Regulatory Direction: PCPD AI Guidelines and the Model Framework
In June 2024, the PCPD formally issued the Artificial Intelligence: Model Personal Data Protection Framework (the “Model Framework”) . This guidance provides structured direction for organizations procuring, implementing, or using AI systems — particularly generative AI — in compliance with the PDPO.
The issuance of the PCPD AI guidelines marks a more proactive and structured phase of AI data protection regulation in Hong Kong.
Importantly, the Model Framework does not seek to restrain technological innovation. Rather, it promotes responsible AI governance grounded in three core data stewardship values and seven ethical AI principles. Accountability, transparency, and a risk-based approach are embedded throughout the framework.
Organizations are encouraged to build AI governance across four core domains:
- AI Strategy and Governance
Establish a clear AI governance structure, define internal policies for AI procurement and use, and provide appropriate staff training.
- Risk Assessment and Human Oversight
Conduct structured AI privacy risk assessments prior to deployment — including Privacy Impact Assessments (PIAs) — and determine proportionate levels of human oversight (e.g., human-in-the-loop or human-on-the-loop).
- AI Model Customization, Implementation and Management
Ensure PDPO compliance in data handling, model testing, system security, and ongoing monitoring.
- Stakeholder Communication and Transparency
Clearly communicate AI usage to data subjects and establish effective channels for feedback and complaints.
The regulatory direction signals that AI data protection in Hong Kong is expected to be embedded throughout the entire AI system lifecycle — not treated as a one-time technical implementation exercise.
Core Regulatory and Audit Focus Areas in AI Compliance
From an audit and certification standpoint, AI compliance is evaluated primarily through the integrity and effectiveness of governance processes. Three areas typically receive particular attention.
1. Risk Identification and AI Privacy Impact Assessment
Regulators assess whether organizations have exercised due diligence before deploying AI systems. The expectation is not that every risk is predicted, but that a structured risk identification and evaluation mechanism exists.
Evidence commonly reviewed includes:
- Documented Privacy Impact Assessments (PIAs):
Whether AI privacy risk assessments were conducted prior to implementation. According to a PCPD compliance inspection report issued in May 2025, approximately 83% of inspected organizations collecting personal data conducted PIAs before deploying AI systems .
- Recorded decision-making processes:
Documentation explaining why specific AI models were selected, how oversight levels were determined, and how risk assessments informed governance decisions.
- Data minimization and lawful sourcing analysis:
Evaluation of whether only necessary personal data is used, and whether training data sources comply with PDPO requirements.
2. Transparency and Data Subject Rights Under PDPO
Transparency is a cornerstone of the PCPD AI governance framework. Organizations are expected to communicate clearly and accessibly how AI systems process personal data.
Key areas of regulatory focus include:
- Disclosure in Personal Information Collection Statements (PICS):
Whether individuals are informed that their personal data may be used in AI-driven analysis or automated decision-making.
- Mechanisms to respond to inquiries or challenges:
Whether organizations can explain AI-assisted decisions, particularly in contexts such as credit approval or personalized recommendations. This relates to system interpretability and accountability.
- Provision of meaningful choice:
Where appropriate, whether individuals are offered options to opt out of AI-driven analysis.
For decision-makers, this means AI compliance is closely linked to trust, transparency, and reputational risk management.
3. Data Security Controls and Governance Accountability
AI compliance in Hong Kong extends beyond legal interpretation — it is fundamentally a governance issue.
PCPD inspection findings indicate that approximately 79% of inspected organizations have established formal AI governance structures . Regulatory attention commonly focuses on:
- Clear allocation of responsibility:
Whether an AI governance committee or designated responsible officer oversees AI risk and compliance.
- Robust data security measures:
Implementation of access controls, encryption, and safeguards against adversarial attacks targeting AI models.
- Ongoing monitoring and review mechanisms:
Recognition that AI models and risk environments evolve, requiring periodic reassessment and internal audit processes.
Common AI Compliance Pitfalls Observed in Practice
Based on interactions with enterprises, several recurring governance misconceptions emerge in AI implementation.
- Pitfall 1: Treating AI Risk as a Purely Technical Issue
Delegating AI deployment exclusively to IT functions without early involvement from legal, compliance, risk management, and corporate governance teams creates structural blind spots. AI privacy risk is cross-functional and strategic.
- Pitfall 2: Failing to Systematically Assess Personal Data Implications
Project teams may prioritize functionality over data protection analysis. The PCPD has emphasized that using real customer dialogue data to train a general-purpose chatbot — without proper authorization or beyond the original collection purpose — may contravene the PDPO purpose limitation principle .
- Pitfall 3: Prioritizing Speed of Innovation Over Governance Readiness
In competitive markets, compliance reviews are sometimes deferred. Embedding Privacy by Design principles early in system development is significantly more cost-effective than post-deployment remediation.
- Pitfall 4: Assuming Third-Party Vendors Bear Full Compliance Responsibility
Under the PDPO, the organization remains the “Data User” even when outsourcing AI services. Contractual controls and due diligence over data processors remain essential components of AI compliance in Hong Kong.
What Organizations May Be Asked to Demonstrate in AI Audit or Certification
In independent AI audit or certification exercises, the central question is whether governance commitments are effectively implemented in practice.
Organizations may be requested to provide evidence such as:
- Risk assessment documentation:
PIA reports, risk registers, workshop records.
Vendor selection criteria, approval documentation for AI use cases, and analyses determining oversight levels.
- Governance structure documentation:
Terms of reference for AI governance committees, job descriptions, or internal policy provisions defining accountability.
- Internal policies and procedures:
AI usage policies, employee guidelines on generative AI, and incident response procedures covering AI-related data breaches.
Audit focus typically centers on the existence, coherence, and proportionality of governance mechanisms — rather than adherence to a rigid template.
Conclusion: From Reactive Compliance to Proactive AI Governance in Hong Kong
As AI regulation in Hong Kong becomes increasingly structured under the PCPD framework, organizations are expected to transition from reactive compliance to proactive AI governance.
For enterprise leaders, the key issue is not whether AI presents risk — but how governance structures demonstrate accountability, transparency, and risk-based decision-making under the PDPO.
AI compliance in Hong Kong is not merely a technical matter. It is an organizational governance issue spanning strategy, culture, and operational controls. Organizations that embed structured AI governance across the lifecycle of their systems will be better positioned to manage regulatory risk, strengthen stakeholder trust, and sustain long-term competitiveness in an AI-driven market environment.
Associated Services by DQS HK
