Clifford Chance

In April, there were significant developments in AI and technology regulation around the world, reflecting a concerted effort by various nations to address the challenges and opportunities presented by these rapidly evolving fields.

In APAC, the focus has been on ensuring compliance with various technology regulations are easier for businesses and for civilians to follow. Hong Kong introduced a comprehensive checklist to guide organisations in the ethical and lawful use of generative AI in the workplace and Singapore expanded its Cyber Trust mark to include cloud and AI security, allowing organisations to demonstrate robust cybersecurity practices. Meanwhile, Japan's House of Representatives passed the Cybersecurity Enhancement Bill, emphasising the importance of safeguarding national security and citizens' lives. South Korea's Personal Information Protection Commission revised its guidelines to enhance personal data processing policies.

In Europe, the European Commission fined Apple and Meta for breaching the Digital Markets Act, marking the first non-compliance decisions under this regulation. The European Data Protection Board published draft guidelines on processing personal data through blockchain technologies, aiming to ensure GDPR compliance. Additionally, the EU Commission launched a public consultation to revise the Cybersecurity Act, addressing both technical and strategic risks.

In the Americas, notable news in AI included the U.S. Federal Court ruling that Google maintained illegal monopolies in digital advertising markets. This ruling could lead to substantial changes in Google's business practices and market opportunities for competitors. Additionally, the U.S. Federal Trade Commission's antitrust case against Meta began on 14 April 2025, with potential implications for Meta's business structure and the broader tech industry.

In the Middle East, the Kingdom of Saudi Arabia's Communications, Space, and Technology Commission (CST) initiated a public consultation on 14 April 2025 for their draft Global AI Hub Law, which seeks to attract foreign investment in sovereign data centres and AI services. The UAE also saw significant AI advancements, with the launch of a AI-enabled ecosystem in government and the adoption of a comprehensive AI Strategy by the Ports, Customs and Free Zone Corporation (PCFC) of Dubai.

APAC (excluding China)

Hong Kong

PCPD introduced guideline checklist for generative AI use in the workplace

On 31 March 2025, the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong unveiled a comprehensive checklist designed to guide organisations in formulating policies for the use of generative AI by employees. This checklist ensures compliance with the Personal Data (Privacy) Ordinance, covering aspects such as the appropriate use of AI tools, data types and quantities, lawful and ethical considerations, data protection strategies, and protocols for handling breaches. It also provides practical advice to aid employees in effectively utilising generative AI technologies.

Japan

Cybersecurity Enhancement Bill Passed by the House of Representatives

On 8 April 2025, the Cybersecurity Enhancement Bill was passed by a majority vote in the House of Representatives, with support from some opposition parties, despite the ruling party not holding a majority in the House. Deliberations in the House of Councillors commenced on 18 April. Prime Minister Ishiba emphasised on the same day that the bill is essential for safeguarding the secure lives of citizens, as well as for protecting the peace, security, and the national interests of Japan.

Singapore

Singapore's Cyber Trust mark now covers cloud and AI security

On 16 April 2025, the Cyber Security Agency of Singapore expanded the Cyber Trust mark to encompass Cloud Security, Operational Technology Security, and AI security. This certification allows organisations to demonstrate robust cybersecurity practices in secure cloud management, protection of industrial control systems, and securing AI applications against vulnerabilities. Organisations must apply for the Cyber Trust Mark to validate their cybersecurity measures according to their risk profile.

South Korea

South Korea's PIPC enhances personal information processing guidelines

The Personal Information Protection Commission of South Korea (PIPC) has revised its Guidelines for Writing Personal Information Processing Policies. The updates clarify conditions for processing personal data without consent, outline requirements for handling sensitive information, and provide methods for categorising third parties and retention periods. Additionally, they include contact details for relevant departments, changes in privacy policy disclosure, procedures for data subjects' rights, and clearer guidance on behavioural data collection and refusal.

Taiwan

Taiwan Moves Forward with Personal Data Protection Reforms

The Executive Yuan of Taiwan has approved a draft act to establish the Personal Information Protection Commission (PIPC) and amend the Personal Data Protection Act 2010. The proposed changes outline the PIPC's organisational structure and responsibilities, introduce new obligations for agencies during data incidents, mandate the appointment of data protection officers, and enhance administrative oversight and penalties for non-compliance. These drafts will now proceed to the Legislative Yuan for further consideration.

