HK — Country Profile

Hong Kong

35 TOTAL
27 OFFICIAL SOURCES
9 TOPIC AREAS
Law / Act: 4
Executive Order: 4
Policy / Guidance: 1
National Strategy: 3
Court Case: 4
Other: 19
18 MAR 2026 · Policy / Guidance

Hong Kong - LCQ6: Regulation and Development of AI Technology

The Hong Kong government, aligning with the National 15th Five-Year Plan, is accelerating AI industrialization while emphasizing safe, ethical, and responsible use. The government is developing governance measures for AI in Hong Kong.

✓ Official · National Strategy · Industrial Development · Ethics · info.gov.hk
16 MAR 2026 · Other

Privacy Commissioner for Personal Data's inquiry into security risks related to use of OpenClaw and other agentic AI

On 16 March 2026, the Privacy Commissioner for Personal Data issued an alert cautioning about the privacy and security risks posed by OpenClaw and other agentic Artificial Intelligence (AI) systems. It highlighted that, unlike standard AI chatbots, agentic AI holds elevated access to local files, emails, account credentials, and browser-stored content, and can autonomously execute multi-step tasks without real-time user involvement, creating heightened risks of data breaches, malicious system...

✓ Official · National Strategy · pcpd.org.hk
15 JAN 2026 · Other

Office of the Privacy Commissioner for Personal Data investigation into Grok over alleged generation of indecent content

On 15 January 2026, the Office of the Privacy Commissioner for Personal Data (PCPD) announced that it is proactively contacting the organisation responsible for the artificial intelligence (AI) chatbot Grok to investigate its potential for generating indecent or malicious content. The PCPD expressed concern regarding reports that the chatbot could be utilised to produce indecent photos and videos, which may contravene the Personal Data (Privacy) Ordinance (PDPO) and its 6 Data Protection Prin...

National Strategy · pcpd.org.hk
01 JAN 2026 · Law / Act

Cybersecurity regulation in Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025)

On 1 January 2026, the Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025) including cybersecurity regulation enters into force following designation by the Secretary for Security. The Ordinance establishes cybersecurity obligations for operators of critical infrastructures, including infrastructure that is essential to the continuous provision of certain essential services or which, if damaged, would hinder or substantially affe...

✓ Official · National Strategy · legco.gov.hk
01 SEP 2025 · Other

PCPD updated guidance on cloud computing

On 9 January 2025, the Office of the Privacy Commissioner for Personal Data (PCPD) issued an updated guidance on cloud computing to help organisations protect personal data privacy. The guidance covers technological developments and provides recommendations on service and deployment models, standard services and contracts, and outsourcing arrangements. Additionally, the guidance advises implementing robust logging, appropriate user configuration, encryption for data in transit and at rest, m...

✓ Official · National Strategy · pcpd.org.hk
08 AUG 2025 · Court Case

Licksun Company Limited v Occupiers of Lot No. 552

Pro Se Litigant appeared before the District Court. Fabricated: Case Law | One of six authorities lodged by the Plaintiff was found not to exist; court described it as suspiciously incomplete and the Plaintiff abandoned reliance.

Court: District Court · Party: Pro Se Litigant
✓ Official · Judicial & Law Enforcement · Generative AI · Liability & Accountability
08 AUG 2025 · Court Case

Licksun Company Limited v Occupiers of Lot No. 552

Fabricated: Case Law | One of six authorities lodged by the Plaintiff was found not to exist; court described it as suspiciously incomplete and the Plaintiff abandoned reliance. || Fabricated: Case Law | A second lodged authority was found not to exist; court noted counsel for 2nd Defendant had identified six non-existent authorities. || Fabricated: Case Law | A third lodged authority was found to be non-existent or incomplete; Plaintiff's representative did not contradict the point at hearing. || Fabricated: Case Law | A fourth lodged authority was identified as not actually existing; Court recorded unnecessary time spent researching nonexistent cases. || Fabricated: Case Law | A fifth lodged authority was found to be suspiciously incomplete/non-existent; Plaintiff said the list was prepared by a non-legally trained employee. || Fabricated: Case Law | A sixth lodged authority was found not to exist; Court concluded the lodging of these authorities had the effect of misleading the court.

Court: District Court · Party: Pro Se Litigant
Harms: Hallucination in legal filings
02 JUN 2025 · Other

Securities and Futures Commission investigation into licensed corporations' compliance with cybersecurity obligations

On 6 February 2025, the Securities and Futures Commission (SFC) concluded its 2023/24 thematic cybersecurity review of licensed corporations (LC) in Hong Kong. The review assessed compliance with existing cybersecurity requirements, focusing on emerging risks such as phishing attacks, end-of-life (EOL) software, and third-party provider management. The SFC surveyed 50 LCs of various sizes and business types, conducted on-site inspections of seven internet brokers, and held discussions with si...

