HK — Country Profile

Hong Kong

46TOTAL
37OFFICIAL SOURCES
10TOPIC AREAS
Law / Act5
Executive Order4
Policy / Guidance1
National Strategy3
Court Case4
Other29
18 MAR 2026 · Policy / Guidance

Hong Kong - LCQ6: Regulation and Development of AI Technology

The Hong Kong government, aligning with the National 15th Five-Year Plan, is accelerating AI industrialization while emphasizing safe, ethical, and responsible use. The government is developing governance measures for AI in Hong Kong.

✓ OfficialNational Strategy ·Industrial Development ·Ethicsinfo.gov.hk ↗
16 MAR 2026 · Other

Privacy Commissioner for Personal Data's inquiry into security risks related to use of OpenClaw and other agentic AI

On 16 March 2026, the Privacy Commissioner for Personal Data issued an alert cautioning about the privacy and security risks posed by OpenClaw and other agentic Artificial Intelligence (AI) systems. It highlighted that, unlike standard AI chatbots, agentic AI holds elevated access to local files, emails, account credentials, and browser-stored content, and can autonomously execute multi-step tasks without real-time user involvement, creating heightened risks of data breaches, malicious system...

✓ OfficialNational Strategypcpd.org.hk ↗
15 JAN 2026 · Other

Office of the Privacy Commissioner for Personal Data investigation into Grok over alleged generation of indecent content

On 15 January 2026, the Office of the Privacy Commissioner for Personal Data (PCPD) announced that it is proactively contacting the organisation responsible for the artificial intelligence (AI) chatbot Grok to investigate its potential for generating indecent or malicious content. The PCPD expressed concern regarding reports that the chatbot could be utilised to produce indecent photos and videos, which may contravene the Personal Data (Privacy) Ordinance (PDPO) and its 6 Data Protection Prin...

National Strategypcpd.org.hk ↗
01 JAN 2026 · Law / Act

Cybersecurity regulation in Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025)

On 1 January 2026, the Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025) including cybersecurity regulation enters into force following designation by the Secretary for Security. The Ordinance establishes cybersecurity obligations for operators of critical infrastructures, including infrastructure that is essential to the continuous provision of certain essential services or which, if damaged, would hinder or substantially affe...

✓ OfficialNational Strategylegco.gov.hk ↗
01 SEP 2025 · Other

PCPD updated guidance on cloud computing

On 9 January 2025, the Office of the Privacy Commissioner for Personal Data (PCPD) issued an updated guidance on cloud computing to help organisations protect personal data privacy. The guidance covers technological developments and provides recommendations on service and deployment models, standard services and contracts, and outsourcing arrangements. Additionally, the guidance advises implementing robust logging, appropriate user configuration, encryption for data in transit and at rest, m...

✓ OfficialNational Strategypcpd.org.hk ↗
08 AUG 2025 · Court Case

Licksun Company Limited v Occupiers of Lot No. 552

Pro Se Litigant appeared before the District Court. Fabricated: Case Law | One of six authorities lodged by the Plaintiff was found not to exist; court described it as suspiciously incomplete and the Plaintiff abandoned reliance.

Court: District CourtParty: Pro Se Litigant
✓ OfficialJudicial & Law Enforcement ·Generative AI ·Liability & Accountability
08 AUG 2025 · Court Case

Licksun Company Limited v Occupiers of Lot No. 552

Fabricated: Case Law | One of six authorities lodged by the Plaintiff was found not to exist; court described it as suspiciously incomplete and the Plaintiff abandoned reliance. || Fabricated: Case Law | A second lodged authority was found not to exist; court noted counsel for 2nd Defendant had identified six non-existent authorities. || Fabricated: Case Law | A third lodged authority was found to be non-existent or incomplete; Plaintiff's representative did not contradict the point at hearing. || Fabricated: Case Law | A fourth lodged authority was identified as not actually existing; Court recorded unnecessary time spent researching nonexistent cases. || Fabricated: Case Law | A fifth lodged authority was found to be suspiciously incomplete/non-existent; Plaintiff said the list was prepared by a non-legally trained employee. || Fabricated: Case Law | A sixth lodged authority was found not to exist; Court concluded the lodging of these authorities had the effect of misleading the court.

