On April 15, 2025, the Digital Policy Office (DPO) of the Hong Kong Special Administrative Region (HKSAR) released the “Hong Kong Generative Artificial Intelligence Technical and Application Guideline” (the Guideline). The Guideline seeks to guide developers, service providers, and users through complex technical and social considerations, promoting responsible AI development while maintaining public trust and international competitiveness.
The policy was co-developed with the Hong Kong Generative AI Research and Development Center (HKGAI), an organization established in 2023 under the AIR@InnoHK initiative. The HKGAI plays a crucial role in advancing AI R&D and bridging the knowledge gap between policymakers, academics, and industry stakeholders. The resulting Guideline integrates international standards and regulatory principles with Hong Kong’s legal, economic, and social context to produce a holistic and actionable governance blueprint.
This article will analyze the Guideline’s key provisions and regulatory principles therein, and provide advice on the legal obligations and risk challenges that technology developers, service providers and business users may face.
I. Key Provisions
The Guideline delineates a comprehensive governance structure that emphasizes stakeholder accountability, system transparency, ethical usage, and operational readiness. It is segmented across three principal stakeholder categories: Technology Developers, Service Providers, and Service Users. Each group is assigned targeted responsibilities to ensure that all participants in the generative AI ecosystem contribute to its integrity and trustworthiness.
1. Technical Limitations and Risk Awareness
1) Model Hallucination: Generative AI models often generate plausible-sounding yet false information, which can mislead users and propagate misinformation. The Guideline mandates the implementation of automated fact-checking mechanisms, probabilistic scoring, and clear user warnings accompanying AI-generated content. In high-risk contexts, it is recommended to restrict the autonomous operation of such models without human validation.
2) Data Leakage: When training models on large datasets, particularly scraped or user-contributed content, there exists a risk of inadvertently exposing confidential or personally identifiable information. The Guideline stresses the importance of pre-training data vetting, end-to-end encryption, secure data silos, and frequent privacy impact assessments.
3) Model Bias and Inaccuracy: Since generative AI outputs reflect their training data, unintentional biases and systemic inaccuracies can perpetuate social inequalities or misinform decision-makers. Stakeholders are instructed to routinely audit model behavior for fairness, retrain with diverse datasets, and establish redress mechanisms for affected parties.
2. Governance and Ethical Principles
1) Legality and Regulatory Alignment: AI implementations must comply with foundational statutes, particularly the Personal Data (Privacy) Ordinance (Cap. 486) and the Copyright Ordinance (Cap. 528). The Guideline advises legal counsel review for AI projects to ensure cross-jurisdictional compliance and ethical sourcing of training content.
2) Transparency and Explainability: AI systems should offer understandable explanations of their functions, limitations, and output rationale. Especially for automated decisions with legal or financial impact, users must be empowered to request explanations or human override. Clear, non-technical documentation is required.
3) Security and Robustness: Developers must design AI systems to withstand cyber threats and manipulation. The Guideline promotes penetration testing, adversarial training, and AI-specific incident response plans. Resilience to model inversion, data poisoning, and unauthorized prompt injection is paramount.
4) Accountability and Responsibility: A robust accountability framework necessitates tracking system decisions to responsible entities. The Guideline calls for transparent chain-of-responsibility logs, clear roles in collaborative AI projects, and independent ethics oversight for high-impact applications.
5) User Empowerment and Consent: Informed consent is critical in AI applications involving user data or personalization. Consent interfaces must be granular, allowing users to opt in or out of specific data uses, and withdrawals must be easy and honored promptly.
6) Sustainability and Social Good: The energy and environmental costs of training large models are increasingly scrutinized. The Guideline encourages sustainability reporting and the prioritization of AI use cases that demonstrably enhance social welfare, such as accessibility tools, public health applications, and environmental monitoring.
3. Operational Guidance and Implementation Practices
1) Risk and Impact Assessment (RIA): Organizations must embed risk assessment into the development cycle. A structured methodology for assessing potential social, economic, and legal risks should guide AI system design, deployment, and scaling decisions.
2) Human-in-the-Loop (HITL) Oversight: In domains such as healthcare, education, and legal analysis, human oversight is not optional. AI must augment, not replace, expert judgment. Clear documentation of decision chains and override mechanisms is required.
