Skip to main content

Clifford Chance

Clifford Chance
All
Tech<br />

Tech

Talking Tech

Tech Policy Unit Horizon Scanner

June 2025

Artificial Intelligence Data Privacy Cyber Security 14 July 2025

As digital technologies become more woven into government, business and daily life, regulators worldwide are stepping in, some more cautiously than others, to steer their development. June’s policy activity however underscores a growing consensus that oversight must now keep pace with innovation.

Across Asia, governments are tightening rules not only for AI but also for data protection, digital lending and cross-border data flows. China is accelerating industrial digitalisation through targeted sectoral blueprints. In Africa, a distinct regulatory voice is emerging, from Egypt’s investment in 5G infrastructure to South Sudan’s call for global norms on AI and space science.

Europe and the United States have shifted their emphasis to implementation and enforcement. The EU is publishing detailed guidance on platform accountability under the Digital Services Act, while US agencies craft sector-specific rules for high-risk AI. In the United Kingdom, the Data (Use and Access) Act received Royal Assent, introducing new provisions on lawful processing, secondary use and international transfers. Meanwhile, Middle Eastern states are directing substantial capital towards digital resilience and workforce development.

The direction of travel is clear: a more permissive era of digital experimentation is giving way to one of structured accountability, extending beyond AI to the entire digital economy.

APAC (excluding China)

Hong Kong

Privacy Commissioner for Personal Data (PCPD) Unveils 'AI Security' Thematic Website for Privacy Awareness

On 9 June 2025, the Office of the PCPD launched an 'AI Security' thematic website during Privacy Awareness Week 2025. This platform offers comprehensive access to the PCPD's guidance on AI, educational resources, global regulatory updates, and news on AI security initiatives. It provides the public and organisations with practical AI usage tips and insights into the latest AI governance developments in Hong Kong and globally.

PCPD Stresses Need for Internal AI Policies in Organisations

On 9 June 2025, The Office of the PCPD issued a letter highlighting the importance of organisations developing internal AI usage policies to safeguard personal data privacy and protect organisational interests. The PCPD provided a 'Checklist for Employee Use of Generative AI' to assist compliance with the Personal Data (Privacy) Ordinance, addressing AI use, data privacy, ethics, security, and policy breach consequences. The checklist recommends specifying AI tools and purposes, defining data input types, and anonymising personal data where possible, emphasising the role of internal policies in effective AI governance.

India

Reserve Bank of India (RBI) Enforces Reporting Rules for Digital Lending Activities

On 15 June 2025, new reporting requirements under the RBI's Digital Lending Directions were imposed on regulated entities such as banks, financial institutions and non-banking financial companies. These Directions require regulated entities to ensure their digital lending apps are connected to the regulated entity's website for privacy terms, appoint grievance redressal officers and adhere to data compliance. Other requirements include maintaining a detailed privacy policy, storing data on Indian servers and offering borrower consent options. Any data processed abroad must be erased and transferred back to India within 24 hours.

Japan

Personal Information Protection Commission's (PPC) 2024 Annual Report Highlights Supervisory Efforts and Breach Handling

On 10 June 2025, the PPC released its 2024 annual report, detailing its supervisory and monitoring activities, including the triennial review of the Act on the Protection of Personal Information and discussions on cross-border data transfers with the European Union (EU), United Kingdom (UK) and Singapore. The report also covers the PPC's handling of breach notifications, guidance, advice, and on-site inspections, noting that it processed 19,056 breach notifications in 2024, with 14,198 reported directly and 4,858 through delegated ministries and agencies.

Japan Enacts AI Promotion Act to Boost R&D and Utilisation

On 4 June 2025, Japan's Act on the promotion of research, development and utilization of AI came into force. It mandates both national and local governments to formulate and implement policies that actively support AI research, development and responsible use. Businesses are urged to improve efficiency and innovate new industries through AI, aligning with government policies. The AI Strategy Headquarters within the Cabinet is responsible for preparing and promoting a basic plan for AI technology advancement, including guidelines and comprehensive measures, to coordinate key policies for AI promotion in Japan.