China

Chinese authorities publish Guidelines for Promoting and Regulating the Compliance of Cross-Border Data Flow in the Financial Industry

On 17 April 2025, the People's Bank of China and five other authorities jointly issued the Guidelines for Promoting and Regulating the Compliance of Cross-Border Data Flow in the Financial Industry. The Guidelines aim to enhance the efficiency and standardization of cross-border financial data exchange between Chinese and foreign financial institutions. They specify the conditions under which data can be exported and enumerate the data items eligible for cross-border transfer, thereby streamlining the process. In addition, the Guidelines mandate that financial institutions implement essential data security management and technical measures to safeguard data integrity and security.

China releases the Implementation Rules for the Administration of Programme Trading

On 3 April 2025, all PRC stock exchanges – the Shanghai Stock Exchange, Shenzhen Stock Exchange, and Beijing Stock Exchange – issued the respective Implementation Rules for the Administration of Program Trading. These Rules provide detailed guidance following the promulgation of the Administrative Provisions on Program Trading in the Securities Market by the China Securities Regulatory Commission in 2024. The substantive requirements under the Rules issued by the exchanges are largely consistent with each other and will take effect from 7 July 2025.

China's Information Security Standardization Technical Committee releases guidelines on Technical Requirements for Minor Mode

On 2 April 2025, the National Information Security Standardization Technical Committee released the Cybersecurity Standards Practice Guide - Technical Requirements for Mobile Internet Minor Models. The guide outlines the technical specifications for the minor mode of mobile internet. It is intended for mobile internet application providers, mobile smart terminal manufacturers, and mobile internet application distribution platform providers to aid in the development and implementation of the minor mode. In addition, it can be used as a reference by regulatory authorities and third-party evaluation agencies for the supervision, management, and assessment of online protection measures for minors.

Europe

European Union

Apple and Meta fined by the EU Commission in breach of the Digital Markets Act

On 24 April 2025, the European Commission adopted its first non-compliance decisions under the Digital Markets Act (DMA), finding Apple and Meta in breach of their obligations as gatekeepers. Apple was fined EUR 500 million for violating its anti-steering obligations, and Meta was fined EUR 200 million for failing to offer an alternative service that uses minimized personal data. The investigations concluded that Apple's App Store restrictions prevented app developers from informing users about cheaper or alternative offers outside the App Store, whereas Meta's "Consent or Pay" advertising model was found not to offer users a genuine choice, as required under Article 5(2) DMA. EU users were said to have only been given the option to either consent to data combination or pay for an ad-free experience. A revised model introduced in late 2024 is still under review.

EDPB adopts guidelines on processing personal data through blockchains

On 14 April 2025, the EDPB published its first draft guidelines on processing personal data through blockchain technologies. Blockchain technologies remain particularly used for decentralized identity systems, health and supply chain records, or tokenized services particularly in finance. The guidelines offer a structured approach to evaluating GDPR compliance of blockchain-based processing, focusing on risk assessment for data subjects, the need for data protection by design and by default, minimization of on-chain personal data, and the roles and responsibilities among stakeholders. They stress the importance of conducting data protection impact assessments and selecting appropriate technical and organizational safeguards to address challenges related principles such as transparency, rectification, erasure, and storage limitation. A public consultation is open until 9 June 2025.

Cybersecurity Act to be revised to include sovereignty criteria into the certification process

On 11 April 2025, the EU Commission launched a public consultation to review and revise the Cybersecurity Act (UE) 2019/881 of 17 April 2019. The review will assess the mandate of the European Union Agency for Cybersecurity (ENISA), the EU Cybersecurity Certification Framework, and security within the ICT supply chain. Crucially, the initiative also seeks to address not only technical risks, but also strategic risks and dependencies affecting critical IT infrastructures, as highlighted in the Commission's communication. These priorities are aligned with France's push to introduce sovereignty criteria into the certification process for sensitive data hosting, an objective it hopes to achieve in the upcoming reform, following its unsuccessful efforts to include such requirements in the EUCS certification scheme. The consultation will remain open until 20 June 2025.

EU Commission outlines new action plan for advancing AI development

On 9 April 2025, the European Commission published the AI Continent Action Plan to strengthen Europe's leadership in artificial intelligence and drive innovation across the EU. Building on the EUR 200 billion InvestAI initiative, the plan outlines the creation of up to 13 AI factories and 5 gigafactories to support startups, researchers, and industry with advanced computing infrastructure. It also introduces a Data Union Strategy to improve access to high-quality data, alongside efforts to boost AI adoption in sectors such as healthcare and public services. To address the growing demand for skilled professionals, the plan includes training programs, international recruitment, and migration pathways. A central AI Act Service Desk will provide businesses with guidance on complying with forthcoming EU regulations.

