What is AI regulation in Hong Kong?


Hong Kong regulates AI mainly through existing law and regulator guidance, rather than a single economy-wide AI Act. The legal base is the Personal Data (Privacy) Ordinance, reinforced by Privacy Commissioner guidance on ethical AI and personal data use. Banks and securities firms face extra supervisory controls from the HKMA and SFC, especially for customer-facing or high-risk uses. Government frameworks from the Digital Policy Office add ethics and assessment tools, but the overall model remains principles-based and mostly non-statutory.

What this means

Hong Kong's AI regime is distinct from mainland China's. Under the Basic Law, Hong Kong keeps its own legal system, so mainland national AI measures do not automatically govern local organisations. If the same business also operates in mainland China, that is a separate compliance analysis.

For most organisations, AI regulation in Hong Kong starts with existing legal duties, above all the rules on personal data. If an AI tool trains on, profiles, scores, recommends or generates material using personal data, the PDPO still applies across collection, use, security, openness and access or correction.

On top of that legal baseline, Hong Kong relies heavily on regulator guidance. The PCPD provides the main privacy and governance playbook, while the HKMA and SFC impose extra expectations in finance. The Digital Policy Office adds ethics and assessment frameworks for government and, increasingly, for general reference.

Why it matters

This matters because the risk in Hong Kong is easy to underestimate. A team may buy a chatbot, coding assistant or scoring tool and assume there is little AI law to worry about. In fact, the key decisions (what data goes in, what the model is allowed to do, who checks it, what customers are told, and how the vendor is controlled) can already trigger privacy, conduct, cyber and governance duties.

The practical stakes rise fast when AI affects customers, lending, investments, employment or large volumes of personal data. Even where guidance is non-statutory, it often shows how regulators expect firms to manage explainability, fairness, human oversight, audit trails and third-party risk. For founders, boards and buyers, that makes AI a governance issue, not just a technical purchase.

How it works

A separate regime from mainland China

Hong Kong SAR regulates AI within its own legal order. The Basic Law preserves Hong Kong's common law and local ordinances, and mainland national laws apply only in limited circumstances through Annex III. That is why Hong Kong's AI position has to be analysed separately from mainland China. A group operating on both sides of the boundary may therefore need two compliance maps, one for Hong Kong and one for the mainland.

The legal baseline is existing Hong Kong law

There is no single omnibus AI statute. The main legal baseline is horizontal law that already existed before the current generative AI wave, especially the Personal Data (Privacy) Ordinance. Its six Data Protection Principles run through the whole personal data lifecycle: collection, accuracy and retention, use, security, openness, and access or correction. If an AI system touches personal data, those duties still apply whether the model is built in-house, bought from a vendor or embedded in a broader service.

That baseline matters beyond training data. Prompt inputs, fine-tuning datasets, generated material that reveals personal data, monitoring logs and user analytics can all bring the PDPO into play. The PCPD also has investigation powers and can issue enforcement notices, so the absence of a dedicated AI statute does not mean the absence of enforceable duties.

PCPD sets the main privacy and governance playbook

The PCPD's 2021 guidance is the foundation. It introduced three Data Stewardship Values (being respectful, being beneficial and being fair) plus seven ethical AI principles: accountability, human oversight, transparency and interpretability, data privacy, fairness, beneficial AI, and reliability, robustness and security. It also pushes a risk-based method, senior management buy-in, an AI strategy, a governance committee and structured stakeholder engagement.

The 2024 Model Personal Data Protection Framework moved from broad principles to operating detail. It is aimed at organisations that procure, implement and use AI, not only model developers. It covers AI strategy and governance, procurement due diligence, risk assessment, human oversight, data preparation, testing, continuous monitoring, explainability, and engagement with affected people. The framework is guidance rather than legislation, but it is expressly framed as a way to help organisations comply with the PDPO.

Financial services has an extra supervisory layer

Financial services has the clearest additional AI controls. The HKMA started with four guiding principles for banks: governance and accountability, fairness, transparency and disclosure, and data privacy and protection. It later sharpened that approach for customer-facing generative AI. The HKMA says boards and senior management remain responsible, banks should keep a human in the loop, customers should be able to seek human intervention, and banks should explain the purpose and limits of the tool.

The SFC's November 2024 circular does something similar for licensed corporations using AI language models in regulated activities. It treats investment recommendations, investment advice and investment research as high-risk AI uses. Firms are expected to put senior management oversight, model validation, ongoing monitoring, cybersecurity and data controls, third-party risk management and clear client disclosures in place. Where a firm's use of AI language models amounts to a significant change in business or service type, the SFC also reminds firms about notification duties.

Government guidance adds an ethics and standards layer

Hong Kong also has a standards and policy layer outside hard law. The Digital Policy Office's Ethical Artificial Intelligence Framework was first built for government bureaux and departments, then revised so it can serve as general reference for other organisations. It bundles ethical principles, a governance structure, an AI lifecycle and an impact assessment template.

