Clifford Chance

July 2025 brought a range of regulatory developments across jurisdictions, reflecting a continued ramping up of efforts to address the governance of artificial intelligence (AI), digital infrastructure, and data.

In Asia-Pacific, a Memorandum of Understanding was signed between Hong Kong and Macau which aims to strengthen cross-border enforcement in relation to privacy issues. Malaysia issued a manual for registering data protection officers (DPOs), while Singapore launched initiatives on AI assurance and privacy-enhancing technologies. South Korea revised its personal data security standards and internet access rules, and Vietnam enacted a comprehensive Personal Data Protection Law with new compliance obligations.

China released several guidelines, including standards for synthetic content identification, outbound data transfers, and model contracts for data trading. These updates reflect China's continued focus on standardising AI rules and data governance.

In Europe, implementation of the Digital Operational Resilience Act (DORA) and the Digital Services Act (DSA) progressed. The EU published the final Code of Practice for General Purpose AI (GPAI) and launched a consultation on digital fairness. New guidelines on transparency reporting for GPAI model providers were also introduced. In the UK, the Government announced a series of reforms and updates to the National Security and Investment (NSI) Act 2021 (NSIA) as well as calling for evidence on the Smart Data Scheme (introduced under the Data (Use and Access) Act 2025), whilst Ofcom published the final Transparency Reporting Guidance under the Online Safety Act 2023 (OSA).

In the United States, the federal government announced an AI Action Plan alongside a $90 billion investment in AI infrastructure. The Courts issued rulings on fair use in relation to AI training, and New York passed legislation to protect minors’ data. July also saw several music labels filing lawsuits against AI audio platforms for alleged copyright infringement.

Middle Eastern regulators remain active on AI and data governance, with the UAE launching a global initiative on regulatory innovation and the Saudi Data & Artificial Intelligence Authority announcing their accession to the OECD's Recommendation on AI.

Africa saw legislative proposals and summits focused on digital rights and legislative capacity building.

Overall, governments across jurisdictions are continuing to refine as well as add new legal frameworks (both compulsory and voluntary) in the AI, data and digital infrastructure space. Whilst, in many cases, there is a strong will by governments to balance innovation with oversight, whilst some changes and additions will add useful clarity for companies, others will certainly increase the regulatory compliance burden.

APAC (excluding China)

Hong Kong

Hong Kong Privacy Commissioner for Personal Data (PCPD) issues article on artificial intelligence (AI) governance and privacy risks

On 10 July 2025, the Hong Kong PCPD published an article highlighting that nearly 70% of enterprises recognise significant AI-related privacy risks, based on a 2024 survey. It recommends organisations use its ‘Checklist on Guidelines for the Use of Generative AI by Employees’ which they published earlier this year to create internal policies, helping to leverage AI’s benefits while safeguarding personal data privacy. This recommendation further emphasises the importance of referring to Guidelines and developing the relevant internal policies to ensure compliance.

Hong Kong and Macau sign Memorandum of Understanding to strengthen data privacy collaboration

On 15 July 2025, Hong Kong and Macau have entered a Memorandum of Understanding (MoU) aimed at enhancing cooperation on personal data privacy. The MoU covers collaboration in areas such as law enforcement, education, and secure cross-border data flow, supporting the digital economy in the Greater Bay Area. The Hong Kong PCPD and the Macau Personal Data Protection Bureau will provide mutual assistance in investigations and enforcement.

Malaysia

Malaysia’s Department of Personal Data Protection (PDP) issues data protection officer (DPO) registration manual, sets 21-day notification rule

On 2 July 2025, Malaysia’s PDP released a manual detailing the process for registering DPOs. Data controllers are required to notify the PDP within 21 days of appointing a DPO. The manual outlines account creation, registration, and information update steps, and specifies pre-registration requirements such as appointment criteria and necessary documentation.

Singapore

Singapore Infocomm Media Development Authority (IMDA) launches new AI and data protection initiatives

On 7 July 2025, the IMDA of Singapore announced three new initiatives focused on AI assurance, privacy-enhancing technologies (PETs), and data protection standards. The Global AI Assurance Sandbox expands to cover new AI risks, while the PET Adoption Guide provides evaluation tools open for public comment. The updated Singapore Standard for Data Protection allows companies to apply for the Data Protection Trustmark with oversight from the Singapore Accreditation Council.

