Skip to main content

Clifford Chance

Clifford Chance
All
Tech<br />

Tech

Talking Tech

Tech Policy Unit Horizon Scanner

January 2025

Artificial Intelligence Data Privacy Cyber Security 5 February 2025

Before we get into this month's news – if you're in Paris on 11 February, then come and join us at the AI Fringe for our panel on responsible AI. Details + RSVP here. It's an officially accredited part of the programme running alongside the French Government's AI Action Summit – there will be a lot to talk about…

It has been a dramatic start to 2025. The US announced the $500 billion Stargate Project to revolutionise AI infrastructure. While President Trump revoked President Biden’s 2023 Executive Order on safe, secure, and trustworthy AI and replaced it with his own order, he left standing (for now) Biden’s recent Executive Order on American AI infrastructure which offered considerable federal support to address energy needs for AI data centres.

We have prepared a detailed briefing - President Trump's first 7 days in office: what's out, what's in and what's still in for Tech? exploring the key tech-related developments in President Trump’s first days in office, including his decision to delay the shutdown of TikTok.

DeepSeek made a splash with its new models, and the UK government unveiled its AI Opportunities Action Plan and a £14 billion investment to build AI infrastructure.

South Korea signed into law its Basic Act on Artificial Intelligence and Creation of Trust Base which, amongst other things, mandates risk management and human oversight for ‘high-impact AI’, with specific obligations for transparency and safety. Japan announced it is planning to introduce its own AI legislation, while Kenya ran a public consultation on its National AI Strategy 2025–2030.

Finally, in the data protection sphere, the European Data Protection Board published guidelines on pseudonymization, providing two key clarifications: first, that pseudonymisation does not strip data of its status as personal data, and second, that pseudonymisation can reduce risks and facilitate the use of legitimate interests as a legal basis. On 14 January 2025, Botswana’s Data Protection Act 2024 entered into force, establishing certain requirements for processing sensitive personal data and raising the value of maximum fines.

APAC (excluding China)

South Korea’s AI law signed into law

On 21 January 2025, following its passage by the South Korean National Assembly, the Basic Act on Artificial Intelligence and Creation of Trust Base was signed into law. The Act enters into force on 22 January 2026.

The Act defines 'high-impact AI' as 'an AI system that may have significant effects on or pose risks to human life, bodily safety, or fundamental rights.' It applies to international acts impacting South Korea’s domestic market and users, while it does not apply to national defence and security AI. The Act emphasizes safety, reliability, and transparency, requiring AI business operators to notify users about high-impact and generative AI.

It mandates risk management and human oversight for high-impact AI, with specific obligations for transparency and safety. The Ministry of Science and ICT oversees implementation, including developing a Basic AI Plan every three years. Violations can result in fines and imprisonment. The Act also allows for the establishment of AI ethics committees and outlines future guidance on AI training data and support for SMEs.

Japan plans to introduce AI legislation

On 26 December 2024, at the AI Regulation Study Group, Prime Minister Ishiba urged the relevant ministers to submit a new bill to the Diet which aims at both accelerating AI innovation and addressing associated risks. The ordinary Diet was convened on 24 January 2025, and Prime Minister Ishiba made a speech on the same day, addressing that the government plans to submit an AI legislation bill. The details of the bill have not yet been made public, but it is reported that it will focus on preventing the development or use of AI for illicit purposes.

Singapore issues new code of practice for online safety

On 15 January 2025, the Singaporean Infocomm Media Development Authority (IMDA) published a new Code of Practice for Online Safety for App Distribution Services (ADS). The code will enter into force on 31 March 2025.

The code requires ADS to put system-level safeguards in place to shield users - children in particular - from dangerous information, which is classified into six categories, including violent and sexual content. It specifies responsibilities for user safety, ADS accountability, including the yearly production of a safety report to IMDA, and the reporting and remediation of hazardous content. The code demands clear information for users to understand safety measures and prioritizes prompt action against harmful content, with accelerated processes for child exploitation material.

China

China's Information Security Standardization Technical Committee Releases Guidelines for Protecting Personal Information in Facial Recognition Payment Scenarios

On 26 January 2025, the National Information Security Standardization Technical Committee issued the Cybersecurity Standard Practice Guidelines - Personal Information Protection Requirements for Facial Recognition Payment Scenarios Guidelines. The guidelines provide security requirements for the collection, storage, transmission, export, and deletion of data in facial recognition payment scenarios.

China's Information Security Standardization Technical Committee Releases Consultation Papers of the Artificial Intelligence Security Standards System

On 26 January 2025, the National Information Security Standardization Technical Committee issued the Artificial Intelligence Security Standards System (V1.0) (Consultation Paper). The Artificial Intelligence Security Standards System is designed to implement the "Artificial Intelligence Security Governance Framework."

It addresses three main security risks: model algorithm security, data security, and system security, along with four application security risks: network, physical, cognitive, and ethical domains. The system outlines key standards to prevent and manage AI security risks and aligns with national cybersecurity standards. This approach aims to address risks proactively and support the healthy development of AI technology and applications.