EU Commission prepares interservice group for upcoming Digital Fairness Act (DFA)

On 8 April 2025, it was reported that the EU Commission is preparing to establish an interservice steering group to coordinate work on the forthcoming Digital Fairness Act (DFA). Expected to be formalised in the coming weeks, the group will include officials from Directorate General (DG) Justice, which will lead the initiative, and DG Connect, and will oversee internal coordination, support related research, and contribute to shaping the legislative proposal. In parallel, the Commission has published its upcoming public consultation on the DFA, aimed at gathering input from stakeholders across sectors. The consultation is expected to remain open throughout the summer, with a formal launch anticipated around the annual Consumer Summit in late May.

Final report of the Data Act Expert Group on B2B data sharing and cloud computing contracts

On 2 April 2025, the Expert Group established by the EU Commission for the Data Act implementation standards published its final report on B2B data sharing and cloud computing contracts. The European Commission has been tasked with creating and recommending model contractual terms for data access and use. The final report introduces Model Contractual Terms (MCTs) for data sharing between users, data holders, and third-party recipients, including voluntary B2B arrangements. It also presents Standard Contractual Clauses (SCCs) for data processing services (e.g., IaaS, SaaS, PaaS), covering key areas such as general terms, switching and exit, termination, security, non-dispersion, and liability, to support GDPR-compliant and balanced contractual frameworks. The Commission will soon formulate a recommendation incorporating these models.

United Kingdom

The Data (Use and Access) Bill is now in its final stages

On 7 May 2025, the Data (Use and Access) Bill passed the third reading in the House of Commons and is now the final stages of consideration of amendments. If the bill obtains royal assent, it will give rise to recognition of several legitimate interests as the lawful basis of processing, require controllers to respond to data subject requests in a specific manner, and introduces new obligations for automated decision making.  

Ofcom launches their first investigation under the Online Safety Act

On 9 April 2025, Ofcom launched their first investigation into an individual online service provider under the Online Safety Act. They are investigating an unnamed online suicide forum regarding appropriate safety measures, risk assessments, and responses to statutory information requests.

New Cyber Security and Resilience Bill

On 1 April 2024, the Department for Science, Innovation & Technology has announced a new Cyber Security and Resilience Bill. This aims to ensure that vital infrastructure and digital services in the UK are more secure.

Americas

The United States of America

Federal Court Rules Google Maintained Illegal Monopolies in Digital Advertising Markets

On 17 April 2025, Judge Leonie Brinkema of the U.S. District Court for the Eastern District of Virginia ruled that Google unlawfully monopolised publisher ad server market and the ad exchange market by tying its ad server (DoubleClick for Publishers or DFP) and publisher ad exchange (AdX) together through contractual policies and technological integration, imposing anti-competitive policies that harmed competitors, publishers, and consumers. The plaintiffs failed to prove that Google also monopolized the advertiser ad network market as the Court found "advertiser ad network" an uncommon term in the industry and not a relevant product market.

The court has ordered the parties to propose a schedule for briefing and arguing their positions on the appropriate remedies. The DOJ has suggested divesting Google's publisher as server and ad exchange products.

Addressing Mental Health Risks of AI Chatbot for Minors California

Senate Bill 243 (SB 243), proposed by Senator Steve Padilla on 30 January 2025, aims to address the mental health risks posed by AI Chatbots, particularly for vulnerable users like minors. SB 243 seeks to protect children from addictive and isolating aspects of AI chatbots by requiring companies to periodically remind users that chatbots are not human, and implement protocols for addressing suicidal ideation, and submit annual reports on such interactions. The bill also mandates third-party audits to ensure compliance. Currently under review in the Senate Committee on Health, SB 243 represents a focused effort to regulate AI chatbots and their interactions with minors, aiming to prevent manipulation and ensure user safety.

Update on Meta's antitrust case

Trial for the Federal Trade Commission's (FTC) antitrust case against Meta began on 14 April 2025 with CEO Mark Zuckerberg testifying. The FTC alleges that Meta has maintained a monopoly in the personal social networking market through anti-competitive practices. The complaint highlights Meta's acquisitions of Instagram in 2012 and WhatsApp in 2014 as key examples of these practices.

