Tech Policy Unit Horizon Scanner
March 2025
As we close off the first quarter of 2025, the dominant factor in global policy has been the continuing implementation of President Trump's radical agenda, with dramatic actions on trade policy, Artificial Intelligence (AI) and tech regulation.
Governments and companies around the world are working hard to adjust to this ongoing change. At a technical level, the European Commission, for example, is exploring a more adaptable approach to digital regulation between the EU and the U.S., and China. The EU is also considering the UK's existing data protection rules, and proposed to extend its current data adequacy decisions for the UK by six months, moving the expiration from 27 June to 27 December 2025.
The EDPB also launched its Coordinated Enforcement Framework for 2025, where 32 Data Protection Authorities (DPAs) across Europe will investigate how controllers handle erasure requests under the right to erasure; this is one of the most frequently exercised GDPR rights.
Japan continues to progress regulation on the AI front with a new bill for regulating AI relating to research and development and the utilisation of technologies related to AI.
China has published security measures for managing the application of facial recognition technology, aimed at regulating this technology and protecting individuals' right to privacy.
In the Middle East, cybersecurity and data protection remain a key focus. In Turkey, the cybersecurity law, which aims to protect information systems from cyberattacks, came into force. The Dubai International Financial Centre also opened a consultation on amendments to the Data Protection Law.
Kenya also has AI and cybersecurity at the forefront of its 2025 agenda, publishing a National AI Strategy for 2025-2030 and initiating a public consultation on its National Cybersecurity Strategy for 2025-2029.
Meanwhile, the UK is focusing on growth, with the Information Commissioner's Office announcing new measures in the space of tech regulation to support the government's efforts.
APAC (excluding China)
Australia
Guidance on mitigating denial-of-service attacks released by the Australian Signals Directorate (ASD)
On 17 March 2025, the ASD, in partnership with New Zealand's National Cyber Security Centre (NCSC-NZ), Akamai Technologies Ltd, and Cloudflare Pty Ltd, released guidance on mitigating denial-of-service (DoS) attacks. These attacks can disrupt online services by flooding them with excessive traffic. The guidance suggests implementing network protections, partitioning services, and closely monitoring providers as preventive measures. It also outlines response strategies, such as activating a pre-established response plan, collaborating with service providers, and reporting incidents to ASD and NCSC-NZ for additional support.
Hong Kong
Hong Kong passes the Protection of Critical Infrastructures (Computer Systems) Bill
On 28 March 2025, Hong Kong passed the Protection of Critical Infrastructures (Computer Systems) Bill. The Bill focuses specifically on protecting the security of computer systems within Hong Kong's critical infrastructures and on furthering overall cybersecurity for systems of critical infrastructures.
Japan
Japan's inaugural AI regulations: A pro-innovation approach
On 28 February 2025, the Cabinet of Japan approved a bill for new AI regulations: the Act concerning the Promotion of Research and Development and the Utilisation of Technologies Related to AI. The Japanese regulations are characterised by their soft and high-level approach. The bill's abstract language leaves unclear the extent of governmental authority over business operators. While the bill does not impose direct penalties, it includes a potential 'name and shame' approach, which could impact the reputations of AI developers and users who infringe citizens' rights. The bill could be passed within this year's ordinary Diet session ending 22 June 2025 (unless extended).
You may like to read our article where we explore this bill in more detail.
Japanese government's AI-related guidelines
On 4 March 2025, the Japan Financial Services Agency published an AI discussion paper, which outlines the current state of AI utilisation in financial institutions, highlighting use cases such as operational efficiency, customer service, risk management, and market forecasting. It also examines the implementation status of generative AI, including its scope, customisation, and forms of deployment.
Additionally, the Information-technology Promotion Agency (IPA) has released a draft update to the AI Operator Guidelines Version 1.1, following the sixth working group meeting on 17 March 2025. The updates address key issues such as AI risk identification and classification, considerations for AI-related contracts, enhancements on generative AI, and improvements in AI governance examples and trends. The AI Operator Guidelines are currently considered as key and overarching guidelines applicable to many businesses.