✓ Official · National Strategy · apps.sfc.hk
26 FEB 2025 · Court Case

Yu Hon Tong Thomas v Centaline Property Agency

Pro Se Litigant used an unidentified tool in proceedings before the High Court. Misrepresented: Case Law | Application and Addendum contained citations to Canadian court cases assembled by AI; court held those authorities to be inapplicable to Hong Kong law on Employment Ordinance s70.

Court: High Court · Party: Pro Se Litigant · Tool: Unidentified
✓ Official · Judicial & Law Enforcement · Generative AI · Liability & Accountability
26 FEB 2025 · Court Case

Yu Hon Tong Thomas v Centaline Property Agency

Misrepresented: Case Law | Application and Addendum contained citations to Canadian court cases assembled by AI; court held those authorities to be inapplicable to Hong Kong law on Employment Ordinance s70. || Fabricated: Exhibits & Submissions | AI-generated grounds alleged serious criminal conduct (forgery, theft, conspiracy to defraud, money laundering, ballot-fixing) based on purported transcripts (Exhibits C43(1)-(19)); court found these allegations baseless and 'piled up' by AI.

Court: High Court · Party: Pro Se Litigant · Tool: Unidentified
Harms: Hallucination in legal filings
11 DEC 2024 · Other

SFC circular to licensed corporations on use of generative AI models in financial sector

On 12 November 2024, the Securities and Futures Commission (SFC) issued a circular addressing the use of generative AI models by licensed corporations (LCs) in the financial sector. The circular outlines obligations for LCs to manage potential risks associated with the use of AI models. LCs must ensure robust governance and oversight, with senior management held accountable for policies, procedures, and staffing associated with AI use. LCs are also responsible for model risk management, parti...

✓ Official · Consumer Protection · apps.sfc.hk
18 NOV 2024 · Other

PCPD inquiry into data collection practices of online travel platforms' compliance with privacy laws

On 18 November 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) issued a report titled “A Study of the Collection of Personal Data by 10 Online Travel Platforms.” The report reviewed the data practices of ten travel platforms including Agoda, EGL Tours, Expedia and Goldjoy Holidays, among others. The report aimed to assess compliance with privacy laws, including the Personal Data (Privacy) Ordinance, and to evaluate transparency and data handling practices. The report s...

✓ Official · National Strategy · pcpd.org.hk
06 NOV 2024 · Executive Order

Organisational requirements in PCPD Artificial Intelligence: Model Personal Data Protection Framework

On 11 June 2024, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) adopted the Artificial Intelligence: Model Personal Data Protection Framework, including organisational requirements. The framework aims to assist organisations in formulating their AI strategies and governance structures, including the creation of an AI governance committee and the provision of AI-related training for employees. The framework is designed to ensure that organisations comply with the Per...

✓ Official · National Strategy · pcpd.org.hk
20 AUG 2024 · Executive Order

HKMA Guidance on Provision of Custodial Services for Digital Assets

On 20 August 2024, the Hong Kong Monetary Authority (HKMA) guidance on the provision of custodial services for digital assets entered into force. The guidance applies to authorised institutions (AIs) and subsidiaries of locally incorporated AIs that conduct digital asset custodial activities. The AIs are required to inform the HKMA of their intention to provide digital asset custodial services and must be compliant with the standards and requirements. The guidance, aimed at AIs interested in ...

✓ Official · National Strategy · hkma.gov.hk
03 AUG 2024 · Law / Act

Safeguarding National Security Bill implementing Basic Law Article 23 Legislation

On 8 March 2024, the Safeguarding National Security Bill implementing Article 23 of the Basic Law was introduced in the Legislative Council of Hong Kong Special Administrative Region (SAR). The Bill covers the government's constitutional duty to safeguard national security, recommendations on offences, and measures to give proportionate extraterritorial effect to some offences. The Bill addresses risks posed by new information technologies and would classify actions endangering national secur...

National Strategy · legco.gov.hk
10 MAR 2024 · Other

PCPD Reminder regarding personal data use by LinkedIn for training AI models

On 3 October 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) issued a reminder to users regarding LinkedIn's recent privacy policy update, which allows the use of users' personal data and content to train generative AI models for content creation. This policy update sets consent to use personal data for such purposes by default. LinkedIn users are advised to understand the policy and review their privacy settings, and are reminded of their ability to opt-out by adjusting...

