Guides

Data-Breach Notification and AI in Hong Kong 2026

Hong Kong breach notification to the PCPD is voluntary, not mandatory, in 2026 — but reform is being discussed. How to handle an AI-related breach responsibly.

By dgm · 2026-04-29 · 2 min read

Hong Kong breach notification to the PCPD is voluntary, not mandatory, in 2026 — but reform is being discussed. How to handle an AI-related breach responsibly.

dgm is an independent osFoundry integration partner — not affiliated with osFoundry’s maker (OS LLC), and dgm has no completed client integrations yet.

If an AI system is involved in a data breach in Hong Kong, what must you do? The 2026 position is that breach notification to the regulator is voluntary, not mandatory — but reform is being discussed.

The current position

The PCPD’s own guidance states that notifying it of a data breach is not a statutory requirement, though it is a recommended practice. So in 2026 breach notification in Hong Kong is voluntary. The PCPD revised its breach-handling guidance in 2023, widely read as a step toward a future mandatory regime.

What this means for AI

An AI-related breach (for example, an AI tool exposing personal data) is handled like any other under the PDPO: contain it, assess the harm, notify affected individuals where appropriate, and consider notifying the PCPD as recommended practice. The DPP4 security obligation still applies regardless of notification.

Build the capability now

Given the reform direction, build breach-response capability now even though notification is voluntary. osFoundry’s managed cloud pins data to the US, EU or Japan — it does not currently offer a Hong Kong managed region (its nearest managed region is Japan). To keep data in Hong Kong, the honest path is self-hosting osFoundry (BYO Cloud) inside a Hong Kong cloud region such as AWS Asia Pacific (Hong Kong) ap-east-1, Microsoft Azure East Asia (Hong Kong SAR) or Google Cloud asia-east2 (Hong Kong), or running models locally on-device.

Where dgm fits

dgm is an independent integration partner that helps Hong Kong businesses adopt osFoundry — scoping a first use case, handling the build, and connecting AI to the systems you already run. dgm is independent of osFoundry’s maker (OS LLC) and has no completed client integrations yet, so everything described here is a service offered, not a past result. If you want to scope a practical first project, dgm can help you map it out.

Frequently asked questions

Is data-breach notification mandatory in Hong Kong?

No — in 2026 it is voluntary. The PCPD recommends notifying it as good practice but it is not a statutory requirement.

What should I do after an AI-related breach?

Contain it, assess harm, notify affected individuals where appropriate, and consider notifying the PCPD. The PDPO's security obligation (DPP4) still applies.

How does dgm help?

dgm can build AI with security and breach-response capability in mind, and keep data in Hong Kong via self-hosting.

Data-Breach Notification and AI in Hong Kong 2026

The current position

What this means for AI

Build the capability now

Where dgm fits

Frequently asked questions

Ready to replace your SaaS stack with osFoundry?

Simple, transparent pricing

Initial consultation

AI integration

Data-Breach Notification and AI in Hong Kong 2026

The current position

What this means for AI

Build the capability now

Where dgm fits

Related guides

Frequently asked questions

Related reading

Ready to replace your SaaS stack with osFoundry?

Simple, transparent pricing

Initial consultation

AI integration