AI & Agentic Economy Legal Services in Hong Kong

Liability for AI-caused harm in Hong Kong is currently determined by applying established legal principles — contract, tort, and negligence — to AI-specific facts. There is no dedicated AI liability statute in Hong Kong. Where an AI system causes harm, liability may attach to the developer (for defective design or code), the deployer (for improper use or inadequate oversight), or the operator of the platform on which the AI runs, depending on the contractual structure and the nature of the failure. In agentic systems that take actions autonomously — placing orders, executing transactions, sending communications — the question of whether a legally binding obligation was created, and who bears responsibility for consequential loss, turns on principles of agency, authority, and the specific terms governing the AI's deployment. We advise clients on structuring these arrangements to ensure clear allocation of risk before an incident occurs.

Hong Kong does not yet have a comprehensive AI-specific statute. AI deployment is instead regulated through a patchwork of existing laws — the Personal Data (Privacy) Ordinance (PDPO) for data processing, the Securities and Futures Ordinance (SFO) for AI used in financial services, the HKMA's guidelines for AI in banking, and sector-specific codes and circulars issued by the SFC and HKMA. The Privacy Commissioner has issued guidance on AI and privacy, and the government has published a set of non-binding AI principles. For financial institutions, the SFC and HKMA have been active in setting out supervisory expectations for the use of AI in regulated activities, and non-compliance can have licensing consequences. We anticipate increased legislative activity in this space and advise clients to build governance frameworks that will be robust regardless of how the regulatory landscape develops.

Both the SFC and HKMA have issued guidance on the use of AI by regulated entities. Key themes include: explainability and accountability (firms must be able to explain AI-driven decisions to regulators and clients), human oversight (AI must operate within approved risk parameters with human review of outputs), model risk management (firms must validate, test, and monitor AI models on an ongoing basis), and data governance (training data must be accurate, unbiased, and handled in accordance with applicable privacy obligations). For asset managers using AI in portfolio management, the SFC's circular on algorithmic trading and AI is directly relevant. For banks, the HKMA's Supervisory Policy Manual and its "Regtech" circulars set out supervisory expectations. Firms deploying AI in regulated activities should maintain detailed documentation of model design, testing, and ongoing monitoring to demonstrate compliance.

Under Hong Kong law, copyright subsists in works that are original and the product of human authorship. AI-generated outputs — where there is no identifiable human author exercising skill and judgment — may not attract copyright protection at all, leaving the output in the public domain. Where a human directs or curates the AI's output to a sufficient degree, copyright may vest in that person. The position is nuanced and depends on the level of human creative input. For businesses generating content, software, designs, or training data using AI, the implications for IP ownership, licensing, and the ability to enforce rights against infringers are significant. We advise clients on structuring AI development agreements, work-for-hire provisions, and IP assignment clauses to ensure the intended allocation of rights is achieved and enforceable.

Commercial contracts involving AI require careful attention to liability allocation, particularly where the AI operates autonomously or its outputs inform consequential decisions. Key provisions include: scope-of-use restrictions (defining permitted and prohibited uses of the AI), output disclaimers (clarifying that AI-generated outputs are not professional advice and must be verified), indemnity clauses (allocating responsibility for AI errors between developer, deployer, and end user), limitation of liability caps (often heavily negotiated in AI deployment agreements), and audit and inspection rights (allowing regulators or counterparties to review AI governance). In agentic contexts — where the AI may enter into contracts, place orders, or take actions — the agreement must address whether AI actions bind the principal and under what circumstances. We draft and negotiate these provisions regularly for both AI vendors and their enterprise customers.

Yes. The PDPO applies wherever an AI system collects, stores, uses, or processes personal data relating to identifiable individuals. This is directly relevant for AI systems that process customer data, train on user inputs, generate profiles, or make automated decisions about individuals. Key obligations include: the data protection principles (requiring lawful collection, limited retention, and appropriate security), data subject access rights (individuals may request access to personal data held about them, including data used in AI profiling), the restriction on use beyond the original collection purpose, and notification requirements where data is used in automated decision-making. The Privacy Commissioner's 2021 guidance on AI and privacy sets out recommended safeguards, including human oversight of automated decisions and transparency to individuals about how their data is being used. Non-compliance can result in enforcement action and reputational damage.