Key points of AI data protection and privacy regulations in Hong Kong

Sam Wu • 3 July 2024
Sam Wu

Partner, Hong Kong

Download PDF

Key points of AI data protection and privacy regulations in Hong Kong

Artificial intelligence (AI) has been developing rapidly, with new breakthroughs and innovations emerging constantly. As AI technology becomes more advanced and integrated into businesses and everyday life, it is crucial for Hong Kong’s data protection laws and regulations to keep pace. This article provides an overview of the current legal and regulatory framework of data protection and privacy in Hong Kong in the context of AI.


In Hong Kong, the primary law governing data protection is the Personal Data (Privacy) Ordinance (PDPO). Additionally, the Office of the Privacy Commissioner for Personal Data (PCPD) has provided guidance on the ethical development and use of AI and the model framework for organisations that procure, implement and use AI systems.
PDPO and DPPs


The PDPO is technology-neutral and principle-based. Section 2 of the PDPO defines a “data user” as a person who controls the collection, holding, processing or use of personal data.


Accordingly, any individual, entity, organisation or business that develops and/or uses AI systems involving the handling of personal data is likely to be considered a data user and must adhere to the following six data protection principles (DPPs) in schedule 1 of the PDPO, among other requirements under the PDPO:

  • DPP 1 (Purpose and manner of collection): Personal data must be collected in a lawful and fair manner for a lawful purpose directly related to the data user’s function or activity. The data collected shall be necessary and adequate but not excessive for such purpose;
  • DPP 2 (Accuracy and duration of retention): The data user must take all practicable steps to ensure that personal data is accurate, up to date and not kept longer than necessary;
  • DPP 3 (Use): Personal data can only be used for the purposes for which it was collected, unless express and voluntary consent has been obtained from the data subjects for any other purposes;
  • DPP 4 (Security): Reasonable security measures must be taken to protect personal data from unauthorised or accidental access, processing, erasure, loss or use;
  • DPP 5 (Openness): The data user must be open about its policies and practices in relation to personal data, the kind of personal data it holds, how it is used and the main purposes for which personal data is held; and
  • DPP 6 (Access and correction): Data subjects shall have the right to request access to and correction of their own personal data if it is inaccurate.


AI guidance


In August 2021, the PCPD published the Guidance on the Ethical Development and Use of Artificial Intelligence (AI Guidance) to provide recommendations primarily for organisations that develop and use AI systems involving the use of personal data.


The AI Guidance recommends that organisations embrace three core data stewardship values (Values), being:

  1. respectful;
  2. beneficial; and
  3. fair.


It also encourages organisations to adopt the seven internationally recognised ethical principles (Ethical Principles) for AI:

  1. accountability;
  2. human oversight;
  3. transparency and interpretability;
  4. data privacy;
  5. fairness;
  6. beneficial AI, and
  7. reliability, robustness and security.


To ensure the Values and the Ethical Principles are practicable, organisations should take into consideration the recommended practices in the following areas, as set out in the AI Guidance, when they develop and use AI and formulate appropriate policies, practices and procedures:

  • establishing AI strategy and governance;
  • conducting risk assessment and human oversight;
  • executing development of AI models and management of AI systems; and
  • fostering communication and engagement with stakeholders.


Model framework


On 11 June 2024, the PCPD published the Artificial Intelligence: Model Personal Data Protection Framework (Model Framework). The Model Framework provides recommendations on the best practices for organisations that procure, implement and use any type of AI systems or solutions involving the use of personal data, including predictive AI and generative AI.


Similar to the AI Guidance, the Model Framework outlines recommended measures to ensure the implementation of the Values and the Ethical Principles. Organisations should consider these recommended practices in the following areas when procuring, implementing and using AI solutions, as well as when formulating appropriate policies, practices and procedures:

  • establishing AI strategy and governance;
  • conducting risk assessment and human oversight;
  • executing customisation of AI models and implementation and management of AI systems; and
  • fostering communication and engagement with stakeholders.