✓ Official · National Strategy · pcpd.org.hk
04 FEB 2024 · Other

PCPD investigation into Cyberport's data breach incident

On 2 April 2024, the Privacy Commissioner for Personal Data (PCPD) ruled in an investigation into a data breach incident at Cyberport caused by a ransomware attack. This breach compromised the personal information of over 13'000 individuals, including unsuccessful job applicants and former employees. Cyberport's deficiencies included inadequate detection measures, failure to implement multi-factor authentication, insufficient security audits, vague information security policies, and unnecessary...

✓ Official · National Strategy · pcpd.org.hk
11 JAN 2024 · Executive Order

Extended GBA standard contract facilitation measure enabling cross-boundary data flow

On 1 November 2024, the Digital Policy Office of Hong Kong (DPO) adopted the extension of the facilitation measures of the standard contract for the cross-border flow of personal information within the Guangdong–Hong Kong–Macao Greater Bay Area (GBA) to all sectors in Hong Kong. The contract previously applied to banking, credit referencing, and healthcare and is now extended to all sectors handling cross-border data flows within the GBA. The contract provides a framework to promote digital i...

✓ Official · National Strategy · pcpd.org.hk
08 JAN 2024 · Other

PCPD outline on combating fraud involving AI deepfake technology

On 1 August 2024, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued an outline on combating fraud involving Artificial Intelligence (AI) deepfake technology. The outline emphasised that PCPD received nearly 600 enquiries related to fraud in the first half of 2024, a 90% increase from the previous year. The outline noted that various tactics used to deceive individuals include hijacking instant messaging accounts to impersonate victims and send fraudulent messages, creatin...

✓ Official · Consumer Protection · pcpd.org.hk
21 DEC 2023 · Other

Privacy Commissioner for Personal Data Investigation of Carousell for Unauthorised Scraping of Users' Personal Data

On 21 December 2023, the Hong Kong Privacy Commissioner for Personal Data (PCPD) closed its investigation of Carousell for unauthorised scraping of its users' personal data. The PCPD found Carousell had deficient assessment procedures and data safeguarding policies in place during a system migration in January 2022, resulting in a data breach affecting over 320'000 Hong Kong users and 2.6 mln Carousell users worldwide. The PCPD has issued an enforcement notice to Carousell, directing them to ...

✓ Official · National Strategy · pcpd.org.hk
22 SEP 2023 · Other

Guideline to Strengthen Data Security

On 22 September 2023, the Office of the Privacy Commissioner for Personal Data (PCPD) issued a guideline to strengthen organisational data security measures in response to recent cyber attacks resulting in personal data leaks. These guidelines emphasise the necessity of regular data security assessments and the implementation of comprehensive security measures including secure network systems, consistent vulnerability assessments, effective patch management, data encryption, and diligent data...

✓ Official · National Strategy · pcpd.org.hk
30 JUN 2023 · Other

Guidance on Data Breach Handling and Data Breach Notifications

On 30 June 2023, the Hong Kong Privacy Commissioner for Personal Data (PCPD) adopted a Guidance on Data Breach Handling and Data Breach Notifications. The Guidance aims to offer support in preventing the recurrence of data breaches and limit loss and damage to data subjects, especially when personal data is involved. In the Guidance, personal data and data breaches are defined, and common causes of data breaches in Hong Kong are listed. Furthermore, the Guidance outlines steps for preparing a...

✓ Official · National Strategy · pcpd.org.hk
05 DEC 2022 · Other

Guidance on Recommended Model Contractual Clauses for Cross-Border Personal Data Transfers

On 12 May 2022, the Hong Kong Privacy Commissioner for Personal Data (PCPD) issued its Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data. The Guidance contains two sets of Recommended Model Contractual Clauses (RMCs) for use in two cross-border data transfer scenarios: the transfer of data from one data user to another; and the transfer of data from data user to data processor. Furthermore, the Guidance outlines the applicable rules for cross-border ...

✓ Official · National Strategy · pcpd.org.hk
19 OCT 2022 · Executive Order

Hong Kong Cybercrimes Regulations

On 19 October 2022, the Sub-Committee on Cybercrime of the Law Reform Commission of Hong Kong closed its consultation on cyber-dependent crimes and jurisdictional issues. The paper proposes new cybercrime legislation to cover five new types of cyber crimes, such as unauthorised access to programmes or data, unauthorised interception, disclosure or use of computer data for criminal or dishonest purposes. In addition, the document proposes the reorganisation of the offence of computer misuse, i...