South Korea

South Korea Personal Information Protection Commission (PIPC) amends standards for security of personal information

On 21 July 2025, the PIPC of South Korea announced amendments to the Standards for Ensuring Security of Personal Information. Key changes include new requirements on destroying personal data, internal management plans (with exemptions for smaller entities), access management, secure authentication, and access record retention (over two years for large processors).

South Korea PIPC revises internet blocking standards for personal data systems

On 21 July 2025, South Korea’s PIPC revised internet blocking measures for personal data processing systems, allowing large-scale processors with low risks or protective controls to permit selective device access. Processors are now required to implement secure authentication methods, with an aim to facilitate responsible AI-related data use. Public comments on the revision are open until 9 August 2025.

Vietnam

Vietnam publishes personal data protection law, sets new standards

On 1 July 2025, Vietnam’s Personal Data Protection Law (PDPL) was published. This covers both domestic and international entities processing Vietnamese citizens’ personal data. The law distinguishes between basic and sensitive data, defines key terms, and exempts small businesses and start-ups from certain requirements. It prohibits data misuse and actions against national interests, with penalties including fines and criminal liability for violations such as unlawful data sales or transfers. 

China

China's Information Security Standardization Technical Committee seeks public comment on six cybersecurity standard practice guidelines

On 24 June 2025, the National Information Security Standardisation Technical Committee released a set of six draft cybersecurity standard practice guidelines for public consultation. These six practice guidelines further implement the requirements of the Measures for the Identification of AI-Generated Synthetic Content, provide detailed technical guidance for service providers of AI-generated synthetic contents and service providers of network information content dissemination to carry out implicit identification activities of metadata for AI-generated synthetic text, images, audio, and video content.

Cyberspace Administration of China releases the guidelines for the security assessment filings of data outbound (third edition)

On 26 June 2025, the Cyberspace Administration of China issued the Guideline for Security Assessment Filings of Data Outbound (Third Edition).  The Guidelines aim to guide and assist data processors in making standardised and orderly declarations for outbound data security assessments. Compared with the second edition, the third edition has optimised and simplified the relevant materials that data processors need to submit for the application of data outbound security assessments. The Guidelines also clarify the conditions, procedures, and materials required for data processors to apply for an extension of the validity period of the data outbound security assessment results.

China releases the notice of the model contract for data circulation and trading

On 4 July 2025, the National Data Administration and the State Administration for Market Regulation jointly issued model contracts for data provision, data processing services, data integration and development, and data intermediary services. The model contract systematically constructs a data quality assurance mechanism covering the entire process at the contract level, presets clauses for risk management throughout the process, and considers the requirements of data security and privacy protection in a comprehensive manner. The model contracts are not compulsory but serve as guidance documents to standardise practices and reduce legal uncertainties in data businesses. Enterprises engaged in data-related activities should review these models to align with regulatory expectations and streamline contractual practices.

China's Information Security Standardization Technical Committee releases guidelines on Security Requirements for Shake-to-Trigger Ads

On 22 July 2025, the National Information Security Standardization Technical Committee released the Cybersecurity Standards Practice Guide – Security Requirements for Shake-to-Trigger Advertising Behaviour. The guide outlines the basic principles for protecting personal rights and the security requirements for triggering behaviours related to shake-to-trigger ads on mobile smart terminals. It is intended for mobile smart terminal providers, app developers, and third-party software development kit providers to regulate the display and triggering of shake-to-trigger advertisements. Additionally, it can be used as a reference by personal information processors and evaluation agencies for compliance and assessment purposes.

Europe

European Union

DORA implementation advances with new outsourcing rules and oversight guide

On 2 July 2025, the EU published Delegated Regulation 2025/532, setting out detailed outsourcing requirements under the Digital Operational Resilience Act (DORA) for financial entities relying on ICT services for critical functions. These rules mandate rigorous pre-outsourcing risk assessments and stricter contractual clauses, including audit rights and termination provisions. From 22 July 2025, financial groups must ensure consistent application across all subsidiaries. Complementing this, the European Supervisory Authorities (EBA, EIOPA, ESMA) released a guide on 15 July explaining how Joint Examination Teams will oversee critical ICT third-party providers. While not legally binding, the guide helps firms prepare DORA oversight implementation.  