Japan's PPC Issues Draft Guidance on APPI Compliance

On 28 May 2025, Japan's PPC released draft guidance to help organisations comply with processing principles under the Act on the Protection of Personal Information (APPI). The draft addresses differences in processing principles between private and public sectors, emphasising the necessity, appropriateness, and lawfulness of processing personal data. It also covers processing relevance and scope, security measures, data subject involvement, and transparency, with materials available in Japanese.

Singapore

Singapore Personal Data Protection Commission (PDPC) Unveils Practical Guide to Data Anonymisation

On 11 June 2025, Singapore’s PDPC released a new guide on anonymisation. The guide offers a clear five-step approach for organisations to anonymise personal data effectively, focusing on understanding data contexts, removing direct identifiers, applying suitable anonymisation techniques and managing ongoing re-identification risks. It aligns closely with the ISO/IEC 27559 standard, emphasising the importance of tailoring anonymisation to specific use cases, conducting regular risk assessments, and maintaining transparent documentation.

The PDPC’s guidance aims to help firms safeguard privacy while preserving the usefulness of data.

China

Chinese authorities release Implementation Plans for Digital Transformation Across Multiple Industries

On 27 May 2025, 10 June 2025, and 18 June 2025, the Ministry of Industry and Information Technology and several other departments jointly released the Implementation Plan for the Digital Transformation of the Electronics and Information Manufacturing Industry, the Implementation Plan for the Digital Transformation of the Food Industry, and the Implementation Plan for the Digital Transformation of the Textile Industry. The plans aim to drive digital transformation across key industries and advance the objectives set by the National Conference on Promoting New Industrialization.

Chinese authorities release Consultation Papers on the Security of Automotive Data Outbound Policies

On 13 June 2025, the Ministry of Industry and Information Technology and seven other departments released the Guidelines for the Security of Automotive Data Outbound (2025 Edition) (Consultation Paper).

The draft specifies (i) the exemption scenarios for automotive data outbound (ii) refines the scope of important data subject to declaration for data outbound security assessment (iii) puts forward more specific requirements for data outbound security protection, and (iv) provides reference guidance for the filing of important data in cross-border data flows of the automotive industry.

People's Bank of China (PBOC) releases the Measures on Cybersecurity Incident Report in PBOC Business Areas

On 30 May 2025, the PBOC released the Measures on Cybersecurity Incident Report in PBOC Business Areas. The measures aim to further regulate the reporting of cybersecurity incidents in business areas such as monetary credit, cross-border RMB, interbank markets, and anti-money laundering. The measures set out more granular reporting requirements for financial institutions to comply with. Moving forward, PBOC will provide more guidance for in-scope financial institutions to report cybersecurity incidents in a timely and accurate manner, reduce the losses and harm caused by cybersecurity incidents, and strengthen cybersecurity defence in the financial sector. The measures will take effect from 1 August 2025.

Europe

European Union

CNIL publishes recommendations on using legitimate interest for AI development, including web scraping in anticipation of AI Act

On 19 June 2025, France’s data protection authority CNIL released new recommendations on the use of “legitimate interest” as a legal basis for developing AI systems, following a public consultation. The guidance builds on European Data Protection Board (EDPB) Opinion 28/2024 and clarifies that AI development does not always require user consent under the EU GDPR. The CNIL outlines conditions under which legitimate interest can apply, notably in the context of web scraping, and provides concrete safeguards—such as increased transparency, excluding certain data from collection, and facilitating users’ rights.

CNIL continues in its collaboration with the EDPB and the European Commission’s AI Office to ensure alignment with upcoming AI Act rules, such as transparency obligations, data governance requirements and risk management and the development of best practices for general-purpose AI.

