The conversation around regulating AI in Hong Kong has shifted significantly since 2024. There is still no dedicated AI law in Hong Kong as of early 2026. But the absence of a specific statute does not mean a business using AI tools has no obligations. The PCPD conducted compliance checks in May 2025 and found that 80% of the 60 organisations surveyed were already using AI in their daily operations, according to Mayer Brown's November 2025 analysis of that review.

Nearly 70% of those surveyed organisations recognised that AI use posed significant privacy risks, according to the PCPD's own 2024 AI security survey. The combination of high adoption and high awareness of risk means that enforcement is not a future possibility. It is an active concern right now.

What makes regulating AI in Hong Kong particularly challenging for small businesses is that the obligations come from multiple directions at once. The Privacy Commissioner for Personal Data has issued guidance. The Digital Policy Office has published voluntary guidelines. The Financial Services and Treasury Bureau has issued a policy statement. None of these are currently binding law except the Personal Data (Privacy) Ordinance, which was already in force before AI became widespread.

A University of Melbourne and KPMG survey of 48,000 people across 47 countries found that 66% of AI users rely on AI output without evaluating accuracy, while 56% make workplace mistakes using AI tools.

In Hong Kong, where staff and customers may both be affected by AI-driven decisions, that error rate carries direct legal exposure under existing law.

DOOD builds AI-integrated websites and digital systems for Hong Kong businesses using confirmed enterprise-grade platforms with proper data handling agreements. Our AI services are designed with HK regulatory requirements in mind from the first line of code.

Why Hong Kong Has No AI Law Yet and Why That Does Not Protect Your Business

The soft law approach and what it means for businesses today

Hong Kong has deliberately chosen a soft law approach to regulating AI in Hong Kong. This is the starting point for understanding all current obligations.

Soft law means voluntary guidelines, codes of practice, and policy statements rather than binding statutes with criminal penalties. The government's reasoning is that technology moves faster than legislation, and that rigid rules risk becoming outdated before they can be enforced. In February 2025, the HK government committed HK$1 billion to establish the Hong Kong AI Research and Development Institute, signalling that AI is a strategic priority. The investment reflects a desire to grow the AI sector, not constrain it.

Soft law is central to the current approach of regulating AI in Hong Kong. It allows businesses to adopt AI quickly while giving regulators time to observe which risks actually materialise before writing binding rules around them.

The practical consequence for a small business owner is that there is currently no single document you can read that tells you everything you need to do. The guidelines exist across multiple publications from multiple bodies, none of which has the force of law on its own.

However, the PCPD has signalled that compliance with voluntary guidance will be taken into account during investigations under the PDPO. A business that ignored every voluntary guideline on regulating AI in Hong Kong and then faced a data breach involving AI-processed customer data would have a very difficult time arguing that it behaved responsibly.

The soft law approach to regulating AI in Hong Kong is not a free pass. It is a transitional phase with real teeth attached to existing law. DOOD's AI services for Hong Kong businesses are built to satisfy the PCPD's voluntary framework from day one, not as an afterthought.

The one law that already applies to every AI tool your business uses

The Personal Data (Privacy) Ordinance, known as the PDPO, is Cap. 486 of Hong Kong law and has been in force since 1996. It applies to any organisation that collects, holds, processes, or uses personal data belonging to individuals in Hong Kong. It was written before generative AI existed, but its data protection principles are central to regulating AI in Hong Kong in practice today.

When a business feeds customer names, email addresses, purchase histories, or any other personal data into an AI tool, the obligations at the heart of regulating AI in Hong Kong apply immediately. The question of regulating AI in Hong Kong through new law is therefore somewhat secondary to the question of whether your business is already complying with the law that has existed for nearly 30 years.

Most businesses that discover they have an AI compliance problem find that the root cause is a PDPO compliance gap, not a missing AI-specific rule.

