Tech Policy Unit Horizon Scanner
September 2025
September 2025 has seen a marked acceleration in regulatory activities across the global technology landscape, with several jurisdictions introducing or refining frameworks to address the challenges and opportunities presented by artificial intelligence (AI), data protection, and cybersecurity.
Two prominent themes emerge from this month’s developments: the rapid institutionalisation of AI governance and the intensification of cross-border data and cybersecurity frameworks.
In the Asia-Pacific region, Japan’s full enactment of the AI Promotion Act and the establishment of its AI Strategy Council mark a decisive step towards embedding “Trustworthy AI” at the heart of national policy, with parallel moves to strengthen cybersecurity and cross-border data cooperation with the EU. South Korea, Taiwan, and Thailand are similarly advancing legislative and ethical frameworks for AI, while Malaysia and the Philippines are modernising data protection regimes and privacy engineering standards. Singapore’s latest cyber landscape report underscores the region’s heightened exposure to sophisticated threats, prompting legislative amendments and renewed emphasis on international collaboration.
China continues to assert its regulatory influence, consulting on significant amendments to its Cybersecurity Law and introducing new obligations for network operators and major platforms in relation to incident reporting and personal information protection.
In Europe, the entry into force of the EU Data Act and the launch of the digital omnibus package reflect a concerted effort to streamline and harmonise the region’s digital regulatory environment. The European Commission and Council of Europe are prioritising privacy and transparency in AI, while recent court decisions in the EU have provided important clarification on transatlantic data transfers and the scope of pseudonymisation. France and Germany’s joint agenda on digital sovereignty and cloud infrastructure further underscores the strategic importance of technological self-sufficiency.
The United Kingdom has continued to refine its approach to AI assurance and data security, with the ICO issuing final guidance on encryption and the government publishing a roadmap for trusted third-party AI assurance. The latest AI Sector Study highlights sustained growth and signals future policy priorities, particularly in responsible AI and international competitiveness.
In the United States, a remedies ruling in the Google antitrust case and a new federal partnership with xAI start to crystalise the approach there to platform regulation and public sector AI adoption. Meanwhile, the Middle East and Africa are seeing a wave of sovereign AI initiatives, data protection reforms, and digital infrastructure projects, with a growing emphasis on aligning with international standards and fostering innovation.
Collectively, these developments signal a global shift towards more structured, risk-based regulation of digital technologies. For organisations and their advisers, the challenge is to anticipate regulatory change, engage proactively with emerging standards, and ensure compliance in an increasingly complex and interconnected environment.
APAC (excluding China)
Japan
Enactment of the AI Promotion Act, Establishment of the AI Strategy Council, and Drawing up the Basic AI Plan
On 1 September 2025, the “Act on Promotion of Research and Development, and Utilization of AI-related Technology (AI Promotion Act)” was fully enacted. Based on the AI Promotion Act, the government plans to draw up a Basic AI Plan within this year - the proposed Basic AI Plan has four strategies: (1) promoting the active use of AI; (2) strengthening Japan’s capability to develop “Trustworthy AI”; (3) ensuring the legality of AI based on the research under the AI Act and taking a leading role in international governance; and (4) continuously transforming industries, employment, systems, and social structures for “collaboration between humans and AI”.
Japanese Government convenes two meetings on the Proactive Cybersecurity Law
On 19 September 2025, the government held the Cybersecurity Promotion Expert Meeting to begin drawing up a new “Cybersecurity Strategy” based on the Proactive Cybersecurity Law promulgated in February 2025. The new Cybersecurity Strategy has three aims: (1) countering increasingly serious cyber threats; (2) enhancing cybersecurity across society; and (3) developing human resources and promoting research and development to support cyber response capabilities.
On the same day, a separate council of knowledgeable persons was also held to discuss the implementation of the Proactive Cybersecurity Law. This council aims to draw up the basic guidelines for preventing damage caused by specified malicious acts. The basic guidelines will clarify the fundamental measures necessary to ensure that the functioning the policies under the Law effectively and will set out principles to ensure the proper execution of related tasks. The government is aiming to finalise these guidelines within the year.
Expansion of the Framework for Personal Data Sharing between Japan and the EU
On 18 September 2025, Chairperson Satoru Tezuka of the Personal Information Protection Commission (PIPC) and Commissioner Michael McGrath of the European Commission held talks to promote cooperation between Japan and the EU in the fields of data protection and data transfers. Agreement was reached on the smooth cross-border transfer of personal data in the field of academic research. They also decided to hold further discussions on expanding the scope to the public sector, with the aim of concluding these talks by the end of the year.