Malaysia
Malaysia's Data Sharing Act 2025 published in Official Gazette
On 20 February 2025, the Data Sharing Act 2025 was officially published following Royal Assent on 5 February 2025. The Act establishes conditions and protections for data sharing among public sector agencies, aiming to enhance policy efficiency, safeguard health and safety, address emergencies, and serve the public interest. It also contains provisions for refusing data sharing requests and measures to ensure data security and privacy, but a commencement date has not yet been set.
Singapore
IMDA issues guidelines to strengthen cloud and data centre security
On 25 February 2025, Singapore's Infocomm Media Development Authority (IMDA) released Advisory Guidelines to bolster the security and resilience of Cloud Services and Data Centres. The guidelines advise Cloud Service Providers on best practices across seven areas, including governance and risk management, while Data Centre Operators are guided through a four-step process to address infrastructure and cyber risks. The aim is to ensure legal compliance, data protection, service availability, and third-party risk management.
China
Chinese authorities publish Administrative Measures on the Security Management for the Application of Facial Recognition Technology
On 21 March 2025, the Cyberspace Administration of China and the Ministry of Public Security jointly issued the Administrative Measures on the Security Management for the Application of Facial Recognition Technology, which will take effect on 1 June 2025. The measures aim to regulate the application of facial recognition technology and protect individuals' right to privacy. The measures require personal information processors that apply facial recognition technology to complete a filing with competent provincial cyber administration agencies within thirty (30) business days when the quantity of processed facial information concerns more than 100,000 individuals.
China's Information Security Standardisation Technical Committee releases guidelines on AI-generated content identification
On 14 March 2025, the National Information Security Standardisation Technical Committee released the Cybersecurity Standards Practice Guide - Identification of AI-Generated Content Service Provider Coding Rules. The guide provides coding structures and rules for AI-generated content service providers and online information content dissemination service providers, aiming to guide the implicit identification of file metadata for AI-generated content.
China's Information Security Standardisation Technical Committee releases draft guidelines on compliance audit service capabilities for personal information protection
On 3 March 2025, the National Information Security Standardisation Technical Committee released the Cybersecurity Standards Practice Guide - Compliance Audit Service Capability Requirements for Personal Information Protection (Draft for Comments). The guide aims to standardise the service capabilities of professional institutions conducting compliance audits for personal information protection and is open for public comments.
Europe
EU Commission launches consultation on Cyber Resilience Act
On 13 March 2025, the EU Commission launched a consultation on a draft implementing regulation of the Cyber Resilience Act (CRA), to specify the technical description of the categories of important and critical products with digital elements. Gradually entering into application from September 2026, the CRA provides for cybersecurity obligations on manufacturers and suppliers of products (including software) with digital elements placed on the internal market. The draft implementing regulation outlines updated conformity assessments for certain products with digital elements, in line with the CRA's requirements. It includes examples such as standalone and embedded browsers, routers, modems, and security boxes, though the list is illustrative rather than exhaustive. Detailed information is provided in the CRA's annexes, which also include definitions for each product category.
Stakeholders are invited to submit comments on the draft until 15 April 2025.
EU proposes extension of UK data adequacy decision amid legal concerns
On 18 March 2025, the EU Commission proposed a six-month extension to the UK's adequacy decision under the EU GDPR and Law Enforcement Directive (LED), prolonging the existing decision until 27 December 2025. This extension will allow time for the Commission to evaluate the impact of the UK's Data Use and Access Bill (DAU) on its data protection laws. The UK's existing data protection rules, deemed adequate in 2021, remain in effect for EU data transfers during this period. After the UK's legislative process concludes, the Commission will assess whether the UK continues to meet EU GDPR adequacy standards and decide whether to renew the adequacy decisions. On a similar topic, the European Parliamentary Research Service (EPRS) released a report on 7 March 2025, highlighting concerns about the UK's adequacy status. The report raised concerns about the DAU Bill, including reduced protections against automated decision-making and less transparency in AI. It also criticised amendments to the Investigatory Powers Act, such as 'bulk personal data' retention and lack of accountability for civil servants accessing communications data.
