Navigating the New Frontier: A Guide for the Adoption of Artificial Intelligence for Businesses in Hong Kong

June 24, 2026

Author: Rendy Ng & Amber Yung | Rendy Ng Law Firm

Introduction

From professional-grade platforms like HeyGen and Synthesia to innovative tools such as Kling AI and Higgsfield, artificial intelligence (“AI”) content generation is no longer a futuristic concept; it is a present-day business tool. Using these platforms, users can transform personal facial features into video avatars or create stunning cinematic content with a single click. Many forward-looking companies in Hong Kong are rapidly adopting these technologies to advance their marketing and business goals.

As AI generation becomes increasingly advanced in its ability to transcend basic human functionality, many concerns have arisen regarding user privacy and consumer awareness. The term “deepfake” refers to AI’s ability to manipulate visuals and sounds to generate realistic human experiences, which can lead to significant liabilities if misused. In Hong Kong, the government targets cases in which the creation of a deepfake results in the violation of personal data, including but not limited to image-based sexual violence, sophisticated scams, harassment, and the spread of disinformation.

While Hong Kong has not yet enacted a single, comprehensive “AI Act”, the regulatory landscape is developing quickly. In 2025 and 2026, Hong Kong moved from broad AI/privacy guidance toward more practical generative AI guidelines, active privacy compliance checks, sector-specific adoption, and formal reviews of whether new AI laws or administrative measures are needed.

For businesses deploying, procuring, developing, or investing in AI systems, the message is clear: AI governance is no longer a purely voluntary “innovation” issue. It is becoming a legal, regulatory, operational, and reputational risk-management priority.

Executive Summary

Recent developments in Hong Kong's AI arena include:

  • the release of the Hong Kong Generative Artificial Intelligence Technical and Application Guideline in April 2025;
  • continued reliance on the Personal Data (Privacy) Ordinance as the core binding law for AI systems involving personal data;
  • the Privacy Commissioner's active focus on AI governance, including compliance checks on organisations' AI security and governance practices;
  • increasing emphasis on employee use of generative AI tools;
  • emerging sector-specific guidance, including in the judiciary and legal sector;
  • Government confirmation in 2026 that it is reviewing existing legislation to support wider AI application; and
  • policy focus on future areas such as embodied intelligence, robotics, and AI industrial development.

AI Governance in Existing Legal Frameworks

Currently, Hong Kong does not have a standalone AI statute; rather, it relies on existing legal obligations to govern the use of AI systems. Since AI systems collect, process, analyse, train on, infer, and generate content from personal data, the Personal Data (Privacy) Ordinance (“PD(P)O”) is a central binding law. Key PD(P)O issues include collection limitation, transparency, purpose limitation, prescribed consent for new purposes, retention, data security, access and correction rights, and controls over processors and vendors.

Other existing laws and regulatory requirements that are applicable to AI systems include:

  • sectoral financial services, insurance, healthcare, education, telecoms, transport, and professional regulation;
  • employment and anti-discrimination laws;
  • consumer protection rules;
  • intellectual property law;
  • confidentiality and trade secret obligations;
  • cybersecurity and computer crime rules;
  • defamation law; and
  • contract and outsourcing laws.

The flexible nature and broad enforcement capability of these governing frameworks mean that they can be applied to AI systems on a case-by-case basis.

Shifting to AI-Specific Governance

Recently, however, Hong Kong has recognized the need to address and clarify risks specific to the growing application of AI. In April 2025, the Digital Policy Office released the Hong Kong Generative Artificial Intelligence Technical and Application Guideline, providing guidance for developers, service providers and users of GenAI systems. The guideline addresses key risks such as data leakage, inaccurate or fabricated outputs, bias, cybersecurity vulnerabilities, over-reliance on AI-generated content and accountability.

The Office of the Privacy Commissioner for Personal Data (“PCPD”) also stepped up its supervisory activity. In May 2025, it completed compliance checks on 60 organisations' AI security and governance practices, signalling a shift from general awareness-raising toward active regulatory scrutiny. The PCPD has also encouraged organisations to adopt internal policies on employee use of GenAI, particularly to prevent staff from uploading personal data, confidential information, privileged material or proprietary data into public AI tools.

Other sector-specific developments also emerged. The Judiciary issued guidelines on the use of GenAI by judges, judicial officers and support staff, while the Government continued to promote AI adoption in the legal sector, including work on a local legal-sector large language model.

2026 Developments: Legislative Review and Future Regulatory Direction

In 2026, the Hong Kong Government confirmed that it is reviewing existing legislation to support wider AI application. This marks an important policy shift: the Government is now actively considering whether targeted legislation or administrative measures may be needed for particular AI risks or use cases.