The government has argued that these acquisitions were part of a systematic strategy to eliminate potential threats to Meta's dominance. Meta may be forced to divest from Instagram and WhatsApp to restore competition in the market. However, the company contends that the FTC's definition of the market is too narrow and excludes other significant competitors like TikTok, YouTube, and social media platforms. The outcome of this case could have significant implications for Meta's business structure and the broader tech industry.

Administration imposes tariffs on global trade partners, with some carveouts for tech

The Trump administration issued temporary exemptions for a range of tech products from the newly imposed "reciprocal" tariffs, providing some relief to the tech industry. The carveouts to the 10% global baseline and 125% tariff on Chinese imports include smartphones, laptops, computer components, memory cards, solar cells, and semiconductors.

The exemptions, which were applied retroactively beginning on 5 April, aim to mitigate the impact of the tariffs on tech companies and consumers, which depend heavily on imports. Despite these exemptions, the Administration has launched an investigation into the national security impact of semiconductors and derivative products which could result in new tariffs on technology products being introduced in the coming months.

Middle East

Israel

Israel rolls out pilot for students to learn with conversational avatar companions

Israel is launching a nationwide pilot program to enhance students' learning skills through affordable one-on-one tutoring by artificial intelligence avatars that mimic human private tutors. This initiative is spearheaded by Israeli startup eSelf, which has developed a platform for interactive, digital, face-to-face conversational avatars. eSelf has partnered with the Center for Educational Technology (CET), Israel's largest K-12 textbook publisher, to introduce this personalized AI tutoring system across the country.

Starting in May, the AI tutoring system will be implemented via CET's Ofek online learning platform. Harvard University will serve as an academic adviser for the pilot, guiding the methodology and evaluation to assess the educational impact of eSelf's AI tutor. CET's VP of Marketing, Tzachi Langer, emphasised that this partnership aims to make AI an accessible tool for students nationwide, increasing educational equity and empowering Israel's children to feel more confident in their academic capabilities and potential.

Kingdom of Saudi Arabia

Draft Controls Published by the Saudi Data & AI Authority (SDAIA)

On 23 April, the SDAIA released a draft of controls for public consultation. The Controls govern the commercial, professional, and non-profit activities related to personal data protection (Activities), regardless of their nature or the means through which they are conducted.

The consultation will close on 20 May 2025. The Controls apply to entities involved in consultancy services, technical solutions and training related to data protection. These entities are required to:

• register on the National Data Governance Platform.
• comply with the Personal Data Protection Law and its implementing regulations.
• disclose any prior complaints or violation and ensure no ongoing investigations exist.
• adheres to any additional requirements set by the SDAIA.

SDAIA released a consultation paper on the PDPL implementing regulations

On 27th April, the SDAIA published a consultation paper proposing some key amendments to the PDPL implementing regulation. The consultation closes on 27 May 2025.

Below is a summary of some of the important changes proposed in the consultation:

• removal of the definitions of direct marketing activities and personal data breaches.
• introduction of new conditions for mandatory registration in the National Register of Controllers. This would apply, for example, to public entities and those transferring data outside the Kingdom.
• granting rights to data subjects to request a copy of their personal data in a readable format.
• the introduction of the requirements of the provision of information in simplified language (if data subjects lack legal capacity).
• introduction of a requirement to ensure that privacy policies are clear and comprehensible.

Communications, Space, and Technology Commission opened consultation on draft Global AI Hub Law

On 14 April 2025, Saudi Arabia's Communications, Space, and Technology Commission (CST) initiated a public consultation on the draft Global AI Hub Law, which will remain open until 14 May 2025. This draft law aims to create a legislative framework to attract foreign investment in sovereign data centres and AI services. It introduces three hosting regulation models: private, extended, and virtual centres, tailored to accommodate foreign governments, international technology companies, and investors. The law seeks to develop sovereign data centres that ensure continuous service, cross-border data sovereignty, and secure digital infrastructure. Additionally, it promotes research and innovation in advanced technologies and delineates roles and responsibilities for entities such as Guest Countries, operators, and service providers, who must adhere to relevant national and international regulations.

Data sovereignty will be bestowed upon foreign countries with the proposed 'AI hub' law

On 14 April 2025, the Communication, Space & Technology Commission (CST) of the Kingdom released the draft Global AI Hub Law (Law); it is currently subject to public consultation. 

Although the term "AI" is specifically referred in the title of the Law, however, the term "advanced technologies" is used in connection with data centre operations and other digital services throughout the Law. This indicates that this Law has a wider application and not limited to AI technology.

The consultation will close on 14 May 2025.

