Looking back, looking forward: Highlights and prospects in Hong Kong data privacy regulation
29 January 2026
The Hong Kong data privacy landscape saw limited legislative reform in 2025. Yet the year was far from static. 2025 marked a shift from principles to practical playbooks, driven by the rollout of Hong Kong’s first dedicated cybersecurity law and an active data privacy regulator, the Office of the Privacy Commissioner for Personal Data (“PCPD”). Together, these developments have matured Hong Kong’s data privacy and cybersecurity regimes, laying the foundation for further consolidation in 2026.
In this article, Pádraig Walsh from our Data Privacy practice reviews key 2025 data privacy developments and highlights potential developments for the year ahead.
2025 in review
Protection of Critical Infrastructure (Computer Systems) Ordinance (Cap. 653)
In last year’s “Looking Back, Looking Forward” article (link), we covered the Protection of Critical Infrastructure (Computer Systems) Bill (the “Bill”) introduced into the Legislative Council on 11 December 2024. The Bill passed without substantive amendment in early 2025. The Protection of Critical Infrastructure (Computer Systems) Ordinance (Cap. 653) (“PCICSO”) was gazetted on 28 March 2025 and came into force on 1 January 2026.
The PCICSO establishes a dedicated cybersecurity regime for designated Critical Infrastructure Operators (“CI Operators”), structured around three pillars:
1. Organisational governance;
2. Preventive and technical safeguards; and
3. Incident reporting and response.
As signposted in 2024, the regime covers two categories of operator. CI Operators may be designated from:
(a) essential services across eight sectors: (i) energy; (ii) information technology; (iii) banking and financial services; (iv) land transport; (v) air transport; (vi) maritime; (vii) healthcare services; and (viii) communications and broadcasting; and
(b) other infrastructure operators that host key social or economic activities, such as major sports and performance venues.
The focus of the PCICSO is not primarily on personal data protection, which remains under the regulatory ambit of the PCPD. However, the Security Bureau’s activity in overseeing cybersecurity and implementing the PCICSO will likely lead to more regulatory activity by the PCPD as well.
Guidelines on the use of Generative AI
Generative AI (“GenAI”) cemented itself as a mainstream enterprise tool in 2025. A number of Hong Kong authorities have issued guidance to align the use of GenAI tools with the Data Protection Principles of the Personal Data (Privacy) Ordinance (“PDPO”).
PCPD Checklist
The “Checklist on Guidelines for the Use of Generative AI by Employees” (link) helps organisations develop internal policies that ensure compliance with the PDPO. In particular, the policies should specify the scope of permissible use, permissible inputs and the storage of output information; embed privacy safeguards through data security measures; set ethical guardrails; and identify the consequences of breaches.
Digital Policy Office Guideline
The “Hong Kong GenAI Technical and Application Guideline” (link) frames five dimensions of governance for GenAI: (i) personal data privacy, (ii) intellectual property, (iii) crime prevention, (iv) reliability and (v) trustworthiness within a four-tier risk classification system (unacceptable, high, limited and low risk).
This is a technical guide with role-specific information for developers, intermediaries and enterprise users of GenAI. The guideline applies within government organisations but is also considered a general industry benchmark frequently referenced for practice standards.
Anonymisation Guide
The PCPD endorsed the cross-jurisdictional “Guide to Getting Started with Anonymisation” (link), which offers a practical, step-by-step approach. To anonymise data used in AI models, organisations are expected to: (i) know their data; (ii) remove direct identifiers from the dataset; (iii) apply anonymisation techniques to indirect identifiers; (iv) assess re-identification risks; and (v) manage re-identification risks by implementing corresponding risk mitigation measures.
While not specific to Hong Kong, this Guide can serve as a concise blueprint for operationalising data minimisation and privacy-by-design in the use of AI models.
PCPD compliance check on use of AI
In our 2024 article, we noted the PCPD’s first compliance check on AI use across 28 organisations and suggested it would be an interesting trend if the exercise became annual. In May 2025, the PCPD published a new round of compliance checks (link) covering 60 organisations across a broader set of sectors. It reviewed adherence to the PDPO and to published PCPD guidance.
Findings
The 2025 results show clear growth and maturing governance compared with 2024.
AI adoption grew. 80% of organisations reported using AI in day-to-day operations (up from 75% in 2024), and most had been using AI for over a year. Among the organisations that collected or used personal data via AI systems, all implemented security safeguards such as access controls, encryption and penetration testing. Significantly, 83% conducted privacy impact assessments (“PIAs”) before implementation, and 96% conducted pre-deployment testing for reliability, robustness and fairness. This is an uptick from the 2024 snapshot, where only 8 of the 10 organisations using personal data conducted PIAs.
