Clifford Chance

Talking Tech

Tech Policy Unit Horizon Scanner

May 2025

Artificial Intelligence | Data Privacy | Cyber Security | 6 June 2025

This month, we saw developments that reflect a global push to balance innovation with accountability, privacy, and the rights of data subjects at large, as AI and digital technologies become increasingly embedded in economic and social systems.

Hong Kong’s Privacy Commissioner reported that 80% of surveyed organisations were using AI. The report recommended stronger AI governance and risk management – a recommendation that is echoed by many other regulators. Australia updated its health privacy guidance to clarify when genetic information can be disclosed without consent. Japan passed two new cybersecurity laws to counter rising threats to critical infrastructure, and deepened its digital partnership with the EU, focusing on AI and cybersecurity cooperation.

India and the UK finalised a long-awaited trade agreement with provisions on cross-border data flows and source code protections. Singapore’s free trade agreement with the Pacific Alliance entered into force, facilitating data transfers. Indonesia’s Financial Services Authority issued AI governance guidance for banks, while Vietnam’s draft personal data protection law neared approval.

In Europe, regulators were focused on ensuring that relevant training and guidance material is made available to businesses, specifically small and medium-sized enterprises (SMEs), to ensure higher rates of compliance and with hopes of lowering administrative burdens. This is seen in the European Commission’s draft guidelines to protect minors and the cybersecurity training guidance from the UK’s Information Commissioner’s Office.

The U.S. enacted legislation to combat AI-generated deepfakes and non-consensual image sharing. It has also agreed to a tech deal with the UAE, Saudi Arabia, and Qatar valued at over USD 2 trillion, with two major AI data centres now in development, one in the UAE and another in Saudi Arabia.

The UAE published drone cybersecurity guidelines to strengthen the cybersecurity framework for the operation of drones. Abu Dhabi have also opened the draft amendments to their cyber risk management framework for consultation.

More draft guidance and standards were published in Kenya and Nigeria. In Kenya, this focused on compliance with the Data Protection Act. In Nigeria, this focused on the safe use of automated solutions for anti-money laundering.

APAC (excluding China)

Australia

OAIC clarifies rules for disclosing genetic information

On 9 May 2025, the Office of the Australian Information Commissioner updated its Guide to Health Privacy, detailing when healthcare providers can disclose genetic information to family members without consent. Such disclosure is allowed if the information was obtained during health services, is needed to avert a serious threat to a genetic relative, complies with National Health and Medical Research Council guidelines, and is shared with a genetic relative. The guidelines stress obtaining patient consent, evaluating threats, ethical conduct, and managing cases involving children. Providers can collect relatives’ contact details without consent if it’s impractical to obtain and necessary to prevent serious threats.

Hong Kong

The Privacy Commissioner’s Office (PCPD) AI security report highlights compliance and recommendations

On 8 May 2025, the PCPD’s inspection of AI security in 60 Hong Kong organisations found that 80% utilised AI, with 88% having done so for over a year, and no breaches of the PDPO were identified. Organisations implemented security measures such as access control and encryption, conducted Privacy Impact Assessments, and established AI governance structures. The PCPD recommended further strengthening AI governance, conducting risk assessments, providing training, and developing AI incident response plans, while advising organisations to follow PCPD guidelines for internal AI policies.

India

UK-India trade deal finalises data transfer provisions

On 6 May 2025, the UK and India concluded negotiations on a free trade agreement featuring provisions on data transfers, safeguarding businesses from mandatory source code sharing and boosting online consumer safety. The deal seeks to reduce unsolicited commercial messages by mandating consent and making spam identifiable. It establishes rules for cross-border data flows and data localisation, ensuring UK data protection standards are maintained. The legal text is being finalised, with the agreement to take effect following governmental approvals.

