AIRiskAware

Asia 9 min read 2026

AI Governance in Hong Kong: PCPD, SFC, HKMA, and the China AI Regulation Intersection

Hong Kong operates a distinct AI governance framework under common law, with PCPD enforcing the Personal Data (Privacy) Ordinance, SFC and HKMA setting financial sector expectations, and increasing alignment with Mainland China's CAC regulations creating a unique dual-compliance environment.

Key Takeaways

  • Hong Kong operates under its own common law system distinct from Mainland China — the Personal Data (Privacy) Ordinance (PDPO) governs data protection, not PIPL.

  • The PCPD (Office of the Privacy Commissioner for Personal Data) has issued guidance on AI and data protection, including model AI governance frameworks for financial institutions.

  • SFC and HKMA have both issued circulars on AI governance in financial services — algorithmic trading, credit decisioning, and AI-generated financial analysis are all in scope.

  • Hong Kong financial institutions with Mainland China operations face dual compliance: HKMA/SFC on the HK side, CAC and PIPL on the Mainland side. These frameworks have fundamental differences in approach.

  • Hong Kong's unique position means EU AI Act obligations may apply to HK companies serving EU clients, while also navigating Mainland regulatory alignment pressures.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific advice."

Hong Kong's distinct AI regulatory position

Hong Kong operates its own legal system under the Basic Law and the "one country, two systems" principle. For AI governance, this means Hong Kong organisations are subject to Hong Kong law — primarily the Personal Data (Privacy) Ordinance (PDPO) — rather than Mainland China's CAC-administered regulatory stack. However, organisations operating across both Hong Kong and the Mainland must understand both frameworks.

The PDPO is enforced by the Office of the Privacy Commissioner for Personal Data (PCPD). The PCPD has issued AI-specific guidance, including an Ethical Accountability Framework for Hong Kong and a model AI governance framework document developed with the financial services sector. These are voluntary frameworks, not legislation, but they carry significant weight with regulators and enterprise buyers.

Financial sector: HKMA and SFC

Hong Kong's financial regulators are the most active AI governance authorities. The Hong Kong Monetary Authority (HKMA) has issued circulars on AI governance for authorised institutions covering model risk management, algorithm testing, and customer disclosure when AI influences financial decisions. The Securities and Futures Commission (SFC) has addressed AI in algorithmic trading, portfolio management, and financial analysis — including rules on disclosure when AI generates investment advice or research.

The Mainland dimension

Hong Kong financial institutions with Mainland operations face a dual-compliance environment that has no close parallel elsewhere. On the Hong Kong side, PDPO and HKMA/SFC apply with common-law principles. On the Mainland side, PIPL, DSL, and CAC's AI-specific regulations (Algorithm Recommendations, Deep Synthesis, Generative AI) apply with very different legal foundations — including strict data localisation requirements and content control obligations that have no equivalent in Hong Kong law. Organisations with significant cross-boundary operations need governance architectures designed for both systems simultaneously.