Third draft of the general-purpose AI code of practice published
On 11 March 2025, the European Commission published the third draft of the General-Purpose AI Code of Practice, aiming to refine transparency and copyright obligations for all AI systems providers while introducing stricter safety and security commitments for high-risk AI models. However, this version has faced criticism from EU lawmakers, who warned that it weakens key risk assessment obligations. Former AI Act negotiators cautioned that the draft makes risk evaluation and mitigation optional for certain threats, contradicting the AI Act's core principles on health, safety, human rights, and democracy. They urged the Commission to reject any version that fails to uphold these fundamentals. The final version, expected in May, will have to balance the raised regulatory issues with industry concerns.
The EDPB launches coordinated enforcement on right to erasure
On 5 March 2025, the European Data Protection Board (EDPB) announced the launch of its Coordinated Enforcement Framework (CEF) action that will focus on the right to erasure or the "right to be forgotten" (Art. 17 GDPR). The EDPB emphasised that it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals. For example, in France, the right to erasure accounts for 37% of the complaints received by the National Commission on Informatics and Liberty (CNIL).
As part of the CEF action, 32 DPAs across Europe will investigate how controllers handle erasure requests, applying conditions and exceptions, through formal investigations or fact-finding exercises, with findings shared and analysed for targeted follow-ups at national and EU levels. At the conclusion of the action, the EDPB will adopt a report on the implementation of the right to erasure, listing the issues observed, along with a series of recommendations for data controllers.
UK's Online Safety Act now in effect
On 17 March 2025, the Online Safety Act came into effect. This sets out obligations for social media companies and search services to ensure the safety of users on their platforms. The Department for Science, Innovation and Technology released an explainer that dives into more detail.
The main provisions of the Online Safety Act require platforms to prevent users from accessing harmful content, assess the risks of illegal content and remove such content, and assess any risks to children specifically. The Act also introduces new criminal offences.
The UK Information Commissioner's Office announced new regulatory measures
On 18 March 2025, the Information Commissioner's Office announced new regulatory measures to support the Government's growth agenda. This will include a pilot data essentials training, an experimentation regime, AI guidance, regulatory review of online advertising and new guidance on international transfers of data.
The Information Commissioner John Edwards said, "There's a responsibility on all regulators to create an environment where businesses can flourish, particularly for the ICO as a whole economy regulator."
The UK government launches Call for Views on data intermediaries and on the data broking industry
On 20 March 2025, the Department for Science, Innovation and Technology (DSIT) announced that the UK government has launched a call for views on data intermediaries and data brokers. To better understand data intermediaries, the inquiry will explore the reasons for low utilisation of certain data subject rights, analyse their operational practices, define critical success factors, and assess potential risks. For data brokers, it will focus on defining their service offerings, evaluating potential national security vulnerabilities, and determining how they protect and secure data, and who their customers are.
The calls for views are open until 12 May 2025.
Americas
Update on TikTok
On 24 March 2025, Senate Democrats sent a letter to President Trump urging the administration to extend the deadline for the sale of TikTok and requesting the President to work collaboratively with Congress on any next steps.
TikTok faced a ban in the United States unless it was sold to a non-Chinese owner by 5 April 2025; on 4 April, Trump granted a 75-day extension.
FTC removes posts critical of large tech companies and AI companies
As of 18 March 2025, the Federal Trade Commission (FTC) has removed from its official website four years' worth of business guidance blogs, amounting to over 300 posts. These blogs contained advice from the agency on how big tech companies could avoid violating consumer protection laws. They also included consumer protection information pertaining to AI and privacy lawsuits brought by the FTC under its former Chair, Lina Khan.