Malaysia
Malaysia Opens Public Consultation on Amendments to 2013 Data Protection Regulations
On 25 August 2025, Malaysia’s Department of Personal Data Protection consulted on proposed amendments to the 2013 Data Protection Regulations, including updating key terms, mandating Data Protection Officers for controllers and processors, requiring breach notifications, and allowing data subjects to request data transfers between controllers. Penalties for breaches are also set to increase.
Philippines
Philippines NPC Issues Advisory on Privacy Engineering Across System Lifecycle
On 27 August 2025, the National Privacy Commission released Advisory No. 2025-02, outlining requirements for personal information controllers and processors to integrate privacy engineering throughout system life cycles. The guidance promotes privacy-by-design and privacy-by-default principles, aiming to ensure compliance with the Data Protection Act and safeguard data subjects’ rights at all stages of data processing.
Singapore
Singapore Cyber Landscape Report Highlights Rise in Threats and Legislative Updates
On 3 September 2025, Singapore’s Cyber Security Agency published its Cyber Landscape 2024/2025 report, highlighting increased ransomware, APT activity, and AI-driven threats. Singapore faced a surge in advanced cyber threats, including a 21% increase in ransomware cases in 2024. The Cyber Security Agency emphasized cooperation with critical infrastructure owners and launched new plans for OT cybersecurity. Legislative amendments to the Cybersecurity Act now expand oversight and reporting, while AI’s role in security, both defensive and offensive, is growing, with new guidelines issued.
South Korea
South Korea PIPC Announces Reforms for AI and Emerging Industries
On 15 September 2025, South Korea’s Personal Information Protection Commission (PIPC) unveiled regulatory reforms to boost AI, autonomous mobility, and robotics. Key changes include fair use guidelines for AI training with copyrighted data, expanded access to public data, and new standards for autonomous vehicles and robotics. These reforms aim to foster innovation and provide clarity for emerging tech sectors.
South Korea’s PIPC Signs Joint Declaration on Personal Data Protection in the AI Era
On 17 September 2025, at the 47th Global Privacy Assembly in Seoul, South Korea’s PIPC joined 20 other supervisory authorities in signing a declaration focused on personal data protection and governance for AI. The declaration commits to exploring lawful processing bases, using scientific risk approaches, and implementing privacy-by-design, with an emphasis on leadership and international cooperation in AI innovation.
Taiwan
Taiwan Executive Yuan Passes Draft Basic Law on AI
On 28 August 2025, Taiwan’s Executive Yuan approved a draft law for human-centric AI, defining AI systems and setting requirements for sustainability, privacy, security, and risk management. The law assigns the government roles in AI research, education, infrastructure, and data protection. Next, the draft heads to the Legislative Yuan for further consideration.
Thailand
Thailand ETDA Releases Study on Driving AI Development Aligned with UNESCO Ethics
On 1 September 2025, Thailand’s Electronic Transactions Development Agency (ETDA) published a study on AI development, reflecting UNESCO’s 'Recommendation on the Ethics of Artificial Intelligence' . With input from over 45 organizations, the study notes that Thailand’s Personal Data Protection Act PDPA provides a solid data governance base, but there’s no dedicated AI law or ethical assessment framework. Recommendations include adopting voluntary soft law, AI certification, safe testing sandboxes, and interdisciplinary approaches to foster ethical AI.
China
China's Cyberspace Administration Issues the Administrative Measures on the Reporting of Cybersecurity Incidents
On 15 September 2025, the Cyberspace Administration of China issued the Administrative Measures on the Reporting of Cybersecurity Incidents. These measures require all network operators in China to report cybersecurity incidents caused by attacks, vulnerabilities, or force majeure. Incidents are categorized into four levels based on impact. The measures will take effect from 1 November 2025.
China consults on the amendments to the PRC Cybersecurity Law
On 12 September 2025, the Standing Committee of the PRC National People's Congress released the Consultation Draft of the PRC Cybersecurity Law proposing amendments to the currently effective PRC Cybersecurity Law promulgated in 2017. The Consultation Draft introduces stricter legal liability for network operators' non-compliance in areas such as network protection, incident response, real-name authentication, cybersecurity certification/testing, handling illegal content, and national security reviews for critical infrastructure. It also adds new legal liability for supplying unqualified network critical equipment or cybersecurity products, requiring certification/testing by qualified institutions, with penalties for non-compliance. The Standing Committee is seeking public comments on the Consultation Draft until 11 October 2025.
