Detailed overview
Hong Kong does not currently have a single horizontal AI Act. AI governance is mainly based on data protection, official privacy guidance, sectoral rules and voluntary AI governance frameworks. The most important authority for AI involving personal data is the Office of the Privacy Commissioner for Personal Data, or PCPD.
PCPD AI Model Framework
The PCPD has published the Artificial Intelligence: Model Personal Data Protection Framework. The framework is intended for organisations that procure, implement and use AI systems involving personal data. It provides practical recommendations on AI governance, internal accountability, risk assessment, human oversight, data management, transparency and protection of personal-data privacy.
The framework is relevant to many business AI systems, including AI used for customer service, marketing, fraud detection, profiling, employment, credit assessment, risk scoring, document processing and automated recommendations. Where personal data is involved, organisations should assess whether the AI system uses personal data lawfully, whether data is necessary and proportionate, whether individuals are properly informed and whether safeguards exist against unfair or inaccurate outcomes.
Ethical AI guidance
Hong Kong's PCPD has also issued guidance on the ethical development and use of AI. The guidance addresses AI governance through values such as accountability, fairness, transparency, data quality, security, human oversight and explainability. It is designed to help organisations develop and use AI in a manner consistent with the Personal Data (Privacy) Ordinance and good privacy practice.
Penalties
There is no single Hong Kong AI-specific penalty table. Penalties may arise under the Personal Data (Privacy) Ordinance, sectoral regulation, consumer law, employment law, financial regulation or criminal law depending on the AI use case and the breach.