DOJ revises remedies in antitrust case against Google's search monopoly
On 7 March 2025, the US Department of Justice (DOJ) submitted their Revised Proposed Final Judgment (“RPFJ”) in their antitrust case against Google, opened on 20 October 2020, challenging Google's monopoly in the search engine market under the Sherman Antitrust Act of 1890. In August 2024, Judge Amit P. Mehta held that Google had maintained an illegal monopoly over search and search-related advertising.
The remedies trial is scheduled for April 2025, with a decision expected by early August 2025.
The DOJ's initial proposal required Google to divest from AI companies, which would significantly impact Google's ability to lead and innovate in the AI sector. Anthropic, an AI startup, opposed this proposal, arguing that forcing Google to divest its stake in Anthropic would depress Anthropic's market value and reduce its competitiveness in the AI race. The initial proposal also prohibited search-related payments to Apple for default search placement on Apple devices. Apple attempted to intervene, claiming unfair treatment as the proposal would disrupt its $20 billion annual agreement with Google, but Judge Mehta denied the motion in January 2025, stating that it was too late.
The final proposed remedies softened these requirements, allowing Google to provide advance notification before any future AI investments instead of divesting them. The revised proposal also allowed Apple to receive non-search-related payments from Google.
Middle East
Kingdom of Saudi Arabia
The Publication of the Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom
On 26 February 2025, the Saudi Data & Artificial Intelligence Authority (SDAIA) published the Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom. The Guideline sets out four phases to assess the risks of transferring or disclosing personal data to entities outside the Kingdom, namely: preparation, assessing negative impacts and potential risks, risk assessment for data transfer/disclosure, and analysing implications for the Kingdom’s vital interests. The Guideline refers to the importance of determining the risk assessment, assessing compliance with the Personal Data Protection Law (PDPL) and its Regulations and considering the adequacy of measures to prevent or mitigate any risks involved. The Guideline suggests reassessing the processing activities or adopting different measures where high levels of risk and irreversible impacts are identified.
UAE
DIFC opens consultation on amendments to Data Protection Law
On 26 February 2025, the Dubai International Financial Centre (DIFC) announced proposed amendments to its Data Protection Law through the DIFC Laws Amendment Law No. 1 of 2005. These amendments aim to enhance data subject protections and align DIFC Laws with international best practices. The proposed changes are largely clarificatory and seek to provide additional protections and rights of action for data subjects within the DIFC.
The key proposed amendments include:
1. Clarification on Scope: The amendments aim to clarify the scope of application and extraterritorial reach of the Data Protection Law, ensuring that DIFC data subjects receive full protection regardless of where their data is processed.
2. Article 28 Update: The proposed changes to Article 28 focus on data sharing, allowing the Commissioner of Data Protection to reassess the adequacy of third countries for receiving personal data. This ensures that personal data processed by government authorities is protected, with suitable redress available for data subjects.
3. Private Right of Action: The amendments introduce a private right of action through the DIFC Courts, enhancing the rights and remedies available to data subjects whose personal data has been processed in violation of the Data Protection Law.
The proposed amendments are detailed in Consultation Paper No. 1 of 2025, which is open for public comments until 26 March 2025.
Turkey
Cybersecurity Law enters into force
On 12 March 2025, Turkey's Cybersecurity Law No. 7545 came into force following its publication in the Official Gazette. The Law defines 'cybersecurity' as activities aimed at protecting information systems in cyberspace from attacks, ensuring data confidentiality, integrity, and accessibility, detecting cyber incidents, activating response mechanisms, and restoring pre-incident conditions. It also covers concepts like 'critical infrastructure,' 'cyber incident,' 'cyber threat intelligence,' and 'cyberspace.'
The Law applies to public institutions, professional organisations, real and legal persons, and entities without legal personality operating in cyberspace. It mandates these entities to provide the Presidency with requested data, take prescribed security measures, report vulnerabilities, procure cybersecurity products from certified sources, and comply with policies and strategies developed by the Presidency.
The Law outlines penalties for non-compliance, including imprisonment and fines. Offences include failing to provide requested information, conducting unauthorised activities, breaching confidentiality, and not fulfilling specified duties. Penalties range from imprisonment for one to eight years and fines from TRY 1,000 to TRY 100,000 million, depending on the severity of the offence. The Law emphasises cooperation between the Presidency and various entities to enhance cybersecurity.