Court: District CourtParty: Pro Se Litigant
Harms: Hallucination in legal filings
08 AUG 2025 · Other

Licksun Company Limited v Occupiers of Lot No. 552

Judicial & Law Enforcement ·Generative AI ·Liability & Accountability↗ Link available ↗
02 JUN 2025 · Other

Securities and Futures Commission investigation into licensed corporations's compliance with cybersecurity obligations

On 6 February 2025, the Securities and Futures Commission (SFC) concluded its 2023/24 thematic cybersecurity review of licensed corporations (LC) in Hong Kong. The review assessed compliance with existing cybersecurity requirements, focusing on emerging risks such as phishing attacks, end-of-life (EOL) software, and third-party provider management. The SFC surveyed 50 LCs of various sizes and business types, conducted on-site inspections of seven internet brokers, and held discussions with si...

✓ OfficialNational Strategyapps.sfc.hk ↗
26 FEB 2025 · Court Case

Yu Hon Tong Thomas v Centaline Property Agency

Pro Se Litigant used Unidentified in proceedings before the High Court. Misrepresented: Case Law | Application and Addendum contained citations to Canadian court cases assembled by AI; court held those authorities to be inapplicable to Hong Kong law on Employment Ordinance s70.

Court: High CourtParty: Pro Se LitigantTool: Unidentified
✓ OfficialJudicial & Law Enforcement ·Generative AI ·Liability & Accountability
26 FEB 2025 · Court Case

Yu Hon Tong Thomas v Centaline Property Agency

Misrepresented: Case Law | Application and Addendum contained citations to Canadian court cases assembled by AI; court held those authorities to be inapplicable to Hong Kong law on Employment Ordinance s70. || Fabricated: Exhibits & Submissions | AI-generated grounds alleged serious criminal conduct (forgery, theft, conspiracy to defraud, money laundering, ballot-fixing) based on purported transcripts (Exhibits C43(1)-(19)); court found these allegations baseless and 'piled up' by AI.

Court: High CourtParty: Pro Se LitigantTool: Unidentified
Harms: Hallucination in legal filings
26 FEB 2025 · Other

Yu Hon Tong Thomas v Centaline Property Agency

Judicial & Law Enforcement ·Generative AI ·Liability & Accountability↗ Link available ↗
11 DEC 2024 · Other

SFC circular to licensed corporations on use of generative AI models in financial sector

On 12 November 2024, the Securities and Futures Commission (SFC) issued a circular addressing the use of generative AI models by licensed corporations (LCs) in the financial sector. The circular outlines obligations for LCs to manage potential risks associated with the use of AI models. LCs must ensure robust governance and oversight, with senior management held accountable for policies, procedures, and staffing associated with AI use. LCs are also responsible for model risk management, parti...

✓ OfficialConsumer Protectionapps.sfc.hk ↗
18 NOV 2024 · Other

PCPD inquiry into data collection practices of online travel platforms' compliance with privacy laws

On 18 November 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) issued a report titled “A Study of the Collection of Personal Data by 10 Online Travel Platforms.” The report reviewed the data practices of ten travel platforms including Agoda, EGL Tours, Expedia and Goldjoy Holidays, among others. The report aimed to assess compliance with privacy laws, including the Personal Data (Privacy) Ordinance, and to evaluate transparency and data handling practices. The report s...

✓ OfficialNational Strategypcpd.org.hk ↗
06 NOV 2024 · Executive Order

Organisational requirements in PCPD Artificial Intelligence: Model Personal Data Protection Framework

On 11 June 2024, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) adopted the Artificial Intelligence: Model Personal Data Protection Framework, including organisational requirements. The framework aims to assist organisations in formulating their AI strategies and governance structures, including the creation of an AI governance committee and the provision of AI-related training for employees. The framework is designed to ensure that organisations comply with the Per...

✓ OfficialNational Strategypcpd.org.hk ↗
15 OCT 2024 · Other

PCPD statement on LinkedIn's use of personal data for training generative AI models

On 15 October 2024, the Privacy Commissioner for Personal Data (PCPD) welcomed LinkedIn's decision to pause the use of Hong Kong user's personal data for training generative AI models. This decision follows concerns raised by the PCPD regarding LinkedIn's default opt-in setting, in response to which LinkedIn confirmed it would suspend data usage while addressing the issues. PCPD highlighted that it will continue to monitor the situation to ensure the privacy of Hong Kong users is protected.

