括其組成及職責、平台的義務等等，徵求意見期已於2025年10月12日結束。《徵求意見稿》的重點如下：

 

大型網絡平台服務提供者
根據《個人信息保護法》第五十八條，提供重要互聯網平台服務、用戶數量巨大、業務類型複雜的個人信息處理者，應當按照國家規定建立健全個人信息保護合規制度體系，成立主要由外部成員組成的獨立機構對個人信息保護情況進行監督。《徵求意見稿》將符合上述條件的個人信息處理者界定為大型網絡平台²服務提供者，並要求這些服務提供者設立及運行監督委員會。《徵求意見稿》亦進一步指出，國家網信部門將聯同國務院公安部門等有關部門制定發布大型網絡平台清單³。
 
監督委員會的組成
《徵求意見稿》提出，監督委員會的成員人數應與大型網絡平台業務規模、用戶數量等相匹配，一般不得少於七人，外部成員佔比不低於三分之二⁴。負責監督委員會工作的委員會主任，須由外部成員擔任⁵。監督委員會的外部成員應從事個人信息保護相關工作不少於三年⁶，並且在受聘期間保持身份和履行職責獨立性⁷。

監督委員會的監督管理工作
《徵求意見稿》規定了監督委員會的監督管理工作，重點要求如下。

職責⁸
監督委員會需重點監督大型網絡平台的14個事項，包括個人信息保護合規制度體系建設情況、個人信息保護影響評估開展情況、個人信息保護合規審計開展情況；以及向境外提供個人信息合規情況等。監督委員會亦應當建立與平台用戶常態化的溝通機制，回應用戶關切。

 

會議及監督意見的要求
監督委員會應至少每三個月召開一次定期會議，審議大型網絡平台個人信息保護監督事項，並作出監督意見⁹。監督意見應取得全體成員三分之二以上同意，並及時將有關意見通知大型網絡平台服務提供者¹⁰。

向網信部門報送履行職責情況報告
監督委員會應每年向所在地省級網信部門報送履行職責情況報告¹¹。若監督委員會履行職責不到位，導致大型網絡平台出現重大個人信息安全事件等情況，網信部門應要求平台解散並重新成立監督委員會¹²。

就平台違法違規行為提出書面建議
《徵求意見稿》規定，若監督委員會成員發現大型網絡平台違法違規收集處理個人信息等問題，應當向監督委員會和平台服務提供者提出書面建議，若兩者未有處理，或成員對處理結果有異議，成員應當向網信部門報告¹³。

 

大型網絡平台服務提供者的義務
與此同時，《徵求意見稿》亦要求大型網絡平台服務提供者積極配合監督委員會的職責，提供他們履行職責所需的工作條件和協助，不得惡意拒絕、阻礙或隱瞞¹⁴。具體而言，平台服務提供者的個人信息保護負責人應當每三個月向監督委員會報告平台個人信息保護有關情況¹⁵，並在收到監督委員會作出的監督意見之日起10個工作日內處理相關意見¹⁶。

 

總結
《徵求意見稿》落實《個人信息保護法》關於大型網絡平台內設立獨立個人信息保護監督機構的要求，亦為監督委員會的組成及職責等提供了具體指引。有關平台服務提供者宜細閱當中的要求，於《徵求意見稿》定稿後採取相應措施。

 

 

 

 

 

¹ 全文：https://www.cac.gov.cn/2025-09/12/c_1759395487456327.htm

² 根據《網絡數據安全管理條例》，大型網絡平台是指註冊用戶5000萬以上或者月活躍用戶1000萬以上，業務類型複雜，網絡數據處理活動對國家安全、經濟運行、國計民生等具有重要影響的網絡平台。
³ 《徵求意見稿》第二條。
⁴ 《徵求意見稿》第三條。
⁵ 《徵求意見稿》第九條。
⁶ 《徵求意見稿》第五條。
⁷ 有關身份和履行職責獨立性的詳盡要求，見《徵求意見稿》第四條。
⁸ 《徵求意見稿》第十三條。

⁹ 《徵求意見稿》第十五條。
¹⁰ 《徵求意見稿》第十八條。
¹¹ 《徵求意見稿》第二十五條。
¹² 《徵求意見稿》第二十七條。
¹³ 《徵求意見稿》第二十條。
¹⁴ 《徵求意見稿》第二十二條及第二十三條。
¹⁵ 《徵求意見稿》第二十三條。
¹⁶ 《徵求意見稿》第十九條。

 

RECOMMENDED TRAININGS

Practical Workshop on Data Protection Law

With the growing public awareness of and expectations for the protection of personal data privacy, it has become a norm for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence. 

This workshop will examine the practical application of the PDPO at work by the sharing of real-life cases and providing practical advice. This workshop is particularly suitable for barristers, solicitors, in-house legal counsels, data protection officers and compliance officers.

 

Date: 19 November 2025 (Wednesday)

 

Time: 2:15pm – 5:15pm

 

Mode: Online

 

Language: Cantonese

 

Fee: $950/$760*

(*Members of the DPOC and supporting organisations may enjoy the discounted fee)

 

Accreditation: 3 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)

 

Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers, compliance officers

Professional Workshop on Data Protection in Dec 2025:

Online Free Seminars – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below: 

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

 

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Data security management;
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!

 

Special Offer for Organisational Renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).

 

Join us now to keep up-to-date with the latest news and legal developments!

SUPPORTING EVENTS

PCPD Supports the Ethical Phishing Email Campaign 2025

To enhance staff awareness against suspicious emails, the Hong Kong Internet Registration Corporation Limited and the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force are jointly organising the “Ethical Phishing Email Campaign 2025” (Campaign) and invite organisations to participate. The Campaign is supported by the PCPD.

The exercise aims to educate employees on identifying suspicious emails and strengthen the cybersecurity resilience of participating organisations. It is expected to run from November to December 2025 at no cost. During this period, participating organisations will receive simulated phishing emails at the provided email addresses to test their employees’ cybersecurity awareness. Upon completion, each organisation will receive a detailed report summarising their staff’s performance in handling suspicious emails.

 

Please click here for more details.

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

 

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

 

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.