Commission adopts two DSA-based measures on data access and child protection

On 2 July 2025, the European Commission adopted a delegated act under the Digital Services Act (DSA), requiring very large online platforms and search engines to grant vetted researchers access to publicly available data. The act sets out the vetting process, technical procedures, and the creation of a DSA access portal to facilitate data sharing. Separately, on 14 July, the Commission presented new DSA-based guidelines to protect minors online, along with a prototype age verification app. The guidelines address risks such as addictive design, cyberbullying, and harmful content, while the app ensures privacy-preserving age checks. Though distinct in scope, both initiatives reflect the DSA’s broader ambition to create a safer and more transparent digital environment. 

Commission launches consultation on digital fairness for consumers

On 17 July 2025, the European Commission opened a public consultation to gather feedback on strengthening consumer protection in the digital single market. Running until 9 October 2025, the initiative targets a wide range of stakeholders to assess how to ensure fairness in business-to-consumer transactions, improve legal certainty, and prevent market fragmentation. The consultation will inform the impact assessment and shape the forthcoming Digital Fairness Act which is a legislative proposal aimed at addressing emerging challenges in online consumer rights. Participants can respond via an online questionnaire available in all official EU languages.

EU finally publishes three key documents for providers of GPAI models

In July, the European Commission released three key documents for providers of general-purpose AI (GPAI) models for the purpose of compliance with the EU AI Act.

The first is the GPAI Code of Practice. This is a guiding document, provided for in the EU AI Act, to help organisations demonstrate compliance with the EU AI Act's requirements regarding GPAI models. It is structured around three chapters: Transparency, which notably introduces a Model Documentation Form for the purpose of compliance with relevant transparency requirements; Copyright, which outlines compliance measures regarding, amongst other things, the copyright policy GPAI model providers must draw up; and Safety and Security, which addresses measures to comply with the EU AI Act's requirements for GPAI models with systemic risk.

The second is the GPAI Guidelines, issued by the European Commission on 18 July. The GPAI Guidelines are aimed at clarifying some of the key concepts and obligations for providers of GPAI models under the EU AI Act, including as regards what a GPAI model is, the notion of provider and the concept of placing on the market, the model lifecycle, the partial and conditional exemptions for models released as open-source, and issues of enforcement.

The third is the Training Content Summary Template to be used to summarise the content used to train the GPAI model, introduced on 24 July. That summary is a requirement for GPAI model providers under the EU AI Act, and the EU AI Act requires the summary to be prepared according to the template. These measures collectively support the application of the rules for GPAI model providers which kicked in on 2 August 2025, for models placed on the market from that date (there is a specific regime for models already on the market before that date). In parallel, the European Commission provided further detail on the enforcement of the rules for GPAI models. Whilst those rules indeed started applying on 2 August 2025, the European Commission acknowledged that fines don't apply until August 2026. The Commission further indicated that there would be some form of leniency for Code of Practice signatories during the first year from 2 August 2025.  

You may like to read our article where we provide our insights on the GPAI Guidelines and other recent developments.

United Kingdom

Ofcom publishes Transparency Reporting Guidance

On 21 July 2025, Ofcom published the final Transparency Reporting Guidance under the Online Safety Act 2023. Transparency reporting is important to ensure that platforms disclose how they manage illegal and harmful content and to help Ofcom assess whether platforms are doing enough to protect users. The guidance applies to "categorised services" which are platforms listed on public register maintained by Ofcom. Ofcom will also produce its own transparency report based on the data received.

UK Government seeks views on the Smart Data Scheme

On 28 July 2025, UK Government, under the Department for Science, Innovation and Technology, called for evidence on the Smart Data Scheme which was introduced under the Data (Use and Access) Act 2025. The Smart Data Scheme aims to enable the secure sharing of customer and business data with authorised third parties. They are calling for views to help with, amongst other things, assessing how data sharing can empower customers, boost competition, and drive innovation in the UK. They are open for views until 15 September 2025.  

Proposed reforms on notifiable transactions under the NSIA

On 22 July 2025, the UK Government announced a series of reforms and updates to the National Security and Investment (NSI) Act 2021 (NSIA). This includes a statement that it intends to exempt certain intra-group transactions from the mandatory filing requirements of the NSIA. It also issued a consultation on potential changes to the definitions of "sensitive activities" that determine which other transactions are notifiable. The changes, if enacted, could refine several of the existing definitions, including those relating to AI and energy, while adding certain activities in the water sector. While some of the proposed refinements may improve clarity, the Government's own analysis estimates that even more businesses would be captured by the proposed amended regime. The consultation therefore raises questions about scope creep and the practical implications for deal certainty. The consultation closes on 14 October 2025. 