The review is likely to be relevant to areas such as automated decision-making, public-sector AI use, financial services, healthcare, employment, deepfakes, cybersecurity, AI-enabled fraud, intellectual property, liability, cross-border data issues and generative AI. The Government has also highlighted embodied intelligence (AI embedded in robots, autonomous systems, smart devices and other physical-world technologies) as an emerging area of focus, although there are currently no specific Hong Kong rules targeting embodied intelligence as a standalone category.

AI also became a more prominent industrial policy priority in 2026. The Government announced the formation of an “AI+ and Industrial Development Strategy Committee”, and the Hong Kong Artificial Intelligence Research and Development Institute is expected to come into operation in the second half of 2026, with a role that includes advising on AI governance. While existing frameworks such as the PD(P)O continue to enforce AI governance, these new reviews and policies allow for increased clarification and support.

What Businesses Should Do Now

Businesses operating in Hong Kong should take a practical, organized approach to AI governance.

First, organisations should identify and map existing AI use cases, including both formally approved tools and “shadow AI” used by employees or business units. This inventory should capture the relevant tool, business owner, purpose, data inputs and outputs, whether personal or confidential data is involved, whether decisions are automated or human-reviewed, the vendor arrangements, processing location and overall risk profile.

Second, businesses should classify AI use cases by risk, taking into account data sensitivity, impact on individuals, degree of automation, explainability, sectoral regulation, cybersecurity, reputational exposure, third-party reliance, and potential discrimination or unfairness.

Third, organisations should review privacy and data protection compliance where personal data is involved, including privacy notices, collection purposes, consent requirements, data minimisation, retention, access controls, processor arrangements, cross-border transfers, security safeguards, data subject rights and incident response.

Fourth, businesses should put in place an internal AI governance framework covering board and senior management oversight, roles and responsibilities, approval processes, risk assessment methodology, procurement standards, vendor due diligence, model testing and validation, human oversight, incident reporting, monitoring, audit, documentation and periodic review.

Fifth, organisations should update contracts and vendor arrangements for AI procurement, including provisions on model training, confidentiality, data segregation, IP ownership and use of outputs, accuracy and performance, audit rights, security, subcontracting, data transfers, deletion or return of data, regulatory cooperation, liability, indemnities, continuity, change management and termination assistance.

Sixth, employers should manage workplace AI risks, including employee use of GenAI, workplace monitoring, recruitment tools, automated screening, performance management, disciplinary processes, bias and discrimination, employee privacy notices, consultation, training and acceptable use of company data.

Finally, organisations should train staff and monitor regulatory change, ensuring employees understand approved tools, prohibited inputs, human review requirements, output verification, escalation procedures and data protection obligations, while keeping pace with Hong Kong’s legislative review and sector-specific developments.

How We Can Help

We advise clients on the legal, regulatory, contractual and governance issues arising from AI development, procurement and deployment in Hong Kong and across the region.

We can assist with:

  • AI legal and regulatory risk assessments, including privacy, financial services, employment, consumer protection, IP, confidentiality, cybersecurity and sector-specific issues.
  • AI governance frameworks, including approval procedures, risk assessment tools, board reporting and accountability structures.
  • GenAI employee policies, covering personal data, confidential information, privileged material, client data, source code, human review and output verification.
  • Privacy and data protection compliance, including privacy impact assessments, data mapping, notices, consent, processor arrangements, cross-border transfers, retention and incident response.
  • AI procurement and vendor contracts, including SaaS and outsourcing terms, data processing clauses, model-training restrictions, IP rights, audit rights, liability allocation and regulatory cooperation.
  • Sector-specific AI advice for financial services, insurance, healthcare, technology, retail, education, professional services and employment contexts.
  • AI product development support, including data sourcing, training data risk, user terms, acceptable use policies, IP ownership, liability and go-to-market compliance.
  • Board, management and staff training for legal, compliance, HR, procurement, IT and business teams.
  • Regulatory horizon scanning across Hong Kong and relevant overseas regimes, including Mainland China, the EU, Singapore, the UK and the US.

Disclaimer: Nothing herein shall be interpreted as legal advice to any person. Readers are encouraged to consult their legal representatives for independent advice. The information provided is based on overall observations and the experience of the practitioners of the firm at the time of writing. The content may change without prior notification depending on changes in the law. If there are two versions of the article in different languages, the English version will prevail in case of discrepancies.

About Us:

Rendy Ng Law Firm is a law firm based in Hong Kong, providing a full range of commercial legal services for all sectors, with particular focus on supporting professionals and businesses in the medical and veterinary, consumer goods and retail and entertainment industries to achieve sustainable success. By combining legal guidance with understanding of business practicalities, we ensure that our clients receive support tailored to their business goals and individual needs. Please feel free to reach out to our team should you have any questions about our services.

For enquiries, please contact us at:

P | +(852) 6033-3072 E | info@rknlegal.com W | www.rknlegal.com