China's Authorities Release a Circular to Promote the Marketization of Data Elements

On 15 January 2025, the National Development and Reform Commission, the National Data Administration, and 4 other authorities jointly issued the Implementation Plan for Improving Data Flow Security Governance and Promoting the Market-Based Allocation and Capitalization of Data Elements.

The Plan estimates that by the end of 2027, a clear data flow security governance system will be initially established. It also prescribes that when disclosing important data, data processors shall comply with laws and regulations to take protection measures and protect national security. Furthermore, it proposes enhancing the security management of public data flow, especially for government data.

Europe

European General Court orders Commission to pay damages for unlawful data transfer

On 8 January 2025, the European General Court (T‑354/22) ordered the EU Commission to pay a data subject €400 in non-material damages due to unlawful transfer of personal data to the United States following the use of the Commission’s websites. The main significance of the ruling lies in the consideration that a transfer may occur even if it is not directly carried out by the processor, but if the conditions for the transfer to take place are created by them.

In this case, the Commission's website enabled a litigant to sign-in via Facebook, resulting in the de facto transfer of the IP address to servers located in the United States, in the absence of an adequacy decision. This decision might be a shake-up regarding the integration of third-party tools that collect and make international transfers of IP addresses unlawfully.

Council adopts new regulation improving cross-border access to EU health data

On 21 January 2025, the EU Council has adopted a regulation on the European Health Data Space (EHDS). The purpose of the EDHS is facilitating access by individuals to their electronic health data with a free of charge right to access. It also provides a framework for the primary use of the data by health professionals and secondary use by researchers and policymakers.

The EHDS aims to harmonise and ensure interoperability of electronic health record systems of member states, which will have to comply with a European record exchange format. The interoperability will make the exchange of the data at the EU level possible, facilitating cross-border digital health services such as telemedicine or mobile health.

Finally, the EHDS provides for additional rules for providers of high-risk AI systems that claim interoperability with software components of electronic health record (EHR) systems. The regulation will soon be formally signed by the Council and the European Parliament. It will enter into force 20 days after publication in the EU’s Official Journal.

EDPB publishes guidelines on pseudonymisation

On 17 January 2025, the European Data Protection Board (EDPB) adopted guidelines on pseudonymisation. Pseudonymisation is a key technical safeguard that may be appropriate and effective to meet data protection obligations. The guidelines provide for two key clarifications: first, that pseudonymisation does not strip data of its status as personal data, and second, that pseudonymisation can reduce risks and facilitate the use of legitimate interests as a legal basis.

Pseudonymisation can also help processors meet their obligations relating to the implementation of key data protection principles, as well as data protection by[FH4]  design and by default. These clarifications are supported by technical measures and safeguards designed to ensure confidentiality through the implementation of pseudonymisation.

UK Government announces AI Opportunities Action Plan

On 13 January 2025, the Prime Minister announced the government was backing all 50 recommendations set out in the AI Opportunities Action Plan in order to “deliver a decade of national renewal”. Key parts of the plan involve establishing new AI Growth Zones to accelerate planning and infrastructure development. Public computing capacity will be increased twentyfold, beginning with the construction of a new supercomputer. A National Data Library will be created to securely unlock public data for AI development. Additionally, an AI Energy Council, led by the Science and Energy Secretaries, will collaborate with energy companies to address energy needs and support the government's goal of becoming a clean energy leader through technologies like small modular reactors.

Furthermore, three major tech companies – Vantage Data Centres, Nscale and Kyndryl – have committed to £14 billion investment to build the AI infrastructure in the UK. The author of the action plan, Matt Clifford, has been appointed as the Prime Minister's advisor on AI to oversee delivery.

UK Government consults on making ransomware payments illegal and mandatory reporting of incidents

On 14 January 2025, the National Cyber Security Centre announced that the Home Office had launched a public consultation on three proposals to tackle the ransomware criminal business model. The proposals are as follows:

  • Implementing a targeted ban on ransomware payments for all public sector bodies and critical national infrastructure, extending the current ban on such payments by government departments.
  • Establishing a ransomware payment prevention regime to enhance the National Crime Agency's awareness of ongoing attacks and ransom demands, offering victims advice before they respond, and blocking payments to known criminal groups and sanctioned entities.
  • Introducing a mandatory reporting system for ransomware incidents.

The consultation is open until 9 April 2025.

Americas

US Supreme Court upholds congressional TikTok ban; President Trump's Executive Order delays app shut down by 75 days

Since the Supreme Court upheld the TikTok ban, American users have faced uncertainty about the app’s future. For a brief period spanning 18 January to 19 January 2025, TikTok went dark in the U.S. for 14 hours. Upon its return online, users were greeted by a message stating, “Thanks for your patience and support. As a result of President Trump’s efforts, TikTok is back in the U.S.”

On 20 January 2025, within hours of assuming office, President Trump issued an Executive Order, Application of Protecting Americans from Foreign Adversary Controlled Applications Act to TikTok. This order delayed the shutdown of TikTok by 75 days to allow the new administration "an opportunity to determine the appropriate course forward in an orderly way that protects national security while avoiding an abrupt shutdown of a communications platform used by millions of Americans." The legality of this workaround may be challenged on constitutional grounds in the coming weeks. For now, TikTok remains operational in the U.S.