The 6 Frameworks Hong Kong Businesses Are Expected to Follow Right Now

The table below maps the six active governance frameworks relevant to businesses using AI in Hong Kong as of early 2026. Understanding which of these apply to your business is the starting point for any serious approach to regulating AI in Hong Kong.

| Framework | Issued by | Date | Who it applies to | Binding? |
| --- | --- | --- | --- | --- |
| AI Model Personal Data Protection Framework | PCPD | June 2024 | All organisations using AI with personal data | No — voluntary best practice |
| Generative AI Technical and Application Guideline | Digital Policy Office | April 2025 | Technology developers, platform providers, AI users | No — voluntary |
| Checklist on Guidelines for the Use of Generative AI by Employees | PCPD | March 2025 | All organisations with employees using AI | No — voluntary |
| Policy Statement on Responsible Application of AI in Financial Market | Financial Services and Treasury Bureau | October 2024 | Financial sector businesses | No — policy statement |
| Ethical Artificial Intelligence Framework | Digital Policy Office | Ongoing | Government bodies and general organisations | No — voluntary |
| Personal Data (Privacy) Ordinance (PDPO) | PCPD / LegCo | Cap. 486, active | All businesses processing personal data in HK | Yes — legally binding |

What the PCPD Model Framework actually asks you to do

The PCPD published its AI Model Personal Data Protection Framework in June 2024. It is the most directly relevant guidance for any organisation using third-party AI tools in Hong Kong. The framework asks organisations to carry out a Personal Data Impact Assessment before deploying any AI system that processes personal data, to establish clear data governance policies covering which data can be fed into which AI tools, to ensure human oversight is in place for AI-driven decisions that affect individuals, and to maintain records of what AI systems are used and what data they process. None of this is legally required today.

But the PCPD's 2025 compliance checks specifically looked for evidence that organisations were aware of and working toward this framework. A business that has never heard of it is at real risk when the conversation around regulating AI in Hong Kong shifts from voluntary to mandatory.

What the Digital Policy Office April 2025 guidelines add

The Digital Policy Office released its Generative Artificial Intelligence Technical and Application Guideline in April 2025. Where the PCPD framework focuses on data protection, the DPO guideline focuses on the quality and reliability of AI outputs.

It asks organisations to verify AI-generated content before it is used in customer communications or decisions, to be transparent with customers when AI is involved in producing content or recommendations they receive, and to maintain human accountability for AI-assisted decisions. For a small business navigating its obligations around regulating AI in Hong Kong, the practical translation is straightforward.

If your team uses AI to draft customer-facing content, someone in the business needs to check it before it goes out. If AI drives a pricing decision, a discount offer, or a product recommendation a customer receives, the business is responsible for that output. The approach to regulating AI in Hong Kong through these guidelines places accountability firmly with the business, not the tool. AI web development for HK businesses built by DOOD includes audit logging and human review checkpoints specifically to satisfy this accountability requirement.

Worth knowing: None of the six frameworks in the table above are currently legally binding except the PDPO. But the PCPD has made clear that compliance with voluntary guidance will be taken into account during investigations under the PDPO. A business that followed the voluntary frameworks demonstrates reasonable care. A business that ignored them entirely will find that position difficult to defend when a customer complaint triggers a PCPD investigation.

What the PDPO Actually Requires When Your Business Uses AI

The four scenarios where the PDPO kicks in immediately

The PDPO applies the moment personal data belonging to a Hong Kong resident is collected, held, or processed by your business. When it comes to AI, this means four specific scenarios trigger PDPO obligations immediately. First, feeding customer contact details into an AI tool for any purpose such as drafting responses, generating recommendations, or summarising enquiries makes the PDPO relevant. Second, using AI to analyse employee records, performance data, or HR documents triggers the Ordinance for employee data.

Third, training or fine-tuning any AI model on data that includes real customer or employee information requires explicit data governance procedures under the PDPO. Fourth, any AI-generated decision that produces a legal or significant effect for an individual, such as denying a service, flagging a transaction, or producing a credit-related output, requires transparency and a right of access. The challenge of regulating AI in Hong Kong under the PDPO is that all four of these triggers are already active for most businesses that have started using AI, whether or not they realise it.