Indonesia

Indonesia’s Financial Services Authority (FSA) issues AI governance guidance for banking sector

On 29 April 2025, the FSA of Indonesia published guidance on AI governance in banking, covering AI concepts, risks, and international regulatory standards. It highlights key risks like deepfakes and bias, comparing global governance frameworks to shape Indonesia’s strategy. The guidance stresses principles of reliability and transparency, offering a structured framework for risk management and governance, along with implementation guidelines and audit procedures to ensure ethical and compliant AI systems in the banking sector.

Japan

The National Diet passes the Act on the Prevention of Damage from Unauthorised Activities Against Critical Computers

On 16 May 2025, the National Diet passed the Act on the Prevention of Damage from Unauthorised Activities Against Critical Computers and the Law on the Arrangement of Related Laws Following the Enforcement of the Act on the Prevention of Damage from Unauthorised Activities Against Critical Computers. This forms part of Japan’s legislative and strategic efforts to enhance cybersecurity in response to sophisticated cyber threats.

Two new laws aim to prevent damage from unauthorised activities targeting critical computer systems, establishing a framework for proactive defence and public-private partnerships to safeguard national and citizen safety. Japan faces increasing cyber threats, often originating overseas, affecting critical infrastructure and causing data breaches. To address these, Japan seeks to align its cybersecurity capabilities with other nations, such as the UK and US, by improving collaboration and implementing measures to neutralise threats. Key to this strategy is the creation of a Cybersecurity Strategy Headquarters, led by the Prime Minister, and an independent oversight body to ensure proper use of communication data while protecting privacy. Public-private collaboration will also be required, with mandatory incident reporting and information sharing. The laws will take effect within 18 months of 23 March 2025 (the publication date).

EU and Japan strengthen digital partnership with focus on AI and cybersecurity

On 12 May 2025, the European Union and Japan issued a joint statement from their third Digital Partnership Council meeting, underscoring their dedication to innovation, secure AI, and collaboration on digital identities and data sharing. They explored expanding the EU adequacy decision for Japan to encompass academia, research, and the public sector, while committing to a safe online environment through regulatory exchanges. The statement also highlighted joint efforts in cybersecurity, focusing on critical infrastructure protection and product security standards.

Singapore

Pacific Alliance - Singapore Free Trade Agreement (PASFTA) enters into force, facilitating cross-border data transfers

On 3 May 2025, the PASFTA became effective for Singapore, Chile, and Peru, emphasising cross-border data transfers. Chapter 13 of the free trade agreement requires parties to allow these transfers, including personal data, for business purposes, while permitting restrictions for legitimate public policy objectives. Such restrictions must be neither arbitrary nor unjustifiable and should be limited to what is necessary to achieve the intended objective.

Vietnam

Vietnam’s draft personal data protection law nears approval

On 12 May 2025, the Vice Chairman of the National Assembly announced that Vietnam’s draft Law on Personal Data Protection is set for National Assembly approval after its introduction in September 2024. The National Assembly Standing Committee has reviewed the draft, highlighting the need for clear distinctions between basic and sensitive personal data, stricter rules for transferring sensitive data, and appropriate administrative fines. Concerns about the severity of fines for minor errors require further review to ensure consistency before the law’s passage.

China

China advances Internet Protocol version 6 (IPv6) deployment and application strategy

On 20 May 2025, the Cyberspace Administration of China, along with the National Development and Reform Commission and the Ministry of Industry and Information Technology, jointly issued the 2025 Work Points for Deepening IPv6 Deployment and Application. The document outlines nine focus areas and 42 key tasks to accelerate IPv6 adoption across sectors. It sets targets for IPv6 user base, traffic share, and integration with emerging technologies such as AI and Internet of Things. The initiative underscores China’s commitment to building a globally leading IPv6 ecosystem and enhancing network security and innovation capacity.

