Key trends
- UK: Regulators confirm that financial firms can collect and share data about customers in vulnerable circumstances to meet the Consumer Duty, and that online services must implement effective, privacy-compliant age checks for children.
- EU: The CJEU and EDPB refine GDPR rules on abusive DSARs and research, confirming that wrongful refusals can trigger damages and tightening safeguards around “scientific research” and clinical trials.
- Italy: The Garante adopts a strict stance on employment emails, intrusive app-based fraud tools and customer profiling, stressing necessity, transparency and careful use of legitimate interests.
- China: The CAC proposes simplified obligations and leniency for small processors while launching targeted enforcement campaigns and new rules on cross-border export of automobile data.
Must reads
- Council of Europe draft LLM Guidelines: lifecycle privacy under Convention 108(+), by Jérémie Doornaert and Geoffrey Bruyninckx
- CRA and Data Act: EU’s new rules for connected tech and cloud service, by Jaap Tempelman
Regional Updates
UK
Joint regulator statement on processing of vulnerable customers’ data
The Financial Conduct Authority and Information Commissioner’s Office have published a joint statement clarifying how financial services firms can meet their Consumer Duty obligations to deliver good outcomes for customers in vulnerable circumstances while remaining compliant with UK data protection law. The statement confirms that UK GDPR, the DPA 2018 and PECR do not prevent firms from collecting, using and sharing vulnerability-related data where this is appropriate and necessary to protect individuals and support them effectively – provided core principles such as lawfulness, fairness, transparency, data minimisation, security and accountability are respected, and appropriate lawful bases (including, where relevant, special category and substantial public interest conditions) are in place.
Firms are expected to understand and respond to indicators of vulnerability across the customer journey, to share information appropriately across distribution chains where needed to avoid foreseeable harm, and to monitor outcomes so that customers in vulnerable circumstances do not systematically receive worse results. At the same time, they must avoid unnecessary or intrusive data collection, ensure any sharing is properly governed (including via data sharing agreements and DPIAs where high-risk processing is involved), and be alive to the risk that poorly designed profiling or automated decision-making could amount to unlawful discrimination.
This statement gives firms confidence that responsible, proportionate use and sharing of vulnerability-related data is not only permitted, but expected, where it is necessary to deliver good outcomes. This is a good opportunity for financial services firms to test how their Consumer Duty, data protection and anti-discrimination law compliance strategies align in practice.
For more information, see the statement here.
Ofcom and ICO publish joint statement on age assurance
On 25 March 2026, Ofcom and the Information Commissioner’s Office (ICO) published a joint statement on age assurance, aimed at online services likely to be accessed by children and within scope of the Online Safety Act and UK data protection legislation. The statement seeks to provide practical clarity on how organisations can meet both online safety and data protection obligations when implementing age assurance.
The regulators emphasise a shared, risk-based and technology-neutral approach. They reiterate that self-declaration alone is not an effective means of age assurance and that, where highly effective age assurance is required, suitable methods may include (depending on context) digital identity services, facial age estimation, or document-based verification, provided the overall process is robust and resistant to circumvention. Where a service has set a minimum age (for example, 13), it is expected to take practical steps to prevent underage access using appropriate, currently viable technologies, which may include facial age estimation, digital identity solutions or one-time photo matching.
From a data protection perspective, the ICO stresses that all age assurance methods involve the processing of personal data and must comply with UK GDPR principles. This includes having a valid lawful basis, ensuring necessity and proportionality, applying data minimisation and storage limitation, and being transparent with users. Where organisations lack sufficient certainty about users’ ages relative to the risks on the service, the ICO expects Children’s Code standards to be applied to all users as a baseline safeguard.
For more information, see the joint statement from Ofcom and the ICO here.
Smart data 2035: The UK’s Smart Data Strategy
The UK Government has published its long-term vision for “smart data” sharing in the UK. The Government’s goal is for at least 20 interoperable smart data schemes to be in place by 2035 across sectors including banking, finance, energy, property, retail, digital markets, transport, telecoms and agrifood, highlighting the potential of such schemes to generate billions of pounds of annual GDP contributions by 2043 (four smart data schemes alone are estimated to generate £9.6 billion by 2043). These schemes will enable the secure, consent-based sharing of customer or business data with Authorised Third Parties (ATPs), underpinned by robust governance and technical standards.
The Open Banking scheme, the UK’s first smart data scheme (with 17 million users in January 2026), is cited as a success in making the UK a leader in Fintech by helping to generate investment into UK fintech companies. The UK Government’s recent Smart Data Challenge Prize resulted in impactful new use cases from Moverly (in relation to property sale documentation) and Beyond Encryption’s “Nigel” tool (that provides households with one secure place to store and manage important documents, receive reminders and share information with trusted contacts).
The Data (Use and Access) Act 2025 gives the Government powers to establish smart data schemes, mandating secure data sharing and interoperability. The schemes only permit the sharing of data of customers (individuals and businesses) that have given explicit and time-bound consent to sharing with ATPs. As under the UK GDPR in relation to personal data, consent must be capable of being withdrawn freely at any time. Consent mechanisms and user control are central to scheme design, with a focus on transparency and the ability to withdraw consent.
Only accredited ATPs that meet strict governance, security and technical standards may participate in the schemes. Accreditation, compliance monitoring and enforcement will be overseen by designated regulators or scheme bodies. Schemes must also provide mechanisms for consumer redress, complaints handling and regulatory enforcement.
Common technical standards (such as in relation to APIs) will be needed to ensure standardised data sharing can take place across sectors. Further details of what these will involve will be set out in the Smart Data Guidebook (to be published by 2027).
The strategy aims for cross-border interoperability and alignment with international data protection standards, while considering national security and trade requirements.
A copy of the strategy is available here.
EU
CJEU ‘Brillen Rottler’: when can DSARs be refused as abusive, and when do refusals trigger damages?
On 19 March 2026, the CJEU handed down its judgment in Brillen Rottler, clarifying when controllers may refuse a data subject access request (“DSAR”) as “excessive” under Article 12(5) GDPR and how refusals can give rise to compensation under Article 82. An Austrian individual had subscribed to a German optician’s newsletter and, 13 days later, submitted a DSAR. The company refused, arguing that he systematically subscribed to newsletters, filed DSARs and then claimed damages.
The Court held that even a first DSAR can be considered “excessive” – and therefore refused – where the controller can show that, despite formal compliance with Article 15, the request was not made to understand and verify the lawfulness of processing, but with an abusive intention, such as artificially creating the conditions for a damages claim. Abuse must remain exceptional: controllers bear the burden of proof and must demonstrate abusive intent “unequivocally”, taking into account all the circumstances (the voluntary nature of the provision of the data, the purpose and timing of the request, and the data subject’s conduct). Publicly available information about a pattern of similar claims may be used, but must be backed by other material evidence.
On compensation, the CJEU confirmed that Article 82 is not limited to unlawful processing: a wrongful refusal to grant access can in itself be an infringement capable of triggering damages. Non-material damage can include loss of control over personal data and uncertainty as to whether data have been processed – but damage cannot be presumed from the infringement alone and there is no de minimis threshold; data subjects must still prove that they actually suffered harm, distinct from the mere breach. Importantly, the Court also held that the causal link can be broken where the data subject’s own conduct is the “determining cause” of the damage, for example where they submitted data solely to manufacture a compensation claim. The recognition of “uncertainty” as compensable harm is expected to lower the practical bar for GDPR damages claims, even as the causation defence gives controllers a new line of argument.
For organisations, the judgment reinforces three points: (i) refusals of DSARs on abuse grounds are possible but must be exceptional and carefully evidenced, not based on mere suspicion; (ii) DSAR handling failures can themselves generate compensable harm, even absent unlawful processing; and (iii) where there are signs of a “claims factory” pattern, documenting the requester’s conduct and the surrounding context will be critical, both to justify any refusal and to invoke causation-based defences in damages litigation. The judgment also lands as the Commission’s Digital Omnibus proposal moves forward; its envisaged express ground for rejecting abusive access requests will now be read against the CJEU’s abuse-of-rights test centred on “abusive intention”.
For more information, see the judgment here.
EDPB steps in on ‘scientific research’ under the GDPR
The EDPB’s draft Guidelines on scientific research of 10 March 2026 aim to bring consistency to how the GDPR’s research flexibilities are applied. Instead of defining “scientific research”, the EDPB proposes six indicative factors (methodical approach, ethics, verifiability/peer review, researcher autonomy, contribution to societal knowledge, and potential to extend or apply existing knowledge). If these are met, the project is presumed to be “scientific research”; by contrast, internal customer analytics to refine a retailer’s marketing strategy is explicitly flagged as falling outside this notion.
For legal bases, the Guidelines confirm that consent, legal obligation, public interest (Article 6(1)(e)) and legitimate interests (Article 6(1)(f)) may all be used, and they explicitly recognise legitimate interests for both non-profit and commercial research, provided appropriate safeguards are in place. On consent, the EDPB endorses both broad consent (for a defined area of research) and dynamic consent (project- or phase-specific), but only where the research area is clearly delimited and there is ongoing transparency, easy withdrawal and governance measures such as oversight bodies and access controls. The draft also confirms that Article 53(1)(e) of the European Health Data Space Regulation can operate as the Article 9(2) ground for processing health data in research where Article 6(1)(f) GDPR is used as the legal basis.
The EDPB reiterates that Article 89(1) safeguards (in particular anonymisation or robust pseudonymisation, risk analysis/DPIAs and appropriate technical and organisational measures) remain a core condition for relying on the GDPR’s research regime. The Guidelines also cross-refer to the Commission’s Digital Omnibus proposal, especially on further processing and transparency for new purposes, effectively aligning their interpretation of the current GDPR with concepts that are still under negotiation and not expected to be voted on until February 2027.
For more information, see the draft Guidelines here (public consultation closes 25 June).
EDPB and EDPS carefully supportive of European Biotech Act
The European Commission’s proposed European Biotech Act would create an EU framework to support biotechnology and biomanufacturing and, in doing so, significantly amend the Clinical Trials Regulation (“CTR”). The EDPB and EDPS’ Joint Opinion of 10 March 2026 broadly supports the Act’s objectives, but stresses that simplification must not reduce the level of protection for health and genetic data.
On clinical trials, the Joint Opinion welcomes a single legal basis under Article 6(1)(c) GDPR for sponsors and investigators, but calls for tighter drafting: processing should be limited to what is “necessary”, CTR terminology should be aligned with “scientific research”, and the authorised protocol should describe processing operations, categories of data and data subjects, disclosures and retention periods in more detail. The EDPB and EDPS also support explicitly designating sponsors and investigators as controllers, while urging clarification of when they (and co-sponsors) are joint controllers and suggesting that controllership may be better allocated to the clinical trial site rather than to individual investigators. They recommend clarifying that the 25-year retention period in the CTR applies only to personal data in the clinical trial master file, and that any further processing by the same controller for other trials or scientific research should rest on Article 6(1)(e) GDPR, with narrower purposes and specific safeguards such as pseudonymisation and governance arrangements.
For AI, sandboxes and EU-level “testing environments”, the Joint Opinion underscores that the GDPR (and, where applicable, the AI Act) remains fully applicable and calls for clear legal bases, role allocations and safeguards wherever personal data are involved. The EDPB and EDPS also consider immediate application unrealistic and recommend transitional measures or exclusions for ongoing trials.
For more information, see the Joint Opinion here.
European Health Data Space: updated FAQs and first wave of implementing acts
The European Health Data Space Regulation (Regulation (EU) 2025/327) entered into force in March 2025 and will start to apply in stages from 26 March 2029 (primary use and most secondary use categories) and 26 March 2031 (remaining categories such as genetic data). On 26 March 2026, the Commission updated its EHDS FAQs, with more concrete guidance on what counts as an “EHR system”, how wellness apps, medical devices and high-risk AI systems can legitimately claim interoperability with EHRs, how health data access permits and dataset catalogues should work in practice (including future updates and available remedies), and how the EHDS interacts with non-EU participants and other digital legislation such as the Cyber Resilience Act.
In April 2026, three draft implementing regulations were opened for consultation: on MyHealth@EU (defining the central EU infrastructure, the Commission’s role as processor, and the requirements catalogue and testing regime, planned to apply from 26 March 2027), on the minimum metadata for dataset descriptions for secondary use (using HealthDCAT-AP, aligned with the 26 March 2029 start date for mandatory secondary use), and on cross-border identification and authentication in MyHealth@EU (based on eIDAS and the European Digital Identity Wallet, with a phased move to “high” assurance). In parallel, an implementing regulation adopted on 7 April 2026 established how the European Health Data Space Board will operate (membership, procedures, work plans and cooperation with the MyHealth@EU and HealthData@EU steering groups).
For more information, see the updated FAQs here, the draft implementing regulation on MyHealth@EU here, the draft implementing regulation on identity management here, the draft implementing regulation on dataset descriptions here, and finally the implementing regulation on the EHDS Board here.
Italy
Employment and data protection: Italian Data Protection Authority guidance on former employees’ access to corporate emails and the limits of post-termination DSARs
On 12 March 2026, the Italian Data Protection Authority (the “Garante”) issued a decision addressing the rights of former employees to access corporate email accounts and documents stored on company IT systems following the termination of their employment.
The Garante clarified that emails contained within an individualised corporate email account constitute personal data of the employee, even where such emails relate to professional or work-related matters. Consequently, employers may not lawfully restrict access solely to emails deemed “strictly personal”, nor may they filter out messages in advance on the basis of their professional content.
The Authority further emphasised that any limitation on the right of access must be specifically justified and supported by concrete evidence, for example to protect trade secrets or the rights and freedoms of third parties. In this context, the use of pseudonymisation or generalised redaction techniques cannot serve as automatic means to restrict the right of access.
Importantly, the right of access was also found to extend to documents stored on the employee’s corporate computer.
This decision reaffirms the Garante’s strict and structured approach to management of individual corporate email accounts.
For more information, see the decision here (in Italian).
App-based fraud prevention under scrutiny: Garante fines Poste Italiane and Postepay over invasive data processing activities
On 17 April 2026, the Garante imposed administrative fines exceeding €12.5 million on Poste Italiane S.p.A. and Postepay S.p.A. for the unlawful processing of personal data carried out through the BancoPosta and Postepay mobile applications.
The investigation, launched following numerous complaints and reports received since April 2024, focused on the operation of the apps, which required users—as a mandatory condition to access services—to authorise the monitoring of a wide range of data stored on their mobile devices. This included information on installed and running applications, purportedly to identify malicious software and prevent fraud.
While the companies argued that these practices were necessary to comply with EU payment services legislation and to ensure transaction security, the Garante found that the data collection mechanisms were excessively intrusive and not strictly necessary for fraud prevention purposes.
The Authority also identified multiple GDPR infringements, including insufficient transparency in privacy notices, the absence of a Data Protection Impact Assessment (DPIA), inadequate security measures, unlawful data retention policies, and irregularities in the designation of processors.
In addition to the financial penalties, the Garante ordered the companies to cease the contested processing activities (where not already suspended) and to implement corrective measures in line with the GDPR.
For more information, see the decision here (in Italian).
Customer profiling and corporate transactions: the Garante clarifies limits of legitimate interest in banking sector
On 12 March 2026, the Garante adopted a high-impact decision imposing a €17 million sanction on Intesa Sanpaolo in connection with the profiling of customers carried out as part of a corporate transaction involving the transfer of a business unit.
The Garante ruled that the legitimate interest relied upon by the bank could not be invoked automatically as a lawful basis for large scale customer data transfers linked to corporate restructuring. Instead, such reliance requires a specific, concrete and well-documented balancing assessment, also considering the reasonable expectations of the affected customers.
In particular, the Garante examined the use of automated criteria to identify customers suitable for transfer and clarified that profiling activities conducted in the context of M&A or corporate reorganisations must comply strictly with transparency, purpose limitation and fairness requirements under the GDPR.
The decision highlights the heightened scrutiny applied by the Garante to data processing operations in complex corporate and financial transactions, especially where automated decision-making or profiling techniques are involved.
For more information, see the decision here (in Italian).
Luxembourg
Luxembourg Administrative Court Overturns €746 Million Fine against Amazon
On 12 March 2026, the Luxembourg Administrative Court handed down a decision that overturned the CNPD’s €746m fine against Luxembourg-based Amazon for GDPR breaches relating to targeted advertising. The Court broadly upheld the substance of the CNPD’s findings, confirming that, at the time the investigation was opened in 2019, Amazon’s processing of personal data for interest-based advertising could not validly rely on “legitimate interest” as a legal basis under Article 6 GDPR. The Court also confirmed breaches of the obligations of transparency and of the rights of access, rectification and objection granted to data subjects.
However, the Court identified two major procedural shortcomings in the CNPD’s approach:
Firstly, it found that the CNPD had not taken account of the requirements set by recent CJEU case law, which now demands a full assessment of whether the controller’s conduct was intentional or negligent before an administrative fine is imposed.
Secondly, the Court criticised the CNPD’s methodology, noting that the authority had imposed a fine almost automatically after finding breaches, without considering the full range of corrective measures available under the GDPR to determine the most appropriate response.
The Court therefore annulled the CNPD’s 2021 decision and referred the case back to the CNPD for a fresh analysis, including a proper assessment of Amazon’s conduct and the proportionality of any sanction.
The judgment also noted that, by the time of the oral hearing in January 2026, Amazon had overhauled its data processing practices, switching from legitimate interest to user consent as the legal basis for targeted advertising.
For more information, see the decision here.
Belgium
Belgian DPA steps up AI focus with new “AI & Data Protection” series
On 13 April 2026, the Belgian Data Protection Authority launched its new “AI & Data Protection” initiative, starting with a brochure on The impact of artificial intelligence on privacy. The brochure is aimed primarily at individuals who use or interact with AI systems in their daily lives and explains, in accessible terms, what AI systems are, how they process personal data across their lifecycle, the privacy risks involved (including large-scale profiling and automated decision-making) and practical steps to retain control over one’s data (privacy settings, limiting data sharing, and exercising data subject rights or escalating to the DPA).
The new series explicitly builds on the DPA’s December 2024 paper Artificial Intelligence Systems and the GDPR: A Data Protection Perspective, which was directed at legal, DPO and technical audiences and focused on how GDPR (and the AI Act) apply to AI system development and deployment, including lawfulness, fairness, data minimisation, security, automated decision making and accountability, illustrated through controller oriented “user stories”. Taken together, these publications signal a growing regulatory focus on AI in Belgium and provide useful reference material for organisations building or deploying AI systems.
For more information, see the series launch here.
Middle East
Kuwait NCSC issues binding national cybersecurity baseline and data sovereignty controls
On 31 March 2026, the Kuwaiti National Cyber Security Centre (NCSC) issued Decision No. 2/2026, which approved and published the Kuwait National Basic Cybersecurity Controls as a binding national cybersecurity baseline. The Decision applies to “Relevant Entities” across the civil, military, security and private sectors that fall within the NCSC’s mandate, as set out in Decree Law No. 37/2022.
Annex 1 sets out minimum security requirements, covering governance; asset and data inventories and classification; cyber incident response; and a dedicated cloud security appendix. From a data protection perspective, the Decision brings data classification and data sovereignty under cyber compliance: (1) Sensitive data must be classified and labelled; (2) protection must scale with sensitivity, for example stronger access controls and encryption for Sensitive data; and (3) storing or processing Sensitive data outside Kuwait (including in backups and cloud services) now requires following the national approval process and obtaining explicit NCSC sign-off.
In practice, Decision No. 2/2026 marks a shift from internal, discretionary cyber governance to a prescriptive and auditable framework. Relevant Entities must implement the applicable Mandatory Requirements by developing internal policies and procedures, carrying out (at least) annual self-assessments using NCSC templates, and retaining records and evidence for NCSC review.
Relevant Entities have an 18-month window from Official Gazette publication (5 April 2026) to achieve full compliance. The Decision sits on top of sectoral requirements: entities subject to other regulators must apply the stricter standard. While it is still early in the implementation timeline, organisations should already be conducting internal gap analyses against the new baseline.
For more information, see the Decision here (upon subscription only).
China
CAC releases draft rule on simplified data protection measures for small-scale personal information processors
On 3 April, the Cyberspace Administration of China (CAC) released a draft rule on simplified measures for small-sized personal information processors (equivalent to “data controllers” in the GDPR context) for public comment (Draft Rule). This follows Article 62 of the Personal Information Protection Law (PIPL), which empowers the CAC to issue targeted rules and standards for small-sized personal information processors. It also reflects a global trend among data regulators to consider the practical impact of data protection obligations on small and medium-sized businesses and to explore diversified, risk-appropriate regulatory approaches.
Small-sized personal information processors are defined as those processing personal information of fewer than 100,000 individuals. Some key takeaways include:
1. Simplified privacy disclosures
The Draft Rule reduces the PIPL’s long list of information which must be provided to data subjects. At a minimum, the following items must be disclosed:
- name of the small-sized personal information processor;
- personnel and contact details for receiving data subject rights requests;
- purposes and manners of processing, types of personal information to be processed, and the retention periods; and
- where sensitive personal information is to be processed for specific purposes, the necessity of such processing and the impact on the data subjects’ rights and interests.
Notably, the Draft Rule no longer expressly requires detailed disclosures on personal information transfer activities. Under the PIPL, processors are required to disclose the overseas recipients’ names, contact details, purposes and manners of the overseas recipients’ processing, and types of personal information to be transferred. In practice, this has been challenging due to the complex data flows and commercial sensitivity. It is unclear whether the Draft Rule’s silence on this requirement should be interpreted to mean that the PIPL requirement continues to apply, or that small-sized processors are exempt from this requirement. If indeed exempted (which is what the market has been looking forward to), it will bring China-related privacy disclosures closer to global standards and ease the administrative burden of maintaining and updating the privacy notices.
2. Exemption of express consent / separate consent for voluntarily submitted information
Where the small-sized personal information processor has published its privacy notices and fulfilled its obligation to inform data subjects, and data subjects voluntarily provide personal information necessary to obtain products or services, or voluntarily and on an informed basis provide sensitive personal information such as facial information or biological samples, the processor may process the personal information in accordance with its published rules.
The Draft Rule recognises the proactive submission of information as implied consent, although the practical value of this provision is yet to be tested.
3. Personal information protection impact assessments (DPIA)
The Draft Rule introduces a simplified, one-page DPIA form for small-sized processors, with “yes/no/not applicable” options. Compared with the recommendatory national standard on DPIAs, this simplified form will significantly reduce the compliance burden, especially considering that a wide range of activities may trigger the DPIA requirement under the PIPL (including the processing of sensitive personal information, entrusted processing and cross-border data transfer, a much wider set of triggers than under the GDPR). The simplified form is optional: global organisations may choose to use harmonised DPIA standards and forms where a processing activity triggers a DPIA in multiple jurisdictions, while adopting the simplified form for China-only DPIAs.
4. Personal information protection compliance audits
The Draft Rule provides a self-assessment form for personal information protection compliance audits and requires that such audits be conducted at least once every five years and the records be kept for at least five years.
5. Leniency in penalties
The Draft Rule provides for waived or reduced penalties where the non-compliance is minor, or has been corrected or proactively mitigated. This aligns with the current enforcement approach of Chinese data regulators, which remains focused on rectification rather than punishment.
For more information, see the link here (official text in Chinese only).
Regulators kick off 2026 personal information protection enforcement campaign
The CAC, the Ministry of Industry and Information Technology and the Ministry of Public Security announced a joint enforcement campaign against personal information violations on 2 April. The focus areas include mobile applications and SDKs, internet advertising, education sector, transport sector, health and medical services and financial sector.
The announcement also sets out specific target issues for each focus area. For example, for the financial sector, the regulators will pay special attention to the issues including: (i) collecting non-essential personal information (such as contact lists, text messages, call logs, location data, device information and App lists) or accessing function permissions (such as the microphone and storage) under the pretext of security risk control or loan services through the organisation’s website or App; (ii) provision of personal information by loan facilitation platforms to cooperating third-party institutions without informing the data subjects of the names of such third parties, the purposes and methods of processing the personal information, and without obtaining the data subjects’ consent; (iii) using facial recognition technology as the sole means of identity verification in the organisation’s offline business reviews or on its website or App, even though non-facial recognition technologies could achieve the same purpose, or failure to implement the relevant security management requirements for the application of facial recognition technology; and (iv) failure to establish personal information protection management systems, adopt effective security protection measures, or mitigate risks of personal information leaks.
This announcement provides clear guidance on Chinese authorities’ enforcement priorities. Market players are strongly recommended to perform internal reviews accordingly to identify and eliminate potential risks.
For more information, see the link here (official text in Chinese only).
Eight regulators jointly issue cross-border data transfer guidance for automobile data
Eight Chinese regulators jointly issued the Guidance on Secure Export of Automobile Data (2026 edition) (Guidance) on 30 January. On top of China’s existing regulatory regime for cross-border data transfer, the Guidance introduces three new transfer scenarios that may be exempted from the obligations to clear a data export security assessment (which is in essence a regulatory approval), to enter into and file the standard contract, or to obtain a personal information protection certification. These scenarios cover the outbound transfer of personal information for the purposes of fixing security loopholes, handling security incidents, and conducting product recalls to eliminate defects, subject to the condition that the relevant loopholes, security incidents or recall activities have been reported to the relevant regulators.
In addition, the Guidance sets out criteria for identifying automobile-related “important data”, the outbound transfer of which is subject to regulatory approval. Potentially important data arises from activities including product R&D, testing, manufacturing, driving automation, software upgrades, and IoV (Internet of Vehicles) operation.
For more information, see the link here (official text in Chinese only).
Hong Kong
Hong Kong privacy authority issues alert on agentic AI tools
On 16 March 2026, the Office of the Privacy Commissioner for Personal Data (PCPD) issued an alert on the privacy and security risks of agentic AI tools, urging organisations and the public to implement robust safeguards before deployment.
Unlike conventional AI chatbots used for text replies or content generation, agentic AI tools are installed on local devices or servers with high-level access. They can read and write files, allocate system resources, interact with external services and autonomously execute multi-step workflows without real-time human involvement, presenting a significantly higher privacy risk profile.
The PCPD's practical recommendations include:
- Minimise access – Grant only the permissions strictly needed; avoid sharing confidential or sensitive personal data unless necessary; never assign administrator-level privileges.
- Use trusted, up-to-date software – Only deploy the latest official versions from verified channels to reduce exposure to unpatched vulnerabilities.
- Strengthen technical controls – Isolate the agentic AI runtime environment from local devices and core servers, tighten network and perimeter defences, and lower access rights for Internet-facing components.
- Vet plugins rigorously – Install third-party components only after verifying their authenticity and security; avoid any whose safety cannot be confirmed.
- Maintain human oversight – Conduct continuous risk assessments and adopt a "human-in-the-loop" approach, retaining final human control over high-risk operations such as data transmissions or system configuration changes.
For more information, see the alert here.
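The five PCPD recommendations above map naturally onto a single chokepoint that every agent tool call must pass through. The following is an added illustration, not code from the PCPD or any vendor: a default-deny policy gate that refuses administrator-level actions outright, confines file access to an isolated workspace, holds high-risk operations (data transmission, configuration changes) for a human decision, and accepts third-party plugins only when their content matches a previously vetted hash. Tool names, paths and the plugin payload are constructed placeholders.

```python
"""Policy gate for agentic AI tool calls (added example, not from the alert)."""
import hashlib
from dataclasses import dataclass, field

HIGH_RISK = {"send_data", "write_config"}        # human-in-the-loop required
FORBIDDEN = {"sudo", "add_user", "change_perms"}  # admin-level: never granted


@dataclass
class Policy:
    allowed_tools: set                 # explicit allowlist; everything else is denied
    allowed_paths: tuple               # the agent may only touch these path prefixes
    plugin_hashes: dict = field(default_factory=dict)  # plugin name -> vetted sha256


def check_tool_call(policy, tool, args, approver=None):
    """Return "allow", "deny" or "needs_approval" for one proposed tool call.

    `approver` is an optional callable(tool, args) -> bool standing in for the
    human reviewer; without one, high-risk calls are left pending, never run.
    """
    if tool in FORBIDDEN:
        return "deny"                  # administrator privileges are never assigned
    if tool not in policy.allowed_tools:
        return "deny"                  # default deny: not on the minimal allowlist
    path = args.get("path")
    if path is not None and not path.startswith(policy.allowed_paths):
        return "deny"                  # outside the isolated runtime workspace
    if tool in HIGH_RISK:
        if approver is None:
            return "needs_approval"    # hold until a human decides
        return "allow" if approver(tool, args) else "deny"
    return "allow"


def pin_plugin(policy, name, content):
    """Record the hash of a plugin after it has been vetted out of band."""
    policy.plugin_hashes[name] = hashlib.sha256(content).hexdigest()


def plugin_is_trusted(policy, name, content):
    """Load a plugin only if its content matches the pinned, vetted hash."""
    expected = policy.plugin_hashes.get(name)
    if expected is None:
        return False                   # safety cannot be confirmed: refuse
    return hashlib.sha256(content).hexdigest() == expected
```

Wiring the gate in front of the agent's tool dispatcher also produces a single audit log of every attempted action, which supports the continuous risk assessment the alert calls for.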
Hong Kong regulators expand GenA.I. Sandbox++ across sectors
On 5 March 2026, the Hong Kong Monetary Authority, Securities and Futures Commission, Insurance Authority and Mandatory Provident Fund Schemes Authority, in collaboration with Cyberport, launched the Generative Artificial Intelligence (GenA.I.) Sandbox++, expanding on the original 2024 GenA.I. Sandbox initiative across multiple financial sectors including banking, securities and capital markets, asset and wealth management, insurance, MPF and stored value facilities.
The initiative continues to target three high-impact areas (risk management, anti-fraud and customer experience) while advancing “A.I. vs A.I.” strategies that use AI to manage the risks of A.I. adoption. Financial institutions taking part will receive supervisory guidance, technical support and complimentary access to GPU computing resources at Cyberport’s A.I. Supercomputing Centre, enabling them to develop and pilot use cases in a risk-controlled environment.
For more information, see the joint announcement here.