Skip to main content

Clifford Chance

Clifford Chance
All
Tech<br />

Tech

Talking Tech

Tech Policy Unit Horizon Scanner

February 2025

Artificial Intelligence Data Privacy Cyber Security 14 March 2025

In February, the AI Summit 2025 in Paris brought together global leaders and tech experts to explore the future of AI, focusing on investment and regulatory challenges. Over €109 billion was pledged for AI investment in France and the EU announced a €50 billion initiative. A declaration on "Inclusive and Sustainable" AI, signed by 61 nations, highlighted a commitment to ethical AI development.

Globally, nations continue to navigate AI's complexities. Hong Kong's Securities and Futures Commission focussed on cybersecurity vulnerabilities, prompting calls for stronger measures. Indonesia launched an AI Policy Dialogue aimed at shaping comprehensive regulations across multiple sectors.

Europe continued refining its AI regulatory framework, with the EU Commission issuing guidelines on prohibited AI practices.

The Trump administration announced that they are contemplating tariffs on countries implementing tax policies which target U.S. companies and they also released an AI Action Plan.

In the Middle East, the UAE's cybersecurity strategy and the launch of the Responsible AI Foundation by G42 and Microsoft showed a focus on ethical AI development. Türkiye's guidelines on cross-border data transfers highlight data governance importance.

Africa's growing influence in AI was showcased at the Paris summit, focusing on ethical AI and international cooperation. The launch of the African Network of Cybersecurity Authorities emphasises the continent's proactive stance on digital resilience.


APAC (excluding China)

Hong Kong

Report Published by SFC on Cybersecurity Review of Licensed Corporations

On 6 February 2025, the Securities and Futures Commission (SFC) of Hong Kong released a report on its 2023/24 thematic cybersecurity review, focusing on licensed corporations (LCs) engaged in internet trading. The report acknowledges some advancements in cybersecurity practices but also highlights ongoing vulnerabilities. Key issues identified include inadequate two-factor authentication, outdated software, and poor vendor risk management. The report also underscores significant cyber threats, such as phishing attacks, remote access vulnerabilities, and cloud security risks.

In response, the SFC has recommended the implementation of stronger security measures. Furthermore, the SFC plans to update its Cybersecurity Requirements by 2025 to create a comprehensive framework applicable to all LCs, aiming to enhance overall cybersecurity standards.

Indonesia

Ministry of Communication and Digital Affairs Launches AI Policy Dialogue

On 30 January 2025, the Ministry of Communication and Digital Affairs (Komdigi) revealed plans to engage industry professionals, academics, NGOs, and the public in shaping AI regulations. This initiative, known as the AI Policy Dialogue, aims to explore both the potential and challenges AI presents across multiple sectors such as e-commerce, banking and finance, health, education, the creative economy, and sustainability. The inaugural discussion will focus on the e-commerce sector, setting the stage for subsequent dialogues in other areas. This collaborative approach underscores the government's commitment to developing comprehensive and inclusive AI policies.

Ministry of Communication and Digital Affairs Announces Draft Regulation on Age Limit for Children to Access Digital Platforms

On 7 February 2025, the Ministry of Communication and Digital Affairs (Komdigi) revealed its initiative to formulate stringent regulations aimed at safeguarding children from the adverse effects of the digital realm. These forthcoming regulations will establish age restrictions for accessing digital platforms and categorise these platforms according to their risk levels to determine their suitability for children. Komdigi aims to finalise these regulations within one to two months. Once completed, the regulations will be incorporated into the Draft Government Regulation concerning Child Protection Governance in the Implementation of Electronic Systems. This effort underscores the ministry's commitment to enhancing the safety and well-being of children in the digital environment

Japan

AI Safety Institute Publishes Report Titled 'National Status Report on AI Safety in Japan 2024'

On 7 February 2025, the Japan AI Safety Institute (AISI) published its 'National Status Report on AI Safety in Japan 2024'. The report details AISI's activities since its inception, key events, and future plans.

Highlights include: updating the AI Business Operator Guidelines, developing the "Red Teaming Methodology Guide on AI Safety", a framework for evaluating AI systems' vulnerabilities from an attacker's perspective to enhance security and mitigate risks, and participating in international activities.

