What the Personal Data (Privacy) Ordinance requires when you use AI on personal data — the six Data Protection Principles — grounded in the PCPD’s AI Model Framework, without overclaiming.

dgm is an independent osFoundry integration partner — not affiliated with osFoundry’s maker (OS LLC), and dgm has no completed client integrations yet.

Using AI on personal data in Hong Kong does not change the baseline law: the Personal Data (Privacy) Ordinance still applies. This guide explains what that means for an AI project, without overclaiming.

What the PDPO requires

The Personal Data (Privacy) Ordinance (Cap. 486), enforced by the Office of the Privacy Commissioner for Personal Data (PCPD), sets six Data Protection Principles covering collection, accuracy and retention, use, security, openness and access. A breach of a principle is not itself a criminal offence — the Commissioner issues an enforcement notice, and contravening that notice is the offence. Section 33, the cross-border transfer restriction, has never been brought into force, so there is currently no statutory restriction on transferring personal data out of Hong Kong; and breach notification to the PCPD is voluntary, not mandatory, in 2026.

How it applies to AI

AI that trains on, prompts with, or processes personal data must respect the six Data Protection Principles — especially not collecting excessively (DPP1), not repurposing data beyond its original purpose without consent (DPP3), and keeping it secure (DPP4). The PCPD’s June 2024 AI Model Personal Data Protection Framework adds advisory recommendations: AI governance, risk assessment with human oversight, careful customisation, and stakeholder communication.

Practical steps

Map what personal data your AI touches, confirm the purpose and legal basis, minimise what you collect, keep a human in the loop for decisions, and document it. osFoundry’s managed cloud pins data to the US, EU or Japan — it does not currently offer a Hong Kong managed region (its nearest managed region is Japan). To keep data in Hong Kong, the honest path is self-hosting osFoundry (BYO Cloud) inside a Hong Kong cloud region such as AWS Asia Pacific (Hong Kong) ap-east-1, Microsoft Azure East Asia (Hong Kong SAR) or Google Cloud asia-east2 (Hong Kong), or running models locally on-device.

Where dgm fits

dgm is an independent integration partner that helps Hong Kong businesses adopt osFoundry — scoping a first use case, handling the build, and connecting AI to the systems you already run. dgm is independent of osFoundry’s maker (OS LLC) and has no completed client integrations yet, so everything described here is a service offered, not a past result. If you want to scope a practical first project, dgm can help you map it out.