July 03 2026

Hong Kong Privacy Commissioner for Personal Data Completes its 2026 AI Compliance Checks: Findings, Trends and the Rise of Agentic AI


Artificial Intelligence ("AI") is no longer the future on the horizon for businesses in Hong Kong, but the present-day reality. In just a few years, AI has moved from the margins of corporate operations to their core, and the Office of the Privacy Commissioner for Personal Data ("PCPD") has been watching closely. Its latest round of compliance checks, published in May 2026, offers a revealing snapshot of how 60 organisations across different sectors in Hong Kong are putting AI to work, and how well they are protecting personal data while doing so. What emerges is a portrait of an enterprise technology advancing at speed: adoption is now extensive, yet several of the AI governance measures one would expect to take firmer root appear to be weakening. Against this backdrop, and following the PCPD's separate alert on the privacy risks of agentic AI, this update revisits where Hong Kong businesses stand a year on from the last compliance check in 2025 (see our Legal Update, Hong Kong Privacy Commissioner for Personal Data Completes Compliance Checks on the Use of AI and Data Privacy), and what they should be doing now.

Background and Scope

The 2026 compliance checks were expressly framed to align with the National "15th Five-Year Plan" and the Hong Kong Government "AI Plus" policy direction, and to promote the more secure and responsible use of AI across sectors. They follow the two earlier rounds completed in 2024 and 2025.

In the 2026 compliance check, the PCPD assessed organisations' compliance with the Personal Data (Privacy) Ordinance ("PDPO") in the collection, use and processing of personal data through AI systems, and examined organisations' implementation of the "Artificial Intelligence: Model Personal Data Protection Framework" ("Model Framework") and the "Checklist on Guidelines for the Use of Generative AI by Employees" ("Gen AI Checklist"). This year's review again covered 60 organisations but widened the sector net: in addition to the banking and finance, beauty services, education, government departments, insurance, medical services, public utilities, retail, social services, telecommunications and transportation sectors reviewed in 2025, the 2026 exercise added the accounting, food and beverage, innovation and technology, logistics, and property management sectors. Half of the organisations reviewed (30, or 50%) had more than 500 employees. Importantly, as with the 2025 review, the PCPD found no contravention of the PDPO during the 2026 process.

Key Findings of the 2026 Compliance Checks

Adoption of AI

57 of the 60 organisations (95%) used AI in their day-to-day operations, with 45 (approximately 79%) having used AI for more than a year, while 29 (approximately 51%) used three or more AI systems. AI was applied principally in administrative support, customer service, research and development, marketing and compliance/risk management.

Collection, Use and Processing of Personal Data

Of the 57 AI-using organisations, 24 (approximately 42%) collected and/or used personal data through AI systems. Of those 24, 11 (about 46%) both collected and used personal data through AI, while the remaining 13 (about 54%) only used personal data through AI. The AI systems used include chatbots, optical character recognition tools, text/image/video/presentation generators and data analysis tools.

All 24 organisations which collected and/or used personal data through AI systems provided Personal Information Collection Statements before or at the time of collection, but only seven (about 29%) specified the use of AI tools in those statements. Seven of these organisations (about 29%) retained the personal data collected through AI systems and specified the retention periods, with the remaining 17 (approximately 71%) not retaining the data at all.

Data Security and Minimisation

All 24 organisations implemented appropriate security measures, including access control, data encryption, penetration testing and data anonymisation. Five (around 21%) also deployed AI-related security alerts and conducted red-teaming drills. For data minimisation, 15 (approximately 63%) used anonymised or pseudonymised data in the use of AI, and eight (about 33%) adopted privacy-enhancing technologies such as synthetic data and federated learning.

Implementation and Oversight

23 of the 24 organisations (about 96%) conducted pre-implementation testing for reliability, robustness and fairness, and 19 (about 79%) carried out privacy impact assessments. All of the organisations which collected and/or used personal data through AI systems conducted risk assessments in the procurement, use and management of AI systems.

On human oversight, 19 (about 79%) adopted a "human-in-the-loop" approach, and five (about 21%) adopted a "human-in-command" approach, in which humans review the outputs of AI systems, oversee the operation of the systems and intervene where necessary. 22 organisations (approximately 92%) had data breach response plans, of which nine (around 41%) specifically addressed AI-related incidents, and 15 (approximately 68%) conducted regular internal audits and/or independent assessments with respect to the use of AI.

Strategy, Governance and Training

19 organisations (about 79%) established AI governance structures such as AI governance committees or designated personnel, but only 12 (50%) formulated AI-related policies, with a further 10 (about 42%) planning to do so. Only 13 organisations (around 54%) conducted board-level discussions on AI. All 24 organisations permitted employees to use generative AI at work, and 17 (about 71%) had internal generative-AI policies. 20 organisations (about 83%) provided AI-related training for employees, of which 18 organisations (90%) covered AI-related privacy risks in their training.

What Has Changed Since 2025

The most immediately apparent change is the continued rapid climb in AI adoption, rising 15 percentage points from 80% in 2025 to 95% in 2026, confirming that AI is now an extensive feature of business operations in Hong Kong, rather than an emerging experiment.

Against the backdrop of accelerating AI adoption, the most striking development is a sharp pull-back in the handling of personal data by AI systems. The proportion of organisations that retained personal data collected through AI fell by roughly 50 percentage points, from approximately 79% in 2025 to approximately 29% in 2026. This was accompanied by a more modest decline in the proportion of AI-using organisations that collect, use, and/or process personal data through AI, down from 50% to approximately 42%. Taken together, these figures point to organisations deliberately reducing their personal-data footprint when deploying AI.

Accountability and risk-management practices also matured noticeably. The proportion of organisations conducting regular internal audits and/or independent assessments rose by around 17 percentage points, and those whose data breach response plans specifically addressed AI-related incidents rose by around 9 percentage points. Staff training covering AI-related privacy risks also rose by around 7 percentage points. A particularly telling shift is in human oversight: all organisations that referred to the PCPD AI Model Framework adopted the "human-in-the-loop" approach in 2026, an increase of around 17 percentage points on 2025, indicating that the Model Framework is having a real influence on how organisations supervise their AI.

However, not every indicator moved in the same direction, and two governance metrics went backwards in a way that is worth flagging. The proportion of organisations that had formulated AI-related policies fell from around 63% to 50%, and the proportion conducting board-level discussions on the use of AI dropped by around 25 percentage points. In a year in which adoption escalated rapidly, this retreat in AI policy-making and board-level engagement is a concerning trend. A number of core practices, by contrast, simply held steady at high levels, including the universal (100%) provision of Personal Information Collection Statements, implementation of appropriate security measures, formulation of Privacy Policy Statements, and the establishment of AI governance structures (steady at approximately 79%).

Agentic AI

In this 2026 compliance check report, as well as in its announcement published earlier this year, the PCPD has identified agentic AI as a distinct and elevated area of risk. Unlike chatbots used for text replies, summaries or content generation, agentic AI is typically deployed on a local device or server with high-level access, enabling it to read and write local files, allocate system resources, and autonomously execute multi-step tasks without real-time user involvement. This versatility makes agentic AI higher-risk than ordinary chatbots. Its elevated default access rights may expose files, emails, account credentials and browser contents. It may misinterpret commands and delete important data, and the vulnerabilities in systems with high-level, multi-source access can create significant data-security risks. Unvetted plugins or skills may embed malicious code enabling account or system takeover by hackers.

The PCPD advised organisations using agentic AI to collect, use or process personal data to grant only the minimum access rights necessary, download only the latest official versions of agentic AI from official channels, segregate the runtime environment from local devices and servers, and strengthen network controls. Users should install and use plugins or skills only after verifying their security, conduct continuous risk assessments, and adopt a "human-in-the-loop" approach to retain final control over decision-making processes.
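As an added illustration (not part of the PCPD report or of this update), the following Python sketch shows how three of the controls above translate into a policy gate placed between an AI agent and its tools: least-privilege file access confined to a workspace, human approval before any destructive action, and plugin vetting against a pinned hash. The workspace path, denied directory names, plugin name and hash are constructed examples.

```python
"""Illustrative agent tool-call gate (constructed example, not the PCPD's or
any vendor's code). It applies least privilege, human-in-the-loop review of
destructive actions, and plugin vetting before a tool call is executed."""
import hashlib
from pathlib import Path
from typing import Callable

# Constructed: the only directory tree the agent may read or write.
WORKSPACE = Path("/srv/agent-workspace").resolve()
# Credential and browser-profile stores that must never be touched,
# even if they somehow appear inside the workspace.
DENIED_PARTS = {".ssh", ".aws", ".gnupg", "Cookies", "Login Data"}
# Actions that are never executed without a human decision.
DESTRUCTIVE = {"delete", "overwrite"}
# Constructed manifest: plugin name -> SHA-256 of the vetted release.
VETTED_PLUGINS = {
    "pdf-reader": hashlib.sha256(b"pdf-reader v1.2 vetted build").hexdigest(),
}


def path_allowed(raw: str) -> bool:
    """Least privilege: resolve '..' and symlinks, require the path to stay
    inside WORKSPACE and never to cross a credential/browser directory."""
    p = Path(raw).resolve()
    try:
        p.relative_to(WORKSPACE)
    except ValueError:
        return False
    return not DENIED_PARTS.intersection(p.parts)


def plugin_allowed(name: str, code: bytes) -> bool:
    """Plugin/skill vetting: load only code whose hash matches the manifest."""
    return VETTED_PLUGINS.get(name) == hashlib.sha256(code).hexdigest()


def gate(action: str, target: str, approve: Callable[[str, str], bool]) -> str:
    """Decide one tool call: 'allow', 'deny' or 'pending_review'.
    `approve` is the human reviewer; destructive actions wait for it."""
    if not path_allowed(target):
        return "deny"
    if action in DESTRUCTIVE and not approve(action, target):
        return "pending_review"
    return "allow"
```

A real deployment would log every decision and run the agent in a segregated environment, so the gate is the last line of defence rather than the only one.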

Takeaways for Businesses Operating in Hong Kong

These 2026 compliance checks show that AI adoption across Hong Kong's business sectors is becoming embedded rather than experimental, with most organisations using AI for more than a year and many of them using multiple AI systems. There is also a noticeable move towards "data-light" AI deployments: fewer organisations are retaining personal data processed by AI, suggesting greater use of architectures that process data transiently or rely on anonymisation, pseudonymisation and privacy-enhancing technologies. In addition, accountability mechanisms (independent audits, incident response and training) are maturing, even as the formalisation of AI strategy at policy and board levels has not kept pace with the speed of adoption.

In light of these developments, businesses operating in Hong Kong should take note of the following:

  1. AI governance as baseline accountability: Treat an enterprise-wide AI policy and periodic board or senior-management reporting as baseline accountability, and where possible, align them to the PCPD AI Model Framework so that oversight scales with deployment. Undocumented governance could leave an organisation unable to demonstrate oversight and diligence, and shift the burden of explanation onto management when an incident attracts scrutiny.
  2. Make AI transparency a priority: Update Personal Information Collection Statements and Privacy Policy Statements to explain, in plain language, where and how AI processes personal data. For example, a privacy statement silent on AI may not support feeding that data into AI systems for model training.
  3. Calibrate human oversight to risk, and pay particular attention to the risks of agentic AI: Reserve genuine "human-in-the-loop" control for the AI use cases that warrant it, and adopt a separate, stricter control set for agentic AI (e.g., least-privilege access, environment segregation, plugin/skill vetting and continuous monitoring), as deploying an AI agent effectively grants a non-human actor standing access to your systems and data.
  4. Put AI safeguards into practice: Audits, AI-specific incident response and privacy-risk training are all trending upward and are fast becoming the expected standard. Organisations still at the "planning" stage should operationalise these now, and rehearse AI-specific breach scenarios within their incident response plans.
  5. Manage your AI supply chain contractually: With most organisations running multiple AI systems and tools, vendor and processor management is central to compliance. Ensure vendor contracts impose adequate data security, provision of assistance and accountability obligations, and conduct due diligence on AI tools and their plugins before deployment.
  6. Stay ahead of the regulatory direction: The express alignment of the 2026 checks with the National "15th Five-Year Plan" and the "AI Plus" agenda signals sustained and intensifying regulatory focus. Building robust, well-documented governance now is the most effective way to demonstrate accountability and compliance if scrutiny increases.