China consults on the Provisions on the Establishment of Personal Information Protection Supervision Committees by Significant Network Platforms
On 12 September 2025, the Cyberspace Administration of China released the Consultation Draft of the Provisions on the Establishment of Personal Information Protection Supervision Committees by Significant Network Platforms. If finalized, these provisions will require major network platforms to establish independent committees to oversee personal information protection. The consultation is open until 12 October 2025.
For more information on the consultation, read our article: China consults on the Provisions on the Establishment of Personal Information Protection Supervision Committees by Significant Network Platforms.
Europe
European Union
EU Data Act enters into force with sector-specific guidance on vehicle data access
On 12 September 2025, the EU Data Act (Regulation (EU) 2023/2854) officially became applicable across all Member States. The regulation introduces a comprehensive framework to facilitate fair access to data, promote interoperability, and support data-driven innovation, particularly for businesses and consumers. For more on the act read our article : EU Data Act: A new era for data sharing has begun
To support implementation, the European Commission announced several following measures:
A Legal Helpdesk to assist companies with practical questions, including how to protect trade secrets under the new rules.
The upcoming publication of model contractual terms for data sharing and standard cloud contract clauses.
A forthcoming Data Union Strategy aimed at streamlining the EU’s broader data governance landscape.
In parallel, the Commission released sector-specific guidance clarifying how the Data Act applies to vehicle data. The document outlines that users and authorized third parties have rights to access and use raw and pre-processed data generated by connected vehicles and related services. However, inferred or derived data, produced through complex analytics, is excluded from mandatory sharing obligations.
EU unveils digital omnibus to streamline tech regulations
The European Commission has launched an initiative to simplify digital legislation through the upcoming digital omnibus package, expected in Q4 2025. Henna Virkkunen, Executive Vice-President for Digital Sovereignty, announced it will particularly be focusing on notification obligations under the Cybersecurity Act. The AI Act will also be assessed for coherence with other frameworks such as the Digital Services Act (DSA). Importantly, the EU General Data Protection Regulation (GDPR), DSA, and Digital Markets Act (DMA) are excluded from this package and will be evaluated separately in 2026. A parallel “health check” will also assess whether further simplification of data regulations is needed. The Commission opened a public consultation on 16 September to gather input on five key areas: non-personal data, cookie policy, cybersecurity, AI, and digital identity. The goal is to reduce compliance burdens, streamline incident reporting, and enhance legal predictability, especially for small and medium-sized enterprises (SMEs)SMEs navigating the AI Act’s phased implementation. The consultation closes on 14 October 2025.
Council of Europe releases draft guidelines on privacy and data protection in the context of large language models (LLM)-based systems
ON September 2 2025 the Council of Europe issued draft guidelines under Convention 108+ to address privacy and data protection in large language model (LLM) systems. These guidelines take a comprehensive, lifecycle-based approach, covering everything from training and fine-tuning to deployment and user interaction. They reaffirm core principles such as lawfulness, transparency, purpose limitation, and accountability, and apply them to emerging challenges like hallucinations, personal data inference, and synthetic data use. The document calls for privacy-by-design, supported by interdisciplinary collaboration, risk assessments, and alignment with existing frameworks like the EU GDPR and the EU AI Act.
Commission consults on the development of guidelines on transparency requirements for certain AI systems under Article 50 of the EU AI Act.
On 4 September 2025, the European Commission opened a consultation on the development of guidelines on transparency requirements for certain AI systems under Article 50 of the EU AI Act. The consultation asks for responses to 20 questions on labelling AI-generated content and ensuring systems are effective, interoperable, and reliable. The code, which will be accompanied by practical guidelines, is expected to enter into force on 2 August 2026, with a drafting process involving stakeholders set to begin this autumn. The consultation closes on 9 October 2025.
EU Courts uphold EU-US data privacy framework and clarify scope of pseudonymisation
In two landmark decisions issued on consecutive days in September 2025, the European Union’s judiciary provided significant clarity on transatlantic data transfers and the qualification of pseudonymised personal data.
