Hong Kong AI Governance — PDPO, PCPD Framework, and HKMA Requirements

Hong Kong's sector-led AI governance: PDPO data protection, PCPD Model Framework for AI, HKMA banking AI requirements, and practical compliance guidance for organisations.

Key Takeaways

Hong Kong has no standalone AI law. AI governance operates through the PDPO, sector-specific regulation (HKMA, SFC), and voluntary frameworks from the PCPD and Digital Policy Office.
The PCPD Model Personal Data Protection Framework for AI (June 2024) provides structured guidance for PDPO compliance when using AI — the closest thing to an AI governance code in Hong Kong.
The PCPD conducted compliance checks on 60 organisations in 2025, finding 80% (48 of 60) use AI in daily operations — a 5% increase over 2024.
The HKMA requires authorised institutions to adopt AI for anti-money laundering monitoring and submit feasibility studies. High-level Principles require explainability and human-in-the-loop for high-impact decisions.
The PCPD published a Checklist on Guidelines for the Use of Generative AI by Employees (March 2025) — directly relevant for any Hong Kong employer.

"Nur zu Informationszwecken. Dieser Artikel stellt keine rechtliche, regulatorische, finanzielle oder professionelle Beratung dar. Konsultieren Sie einen qualifizierten Spezialisten für spezifische Beratung."

Hong Kong AI governance — sector-led, pragmatic, and increasingly active

Hong Kong has taken a deliberate approach to AI governance: no single AI law, but active enforcement through existing legal frameworks, sector-specific regulation, and increasingly detailed voluntary guidance. As an international financial centre with a growing technology sector, Hong Kong balances innovation promotion with practical governance — particularly in financial services and data protection.

PDPO — the primary legal framework

The Personal Data (Privacy) Ordinance (PDPO) is the primary legislation regulating AI in Hong Kong, administered by the Office of the Privacy Commissioner for Personal Data (PCPD). Six data protection principles govern the collection, use, storage, accuracy, retention, and security of personal data — all applicable to AI systems. Any organisation creating or operating AI that handles personal data is a "data user" under the PDPO and must comply with all six principles.

Key PDPO obligations for AI: purpose limitation for personal data used in AI training and inference; consent for collection and use; data accuracy obligations for AI inputs; retention limitation; data security requirements for AI systems processing personal data. Cross-border data transfer provisions apply when AI processes data offshore — relevant for organisations using cloud-based AI services.

PCPD AI-specific guidance

Model Personal Data Protection Framework for AI (June 2024). The most comprehensive AI governance guidance in Hong Kong. Provides practical measures for: establishing AI governance strategies; conducting comprehensive risk assessments; managing AI models securely; stakeholder engagement. While voluntary, the PCPD references it in compliance checks — making it the de facto standard of care.

Checklist on Guidelines for Generative AI by Employees (March 2025). Practical guidance for employers developing internal AI policies. Covers: acceptable use; data classification for AI inputs; confidentiality obligations; monitoring and review. Directly relevant for every organisation with employees using AI tools.

2025 Compliance Checks. The PCPD conducted compliance checks on 60 organisations across telecommunications, banking, insurance, beauty services, retail, transportation, education, medical services, public utilities, social services, and government. 80% (48 of 60) reported using AI in daily operations. No PDPO contraventions were found, but the PCPD issued expectations and recommended best practices including continuous monitoring and regular review of AI systems.

February 2026 Joint Statement. The PCPD joined 60 privacy authorities globally in issuing a statement on AI-generated imagery and privacy protection, expressing concern about AI systems generating realistic images of identifiable individuals without consent.

HKMA — financial services AI

The Hong Kong Monetary Authority actively regulates AI in banking. HKMA High-Level Principles on AI require authorised institutions to ensure AI models are explainable and maintain human-in-the-loop for high-impact decisions. Consumer protection principles apply to AI in customer-facing banking services.

The HKMA has specifically pushed AI adoption for anti-money laundering: a November 2025 circular noted 48 authorised institutions had conducted AI feasibility studies for ML/TF monitoring, with the vast majority agreeing AI was useful. The HKMA commenced workshops on AI implementation and crypto asset-related ML/TF risks. A March 2026 circular further addressed AI integration in compliance.

Digital Policy Office — government AI

The Ethical AI Framework, published by the Office of the Government Chief Information Officer (now Digital Policy Office), provides guiding principles for AI use within government. While designed for government, it is also recommended as applicable to other organisations.

Hong Kong committed HK$1 billion (approximately US$128 million) in February 2025 to establish the Hong Kong AI Research and Development Institute.

What organisations in Hong Kong should do

Comply with PDPO requirements for all AI processing personal data. Implement the PCPD Model Framework as the practical governance reference. Apply the Generative AI Employee Checklist to develop internal AI policies. For financial institutions: align with HKMA High-Level Principles and AI/ML compliance requirements. Consider AI governance readiness given the PCPD is actively conducting compliance checks and expects organisations to have implemented the Model Framework guidance.

Primary sources: PCPD · HKMA · White & Case — HK AI Tracker