People’s Bank of China releases measures for data security in financial services

On 17 May 2025, the People’s Bank of China published the Regulations on Data Security in People's Bank of China Business Areas. The regulations, effective from 30 June 2025, provide a comprehensive framework for managing data security across financial institutions. They cover data classification, storage, processing, transmission, and deletion, and introduce requirements for risk monitoring, incident response, and regulatory oversight. The regulations aim to strengthen legal foundations for data security, promote lawful data utilisation, and protect the rights of individuals and organisations.

China’s Cyberspace Administration Issues Satellite Connectivity Regulation

On 30 April 2025, the Cyberspace Administration of China, together with six other ministries, issued the Administrative Provisions on Terminal Equipment Directly Connecting to Satellite Services, which will take effect from 1 June 2025. This regulation aims to standardise the development and use of satellite-connected terminal equipment within China. It emphasises the importance of safeguarding national security, the public interest, and personal and organisational rights. The provisions require service providers to comply with the laws and regulations governing cybersecurity, data security, and personal information, and to implement classified protection, encryption security evaluations, and real-name authentication for users.

China’s Ministry of Finance and National Financial Regulatory Administration issues Notice on Accelerating Digitalisation of Bank Confirmations

On 30 April 2025, the Ministry of Finance and the National Financial Regulatory Administration jointly issued the Notice on Accelerating the Development of Digital Bank Confirmations. The notice aims to enhance audit quality and efficiency by promoting the digital transformation of bank confirmation processes. It outlines a comprehensive framework for building a secure, efficient, and scalable digital confirmation system.

Europe

European Union

European Commission proposes General Data Protection Regulation (GDPR) record-keeping exemptions for ‘small-mid caps’ in Omnibus IV package

On 21 May 2025, the European Commission unveiled its fourth simplification Omnibus package, including a legislative proposal to extend GDPR Article 30 record-keeping exemptions to “small-mid cap” companies—those with fewer than 750 employees and up to EUR 150 million in turnover. This expansion from the previous 500 employee threshold could ease compliance burdens for around 38,000 companies. The European Data Protection Board (EDPB) and European Data Protection Supervisors (EDPS) welcomed the proposal in principle but stressed the need for safeguards to ensure data protection standards remain intact. This forms part of the Commission’s wider effort to reduce administrative burdens across the EU by 25% by 2029.

Irish Data Protection Commission (DPC) approves Meta’s use of public EU user data for AI training

On 21 May 2025, Ireland’s DPC approved Meta’s plan to use publicly shared user data in the EU to train its AI models, starting 27 May 2025. Although the privacy group ‘None of your Business’ (noyb) sent Meta a cease-and-desist letter on 14 May 2025, the DPC stated that Meta had implemented key improvements to inform and protect users following their temporary pause of the project in June 2024. However, regulatory scrutiny continues. Meta must submit a compliance report in October to the Irish DPC as part of the DPC's ongoing monitoring.

EU Commission plans to tackle AI-driven consumer risks in upcoming Digital Fairness Act (DFA)

On 14 May 2025, Commissioner Michael McGrath confirmed that the EU Commission will propose a DFA aimed at closing gaps in consumer protection laws, especially concerning dark patterns and manipulative AI use. Speaking at the International Association of Privacy Professionals AI Governance Global Europe conference, McGrath said the DFA will clarify AI-related obligations in consumer contexts, reduce regulatory burdens in areas like in-app purchases, and complement existing frameworks without reopening rules already addressed. He also announced related initiatives, including a digital justice strategy, a “democracy shield” against disinformation, and further support for market surveillance under the AI Act.

EU Commission launches draft guidelines to protect minors online under the Digital Services Act (DSA)

On 13 May 2025, the EU Commission published draft guidelines aimed at enhancing the protection of minors under the DSA, launching a public consultation, open until 10 June 2025. The guidelines outline a wide range of recommended measures for platforms accessible to minors, including age verification, private-by-default settings, safer content recommendations, child-friendly reporting tools, and clear internal governance standards. Platforms of all sizes, except micro and small enterprises, are expected to align with these standards, including very large online platforms (VLOPs) with over 45 million EU users. The measures were developed in close consultation with stakeholders, including youth representatives from the Better Internet for Kids (BIK+) initiative. Executive Vice-President Henna Virkkunen of the Commission stated that “children’s safety online is our top priority”.