In parallel, the Government has published its annual NSIA report, offering useful data on how the regime is operating in practice and which types of transactions and investors are most affected. Connected to the consultation, the annual report reveals that a massive 1,143 filings were submitted in the reporting period, which continues to suggest that the scope of the NSIA regime is already too wide.

For those navigating UK FDI controls, these developments merit close attention.

Americas

The United States of America

The Trump Administration’s latest AI investments and AI action plan

On 10 July 2025, President Trump launched his AI Action Plan on ai.gov. Key pillars of this action plan include of accelerating innovation, building AI infrastructure, and leading in international diplomacy and security. The plan envisions massive investments in national AI capabilities spearheaded by the private sector, with implementation expected over the next 6 to 12 months. The plan calls for federal procurement guidelines within government contracts, recommending contracts with providers who can ensure ideological objectivity. The plan emphasises deregulation to accelerate AI's technological advancement, while it also raised concerns about its implications for public safety in a deregulated environment.

The President also recently announced an over $90 billion investment to transform Pennsylvania into a global artificial intelligence hub. The investment is motivated by the administration's desire for global leadership within emerging AI technologies, not wanting to fall behind China in the "AI race." Because of AI's intersection with the energy sector, President Trump hopes to use this development in Pennsylvania to activate his goal of having the United States be as self-reliant and domestically fuelled as possible. The investment proves mutualistic for technology companies as well, with AI tools requiring enhanced energy to power its growing capabilities.

NY Senate Bill S7695A – The New York Child Data Protection Act

On 20 June 2025, New York pioneered data protection laws for minors (under the age of 18) with the passage of NY Senate Bill S7695A. This establishes safeguards to prevent unauthorised access to minors' personal data, subject to narrow exceptions. A robust piece of legislation, it expands on existing federal protections to minors' data. The protections apply to standard digital spaces, such as websites, but also include apps and other online places expected to be frequented by minors. If a user is detected to be a minor, the digital service will not be able to sell the data or utilise it in any way deemed unnecessary to using the service. Given that many minors now have an online presence, the legislation is designed to protect children from manipulative advertising, creating unnecessary digital records without their consent, and preserving children's data privacy in an ever-changing digital ecosystem.

Anthropic and Meta Fair Use Opinions 

A group of authors sued AI firm Anthropic alleging unauthorised use of their copyrighted works to train its large language model (LLM), Claude. Anthropic was found to have pirated millions of digital copies from online “shadow libraries” to build its training dataset. Anthropic also was alleged to have purchased physical books, scanned them to create digital versions, and discarded them. Judge William Alsup of the Northern District of California ruled that training Claude on lawfully acquired books constituted fair use under §107 of the Copyright Act. He further described Anthropic's LLM training process as “spectacularly transformative.” However, he found that retaining pirated books amounted to copyright infringement. The amount Anthropic owes in damages related to the pirated materials will be determined at a separate trial in the future.  

Two days after the Anthropic ruling, Judge Vince Chhabria of the same court ruled in favour of Meta, holding that its use of a group of authors' copyrighted works to train its Llama, Meta's LLM, constituted fair use. Although Meta used pirated books and articles, including some materials belonging to the plaintiffs, Judge Chhabria deemed the LLM training process “highly transformative.” Judge Chhabria emphasised the plaintiffs’ failure to demonstrate market harm, such as lost licensing opportunities or Llama's ability to reproduce verbatim excerpts of the authors' copyrighted works. However, he reminded the parties that fair use is a fact-specific inquiry, and that stronger evidence of market impact may lead to a different outcome in future cases. 

Major Music Labels Sue AI Music Services Suno AI and Udio AI 

Two lawsuits filed in the District of Massachusetts by Universal Music Group, Sony Music, and Warner Music Group accuse AI music generation platforms Suno and Udio of widespread copyright infringement. The labels allege that both companies trained their generative AI audio models on extensive libraries of copyrighted sound recordings without the labels' authorisation. According to the complaints, both platforms' generative AI audio models output mimics plaintiff's copyrighted songs, replicating distinctive vocal styles and producer tags. In both cases, the plaintiffs argue that their AI-generated audio outputs do not constitute fair use under §107 of the Copyright Act nor undermine the market for licensed music. The labels are seeking injunctive relief and statutory damages of up to $150,000 per infringed work. The trial date has yet to be determined. 