What counts as a data processing agreement and why you need one for every AI tool

When a business sends personal data to a third-party AI platform, the PDPO requires that the relationship is governed by a data processing agreement. This is a contract between your business and the AI platform that specifies what data is transferred, how it is used, who can access it, how long it is retained, and how it is deleted when the relationship ends. Consumer-tier accounts on AI platforms, including free and standard-paid tiers, typically do not include these agreements.

Enterprise tiers almost always do. This distinction is fundamental to regulating AI in Hong Kong compliance for any business using third-party AI platforms.

This is the single most practical compliance step for any Hong Kong small business navigating regulating AI in Hong Kong under the PDPO: check whether every AI tool your team uses has a data processing agreement in place. If it does not, either upgrade to an enterprise tier that provides one or stop feeding personal data into that tool.

This single check resolves more compliance gaps than any other action. Website maintenance and security for Hong Kong businesses increasingly includes a review of which AI tools are connected to the site and whether each one has appropriate data agreements in place.

The most common gap DOOD sees when auditing AI use in HK small businesses is exactly this one. A staff member signed up for a free AI writing or customer service tool, started feeding customer enquiries into it, and nobody checked whether an enterprise data agreement existed.

The tool is useful, the team adopts it, and six months later the business has been processing thousands of customer messages through a platform with no PDPO-compliant data processing agreement. Fixing this retroactively is far more disruptive than getting it right from the start, which is why proactive attention to regulating AI in Hong Kong requirements pays for itself quickly. The question of regulating AI in Hong Kong often has a very simple practical answer: check the terms of every tool your staff uses and upgrade the data agreement where one is missing.

What Sector-Specific AI Rules Mean for HK Businesses in Finance and Insurance

Financial businesses: what the HKMA and SFC expect

The Financial Services and Treasury Bureau published its Policy Statement on Responsible Application of AI in the Financial Market in October 2024. The HKMA and SFC have both issued supplementary guidance for firms they supervise, adding sector-specific layers to the general framework for regulating AI in Hong Kong. These layers apply in addition to, not instead of, the PDPO.

For any Hong Kong business operating in financial services, including insurers, fund administrators, payment processors, and financial advisers, the regulatory expectation goes beyond the general PDPO obligations that apply to all businesses. Supervised firms are expected to have a documented AI governance framework, to conduct pre-deployment risk assessments for any AI system that affects customer outcomes, and to maintain records that demonstrate accountability for AI-driven decisions.

This makes compliance a documentation exercise as much as a technical one. The discussion around regulating AI in Hong Kong is most advanced in the financial sector because regulators already have supervisory relationships with these firms and can request evidence of compliance directly.

Healthcare and insurance: why AI use is under active review in 2026

The Insurance Authority indicated in August 2025 that updated guidelines on AI use in the insurance sector will be issued in 2026. This reflects a broader pattern: sector-specific regulators in Hong Kong are each developing their own AI guidance on top of the general framework. For a healthcare business using AI for appointment scheduling, clinical documentation, or patient communication, the question of regulating AI in Hong Kong involves both the PDPO and sector-specific requirements from the Department of Health.

For insurance businesses, the IA's forthcoming 2026 guidelines will add a further layer to the already active framework for regulating AI in Hong Kong in that sector. The practical implication of regulating AI in Hong Kong for any business operating in a regulated sector is that the compliance checklist will be longer than for a general retailer or service business, and it will continue to grow through 2026 as each regulator finalises its sector-specific position. WordPress development for regulated HK businesses built by DOOD includes documentation of all AI components specifically so that regulatory audits can be completed without delay.

Key point: The approach to regulating AI in Hong Kong is deliberately fragmented by sector. A financial business faces different obligations from a retailer. A healthcare business faces different obligations from a law firm. There is no single compliance checklist that works for every business. There is a set of overlapping frameworks that depend on what your business does, who your customers are, and which regulator supervises your sector.