The European Data Protection Board (EDPB) announced six-month extension of UK adequacy decisions under General Data Protection Regulation

On 6 May 2025, the EDPB announced that it had adopted the 5 May 2025 Opinion 06/2025 on extending the European Commission Implementing Decisions under the GDPR and the Law Enforcement Directive. Therefore, the initial expiration date of 27 June 2025 is now extended to 27 December 2025. The EDPB noted that this extension is “exceptional” due to the ongoing developments in the UK with the Data (Use and Access) Bill.

United Kingdom

The AI Security Institute (AISI) publishes a paper on an example safety case for safeguards against misuse

On 29 May 2025, the AISI published a paper on an example safety case for safeguards against misuse to address the challenge of making safeguard evaluations actionable and decision-relevant. The paper presents a pathway for connecting safeguard evaluation results to actionable risk assessment, sharing an end-to-end argument to link technical evaluations to decision-making.

The Information Commissioner’s Office (ICO) publishes cybersecurity training guidance for organisations

On 19 May 2025, the ICO published cybersecurity training guidance for organisations. The guidance is primarily aimed at SMEs, charities and the voluntary sector but is nevertheless applicable to any organisation regardless of size or sector. It contains ‘Top Tips for Staff’ training to help organisations ensure that all individuals in their organisation are aware of why cybersecurity is relevant to them.

The ICO opens the guidance on encryption for public consultation

On 13 May 2025, the ICO opened the draft guidance on encryption for public consultation. It is asking stakeholders for their views on the ICO’s approach to encryption and data protection law. This includes any questions stakeholders may have about the encryption scenarios the guidance covers and any additional comments.

The consultation is open until 24 June 2025.

UK and India conclude trade deal talks

On 7 May 2025, the UK and India concluded talks on a free trade agreement. This agreement included provisions on cross-border data flows and data localisation. While the legal text of the trade deal is still being finalised, the Department for Business & Trade made clear in its policy paper that the commitments discussed in the trade deal do not affect the UK’s high standards of data protection, and any transfer of personal data will still be protected under the UK’s data protection law.

The National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT) publish a Software Security Code of Practice

On 7 May 2025, the NCSC and the DSIT published a voluntary Software Security Code of Practice aimed at software vendors and their customers to reduce the likelihood and impact of software supply chain attacks. It focuses on four key themes: secure design and development, building environment security, secure deployment and maintenance, and communication with customers.

Americas

The United States of America

Trump administration secures strategic tech partnerships with Gulf states after repealing Biden-era AI diffusion rule

In May 2025, President Donald Trump finalised tech and economic agreements worth over USD 2 trillion with the United Arab Emirates (UAE), Saudi Arabia, and Qatar. These partnerships span multiple sectors, including AI, energy, aviation, defence, and infrastructure.

Paving the way for these agreements, President Trump repealed the Biden-era “AI Diffusion Rule” on 14 May 2025, which, among other things, restricted the export of advanced AI chips and certain model weights to most countries. This policy reversal aided U.S. tech firms’ expansion into the Gulf region. Two major AI data centres are now under development, one in the UAE and another in Saudi Arabia. Qatar, meanwhile, has pledged USD 1 billion toward a joint venture focused on quantum computing R&D and cybersecurity.

These developments are set to deepen technological ties between the U.S. and the UAE, Saudi Arabia, and Qatar, accelerate AI deployment across those countries, and boost American chipmakers. However, the scale and geopolitical implications of these agreements have raised concerns about long-term control over critical AI infrastructure and supply chains, risks of intellectual property leakage, and the consequences of accelerating AI capabilities in a geopolitically sensitive region.