You may like to read our article on the CNIL updated guidance where we explore this in more detail.

European Council and European Parliament reach provisional deal to streamline cross-border GDPR enforcement

On 16 June 2025, the European Council and European Parliament agreed on new rules to improve cross-border GDPR enforcement. The rules aim to harmonise procedural steps across Member States, aligning complaint admissibility criteria and ensuring equal treatment. It strengthens procedural rights by informing complainants of rejections and allowing both parties to comment on preliminary findings. Binding deadlines are set at 15 months for regular investigations (extendable by 12 months for complex cases) and 12 months for simpler procedures. An early resolution mechanism and simplified cooperation procedure are included to expedite non-contentious cases. The rules now await formal adoption.

European Commission launches stakeholder consultation on classification and compliance of high-risk AI systems under AI Act

On 6 June 2025, the European Commission launched a six-week public consultation on implementing AI Act rules for high-risk AI systems. This will support the development of guidelines required by Article 6(5) of the AI Act, which are due by 2 February 2026.

The consultation seeks feedback on use cases, classification issues, and implementation challenges. Stakeholders have until the 18 July 2025 to participate.

EDPB adopts final guidelines on third country data requests and reviews GDPR record-keeping simplification proposal

On 5 June 2025, the EDPB published the final version of its guidelines on GDPR Article 48, clarifying how organisations should handle personal data requests from third country authorities. The guidelines confirm that such requests are generally not enforceable in the EU without an international agreement or appropriate legal safeguards and offers practical clarifications following public consultation - particularly on the roles of processors and cross-border corporate structures. Finally, the EDPB discussed the European Commission’s request for a joint opinion - alongside the EDPS - on a proposed simplification of GDPR Article 30 record-keeping obligations for SMEs and small-mid cap entities. The joint opinion is expected within eight weeks.

United Kingdom

The Data (Use and Access) Bill receives Royal Assent and becomes law

On 19 June 2025, the Data (Use and Access) Bill received Royal Assent and became law, introducing changes to the UK data protection framework. The Act sets out recognised grounds for data processing, conditions for secondary use, and new requirements for responding to subject access requests and automated decision-making. It also establishes safeguards for international data transfers, ensuring protection standards align with those in the EU. The Information Commissioner's Office (ICO) has issued additional guidance to support organisations in understanding and complying with the new requirements.

The ICO publishes draft guidance on Internet of Things (IoT) products and services

On 16 June 2025, the ICO published draft guidance on IoT products and services to help manufacturers and developers of smart devices comply with data protection law. The guidance addresses issues including the types of data processed by IoT devices, lawful and fair processing, transparency, security measures, and data subject rights. It also provides practical examples to support compliance and highlights accountability concerns, particularly where children are involved. The ICO is consulting on the draft guidance until 7 September 2025.

The Office of Communications (Ofcom) publishes strategic approach to AI for 2025/26

On 6 June 2025, Ofcom published its strategic approach to AI for 2025/26, setting out plans to support innovation and manage AI-related risks across telecoms, online safety, broadcasting, spectrum, and postal services. The strategy includes research support through technical sandboxes, data publication for model training, collaboration with regulators, and engagement with platforms on content moderation. Ofcom also outlines sector-specific initiatives, such as AI safety tech for online harms, AI use in telecom networks, broadcasting guidance and spectrum planning improvements.

The ICO publishes strategy on AI and biometrics

On 5 June 2025, the ICO published its strategy on AI and biometrics, outlining plans to address public concerns around foundation models, automated decision-making in recruitment and public services and the use of facial recognition by law enforcement. The strategy includes updating automated decision making (ADM) guidance, developing a statutory AI code of practice, setting expectations for responsible ADM use and assessing the data protection risks of agentic AI.

