A logistics firm in Kwun Tong deploys three AI systems across customer service, route planning, and invoice processing. None of the vendor contracts mention personal data. Six months in, a client asks a simple question: where does the data your AI reads actually go? Nobody in the room can answer.
This is the exact scenario Hong Kong's Privacy Commissioner for Personal Data (PCPD) set out to examine in 2026. The findings should reframe how every enterprise leader thinks about AI and the Personal Data (Privacy) Ordinance.
What did Hong Kong's 2026 PCPD AI compliance checks find?
The PCPD completed compliance checks on 60 organisations in May 2026, examining how they use AI and protect personal data. It found no contravention of the PDPO, but the data revealed how deeply AI is now embedded: 57 of 60 organisations (95%) use AI daily, and 29 (51%) run three or more AI systems.
According to the PCPD's May 2026 statement, the review spanned accounting, food and beverage, innovation and technology, logistics, and property management. Around 79% of the organisations had used AI for more than a year, meaning AI is no longer experimental in Hong Kong operations. It is infrastructure.
The absence of a formal contravention is not a clean bill of health. It reflects a regulator that is watching closely and setting expectations before it needs to enforce them.
What is the PDPO and how does it apply to AI?
The Personal Data (Privacy) Ordinance is Hong Kong's core data protection law. It applies to AI whenever a system collects, uses, or processes personal data, whether during model training, customer interactions, or automated decisions. AI does not sit outside the PDPO; it sits squarely inside it.
The practical implication for enterprises is direct. If your AI reads customer emails, screens job applicants, or scores credit risk, every one of the PDPO's data protection principles applies, including purpose limitation, accuracy, retention, and security.
The trap most leaders fall into is assuming the vendor carries this responsibility. Under the PDPO, the data user, meaning your organisation, remains accountable. Outsourcing the technology does not outsource the obligation.
What is the Model Personal Data Protection Framework?
Issued by the PCPD in June 2024, the Model Personal Data Protection Framework is Hong Kong's practical playbook for responsible enterprise AI. It sets out recommendations across four areas: AI strategy and governance, risk assessment and human oversight, stakeholder communication, and AI system management.
According to the PCPD framework, the first area demands that top management formally commit to an AI strategy and establish an internal governance structure. This is a board-level signal, not an IT checklist item.
The framework aligns with the three Data Stewardship Values and seven Ethical Principles from the PCPD's 2021 guidance. For a COO or IT Director, it functions as a ready-made structure to present AI governance credibly to the board.
The following four areas anchor the framework:
--- AI strategy and governance, led by top management
--- Risk assessment and human oversight, using a risk-based approach
--- Communication with staff, customers, and regulators
--- Ongoing customisation, implementation, and management of AI systems
Why is agentic AI a new privacy risk under the PDPO?
In March 2026, the PCPD issued a specific alert on agentic AI, flagging it as an elevated privacy risk. Agentic systems can access local devices, files, emails, credentials, and browser contents, then execute multi-step tasks autonomously without a human approving each action.
According to the PCPD, the concern is scope. A traditional chatbot answers a question. An AI agent may open your email, extract a client's details, log into a third-party service, and act, all before anyone reviews it.
The PCPD's practical recommendations are concrete. Restrict AI systems to minimum access rights, avoid administrator privileges, separate runtime environments from local infrastructure, review plugins for malicious code, and keep a human in the loop for decisions with significant individual impact.
How should Hong Kong enterprises assess their AI privacy readiness?
Start with a data map. Before any governance policy, an enterprise must know which AI systems touch personal data, what data they read, where it flows, and how long it is retained. Most organisations discover they cannot answer these questions on day one.
The PCPD noted a clear 2026 trend towards data-light AI: fewer organisations retain the personal data their AI processes, favouring architectures that process data transiently or rely on anonymisation and pseudonymisation. This is a defensible default for enterprises building now.
A readiness assessment should test four things in sequence:
--- Inventory: which AI systems process personal data, and under what contract terms
--- Access: whether each system holds only the minimum rights it needs
--- Retention: whether personal data is deleted once its purpose is served
--- Oversight: whether a human reviews high-impact automated decisions
An enterprise that can answer these four cleanly is already ahead of most of the 60 organisations the PCPD reviewed.
What are the common mistakes enterprises make with AI and personal data?
The most common mistake is treating AI privacy as a legal formality signed once at procurement. AI systems change, data flows shift, and vendors update models, so a one-time review ages badly. The PCPD explicitly recommends continuous monitoring and review.
A second mistake is granting AI systems administrator-level access for convenience. This is precisely the pattern the PCPD's March 2026 agentic AI alert warns against, because broad access turns a minor incident into a major data breach.
The third mistake is silence. Enterprises deploy AI without telling staff or customers how their data is used. The Model Framework treats stakeholder communication as a core pillar, not an optional courtesy, because trust erodes fastest when people feel data was taken rather than given.
The bottom line for Hong Kong enterprise leaders
The PCPD found no contravention in 2026, but it also made clear that scrutiny is rising and expectations are set. For a VP of Operations or IT Director, AI privacy is now a board-level accountability, not a technical afterthought.
The organisations that will navigate this well are not the ones with the most AI, but the ones who know exactly what their AI touches and can prove it. Governance is no longer a brake on AI; it is the license to scale it with confidence.
This is where a trusted local partner matters. We understand AI. We understand you. With UD by your side, AI never feels cold, because technology should reduce your risk, not quietly add to it.
Ready to know exactly where your organisation stands?
Now that you understand what the PCPD expects, the next step is a clear picture of your own AI and data footprint. We'll walk you through every step, from mapping which systems touch personal data to building a governance structure your board will trust, with 28 years of Hong Kong enterprise experience behind you.