KVKK approves VF Ege Giyim Sanayi ve Ticaret's application for data transfer abroad
On 13 March 2025, the Personal Data Protection Authority (KVKK) announced that the Personal Data Protection Board had approved VF Ege Giyim Sanayi ve Ticaret Limited Şirketi's application for a commitment letter regarding the transfer of personal data abroad. In particular, the KVKK noted that VF Ege Giyim Sanayi ve Ticaret submitted three applications which were evaluated under the provisions of Article 9(4)(ç) of the Law on Protection of Personal Data. The KVKK highlighted that there were no deficiencies regarding the procedure and substance, and the Board granted permission for the data transfers in question on 12 March 2025.
KVKK publishes guide on processing of special personal data
On 26 February 2025, the KVKK published a guide on processing special personal data to align with Law No. 7499 and EU standards. The guide aims to ensure compliance with the amendments introduced by the Code of Criminal Procedure and Certain Laws No. 7499, which modified Article 6 of the Law on Protection of Personal Data.
Article 6 initially required explicit consent for processing personal data related to health and sexual life, or processing by authorised institutions for public health and related purposes. Other special categories of personal data could be processed with explicit consent or as provided by law. Law No. 7499, effective 1 June 2024, removed distinctions between special data categories and introduced new processing conditions.
The guide helps data controllers comply with the Law by providing information on special data categories, processing conditions, and necessary actions to meet the amendments introduced by Law No. 7499.
Israel
Privacy Protection Authority closes consultation on statement on implementation of consent principle
On 24 March 2025, the Privacy Protection Authority of Israel concluded a public consultation on a statement clarifying the application of the consent principle under national data protection laws. The statement outlines the Authority's legal interpretation for exercising its statutory powers, including monitoring compliance with the law and its regulations. It emphasises that consent must be informed, clearly presented, and appropriately detailed, especially for vulnerable groups. The statement addresses power imbalances, placing the burden of proof on entities seeking consent and clarifying that silence does not constitute valid consent. It specifies when explicit opt-in consent is required, such as for profiling, and stresses that entities relying on legal exceptions for processing without consent must meet proportionality requirements. Additionally, it highlights the importance of allowing individuals to withdraw consent, particularly when continued processing could significantly impact privacy.
Africa
Kenya publishes a National Artificial Intelligence Strategy 2025-2030
On 27 March 2025, the Ministry of Information, Communications, and Digital Economy in Kenya published the Kenya National Artificial Intelligence Strategy for 2025-2030. The strategy focuses on adopting and leading on AI technologies, research and innovation, commercialisation, and creating solutions tailored to the unique needs of the African continent. Cabinet Secretary Kabogo emphasised AI as an important pillar of Kenya's digital transformation agenda.
Kenya's National Computer and Cybercrimes Coordination Committee has initiated a public consultation for the revised draft National Cybersecurity Strategy for 2025-2029
On 27 March 2025, the Ministry of Interior and National Administration opened the revised draft National Cybersecurity Strategy for 2025-2029 to stakeholders for comments. The revised draft strategy focuses on evolving cyber threats and improving cyber resilience, protecting critical infrastructure, encouraging a secure digital ecosystem and harmonising the approach to cyber incident response. It also mentions AI integration and strong public-private partnerships.
The call for comments closes on 25 April 2025.
The Nigeria Data Protection Commission released the General Application and Implementation Directive
On 20 March 2025, the Nigeria Data Protection Commission released the General Application and Implementation Directive (GAID) for the Nigeria Data Protection Act (NDPA). The GAID reflects and provides an outline of the NDPA, emphasising the need to consider the NDPA before making decisions affecting privacy rights.
The GAID states the obligations of data controllers and processors, which include registering with the Nigeria Data Protection Commission, conducting compliance audits, filing annual returns, designating Data Protection Officers, and implementing privacy policies.
Additional information
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.