3) Data Governance and Audit Trails: Effective oversight depends on complete and tamper-proof logs of training data provenance, user inputs, and model outputs. Stakeholders are advised to maintain audit tools capable of reconstructing AI behavior in case of disputes or malfunctions.
4) Content Traceability and Attribution: To mitigate the spread of disinformation and deepfakes, the Guideline advocates for the inclusion of digital watermarks or metadata in AI-generated outputs. Content platforms are encouraged to detect and label such content automatically.
5) Model Versioning and Update Logs: Frequent updates to AI systems necessitate version control and detailed documentation. Any substantive change must be evaluated for risk implications, and deployment records must be auditable by regulators.
6) Public Disclosure and Usage Notices: Any interaction where the public or consumers are exposed to AI-generated content or decisions should include clear disclosures. Where AI augments human agents, users should be aware of the nature and limitations of the system involved.
II. Impact Analysis
1. For Technology DevelopersDevelopers are expected to build systems that are safe, secure, and socially responsible by design. Ethical-by-design principles must be operationalized through code audits, impact assessments, and internal ethics training. Transparent documentation and open channels for whistleblowing are encouraged to address misconduct or unintended harm. 2. For Service ProvidersService providers are required to integrate AI governance into operational workflows. They must support end-user rights, establish compliance reporting routines, and invest in staff training to understand AI system constraints. Providers serving regulated industries will face additional scrutiny. 3. For Service UsersUsers, especially institutional adopters, must exercise caution in deploying generative AI. The Guideline emphasizes digital literacy, appropriate use cases, and awareness of ethical pitfalls. Personal and organizational users alike bear responsibility for ensuring their use of AI aligns with applicable standards. 4. Sector-Specific Implications: 1) Financial Services: Need to ensure AI-driven decisions are explainable, non-discriminatory, and auditable. 2) Healthcare: Must protect patient data, ensure clinical oversight, and validate AI tool accuracy. 3) Education: Should focus on transparency, fair access, and the use of AI to enhance learning, not monitor or control behavior unfairly. [Comment]The Hong Kong Generative Artificial Intelligence Technical and Application Guideline not only provide an institutional foundation for Hong Kong in global AI governance and a model for other rule of law societies, but also signify that Hong Kong has proactively tackled major challenges related to data privacy, ethical hazards, system transparency, dissemination of misinformation, and algorithmic accountability against the backdrop of the rapid development of global generative artificial intelligence (AI) technologies. As AI applications continue to evolve, regular reviews, international coordination and public engagement will be key pillars to ensure the continued effectiveness of the guidelines.
1. For Technology DevelopersDevelopers are expected to build systems that are safe, secure, and socially responsible by design. Ethical-by-design principles must be operationalized through code audits, impact assessments, and internal ethics training. Transparent documentation and open channels for whistleblowing are encouraged to address misconduct or unintended harm. 2. For Service ProvidersService providers are required to integrate AI governance into operational workflows. They must support end-user rights, establish compliance reporting routines, and invest in staff training to understand AI system constraints. Providers serving regulated industries will face additional scrutiny. 3. For Service UsersUsers, especially institutional adopters, must exercise caution in deploying generative AI. The Guideline emphasizes digital literacy, appropriate use cases, and awareness of ethical pitfalls. Personal and organizational users alike bear responsibility for ensuring their use of AI aligns with applicable standards. 4. Sector-Specific Implications: 1) Financial Services: Need to ensure AI-driven decisions are explainable, non-discriminatory, and auditable. 2) Healthcare: Must protect patient data, ensure clinical oversight, and validate AI tool accuracy. 3) Education: Should focus on transparency, fair access, and the use of AI to enhance learning, not monitor or control behavior unfairly. [Comment]The Hong Kong Generative Artificial Intelligence Technical and Application Guideline not only provide an institutional foundation for Hong Kong in global AI governance and a model for other rule of law societies, but also signify that Hong Kong has proactively tackled major challenges related to data privacy, ethical hazards, system transparency, dissemination of misinformation, and algorithmic accountability against the backdrop of the rapid development of global generative artificial intelligence (AI) technologies. As AI applications continue to evolve, regular reviews, international coordination and public engagement will be key pillars to ensure the continued effectiveness of the guidelines.