Looking ahead, AISI plans to conduct research on AI safety, enhance guidelines, collaborate with international AI safety institutions, and work with the private sector.

Information About DeepSeek's Privacy Policy Published by Japanese Personal Information Protection Commission

On 3 February 2025, the Personal Information Protection Commission (PPC) released details on the privacy policies of Beijing DeepSeek Artificial Intelligence Co., Ltd., Hangzhou DeepSeek Artificial Intelligence Co., Ltd., and their affiliates (DeepSeek). According to the PPC, the privacy policy covers the following:

  • Any data, including personal data, that DeepSeek collects while providing the service will be kept on a server situated in the People's Republic of China.
  • The data will be governed by Chinese laws, including the Cybersecurity Law, Data Security Act, Personal Information Protection Law (PIPL), and the National Information Law of the People's Republic of China

Singapore

AI Governance Initiatives Launched by IMDA

On 11 February 2025, the Infocomm Media Development Authority (IMDA) announced that it had started new AI governance activities. Among the initiatives are:

  • The release of the Singapore AI Safety Red Teaming Challenge Evaluation Report;
  • The Global AI Assurance Pilot; and
  • A joint testing report with Japan.

China

China publishes the Personal Information Protection Compliance Audit Measures

On 12 February 2025, the Cyberspace Administration of China (CAC) released the Personal Information Protection Compliance Audit Measures, which will take effect on 1 May 2025. These measures outline detailed regulations for conducting compliance audits, selecting audit institutions, determining audit frequency, and defining the responsibilities of personal information processors and professional institutions. The goal is to leverage external audit activities as a supervisory tool to enhance the legality and compliance of personal information processing activities and safeguard personal information rights.

China releases the Internet Military Information Dissemination Management Measures

On 8 February 2025, the CAC, along with several other ministries, issued the Internet Military Information Dissemination Management Measures. These measures aim to regulate the dissemination of military information online, promote positive energy, and create a favourable online environment for military-related information. They provide guidelines for establishing military websites, military columns, and military accounts, ensuring compliance with existing regulations.

China publishes the National Data Resources Statistical Survey System

On 21 February 2025,  the National Data Administration and the Ministry of Public Security jointly issued the National Data Resources Statistical Survey System. The system outlines the objectives, scope, content, frequency, and methods of statistical surveys. It aims to comprehensively reflect the national data resources, support policy-making, and enhance industry management. The survey covers data production, storage, computation, circulation, application, and security.

Europe

EU

Paris AI Summit: Key Takeaways on Investment, Regulation, and the Future of Work

On 10 and 11 February 2025, world leaders, tech experts, and AI entrepreneurs gathered at the AI Summit in Paris to discuss the future of AI, focusing on investment and the need for less constraining regulation. The summit aimed to encourage innovation and enhance global, particularly EU, competitiveness. Participants committed to over €109 billion in AI investment in France, while the EU announced a €50 billion initiative to boost innovation.

Discussions centred on reducing regulatory barriers as the AI Act gradually comes into effect, with European leaders seeking alignment with global markets. However, concerns were raised about the lack of safeguards in deregulation efforts. A declaration on "Inclusive and Sustainable" AI was signed by 62 nations, including China and India, although the US and UK abstained, highlighting ongoing global divisions.

The event also underscored the transformative impact of AI on labour markets, especially in the Global South, where adoption rates are accelerating.

EU Commission Publishes Guidelines on Prohibited AI Practices

On 4 February 2025, the EU Commission published  the "Guidelines on Prohibited Artificial Intelligence (AI) Practices," as defined by the EU AI Act. These guidelines aim to identify AI practices that may be prohibited or considered intolerable. The AI Act adopts a risk-based approach, categorising AI systems into four main risk categories: unacceptable risk, high risk, limited risk, and a specific category for those subject to transparency obligations.

The guidelines provide additional context on the specific types of AI practices that would be prohibited, focusing on the most problematic uses, such as social ranking or coercive manipulation. As outlined in Article 5 of the EU AI Act, these practices are prohibited due to the potential risks they pose to European values and fundamental rights.