TAKE IT DOWN Act enacted to curb revenge porn and AI-generated deepfakes

On 19 May 2025, in response to the growing threat of AI-generated deepfakes and the rise of nonconsensual image sharing online, President Trump signed into law the TAKE IT DOWN Act (S. 146). The law criminalises the knowing publication of intimate images, including altered or fabricated ones, without consent, especially when intended to cause harm or involving minors. Penalties range from fines to up to three years in prison.

To further protect victims, the law requires certain online platforms to implement a notice-and-removal system by May 2026, allowing individuals to request swift takedown of such content. The Federal Trade Commission will oversee enforcement, treating noncompliance as a deceptive business practice. The law aims to restore control and dignity to victims in the digital age, while navigating complex issues around free speech and platform liability.

Google to pay USD 1.375 billion to settle Texas lawsuits on data privacy violations

On 9 May 2025, Texas announced a USD 1.375 billion settlement with Google to resolve two lawsuits alleging that Google (1) deceptively tracked users’ locations through Android devices, including after users disabled location history, violating the Texas Deceptive Trade Practices Act, and (2) unlawfully collected biometric data, such as voiceprints and facial geometry, through services like Google Photos and Google Assistant, violating the Texas Capture or Use of Biometric Identifier Act. Google was also accused of misleading users about the extent of its data collection, including through its Chrome browser’s “Incognito Mode,” which allegedly did not provide the privacy protections users expected.

This is the largest privacy-related resolution ever secured by a single state against Google. Under the terms of the agreement, Google did not admit to any wrongdoing, nor was it required to implement product changes since all the required disclosures and policy changes had already been introduced.

Middle East

Israel

Consultation on the guidelines of the application of Privacy Law to AI systems

On 28 April 2025, the Privacy Protection Authority (PPA) of Israel published draft guidelines for public consultation on how the Protection of Privacy Law (PPL) would apply to AI systems.

The guidelines provide that the PPL covers personal data input into AI systems as well as data inferred by them. Further, there must be a valid legal basis throughout the AI system’s lifecycle, and transparency is required when individuals interact with AI-based bots. This is even more important when such interaction affects consent. The guidelines also state that scraping personal data from the internet for AI training requires informed consent, and public availability on social media does not replace the need to obtain consent.

Public comments can be made until 5 June 2025.

Oman

Ministry of Transport, Communications, and Information Technology (MTCIT) publishes general AI policy

On 18 May 2025, the MTCIT of Oman released a general policy for the ethical use of AI systems. The policy focuses on the importance of transparency, fairness, accountability, inclusiveness and privacy. It also requires a responsible use of AI, human intervention in sensitive decisions and the implementation of certain measures to reduce bias.

Regulators would need to align their regulations with this policy and publicise it to ensure consistent application across Oman.

United Arab Emirates

First comprehensive UAE drone cybersecurity guideline

In May 2025, the UAE Cybersecurity Council published the first UAE drone cybersecurity guidelines. These guidelines aim to strengthen the cybersecurity framework relating to the operation of drones so as to align their operation with global practices and to ensure their resilience and security across various sectors.

The guidelines relate to cybersecurity risks associated with unmanned aerial vehicles, with a focus on protecting airspace, infrastructure, and data integrity.

These guidelines are expected to have an impact on entities that are involved in drone operations, such as those involved in agriculture, environmental monitoring, and logistics.

Financial Services Regulatory Authority (FSRA) released draft amendments to cyber risk management rulebook for consultation

On 30 April 2025, the FSRA of the Abu Dhabi Global Market (ADGM) published a Consultation Paper relating to the proposed amendments to its cyber risk management framework for authorised persons and recognised bodies.

The proposed amendments are designed to enhance the regulatory approach to cyber threats by building on existing FSRA guidance. This would include the Information Technology Risk Management Guidance and Governance Principles and Practices to Mitigate Cyber Threats and Crime. The amendments are expected to enhance cybersecurity governance, improve resilience, and align with evolving global standards.

The consultation paper is open until 11 June 2025.

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.