President Trump rescinds dozens of President Biden’s executive orders—including a 2023 order on AI

On his first day in office, President Trump rescinded 78 of his predecessor's executive orders and presidential memoranda, including, Executive Order 14110 Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence ("Biden's EO"). Biden's EO required AI developers of systems posing risks to national security, the economy, public health, and public safety to disclose results of safety tests to the federal government before publicly sharing this information. Further, it directed federal agencies to set AI standards and metrics calling for the publication of regulations, guidance and research, which many agencies have actioned.

This step was bolstered by a subsequent Executive Order, Removing Barriers to American Leadership in Artificial Intelligence, which also revoked Biden's EO and called for departments and agencies to suspend, revise or rescind all policies, directives, regulations, orders and other actions that are "inconsistent with enhancing America's leadership in AI."  It requires that within 180 days, various officials submit to the President an action plan to achieve the administration's policy "to sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness, and national security." It also calls for revisions to the United States Office of Management and Budget Memoranda M-24-10 and M-24-18 within 60 days.

These actions may in the longer term affect various Executive Orders and regulations that the Trump administration has not yet revoked, including those the Biden administration undertook during its last weeks. One key example is the Executive Order 14141, Advancing United States Leadership in Artificial Intelligence Infrastructure, which offered federal support to address energy needs for AI data centres, specifically for leasing federal sites owned by the Defence and Energy departments. For now, these initiatives remain as is and in force.

President Trump Signed Executive Order: Strengthening American Leadership in Digital Financial Technology

On 23 January 2025, President Trump signed an Executive Order to position the United States as a leader in digital financial technology. This Order established the Presidential Working Group on Digital Asset Markets, tasked with creating a federal regulatory framework for digital assets, including stablecoins, and exploring the possibility of a national digital asset reserve.

The Order revokes the previous Administration's policies that were considered restrictive to the innovation in the cryptocurrency industry. It underscores the Trump administration's broader effort to provide regulatory clarity, promote economic freedom, and encourage innovation in the digital assets sector.In parallel, the U.S. Securities and Exchange Commission, led by Acting Chairman Mark T. Uyeda, has launched a new Crypto Task Force under Commissioner Hester Peirce. This initiative, known as "Crypto 2.0," aims to establish a clear and comprehensive regulatory framework for digital assets, moving away from an enforcement-centric approach to one that offers practical guidance for registration and compliance.

Middle East

Saudi Arabia has integrated AI into its educational system

The Saudi Ministry of Education and the Saudi Data and Artificial Intelligence Authority (SDAIA) have launched guidelines on the use of AI in the Saudi educational system.

The Guidelines aim to upgrade the quality of education and improve its outputs in an “ethical and responsible” way, empower teachers and prepare students for a tech-driven future.

The guidelines also address certain concerns of the use of AI, such as data privacy, algorithmic bias and transparency.

The Ministry has imposed age-based restrictions on the use of AI. Students under 13 years of age can only use generative AI tools under direct supervision, while under 18 years of age would need a parental consent.

Dubai and UK financial regulators co-publish report on AI

On 27 January 2025, the Dubai Financial Services Authority (DFSA) co-published with the UK Financial Conduct Authority (FCA) a Global Financial Innovation Network (GFIN) report titled 'Key insights on the use of consumer-facing AI in global financial services'. It combines the collective efforts from the members of the GFIN to better understand the opportunities and challenges that AI presents to consumer-facing financial services.

The report outlines key topics such as the transformative role of AI and machine learning, emphasising on their application within risk management, customer service, fraud detection and investment strategies.

Some of the key insights of the report include:

  • There is a growing demand for transparent decision-making processes in automated financial advice.
  • AI’s role in expanding financial inclusion has been clear. It has been helping those who are unbanked and underbanked to access the financial tools needed.
  • AI-powered open finance models present certain challenges, such as those relating to governance, accountability and cybersecurity so there is a need to balance risk and opportunity.

Africa

Botswana’s Data Protection Act 2024 enters into force

On 14 January 2025, Botswana’s Data Protection Act 2024 entered into force. As outlined in November’s Tech Policy Unit Horizon Scanner, the Act establishes a number of changes.

It raises the highest fine to BWP 50 million (approx. £2.9 million) or 4% of the total worldwide annual turnover, whichever is higher. It sets out conditions for the appointment of data protection officers along with their qualifications, duties, and a code of conduct. It establishes certain requirements for processing sensitive personal data, including data revealing racial or ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership. The Act also establishes additional conditions for the lawfulness of processing data including data minimization, accuracy, storage limitation, and accountability.

Kenya consults on National AI Strategy

On 14 January 2025, Kenya’s Ministry of Information, Communications, and Digital Economy announced a public consultation for the National AI Strategy 2025–2030. The draft strategy is structured around three main pillars: AI digital infrastructure, aiming to create accessible and affordable AI infrastructure; data, focusing on building a sustainable data ecosystem for AI and innovation; and AI research and innovation, which involves developing local AI models through research and commercialisation.

The consultation closed on 19 January 2025.

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.

Toolkits & Client Log-in