An evolving landscape


While the AI Guidance and the Model Framework do not impose mandatory requirements and their recommendations are not exhaustive, their publication is a significant step towards supporting the responsible and ethical development of AI in Hong Kong. Given the rapid development and groundbreaking advancement of AI, it is likely that the relevant legal and regulatory landscape in Hong Kong will continue to evolve to address new issues and challenges.


For the time being, data users must ensure they comply with the PDPO and the six DPPs, and follow the best practice recommendations in the AI Guidance and the Model Framework, especially when it comes to the collection, use and retention of personal data during the development, operation and use of AI. 

YYC Legal LLP is in Association with East & Concord Partners (Hong Kong) Law Firm.

First published in July 2024 YYC Legal - legal trends of China Business Law Journal.

This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice. Please contact us for specific advice.

Recent articles

HKEX’s review of issuers’ annual reports for FY2023

by Rossana Chu 20 February 2025
Hong Kong Exchanges and Clearing Limited published on 10 December 2024 a report on its annual review (with the aid of artificial intelligence) of listed issuers’ annual reports for the financial year ended 2023.

LexisNexis International Corporate Procedures, Issue 139 – Hong Kong Chapter

by Roy Chiang 14 February 2025
Our partner Roy Chiang has contributed to LexisNexis International Corporate Procedures, Issue 139, Hong Kong Chapter and published for subscription on 22 January 2025.

DAOs in Hong Kong: legal framework and recent developments

by Sam Wu, Beverly Fu 3 February 2025
With a growing prominence of virtual assets, decentralised autonomous organisations are becoming a critical component of the digital economy.

Lexology In-Depth: International Capital Markets – Hong Kong, Edition 14

by Rossana Chu 24 December 2024
Our partner Rossana Chu has contributed to Lexology In-Depth: International Capital Markets, Edition 14, Hong Kong Chapter and published on 17 December 2024.

Facilitating cross-border data flow in the GBA

by Sam Wu, Beverly Fu 9 December 2024
Introduction of the Standard Contract for the Cross-boundary Flow of Personal Information within the GBA (GBA SCC) marks a new milestone for cross-border data transfer.

Hong Kong proposes critical infrastructure cybersecurity law

by Rossana Chu, Beverly Fu 26 November 2024
Hong Kong proposes to enact a new legislation tentatively titled the Protection of Critical Infrastructure (Computer System) Bill.
More articles

Recent News

YYC Legal is ranked in Chambers Greater China Region Guide 2025

by YYC Legal 17 January 2025
YYC Legal is recognised as a Leading Firm and our partner Rossana Chu is named as a Leading Individual in Chambers Greater China Region Guide 2025.

Rossana Chu is named as a Visionary in China Business Law Journal A-List 2024-25

by YYC Legal 18 December 2024
Rossana Chu is ranked by China Business Law Journal as one of The A-List 2024-25: Visionaries (International) and is recognised as amongst the most highly recommended lawyers in the market.

Rossana Chu shared insights in “Roads less travelled” by CBLJ

by YYC Legal 29 November 2024
Our Partner Rossana Chu is featured in the China Business Law Journal special report titled “Roads less travelled” published on 18 October 2024.

YYC Legal ranked in Legal 500 Asia Pacific Greater China 2025

by YYC Legal 28 November 2024
YYC Legal is recognised as a Leading Firm and our partner Rossana Chu is named as a Leading Partner in Legal 500 Asia Pacific Greater China 2025.

Sam Wu is recognised in ALB Hong Kong Rising Stars 2024

by YYC Legal 27 November 2024
Our Partner, Sam Wu, has been recognised by Asian Legal Business (ALB) as one of ALB Hong Kong Rising Stars 2024.

Sam Wu is recognised in the LexisNexis® 40 UNDER 40 2024 – Greater China List

by YYC Legal 21 November 2024
Our partner, Sam Wu, has been recognised as one of the winners in the prestigious LexisNexis® 40 UNDER 40 2024 – Greater China List.
More News

Related Article

Proposed enhancement of data privacy protection under the Personal Data (Privacy) Ordinance (the
Share by: