Artificial intelligence (AI) has been developing rapidly, with new breakthroughs and innovations emerging constantly. As AI technology becomes more advanced and integrated into businesses and everyday life, it is crucial for Hong Kong’s data protection laws and regulations to keep pace. This article provides an overview of the current legal and regulatory framework of data protection and privacy in Hong Kong in the context of AI.

In Hong Kong, the primary law governing data protection is the Personal Data (Privacy) Ordinance (PDPO). Additionally, the Office of the Privacy Commissioner for Personal Data (PCPD) has provided guidance on the ethical development and use of AI and the model framework for organisations that procure, implement and use AI systems.

PDPO and DPPs

The PDPO is technology-neutral and principle-based. Section 2 of the PDPO defines a “data user” as a person who controls the collection, holding, processing or use of personal data.

Accordingly, any individual, entity, organisation or business that develops and/or uses AI systems involving the handling of personal data is likely to be considered a data user and must adhere to the following six data protection principles (DPPs) in schedule 1 of the PDPO, among other requirements under the PDPO:

AI guidance

In August 2021, the PCPD published the Guidance on the Ethical Development and Use of Artificial Intelligence (AI Guidance) to provide recommendations primarily for organisations that develop and use AI systems involving the use of personal data.

The AI Guidance recommends that organisations embrace three core data stewardship values (Values), being:

It also encourages organisations to adopt the seven internationally recognised ethical principles (Ethical Principles) for AI:

To ensure the Values and the Ethical Principles are practicable, organisations should take into consideration the recommended practices in the following areas, as set out in the AI Guidance, when they develop and use AI and formulate appropriate policies, practices and procedures:

Model framework

On 11 June 2024, the PCPD published the Artificial Intelligence: Model Personal Data Protection Framework (Model Framework). The Model Framework provides recommendations on the best practices for organisations that procure, implement and use any type of AI systems or solutions involving the use of personal data, including predictive AI and generative AI.

Similar to the AI Guidance, the Model Framework outlines recommended measures to ensure the implementation of the Values and the Ethical Principles. Organisations should consider these recommended practices in the following areas when procuring, implementing and using AI solutions, as well as when formulating appropriate policies, practices and procedures:

An evolving landscape

While the AI Guidance and the Model Framework do not impose mandatory requirements and their recommendations are not exhaustive, their publication is a significant step towards supporting the responsible and ethical development of AI in Hong Kong. Given the rapid development and groundbreaking advancement of AI, it is likely that the relevant legal and regulatory landscape in Hong Kong will continue to evolve to address new issues and challenges.

For the time being, data users must ensure they comply with the PDPO and the six DPPs, and follow the best practice recommendations in the AI Guidance and the Model Framework, especially when it comes to the collection, use and retention of personal data during the development, operation and use of AI.

This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice. Please contact us for specific advice.

Author: Sam Wu, Partner at YYC Legal