National Strategypcpd.org.hk ↗
09 SEP 2024 · Other

HKMA Guideline on the Use of Artificial Intelligence for Monitoring of Suspicious Activities

On 9 September 2024, the Hong Kong Monetary Authority (HKMA) issued a Guideline on the Use of Artificial Intelligence for Monitoring of Suspicious Activities, encouraging authorised institutions in the financial sector to adopt artificial intelligence (AI) systems for monitoring suspicious activities related to money laundering and terrorist financing. The Guideline points out that monitoring systems using AI can take into account a broad range of contextual information and can be more effect...

✓ OfficialContent Moderationhkma.gov.hk ↗
20 AUG 2024 · Executive Order

HKMA Guidance on Provision of Custodial Services for Digital Assets

On 20 August 2024, the Hong Kong Monetary Authority (HKMA) guidance on the provision of custodial services for digital assets enetred into force. The guidance applies to authorised institutions (AIs) and subsidiaries of locally incorporated AIs that conduct digital asset custodial activities. The AIs are required to inform the HKMA of their intention to provide digital asset custodial services and must be compliant with the standards and requirements. The guidance, aimed at AIs interested in ...

✓ OfficialNational Strategyhkma.gov.hk ↗
19 AUG 2024 · Other

HKMA Circular on consumer protection regarding use of Generative Artificial Intelligence

On 19 August 2024 the Hong Kong Monetary Authority (HKMA) issued a circular with guiding principles for consumer protection with respect to the use of generative Artificial Intelligence (GenAI) in customer-facing applications. The circular builds on the “Consumer Protection in respect of Use of Big Data Analytics and Artificial Intelligence by Authorized Institutions” of 5 November 2019 (2019 BDAI Guiding Principles) and sets out additional principles to ensure appropriate safeguards for cons...

✓ OfficialNational Strategyhkma.gov.hk ↗
07 AUG 2024 · Law / Act

Government launches public consultation on enhancing Copyright Ordinance regarding protection for artificial intelligence technology development

✓ OfficialNational Strategyinfo.gov.hk ↗
03 AUG 2024 · Law / Act

Safeguarding National Security Bill implementing Basic Law Article 23 Legislation

On 8 March 2024, the Safeguarding National Security Bill implementing Article 23 of the Basic Law was introduced in the Legislative Council of Hong Kong Special Administrative Region (SAR). The Bill covers the government's constitutional duty to safeguard national security, recommendations on offences, and measures to give proportionate extraterritorial effect to some offences. The Bill addresses risks posed by new information technologies and would classify actions endangering national secur...

National Strategylegco.gov.hk ↗
22 MAY 2024 · Other

PCPD investigation into Worldcoin project

On 22 May 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong concluded its investigation into the Worldcoin project, finding multiple contraventions of the Personal Data (Privacy) Ordinance (PDPO). The PCPD's findings highlighted that Worldcoin's collection of face and iris images for creating digital passports and distributing cryptocurrency tokens violated data protection principles concerning necessity, fairness, transparency, retention, and individuals’ rig...

✓ OfficialNational Strategypcpd.org.hk ↗
10 MAR 2024 · Other

PCPD Reminder regarding personal data use by LinkedIn for training AI models

On 3 October 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) issued a reminder to users regarding LinkedIn's recent privacy policy update, which allows the use of users' personal data and content to train generative AI models for content creation. This policy update sets consent to use personal data for such purposes by default. LinkedIn users are advised to understand the policy and review their privacy settings, and are reminded of their ability to opt-out by adjusting...

✓ OfficialNational Strategypcpd.org.hk ↗
21 FEB 2024 · Other

PCPD Investigations into the Impact of the Development or Use of Artificial Intelligence on Personal Data Privacy

On 21 February 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) concluded investigations into 28 local organisations. The investigations, conducted from August 2023 to February 2024, aimed to identify the implications of Artificial Intelligence (AI) development and use on personal data privacy. The investigations covered various sectors, including telecommunications, finance and insurance, retail, transportation, education, and government departments. The PCPD found that...

✓ OfficialNational Strategypcpd.org.hk ↗
04 FEB 2024 · Other

PCPD investigation into Cyberport's data breach incident

On 2 April 2024, the Privacy Commission for Personal Data (PCPD) ruled in an investigation into a data breach incident at Cyberport caused by a ransomware attack. This breach compromised the personal information of over 13'000 individuals, including unsuccessful job applicants and former employees. Cyberport's deficiencies included inadequate detection measures, failure to implement multi-factor authentication, insufficient security audits, vague information security policies, and unnecessary...

