AI Regulation Hub

Hong Kong

Hong Kong has no horizontal AI Act. AI governance rests on data protection (PCPD), official privacy guidance, sectoral rules and voluntary AI governance frameworks — notably the PCPD's Artificial Intelligence: Model Personal Data Protection Framework.

Key provisions

PCPD AI Model Personal Data Protection Framework

In force

For organisations procuring, implementing and using AI systems involving personal data. Covers AI governance, internal accountability, risk assessment, human oversight, data management, transparency and personal-data protection.

PCPD ethical AI guidance

In force

Addresses AI governance through accountability, fairness, transparency, data quality, security, human oversight and explainability. Aligned with the Personal Data (Privacy) Ordinance.

PDPO + sectoral overlays

In force

Penalties may arise under the Personal Data (Privacy) Ordinance, sectoral regulation, consumer law, employment law, financial regulation or criminal law depending on use case.

Detailed overview

Hong Kong does not currently have a single horizontal AI Act. AI governance is mainly based on data protection, official privacy guidance, sectoral rules and voluntary AI governance frameworks. The most important authority for AI involving personal data is the Office of the Privacy Commissioner for Personal Data, or PCPD.

PCPD AI Model Framework

The PCPD has published the Artificial Intelligence: Model Personal Data Protection Framework. The framework is intended for organisations that procure, implement and use AI systems involving personal data. It provides practical recommendations on AI governance, internal accountability, risk assessment, human oversight, data management, transparency and protection of personal-data privacy.

The framework is relevant to many business AI systems, including AI used for customer service, marketing, fraud detection, profiling, employment, credit assessment, risk scoring, document processing and automated recommendations. Where personal data is involved, organisations should assess whether the AI system uses personal data lawfully, whether data is necessary and proportionate, whether individuals are properly informed and whether safeguards exist against unfair or inaccurate outcomes.

Ethical AI guidance

Hong Kong's PCPD has also issued guidance on the ethical development and use of AI. The guidance addresses AI governance through values such as accountability, fairness, transparency, data quality, security, human oversight and explainability. It is designed to help organisations develop and use AI in a manner consistent with the Personal Data (Privacy) Ordinance and good privacy practice.

Penalties

There is no single Hong Kong AI-specific penalty table. Penalties may arise under the Personal Data (Privacy) Ordinance, sectoral regulation, consumer law, employment law, financial regulation or criminal law depending on the AI use case and the breach.

Practical requirements & details

Sourced from PCPD's "Artificial Intelligence: Model Personal Data Protection Framework" (2024), the PCPD Guidance on the Ethical Development and Use of Artificial Intelligence (2021), the Personal Data (Privacy) Ordinance (PDPO), HKMA/SFC AI guidance, and the Hong Kong Office of the Government Chief Information Officer.

PCPD AI Model Framework — four sections

  • Establish AI strategy and governance — board-level oversight, AI governance committee, internal policies.
  • Conduct risk assessment and human oversight — risk classification, mitigation, human-in-the-loop calibration.
  • Customise AI models and implement responsible AI — data preparation, model selection, customisation, system integration, testing.
  • Communicate and engage stakeholders — transparency, communication with users, complaint mechanisms.

PCPD ethical AI guidance — 7 principles

  • Accountability; human oversight; transparency and interpretability; data privacy; fairness; beneficial AI; reliability, robustness and security.

PDPO overlay

  • Six Data Protection Principles apply: purpose/manner of collection, accuracy and retention, use, security, openness, data access/correction.
  • Direct-marketing consent rules apply to AI-driven personalised marketing.
  • Cross-border data transfer principles in section 33 — not yet in force but informative.

Sector overlays

  • HKMA GenAI consumer-protection circulars and 2024 AI risk-management guidance for banks.
  • SFC algo-trading and AI-asset-management circulars.
  • Department of Health for AI medical devices.

Penalties

  • Doxxing offences under PDPO (since 2021): fines up to HKD 1 million and 5 years' imprisonment.
  • Sector enforcement under banking, securities, consumer, criminal law as applicable.