The principal takeaways are as follows: the prohibition of certain AI practices came into effect on 2 February and may be enforced directly in court. Although non-binding, these guidelines offer valuable insights into the Commission's interpretation of the prohibitions and may influence the enforcement of the AI Act.

Commission Publishes Guidelines on AI System Definition to Facilitate the First AI Act’s Rules Application

On 6 February 2025, the EU Commission published its "Guidelines on AI System Definition." While these guidelines are non-binding, they aim to assist providers and developers in determining whether a software system meets the criteria of an AI system. The definition of an AI system is based on seven criteria: machine-based system, varying levels of autonomy, capability of adaptation, implicit or explicit objectives, inference capability, capability of generating outputs that can influence physical or virtual environments, and the system's interaction with the environment. The Commission aims to differentiate between conventional software and AI systems. Examples of systems outside the scope of the AI system definition include those for improving mathematical optimisation or basic data processing. Interestingly, general-purpose AI models are not covered by these guidelines.

EU Commission Adopts Brand Book for European Common Criteria-Based Cybersecurity Certification Scheme (EUCC)

On 31 January 2025, the EU Commission published a Brand Book providing guidance on the design of the cybersecurity certification mark and labels, in accordance with the EUCC Commission Implementing Regulation of the Cybersecurity Act. This guide defines the conditions under which the EUCC mark and label may be used and provides detailed instructions for designing EUCC-compliant certification marks and labels. By following these guidelines, EUCC certificate holders can ensure a consistent, professional appearance for their products throughout the EU, enhancing their visibility and credibility in the marketplace. High-quality trademark and label files can be downloaded in all EU languages.

EU Advocate General Clarifies Platform Liability in Personal Data Cases (CJEU)

On 6 February 2025, EU Advocate General Maciej Szpunar issued his opinion in case (C-413/23 P, Russmedia Digital and Inform Media Press) before the Court of Justice of the European Union (CJEU) regarding a platform’s liability for third-party personal data disclosures.

The case involves an online marketplace where a user’s photo and contact details were published in a sexually explicit ad without his consent. The Advocate General considers that a platform hosting ads upon user request acts as a processor concerning the personal data contained in the ads. Therefore, the platform is not required to verify the content of the ads or implement security measures to prevent or limit the copying and redistribution of the ads' content. However, the Advocate General considers that the online marketplace acts as a controller concerning the personal data of users that advertisers register on its website. In this context, the Advocate General indicates that online platforms must verify the identity of such user advertisers and implement appropriate technical and organisational measures to ensure the security of processing.

It remains to be seen whether the CJEU will follow this opinion in its final ruling. If so, this decision could redefine platform business models and heighten liability risks related to personal data.

UK

ICO Publishes Guidance on Storing Employee Records

On 5 February 2025, the Information Commissioner's Office (ICO) published new guidance to help employers comply with data protection laws when storing employee records. The guidance covers key areas such as retention policies, handling sensitive health information, and monitoring employees, ensuring that organizations understand their obligations under the UK GDPR and Data Protection Act 2018. This update aims to enhance transparency and protect employee privacy in the workplace.

ICO Launches Direct Marketing Advice Tool

On 5 February 2025, the ICO introduced a new Digital Marketing Advice Tool to assist organisations in complying with direct marketing regulations. This tool, currently in its beta phase, provides tailored guidance on email, SMS, direct mail, social media, telemarketing, and more. By answering a few simple questions, organisations can quickly access relevant advice, ensuring their marketing practices align with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR.

Ofcom Issues New Guidance for Safer Online Spaces for Women and Girls

On 25 February 2025, Ofcom released draft guidance aimed at improving online safety for women and girls. This guidance outlines nine key areas where technology firms need to take proactive measures to protect users from online harms. The guidance focuses on issues such as online misogyny, harassment, domestic abuse, and intimate image abuse. The draft guidance encourages a safety-by-design approach, urging tech companies to embed safety features into their platforms. Practical measures include abusability testing, enhanced account security, and improved reporting tools.

Stakeholders are invited to provide feedback on the draft guidance by 23 May 2025.