Alongside that, the Digital Policy Office published the Hong Kong Generative Artificial Intelligence Technical and Application Guideline in December 2025. That document is not a statute, but it is a clear signal of policy direction. It gives practical guidance for developers, service providers and users around privacy, intellectual property, crime prevention, trustworthiness and system security.

The model is mostly soft law, backed by existing enforcement

Hong Kong's current AI regime is largely principles-based and non-statutory. In most sectors, AI-specific documents are guidance, frameworks or circulars rather than a single licensing or classification law. Their practical force comes from the way they connect to existing legal duties, supervisory powers and normal governance expectations.

For leaders, the right question is not whether Hong Kong has one AI law, but which combination of PDPO duties, regulator expectations and internal controls applies to a particular use case. The official direction to date suggests continued refinement through guidance, sector supervision and targeted policy work, rather than an immediate move to one EU-style AI code.

Examples

A retailer customising a recommendation chatbot. The PCPD's 2024 framework uses the example of a fashion retail platform customising a third-party chatbot. The practical message is to use only the purchase and browsing data actually needed for the task, avoid feeding in names, contact details or extra demographic data if they are unnecessary, and consider anonymised, pseudonymised or synthetic data, or a smaller model, where that would do the job.

A bank deploying customer-facing generative AI. Under HKMA guidance, the bank's board and senior management remain accountable. The tool should not run as an unchecked black box. Human review, customer disclosure about the tool's purpose and limits, and a route to human intervention are central safeguards.

A licensed broker using an AI language model for research or client queries. The SFC says firms are already using AI language models for public-facing chatbots, summaries, research reports, investment signal detection and code generation. Once the model is used for investment recommendations, advice or research, the SFC treats the use as high risk, which means stronger validation, monitoring, cyber and data controls, and potentially early notification to the regulator.

Common misunderstandings

Mainland China's AI rules automatically govern Hong Kong. They do not. Hong Kong's legal analysis starts with Hong Kong law and Hong Kong regulators.

No AI Act means no meaningful regulation. Wrong. Existing privacy law and sector supervision already regulate many AI uses.

Only customer-facing AI needs controls. Incorrect. Internal drafting, coding, HR, compliance and analytics tools can still create privacy, confidentiality, bias and security risk.

If the vendor built the model, the deploying firm can pass the risk back. Not fully. Hong Kong guidance expects the buyer to assess fit, data use, security, oversight and contract terms.

Guidance can be ignored because it is not legislation. Not safely. In practice it tells organisations how regulators expect them to meet existing duties.

Risks and boundaries

Hong Kong's model is flexible, but that flexibility leaves room for judgement. It does not yet provide one universal statutory list of banned AI practices, a single cross-economy risk classification system, or one registration route for all developers and deployers. Organisations therefore have to assess risk use case by use case.

This page is about Hong Kong SAR only. Businesses with cross-boundary data, staff or users may need separate analysis for mainland China or other jurisdictions. The same AI system can therefore sit inside more than one regulatory frame at once.

The regime is also uneven. Finance has detailed AI-specific supervisory material, while many other sectors still rely mainly on the PDPO, PCPD guidance, cyber discipline and contract management. That can change through new circulars, updated frameworks or targeted legislative reform, so the current position is best understood as stable in architecture but still developing in detail.

What to do next

Build an inventory of AI uses, data flows and decision points across the business.

Separate low-friction tools from high-stakes uses that affect customers, workers, credit, investments or sensitive data.

Assign a senior accountable owner and a cross-functional AI governance forum.

Require privacy, risk and vendor assessments before launch, plus testing for bias, reliability, security and explainability.

Put human review, logging, incident response and periodic re-assessment into production, not only into pilot discussions.

If you are in banking or securities, map each use case to HKMA or SFC expectations before deployment, especially if it touches customers, advice, research or trading.

FAQs

Does Hong Kong have a general AI Act?

Not at present. AI is mainly governed through the PDPO, regulator guidance and sector-specific supervisory rules.

Is Hong Kong's regime the same as mainland China's?

No. Hong Kong has a separate legal order under the Basic Law, so mainland AI measures are a different compliance question.

Who is the main AI regulator in Hong Kong?

There is no single AI regulator. The PCPD leads on personal data privacy, the HKMA supervises banks, the SFC supervises licensed corporations, and the Digital Policy Office provides ethics and technical guidance.

Are PCPD and Digital Policy Office frameworks legally binding?

The frameworks themselves are guidance. Their practical force comes from how they map to existing legal duties, procurement standards and regulator expectations.

What makes an AI use case higher risk in Hong Kong?

In practice, use cases become more sensitive when they affect people materially, rely on personal data, face customers directly, influence investment or credit decisions, or make large-scale judgements with limited human review.

What should a bank or broker do before launching customer-facing generative AI?

Put senior management in charge, test reliability and bias, define human oversight, draft clear disclosures, manage vendor and cyber risk, and make sure customers can reach a human channel when needed.

Does buying a third-party model reduce responsibility?

No. Hong Kong guidance expects the deploying organisation to assess fit for purpose, data use, security, explainability, auditability and contractual allocation of duties.