The Practical Steps Every HK Small Business Should Take Before Enforcement Begins

Building an internal AI policy that satisfies the PCPD checklist

The PCPD published a Checklist on Guidelines for the Use of Generative AI by Employees in March 2025. It is the most practical starting document for any HK small business that wants to approach regulating AI in Hong Kong in a systematic way.

The checklist covers six areas: establishing an AI usage policy, defining which data can and cannot be input into AI tools, ensuring employees understand accountability for AI outputs, maintaining a record of which AI tools are used and for what purpose, reviewing AI tool data processing agreements, and establishing a process for handling errors or complaints arising from AI use.

A business that completes this checklist honestly will have identified every significant compliance gap it has. This is the most practical entry point into regulating AI in Hong Kong compliance for any SME.

It takes a few hours, not weeks. The regulating AI in Hong Kong landscape rewards businesses that start early. The Protection of Critical Infrastructure (Computer Systems) Ordinance, which was gazetted on 28 March 2025 and came into force on 1 January 2026, adds a further layer for businesses operating designated critical infrastructure, requiring cybersecurity incident response plans that cover AI-related vulnerabilities.

What to do if your business cannot afford a compliance team

Most Hong Kong small businesses cannot justify a dedicated compliance officer for AI governance. The practical alternative is to designate one person, typically the business owner or an operations manager, as the person responsible for regulating AI in Hong Kong compliance within the business.

A simple one-page AI policy that covers the PCPD checklist items is sufficient. It is the foundation of credible regulating AI in Hong Kong compliance for any SME. This does not need to be written by a lawyer. It needs to be written, communicated to staff, and updated when the business adopts a new AI tool. The key principle behind regulating AI in Hong Kong through voluntary frameworks is that good faith effort matters.

A business that has a written policy, reviews it when tools change, and keeps records of which tools process which data is in a fundamentally different position from a business that has given this no thought at all. Managed hosting in Hong Kong for businesses running AI-integrated websites includes infrastructure documentation that forms part of the technical evidence base for any AI compliance review.

The direction of travel for regulating AI in Hong Kong is clear. The government has committed significant investment to AI development, which means it also has a growing interest in ensuring that AI adoption does not produce harm that damages public trust. The shift from voluntary frameworks to binding regulation is a matter of when, not whether. Businesses that have engaged seriously with regulating AI in Hong Kong during the voluntary phase will find the transition to binding law straightforward.

Businesses that have ignored the voluntary frameworks entirely will face a much steeper compliance burden when binding rules arrive.

Frequently Asked Questions

Is there an AI law in Hong Kong right now?

There is no dedicated AI statute in Hong Kong as of early 2026. The approach to regulating AI in Hong Kong is currently based on voluntary guidelines from the PCPD and Digital Policy Office, plus sector-specific guidance from financial and other regulators. However, the Personal Data (Privacy) Ordinance is fully binding and already applies to any business using AI to process personal data. Businesses that ignore the voluntary guidelines and later face a PDPO investigation will find that their non-compliance with the voluntary frameworks is taken into account as evidence of insufficient care.

Does the PDPO apply to AI tools my business uses?

Yes. The PDPO applies any time personal data belonging to Hong Kong residents is processed by your business, regardless of which tool is doing the processing. When a staff member feeds customer enquiries, contact details, or any other personal information into an AI platform, the PDPO's obligations apply. The key practical requirement is that any AI tool processing personal data must be covered by a data processing agreement. Consumer-tier accounts typically do not provide this. This is one of the most important practical aspects of regulating AI in Hong Kong for small businesses to address immediately.

What should a Hong Kong small business do right now to comply with AI regulations?

Start with three steps. First, list every AI tool your team uses and check whether each one has a data processing agreement covering your use of personal data. Second, write a one-page internal AI policy based on the PCPD's March 2025 checklist for employee AI use. Third, designate one person in the business as responsible for reviewing this policy whenever a new AI tool is adopted. These three steps address the most common compliance gaps identified in the PCPD's 2025 reviews and demonstrate good faith under the current approach to regulating AI in Hong Kong through voluntary frameworks.