Americas

Consideration of Tariffs Against Foreign Tech Taxes

On 21 February 2025, the Trump administration announced that they are contemplating tariffs on countries implementing tax policies which target U.S. companies, focusing on technology companies like Meta and Google. They also announced that the United States State Trade Representative shall consider whether to renew investigations that they opened in 2019 and 2020 against France, Austria, Italy, Spain, Turkey and the UK on their digital services taxes. This is being done with the aim of ensuring American companies' global competitiveness and to protect American intellectual property.

Public Consultation on AI Strategy

The Trump Administration invited public comment on their AI Action Plan on 25 February 2025. The AI Action Plan is the U.S.' new AI strategy, emphasising U.S. leadership in this sector. This initiative aims to develop an "AI Action Plan" within 180 days, incorporating feedback from various stakeholders, which includes academia, industry groups, private sector organisations, and local governments.

Middle East

UAE

Approving 5-year National Cybersecurity Strategy

On 3 February 2025, The UAE Cabinet approved a 5-year National Cybersecurity Strategy built around five key pillars, namely: governance, protection, innovation, establishing and building, and partnership.

The Strategy also aims to set up an effective governance framework for cybersecurity to achieve the following goals:

  • Building a secure and resilient digital environment.
  • Enabling the safe adoption of innovative technologies.
  • Improving national capabilities in relation to cybersecurity.
  • Encouraging partnerships and collaboration on a national and international level.

Launch of the Responsible AI Foundation by G42 and Microsoft

On 9 February 2025, Abu-Dhabi based AI Group, G42, and Microsoft launched the Responsible AI Foundation, aiming to promote responsible AI standards and best practices in the Middle East (in collaboration with Mohamed bin Zayed (the University of Artificial Intelligence)).

The Foundation has two key aims:

·        Advancing technical and ethical principles of responsible AI, by developing AI safety methodologies, bias mitigation techniques, and explainability tools by collaborating with global and regional research institutions. Such efforts will be utilised to produce new AI standards on fairness, transparency, and accountability.

·        Developing frameworks to ensure ethical development and deployment of AI systems, taking into account cultural diversity. This will take the form of designing risk assessment models, external ethics boards, technical audit tools and governance guidelines.

Türkiye

Release of Guidelines on Standard Contracts for Cross-Border Data Transfers

On 5 February 2025, the Turkish Data Protection Authority (KVKK) released guidelines on standard contracts for the international transfer of personal data.

Key points from the guidelines are:

  • Standard contracts must be signed by authorised representatives from both parties. The signatures must appear on the Turkish version (if the contract is in a foreign language).
  • Contracts must be submitted to the authority within five working days, accompanied by supporting documents.
  • Changes to the text of the contract must be limited to optional or alternative clauses.

Africa

African Network of Cybersecurity Authorities (ANCA) Launched

On 4 February 2025, the African Network of Cybersecurity Authorities (ANCA) was officially launched, following the adoption of its constitution and a comprehensive five-year strategy. This initiative, spearheaded by Smart Africa, aims to tackle cross-border cybersecurity challenges and enhance cybersecurity resilience across the continent. ANCA will coordinate cybersecurity policies, legislation, and threat management among African nations.

AI Action Summit Highlights Africa's Role in AI Development

On 11 February 2025, the AI Action Summit 2025, held in Paris, showcased Africa's growing influence in the global AI landscape. African nations, including Ghana, Kenya, and Nigeria, were signatories to the Statement on Inclusive and Sustainable Artificial Intelligence for People and the Planet, emphasising the importance of ethical AI development and international cooperation. The summit also highlighted the potential of AI to address challenges in healthcare, agriculture, and education across the continent.

NDPC Publishes 2024 Annual Report

On 28 January 2025, the Nigeria Data Protection Commission (NDPC) announced its 2024 Annual Report during a press conference for National Privacy Week, coinciding with Global Privacy Day. The Report highlights the NDPC's key achievements, such as issuing guidelines for data controllers and processors, licensing the Institute of Information Management as the national certification body for data protection officers, and launching a responsible data management course for public servants. Additionally, the NDPC registered 246 data protection organizations and 36,052 data controllers, established 8 MOUs, and conducted over 10,467 awareness events. The Report also details ongoing investigations into 213 privacy rights violations.

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.

Toolkits & Client Log-in