Middle East

Israel

Privacy Protection Commission (PPC) publishes recommendations on use of personal use of AI systems

On 14 July 2025, the PPC issued recommendations for the personal use of AI systems, emphasising the risks of sharing personal data. The PPC warned that AI systems may store and use personal information for algorithm training or transfer it to third parties, increasing the risk of data being combined with publicly available sources. To mitigate these risks, the PPC advised users to minimise the input of personal data, use general terms, and avoid including identifying details—especially financial, medical, or other sensitive information. Users should also omit unnecessary details and, where possible, request deletion of personal data by the AI system. These recommendations aim to enhance individual awareness and promote safer interactions with AI technologies, especially as their use becomes more widespread in everyday life. The PPC’s guidance reflects growing global concerns about data privacy and responsible AI usage.

Privacy Protection Authority (PPA) publishes opinion on DPO appointment for public consultation

On 23 July 2025, the PPA released a Statement of Opinion for public consultation regarding the appointment of DPOs, in line with Amendment No. 13 to the Protection of Privacy Law, effective from 14 August 2025. The opinion outlines which entities must appoint a DPO, including public bodies, organisations trading in personal data, those conducting systematic monitoring, or processing sensitive data at scale. It also details DPO responsibilities, required qualifications, employment conditions, and necessary organisational support. While the legal obligation applies to public entities, the PPA encourages other organisations—especially dual-substance entities—to voluntarily appoint a DPO. The aim is to strengthen privacy governance and compliance readiness. This initiative reflects the PPA’s commitment to enhancing data protection standards and transparency in organizational data handling practices. Public comments may be submitted until 23 September 2025.

United Arab Emirates

Dubai International Financial Centre (DIFC) enacts amendments to Data Protection Law

On 16 July 2025, the DIFC enacted Amendment Law No. 1 of 2025, revising the DIFC Data Protection Law No. 5 of 2020. One of the key changes is the introduction of a private right of action, allowing individuals to seek redress through DIFC Courts if their personal data is mishandled. The law’s scope has been expanded to cover data processing in the DIFC by controllers, processors, or sub-processors, regardless of their place of incorporation. Article 28 was also updated to clarify how third countries are assessed for data transfer adequacy. Liability rules were refined: controllers are liable for all damage caused by processing; joint controllers are liable only if responsible for the breach; and processors are liable if they breach data protection obligations or act outside lawful instructions. Notably, damage includes both financial loss and non-financial harm such as distress. Entities can avoid liability by proving no responsibility.

A New Chapter in AI-Driven Investment Services for the UAE

In July 2025, the UAE Securities and Commodities Authority issued the Chairman Resolution No. 14/2025 (Resolution), amending the Regulations Manual of Financial Activities of 2021 (Manual). The Resolution introduces the concept of “Robo-Advisor Service” - an algorithm-based technology that delivers automated investment advice and recommendations within the portfolio management sphere.

The Resolution establishes a robust regulatory framework for the delivery of this service by licensed entities, subject to a rigorous framework for licensing, governance, risk control and investor protection. These amendments mark a significant regulatory leap in the UAE’s approach to AI-driven investment services.

Africa

Nigeria

The National Information Technology Development Agency (NITDA) plans to introduce the Online Harm Protection Bill

On 25 July 2025, the NITDA announced that they intend to introduce the draft Online Harm Protection Bill during a multi-stakeholder policy workshop. Building on that foundation, the draft Online Harm Protection Bill aims to create a robust and inclusive legal framework to address emerging challenges such as online harms, misinformation, algorithmic bias, and surveillance capitalism while upholding democratic values and safeguarding individual rights.

Zambia

Inaugural Africa Digital Parliamentary Summit on AI, Data Protection and Privacy held in Lusaka

On 11 July 2025, the first ever Africa Digital Parliamentary Summit on Artificial Intelligence, Data Protection and Privacy was held in Lusaka. This marks a continental commitment to advancing digital transformation. Hosted by the Pan-African Parliament in collaboration with African Population and Health Research Center and GSMA, the summit focused on AI, data protection, privacy, digital health, and smart manufacturing. It aimed to build legislative capacity among African MPs and align policy with the African Union’s Agenda 2063. The Summit culminated in the Lusaka Declaration which calls for inclusive, responsible, and evidence-based digital governance, emphasising the need for African lawmakers to acquire skills to navigate the Fourth Industrial Revolution and ensure Africa’s competitiveness in the global digital economy.

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.