Nearly 70% of organizations recognize that using AI in their operations poses significant privacy risks, highlighting the pressing need to address these concerns.
Source: Hong Kong Enterprise Cyber Security Readiness Index and AI Security Survey 2024
What are the Guidelines for the Use of GenAI by Employees?
In March 2025, Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) published a checklist for use by organizations where employees are beginning to utilize Generative AI (GenAI) tools. The publication, titled ‘Checklist on Guidelines for the Use of Generative AI by Employees’ (‘Guidelines’), aims to facilitate the safe and healthy development of AI in Hong Kong and to help organisations develop internal policies or guidelines while complying with the requirements of the Personal Data (Privacy) Ordinance.
The PCPD's recommended coverage of policies is based on:
- Scope: Indicate clearly which GenAI tools are permitted for use, what specific tasks are allowed, and whether the policy applies to certain departments, roles or the whole organization.
- Personal Data Privacy Protection: Define what type of information can be input into GenAI tools, what the permissible purpose of the output is, how this information can be stored, and whether the tool use is aligned with other personal data handling and information security policies in place.
- Lawful, Ethical Use and Prevention of Bias: Require proof-reading, fact-checking by humans, and set correction or reporting mechanisms when output is biased or discriminatory.
- Data Security: Specify the permitted devices, users, and security settings for GenAI tool use. Further, set out in an AI Incident Response Plan the requirements to report any breach of data, security or privacy laws involving GenAI use, input or output.
- Violation of Policies: Set out possible consequences of violation of GenAI policies by employees.
The Guidelines also offer practical tips on supporting employees in using GenAI tools, as seen in AI Asia Pacific Institute’s reference image below:
Current Regulatory Landscape in Asia Pacific for GenAI Use
The regulatory landscape across the region reveals a patchwork of approaches, each reflecting local governance structures, and below is a glance at some major players:
China, as early as October 2023, introduced the “Global AI Governance Initiative”, which proposes principles such as “people-centred, AI for good” while emphasising the equal importance of the development and security of AI (Ada Chung at HK-Lawyer, May 2025).
Singapore mainly incorporates the AI regulation into sector or industry regulatory departments, implementing governance by issuing non-binding guidelines and recommendations. The Infocomm Media Development Authority (IMDA) and the Personal Data Protection Commission (PDPC) lead these efforts, responsible for communication and personal data protection respectively (HK Gen AI Tech Appl Guideline, Digital Policy Office, HK, April 2025).
Malaysia currently lacks specific AI legislation, and although the AI Roadmap’s Seven AI principles are not legally obligatory, the AI guidelines urge AI developers and deployers to embrace them as an industry best practice. https://mastic.mosti.gov.my/publication/the-national-guidelines-on-ai-governance-ethics/
Thailand released Guidelines for Applying GenAI with Good Governance for Organizations on October 30, 2024, with the Ministry of Digital Economy and Society (MDES) and the Electronic Transactions Development Agency (ETDA) spearheading the initiative. https://www.etda.or.th/th/pr-news/AI_Gov_Anual.aspx and https://opengovasia.com/2024/10/31/thailand-guidelines-for-responsible-generative-ai-use/
Vietnam is developing comprehensive AI policies with plans to reportedly build an AI Center by 2030, signaling strong government commitment to AI development and governance.
Lastly, ASEAN has developed the AI Risk Impact Assessment Template as part of the Guide on AI Governance and Ethics, providing a regional framework for member states to adopt (ASEAN Guide, 2024). Further, the AI Asia Pacific Institute published the discussion paper endorsed by ASEAN on the ‘Responsible Development and Use of Generative AI in ASEAN’.
Effect of Hong Kong’s Gen AI Guidelines on Regional Countries
With the release of the Guidelines, Hong Kong has announced that a proactive approach to managing the use of GenAI is the need of the hour. This move has the potential to influence neighbouring jurisdictions, where shared data privacy regulations are in effect, to adopt similar frameworks.
By linking AI technology uptake with National Security concerns, the PCPD highlights the broader implications of AI misuse due to inadequate policies and guidelines. Other countries in the region can be driven to adopt the security-focused benchmark set by Hong Kong, placing robust national interests alongside technological advancements.
By virtue of interconnected economies in the region, neighbouring countries will be encouraged to emphasize lawful and ethical use of GenAI as advocated in the PCPD’s Guidelines with the prevention of bias and discrimination, need for accuracy and fact-checking, and labeling AI usage.
Less than 30 per cent of organisations in Hong Kong have established guidelines for employees using artificial intelligence (AI), the city’s privacy commissioner has said, urging companies to avoid inputting sensitive data into such tools as much as possible.
Recommendations by AIAPI
Adopt Regulatory Best Practices from Advanced Economies
Hong Kong’s Innovation and Technology Blueprint provides a framework for developing economies to adapt based on local resources and priorities. It is worth noting the value of achievable, clear directives in checklist format before advancing to complex regulatory structures.
Environment of Knowledge Sharing
The released guidelines are a great starting point to emulate, but the PCPD’s continued success is assured by offering private sector organizations informative seminars, an AI hotline, and training sessions on request. Regulatory success requires ongoing support, resources and engagement with GenAI adopters in the early transformative years.
Foster Private-Public and North-South Collaboration
Effective AI governance requires dialogue between government agencies, private sector organizations, and civil society.
Challenges, Considerations and Context
AI Guidelines such as those released by Hong Kong often emerge from broader data security policies, such as the AI Plus Initiative, the country’s strategy to integrate artificial intelligence (AI) into various sectors and industries. This demonstrates that successful AI governance requires integration with existing national frameworks, data policies and sectoral regulations.
In order for developing economies to emulate Hong Kong’s Guidelines, they must aim, hand in hand, to have robust national data privacy regulations in place. Without baseline protections, guidelines may lack enforcement mechanisms and legal backing.
Further, successful adoption of such GenAI policies requires proactive measures taken at the organization level. The PCPD Guidelines are intended to be customized to an organization’s existing internal policies, values and mission. The PCPD recommends regularly reviewing and updating organizational AI policies to accommodate operational and technical changes as good practice.
A final key consideration is resource and commitment limitations in the Global South economies. The Hong Kong government reiterated its dedication to advancing AI development, recognising AI as a core driver of new quality productive forces. To that end, the government’s HK$1 billion investment in AI research and development and in various AI initiatives shows substantial commitment (Ada Chung at HK-Lawyer, May 2025).