Data governance also matured. Most organisations established AI governance structures with board-level oversight. Data breach response plans were common, and PCPD guidance was widely referenced and adopted within them. A growing subset of such plans expressly covered AI-related incidents. As in 2024, no PDPO contraventions were found in this check.
The 2025 compliance check provides a positive signal that organisations using AI are increasingly adopting good governance, and are adopting data minimisation and privacy-enhancing principles and technologies.
PCPD Inspection and Investigation Reports
In August 2025, the PCPD released a set of investigation reports into major data breaches involving (i) Kwong’s Art Jewellery Trading Company Limited together with My Jewelry Management Limited, and (ii) Adastria Asia Co., Limited. We summarised those findings in a previous article (link).
Later, in November 2025, the PCPD published a report on a set of inspections into data breaches that followed initial compliance checks. These concerned the personal data systems of HKICC Lee Shau Kee School of Creativity (“HKICC”) and the Hong Kong College of Technology (“HKCT”). In each case, the PCPD had received a data breach incident notification from the institution and initiated a compliance check.
In the investigations, the PCPD found contraventions of DPP4 (security of personal data) due to fundamental failures: the entities had not taken all practicable steps to ensure the security of personal data. Enforcement notices were issued.
In the inspections, the PCPD considered the entities compliant with DPP4, particularly given that both HKICC and HKCT had significantly strengthened their security after the initial data breach incident. The PCPD nonetheless highlighted areas for improvement, such as adopting real-time monitoring with alerts and conducting regular security audits.
In the investigation cases, the root-cause failures were longstanding, considered egregious and directly facilitated the breaches. In the inspection cases, there was a demonstrable governance framework and evidence of structured accountability. Organisations that commit to adopting and implementing a privacy management programme will be better positioned to emerge favourably from a PCPD investigation or inspection.
The practical implication for Hong Kong organisations is that the DPP4 standard of taking “all practicable steps” to protect personal data is a living standard. A data breach incident does not automatically result in contravention of the principle. Credible internal policies and timely remediation can support a finding of compliance with DPP4, even though a personal data breach has occurred. Conversely, the absence of basic and widely available protections will more likely lead to an investigation and subsequent enforcement measures by the PCPD.
2026 in prospect
2025 was a year of transition. Looking ahead, 2026 could also be a pivotal year.
PCICSO
The core focus of regulatory activity will be on the PCICSO and its implementation. Now that the Commissioner of Critical Infrastructure (Computer-system Security) (“Commissioner”) has been appointed, we expect CI Operators to be designated in the early stages of 2026 and the first wave of compliance to commence. While 2025 delivered relatively few headline developments, the implementation phase in 2026 should bring clarity and momentum. The Commissioner has already published a Code of Practice (link) and an FAQ (link) as early guidance on the PCICSO.
The Commissioner and the designated authorities (i.e., existing sector regulators such as the Monetary Authority and the Communications Authority) may designate an organisation that operates specified critical infrastructure as a CI Operator. Those organisations will receive written notice from the relevant authority setting out the effective date for compliance and the critical computer systems covered. The list of CI Operators will not be made public, the rationale being to prevent CI Operators from becoming targets of attacks.
We anticipate that designations will be issued in phases from early 2026, beginning with larger or higher-impact operators in the named sectors. The Commissioner or the designated authorities may have already begun approaching such organisations. In any event, for those likely to be designated, early action in 2026 will make day-one compliance achievable.
AI Adoption
AI adoption will continue to expand across sectors. There is already a substantial body of guidance in place. For organisations charting their 2026 AI roadmaps, the direction of travel is clear. The PCPD is likely to shift its emphasis to enforcement: it has informed organisations of its expectations, and it is now up to the organisations to deliver.
Conclusion
Hong Kong’s data privacy and cybersecurity regimes continued to mature in 2025, marked by the transition from education to enforcement. With the commencement of the PCICSO and the PCPD’s hands-on approach to governance, organisations can anticipate a year of continued consolidation and stricter expectations. As these regimes continue to take shape, 2026 will be another pivotal year for businesses to strengthen their compliance foundations and prepare for a more active enforcement environment.
We have much to keep track of and to look forward to in the coming 12 months.
Pádraig Walsh
If you want to know more about the content of this article, please contact:
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 29 January 2026.