National Strategy · hkreform.gov.hk
16 JUN 2022 · Other

Israel-Hong Kong trial on Central Bank Digital Currency Cybersecurity

On 16 June 2022, the Hong Kong Monetary Authority (HKMA), the Bank of Israel and the Bank for International Settlements Innovation Hub (BISIH) Hong Kong Centre announced a collaboration to test the cybersecurity of a two-tier retail Central Bank Digital Currency (CBDC). The project will focus on data security in a two-tier retail CBDC architecture where the intermediaries have no financial exposure and is expected to be completed by the end of 2022.

✓ Official · National Strategy · hkma.gov.hk
29 DEC 2021 · Other

PCPD guidance on cross-border data transfer under PIPL

On 29 December 2021, the Hong Kong Privacy Commissioner for Personal Data (PCPD) published an article containing guidance for Hong Kong-based companies operating under mainland jurisdiction regarding cross-border data transfers under mainland China's Personal Information Protection Law (PIPL). The article points out the legal requirements of cross-border data transfers (consent, security and impact assessment, certification, data transfer contract), additional requirements for certain cat...

✓ Official · National Strategy · pcpd.org.hk
14 SEP 2021 · Other

Hong Kong: PCPD issues FAQ guidelines on EU New SCCs

On 14 September 2021, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) issued a set of FAQs to provide advice to entities affected by the European Union's new Standard Contractual Clauses (SCCs) for data transfers outside the EU, which were adopted by the European Commission on 27 June 2021. The FAQs provide information on which Hong Kong-based entities may be affected by the SCCs, and what the scope of the obligations under the SCCs are. Notably, even companies t...

✓ Official · National Strategy · pcpd.org.hk
18 AUG 2021 · Other

Data protection considerations in AI ethical development guidance

The Hong Kong Privacy Commissioner for Personal Data, responsible for ensuring the privacy protection of individuals, has published a set of guidelines in its Guidance on Ethical Development and Use of AI. The Guidance contains practical advice for AI developers on the use of personal data in the development and training of AI.

✓ Official · National Strategy · pcpd.org.hk
10 AUG 2021 · Law / Act

Doxxing Regulation in Personal Data (Privacy) Ordinance (Cap. 486)

The Personal Data (Privacy) (Amendment) Bill 2021 came into force on 8 October 2021. The law sets out to (i) criminalise doxxing acts; (ii) empower the Privacy Commissioner for Personal Data to conduct criminal investigations and prosecute doxxing cases; and (iii) confer on the Commissioner powers to demand the removal of doxxing content from online platforms. In general, the Ordinance establishes a data protection framework, including prohibiting data users from contravening its data protect...

✓ Official · National Strategy · pcpd.org.hk
National Strategy

Ethical Artificial Intelligence Framework

AI law in Hong Kong: The Ethical Artificial Intelligence Framework is a government-issued guidance document developed to help Hong Kong government bureaux/departments (B/Ds) and other organisations adopt AI and big data analytics responsibly. It sets out 12 ethical principles, an AI governance structure, lifecycle practices and an AI Application Impact Assessment template to identify, manage and mitigate ethical, privacy and security risks....

✓ Official · National Strategy · digitalpolicy.gov.hk
National Strategy

Smart City Blueprint for Hong Kong 2.0

AI law in Hong Kong: The Smart City Blueprint for Hong Kong 2.0 (Blueprint 2.0) is the Hong Kong SAR Government's 2020 strategic update setting out over 130 initiatives across six smart areas to accelerate digital infrastructure, public services modernisation and the use of I&T (innovation & technology), including a new chapter on the use of I&T to combat COVID-19. The Blueprint is a policy strategy and implementation roadmap led by the Innovation, Technology and Industry Bureau and supported by the Smart City portal and related agencies....

✓ Official · National Strategy · smartcity.gov.hk
National Strategy

Hong Kong Generative Artificial Intelligence Technical and Application Guideline

AI law in Hong Kong: Hong Kong's Digital Policy Office issued the GenAI Technical and Application Guideline on April 15, 2025, providing practical guidance for safe and responsible generative AI use....

✓ Official · National Strategy · digitalpolicy.gov.hk
Law / Act

Hong Kong aims to balance AI innovation with responsibility, creating a contextual governance framework built for local characteristics

Hong Kong aims to balance AI innovation with responsibility, creating a contextual governance framework built for local characteristics. The region governs AI through existing sectoral law and various governance frameworks. These include: · The Ethical AI Framework · Guidance on the Ethical Development and Use of AI · AI: Model Personal Data Protection Framework · Checklist on Guidelines for the Use of Generative AI by Employees · Generative AI Technical and Application Guideline

Data Privacy & Protection · Generative AI