✓ OfficialNational Strategypcpd.org.hk ↗
11 JAN 2024 · Executive Order

Extended GBA standard contract facilitation measure enabling cross-boundary data flow

On 1 November 2024, the Digital Policy Office of Hong Kong (DPO) adopted the extension of the facilitation measures of the standard contract for the cross-border flow of personal information within the Guangdong–Hong Kong–Macao Greater Bay Area (GBA) to all sectors in Hong Kong. The contract previously applied to banking, credit referencing, and healthcare and is now extended to all sectors handling cross-border data flows within the GBA. The contract provides a framework to promote digital i...

✓ OfficialNational Strategypcpd.org.hk ↗
08 JAN 2024 · Other

PCPD outline on combating fraud involving AI deepfake technology

On 1 August 2024, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued an outline on combating fraud involving Artificial Intelligence (AI) deepfake technology. The outline emphasised that PCPD received nearly 600 enquiries related to fraud in the first half of 2024, a 90% increase from the previous year. The outline noted that various tactics used to deceive individuals include hijacking instant messaging accounts to impersonate victims and send fraudulent messages, creatin...

✓ OfficialConsumer Protectionpcpd.org.hk ↗
21 DEC 2023 · Other

Privacy Commissioner for Personal Data Investigation of Carousell for Unauthorised Scraping of Users' Personal Data

On 21 December 2023, the Hong Kong Privacy Commissioner for Personal Data (PCPD) closed its investigation of Carousell for unauthorised scraping of its users' personal data. The PCPD found Carousell had deficient assessment procedures and data safeguarding policies in place during a system migration in January 2022, resulting in a data breach affecting over 320'000 Hong Kong users and 2.6 mln Carousell users worldwide. The PCPD has issued an enforcement notice to Carousell, directing them to ...

✓ OfficialNational Strategypcpd.org.hk ↗
22 SEP 2023 · Other

Guideline to Strengthen Data Security

On 22 September 2023, the Office of the Privacy Commissioner for Personal Data (PCPD) issued a guideline to strengthen organisational data security measures in response to recent cyber attacks resulting in personal data leaks. These guidelines emphasise the necessity of regular data security assessments and the implementation of comprehensive security measures including secure network systems, consistent vulnerability assessments, effective patch management, data encryption, and diligent data...

✓ OfficialNational Strategypcpd.org.hk ↗
10 SEP 2023 · Other

PCPD investigation into ZA Bank Limited concerning data protection

On 9 October 2023, the Office of the Privacy Commissioner for Personal Data (PCPD) Hong Kong closed its investigation into ZA Bank Limited, Hong Kong's first virtual bank, concerning compliance with data protection laws. The PDPC's investigation found that ZA Bank complies with data protection principles for most parts, but it recommended several improvements, such as strengthening data processor management, enhancing data loss prevention system monitoring, limiting staff access to customer d...

✓ OfficialNational Strategypcpd.org.hk ↗
30 JUN 2023 · Other

Guidance on Data Breach Handling and Data Breach Notifications

On 30 June 2023, the Hong Kong Privacy Commissioner for Personal Data (PCPD) adopted a Guidance on Data Breach Handling and Data Breach Notifications. The Guidance aims to offer support in preventing the recurrence of data breaches and limit loss and damage to data subjects, especially when personal data is involved. In the Guidance, personal data and data breaches are defined, and common causes of data breaches in Hong Kong are listed. Furthermore, the Guidance outlines steps for preparing a...

✓ OfficialNational Strategypcpd.org.hk ↗
22 MAY 2023 · Other

Philippines and Hong Kong Memorandum of Understanding on Cooperation on Data Protection Matters

On 22 May 2023, the National Privacy Commission (NPC) of the Philippines and the Office of the Privacy Commissioner for Personal Data (PCPD) of Hong Kong signed a Memorandum of Understanding (MoU) to establish cooperation in the field of data protection. Under this MoU, both authorities will extend mutual assistance in investigations concerning cross-border data incidents and breaches, while also facilitating the sharing of information between them. Additionally, the NPC and PCPD will collabo...