The aims of the Law are:

• Facilitating the establishment of sovereign data centres (referred to in the Law as "Hubs"); each type would be subject to different rules and oversite.
• Representing the Kingdom as a global digital hub in advanced technologies.
• Utilising the Kingdom's strategic geographic location so to offer technological solutions for the benefit of global businesses.
• Fostering a collaborative environment in which foreign governments and private entities can develop and adopt advanced technologies for peaceful purposes.

The Law proposes the establishment of the following three types of Hubs in the Kingdom:

• Private Hubs- data centres operated by a foreign government (a guest country), while enjoying sovereign immunities and extensive privilege.
• Extended Hubs- they host data for guest countries; however, they will be managed by an approved operator responsible for compliance.
• Virtual Hubs- data centres operated by local service providers. Nevertheless, all their data, applications and services would fall within the realm of the concerned foreign legal jurisdictions.

United Arab Emirates

AI platform 3AI expands in the Middle East with AI hub in Dubai

AI platform and marketplace 3AI announced on16 April that it will establish an AI hub in Dubai in collaboration with the UAE government to enhance the AI ecosystem in the region. The initiative aims to create a community of select AI and Analytics thought leaders from global enterprises, pure-play AI firms, technology consulting, service and solution firms, and startups in Dubai and the Middle East.

3AI's goal is to foster a cohesive and broad ecosystem for AI thought leadership, strategic innovation, and business adoption. The platform plans to initiate novel and differentiated AI thought leadership summits, CXO mixers, and leadership roundtables. This expansion is expected to significantly contribute to the development and adoption of AI technologies in the Middle East, positioning Dubai as a central hub for AI innovation and collaboration.

First government-led initiative in Abu Dhabi to introduce face recognition

In April, the Department of Culture and Tourism of Abu Dhabi (the Department) confirmed that a new Abu Dhabi facial recognition system will be deployed at 5-star hotels in the Abu Dhabi city (first phase). This will then be followed later by a second phase, which will target four-star hotels, with gradual expansion to all remaining hotel categories.

This initiative will be overseen by the Department's Licensing & Regulatory Compliance Branch. This is expected to enhance the guest verification processes, simplify procedures and make check-in process more efficient.

The facial recognition system will capture biometric data during guest check-in. Such data will then securely be encrypted, retrieved, and transmitted to a centralised database.

UAE launches first AI-enabled ecosystem in government

In April 2025, the UAE Cabinet launched the first integrated regulatory intelligence ecosystem. It aims to streamline regulation, improve compliance monitoring, and enhance risk analysis through AI and analytics. This involves the establishment of the Regulatory Intelligence Office within the Cabinet.

This AI-driven legislative system is designed to:

• Integrate federal/local laws, judicial rulings, executive procedures, and public services through the use of AI.
• Use AI and big data to monitor the real-time impact of laws on economy and the nation of the UAE.
• Spead up the legislative processes by up to 70%.
• Track international legal developments and align with best global practices.

The Dubai Ports, Customs and Free Zone Corporation adopted an AI Strategy

In April 2025, the Ports, Customs and Free Zone Corporation (PCFC) of Dubai adopted and launched its comprehensive AI Strategy. The Strategy has 20 core pillars, including: automation, intelligent data analysis and forecasting, system integration, data security and regulatory compliance, and the certification of all IT staff in international AI programs by the end of 2025. This constitutes a step forward to accelerate the adoption of AI across various sectors.

It has been indicated that the PCFC aims to launch a smart system for the Dubai Maritime Authority by June 2025, making it the first business unit to benefit from this digital transformation. Other business units will also follow suit by the end of 2025. 

Africa

Nigeria

The Nigerian Federal Competition and Consumer Protection Commission (FCCPC) announces that the Tribunal upheld is USD 220 million fine against Meta and WhatsApp

On 25 April 2025, the Competition and Consumer Protection Tribunal upheld the USD 220 million fine against Meta Platforms Incorporated and WhatsApp LLC. This was regarding an investigation that started in 2021 on:

• Denying Nigerian data subjects the right to self-determine
• Unauthorised transfer and sharing of Nigerian data-subjects personal data, including cross-border storage in violation of the law
• Discrimination and disparate treatment
• Abuse of dominance
• Tying and bundling.

South Africa

South Africa's Information Regulator launches an online reporting platform for security compromises

On 7 April 2025, the Information Regulator launched an online system where public and private bodies can report security compromises/data breaches. From 1 April 2025, all organisations are required to report any breaches through this portal rather than via email. 

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.