Corporate Governance 2026

HONG KONG SAR, CHINA Law and Practice Contributed by: Vincent Lung and Mike Yeung, Parkside Chambers

guidance, the Digital Policy Office’s Ethical AI materi - als and sector-specific guidance from financial regu - lators. The PCPD’s framework encourages organisations to establish governance structures, conduct risk assess - ments, determine human oversight, manage data quality and provide training. Generative AI Guidance In March 2025, the PCPD published guidance to help organisations develop internal policies on employees’ use of generative AI at work. The guidance is intended to assist organisations in complying with the Personal Data (Privacy) Ordinance when employees use gen - erative AI. In April 2025, the Digital Policy Office released a Hong Kong Generative Artificial Intelligence Technical and Application Guideline. Government materials state that it provides practical operational guidance and addresses risks including data leakage, model bias and model errors. Key Risks AI use-related risks include: • inaccurate or hallucinated outputs; • unfair or biased outcomes; • privacy breaches; • leakage of confidential information; • cybersecurity vulnerabilities; • IP infringement;

Management should maintain an AI inventory, approve use cases, implement policies and monitor compli - ance. Legal, compliance, procurement, data protec - tion and cybersecurity teams should review higher- risk AI tools. Internal audit should provide assurance where AI use is material. 8.3 Liability Exposures Arising From AI Use Main Liability Exposures The main exposures include data privacy breaches, cyber incidents, misuse of confidential information, misleading outputs, discriminatory outcomes, intel - lectual property infringement, breach of contract, employment claims, consumer harm, regulatory breaches and reputational damage. For listed companies, AI may also create disclosure risk. If AI is material to the business, inaccurate public statements about AI capability, performance, safety, governance or profitability may be misleading. Directors’ and Officers’ Exposure Directors and officers are unlikely to be liable merely because the company uses AI. The risk arises where they fail to exercise reasonable oversight, ignore known risks, approve misleading disclosure or allow inadequate controls. If AI is used in a regulated business, senior manage - ment exposure may be greater. AI-related failures could affect suitability assessments, client advice, AML monitoring, market conduct, insurance under - writing, credit decisions or complaints handling. Data and Privacy Enforcement The Privacy Commissioner may investigate privacy breaches or misuse of personal data. Enforcement may also arise where AI systems process personal data without proper notice, consent, security or pur - pose limitation. Personal data governance is therefore one of the most immediate AI compliance risks in Hong Kong. Other Enforcers Other potential enforcers include HKEX, the Securities and Futures Commission, the Hong Kong Monetary Authority, the Insurance Authority, the Competition

• lack of explainability; • over-reliance by staff; • poor vendor management; and • reputational harm.

Companies should distinguish between low-risk inter - nal use and high-risk use affecting customers, inves - tors, employees or regulated decisions. Allocation of Responsibility The board should approve AI strategy and risk appe - tite where AI is material. The audit or risk committee should oversee controls, assurance, data governance, cybersecurity and incident reporting.

335 CHAMBERS.COM

Powered by