✓ OfficialNational Strategyprivacy.gov.ph ↗
05 DEC 2022 · Other

Guidance on Recommended Model Contractual Clauses for Cross-Border Personal Data Transfers

On 12 May 2022, the Hong Kong Privacy Commissioner for Personal Data (PCPD) issued its Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data. The Guidance contains two sets of Recommended Model Contractual Clauses (RMCs) for use in two cross-border data transfer scenarios: the transfer of data from one data user to another; and the transfer of data from data user to data processor. Furthermore, the Guidance outlines the applicable rules for cross-border ...

✓ OfficialNational Strategypcpd.org.hk ↗
19 OCT 2022 · Executive Order

Hong Kong Cybercrimes Regulations

On 19 October 2022, the Sub-Committee on Cybercrime of the Law Reform Commission of Hong Kong closed its consultation on cyber-dependent crimes and jurisdictional issues. The paper proposes new cybercrime legislation to cover five new types of cyber crimes, such as unauthorised access to programmes or data, unauthorised interception, disclosure or use of computer data for criminal or dishonest purposes. In addition, the document proposes the reorganisation of the offence of computer misuse, i...

National Strategyhkreform.gov.hk ↗
30 AUG 2022 · Other

PCPD Guidance on Data Security Measures for ICT

On 30 August 2022, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) published the Guidance Note on Data Security Measures for information and communications technology (ICT). In particular, the guidance lists the security measures that should be implemented and taken into consideration in the risk assessment of new systems and includes guidance regarding technical and operational security measures, remedial actions in the event of data security incidents, monitoring, ...

✓ OfficialNational Strategypcpd.org.hk ↗
13 JUL 2022 · Other

Hong Kong-Singapore Memorandum of Understanding on personal data protection collaboration

On 13 July 2022, the Hong Kong Office of the Privacy Commissioner for Personal Data and Singapore’s Personal Data Protection Commission announced the renewal of their Memorandum of Understanding (MoU) on personal data protection collaboration. The first MoU was signed by both agencies on 31 May 2019. According to the renewed MoU, the agencies will share information on data protection regulations enforcement, collaborate in cross-border investigations and work on training programmes.

✓ OfficialNational Strategypcpd.org.hk ↗
16 JUN 2022 · Other

Isreal-Hong Kong trial on Central Bank Digital Currency Cybersecurity

On 16 June 2022, the Hong Kong Monetary Authority (HKMA), the Bank of Israel and the Bank for International Settlements Innovation Hub (BISIH) Hong Kong Centre, announced a collaboration to test the cybersecurity of a two-tier retail Central Bank Digital Currency (CBDC). The project will focus on data security in a two-tier retail CBDC architecture where the intermediaries have no financial exposure and is expected to be completed by the end of 2022.

✓ OfficialNational Strategyhkma.gov.hk ↗
29 DEC 2021 · Other

PCPD guidance on cross-border data transfer under PIPL

On 29 December 2021, the Hong Kong Privacy Commissioner for Personal Data (PCPD) has published an article containing guidance for Hong Kong-based companies operating under mainland jurisdiction regarding cross-border data transfers under mainland China's Personal Information Protection Law (PIPL). The article points out the legal requirements of cross-border data transfers (consent, security and impact assessment, certification, data transfer contract), additional requirements for certain cat...

✓ OfficialNational Strategypcpd.org.hk ↗
18 NOV 2021 · Other

PCPD guidance on Personal Information Protection Law of Mainland China

On 18 November 2021, the Privacy Commissioner for Personal Data (PCPD), Hong Kong's personal data protection body, has published its guidance on the Personal Information Protection Law (PIPL) in force in mainland China from 1 November 2021. Alongside an overview of the PIPL's provisions, the guidance contains a comparison between the PIPL and the Personal Data (Privacy) Ordinance that is in force in Hong Kong.

✓ OfficialNational Strategypcpd.org.hk ↗
14 SEP 2021 · Other

Hong Kong: PCPD issues FAQ guidelines on EU New SCCs

On 14 September 2021, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) has issued a set of FAQs to provide advice to entities affected by the European Union's new Standard Contractual Clauses (SCCs) for data transfers outside the EU, which were adopted by the European Commission on 27 June 2021. The FAQs provide information on which Hong Kong-based entities may be affected by the SCCs, and what the scope of the obligations under the SCCs are. Notably, even companies t...

✓ OfficialNational Strategypcpd.org.hk ↗