Americas

The United States of America

Texas passes the "Texas Responsible Artificial Intelligence Governance Act"

On 2 June 2025, the Texas legislature enacted the Texas Responsible Artificial Intelligence Governance Act (the TX Act). Unlike the Colorado AI Act (see our article: Colorado's New Comprehensive AI Legislation: Decoding SB 24-205: Colorado’s New AI Legislation), which was the first comprehensive AI law in the United States and which focuses on “high-risk” AI systems, the TX Act applies broadly to any individual or entity that develops, operates, or deploys any AI system within the state.  It also goes into effect earlier than Colorado's AI law—on January 1, 2026.  Among other requirements, the TX Act prohibits several uses of AI outright, including social scoring by government entities and unconsented biometric surveillance. AI-generated “dark patterns” that promote self-harm, facilitate criminal activity, or generate sexually explicit content are also prohibited.

The TX Act establishes the Texas AI Council to oversee its implementation and creates a Regulatory Sandbox Program to allow developers to test AI systems in controlled environments without immediate regulatory penalty. Although the TX Act does not create a private right of action, it authorizes the Texas Attorney General to issue investigative demands to enforce compliance.

US House passes a 10-year moratorium on state-level AI regulation

On 22 May 2025, the U.S. House of Representatives recently passed the One Big Beautiful Bill Act.  Buried within legislation about tax policy, one of the Act's provisions aims to halt state regulation of AI for 10 years. Currently under review with the Senate, the Act is the centre of a political battle in which politicians and experts are disputing its efficacy.

One important area of controversy concerns the growth of data centres, which many states oppose. If the moratorium blocks states from challenging data centre construction, data centres may proliferate. This would, in turn, lead to destabilizing environmental, economic, and social impacts.

Middle East

United Arab Emirates

DGHR collaborates with Dubai AI Campus to accelerate AI-driven workforce development

On 13 June 2025, the Dubai Government Human Resources Department (DGHR) signed a Memorandum of Understanding with Dubai AI Campus, a DIFC initiative (the largest dedicated hub for AI companies in the UAE). It aims to advance the development of human capital and to improve the workforce in the public and private sectors.

A key element under this partnership is the “AI for Civil Service” program; it aims at upskilling government employees by training them in using generative AI technologies to enhance public services.

The parties of the Memorandum will also implement a series of tailored training programs, offer mentorship opportunities as well as networking and knowledge exchange.

Cybersecurity Drill in Abu Dhabi Healthcare Sector 

On 30 May 2025, the Department of Health in Abu Dhabi, in partnership with the UAE Cyber Security Council, ran a sector-wide cybersecurity drill to test and strengthen digital resilience in healthcare. The simulation focused on real-world cyber-attack scenarios, evaluating incident response protocols and communication effectiveness under pressure.

UAE and USA establish AI acceleration partnership

On 15 May 2025,  the UAE and US governments announced on a new bilateral framework, titled  “US-UAE AI Acceleration Partnership” to deepen cooperation on critical and emerging technologies, with a focus on AI infrastructure. The US and UAE also agreed to jointly launch a 1GW AI data centre in Abu Dhabi - the first phase of a planned 5GW AI technology cluster.  The two governments will collaborate to enhance Know-Your-Customer protocols (KYC) so to monitor the access to the concerned compute resources.

Africa

South Sudan

South Sudan Urges Laws on AI and Space Development

On 24 June 2025, South Sudan called for the development of global legislation to guide the responsible use of AI and space science. The announcement followed the country’s participation in the St. Petersburg International Economic Forum (SPIEF) in Russia. The framework, supported by the South Sudan Media Authority and the Ministry of Telecommunications, emphasises AI’s central role in the digital economy and advocates for proactive governance. Officials highlighted the need to embrace AI’s potential while addressing associated challenges. As part of the initiative, South Sudan also proposed the establishment of a national data centre to support digital transformation and AI infrastructure development. The proposal aims to position the country for long-term technological growth and global collaboration.

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.

Toolkits & Client Log-in