On 3 September 2025, the EU General Court affirmed the European Commission’s adequacy decision (EU 2023/1795), confirming the validity of the EU-US Data Privacy Framework. The decision enables data transfers to US organizations certified under this framework. The Court dismissed all challenges brought by French MP Philippe Latombe, notably upholding the independence of the Data Protection Review Court (DPRC) and the adequacy of US legal safeguards. The ruling clarified that the DPRC, as an external judicial body, operates independently and possesses binding authority to overturn intelligence findings, with protections against executive interference as stipulated in Executive Order 14086. The Court also rejected claims regarding bulk surveillance under Section 702 of the Foreign Intelligence Surveillance Act, affirming that only targeted surveillance is permissible and that post-factum oversight mechanisms are sufficiently robust. Additionally, the Court found US sectoral laws to offer protections comparable to the GDPR in automated decision-making contexts. This decision is open to appeal before the Court of Justice of the European Union within two months and ten days.
For more on this case read our article: Transatlantic Data Transfers: Where the DPF Stands Post-Latombe
On 4 September 2025, the Court of Justice clarified the scope of pseudonymisation. In a case involving the Single Resolution Board’s transfer of pseudonymised shareholder and creditor comments to Deloitte, the Court held that personal opinions, even when pseudonymised, may still constitute personal data as they are inherently tied to their authors. The Court emphasized that identifiability depends on the circumstances and the recipient’s access to re-identification means. Importantly, the controller’s duty to inform data subjects applies at the moment of collection, regardless of whether the recipient can identify the data subjects. The judgment set aside the previous General Court decision and referred the case back for further consideration.
For more on this case read our article: Pseudonymized data after EDPS v SRB
Joint Franco-German agenda targets cloud sovereignty and tech regulation
On 1 September 2025, France and Germany launched a coordinated strategy to reinforce European digital sovereignty, including a sovereign cloud infrastructure and protection against foreign data access. A European summit on digital sovereignty is scheduled for 18 November in Berlin, where further steps will be discussed, including the revision of the EU Cybersecurity Act. The two countries also plan joint efforts on AI, quantum technologies, and sovereign office software suites to reduce reliance on non-European providers. Their joint economic agenda calls for simplifying the GDPR through a risk-based approach, especially for SMEs, and proposes expanding the DMA to cover cloud-based AI services. They also advocate stronger rules against predatory acquisitions and a revision of EU merger guidelines to better address innovation and competitiveness challenges. France and Germany urge the European Commission to reform the “Tris” notification mechanism, citing delays and legal uncertainty in national regulation efforts. Recent Commission objections to French initiatives, such as smartphone sustainability labelling, cloud credit regulation, and fast fashion advertising bans, highlight broader sovereignty tensions under the Digital Services Act.
United Kingdom
ICO issues final guidance on encryption under UK GDPR
On 2 September 2025, the ICO published final guidance on encryption, affirming its status as a core security measure under the UK GDPR’s integrity and confidentiality principle. The guidance details when encryption should be applied, the importance of robust key management, and the need for risk assessments, emphasising that ineffective implementation may undermine data protection obligations. End-to-end encryption and privacy-enhancing technologies (PETs) are excluded from scope.
UK DSIT publishes roadmap for trusted third-party AI assurance
On 3 September 2025, the Department for Science, Innovation & Technology released a policy paper outlining a roadmap to foster secure and trusted AI adoption in the UK. Key measures include establishing a multistakeholder consortium, developing a skills and competencies framework for AI assurance, and launching an AI Assurance Innovation Fund targeting eight strategic sectors to support market quality and innovation.
UK Government publishes 2024 AI Sector Study
On 3 September 2025, the Department for Science, Innovation and Technology published its annual AI Sector Study, providing updated estimates on the size, scope, and economic contribution of UK-based AI firms. The study highlights continued growth in AI investment, employment, and regional activity, and identifies emerging trends such as increased adoption of foundation models and sector-specific AI applications. While the report does not introduce new regulations, it signals areas of future policy focus, including talent development, responsible AI, and international competitiveness.
UK NCSC issues guidance on mitigating generative AI risks through disclosure programmes
On 2 September 2025, the National Cyber Security Centre published guidance on managing risks in generative AI systems, emphasising the importance of Safeguard Bypass Bounty and Disclosure Programmes. These initiatives encourage researchers to identify and report vulnerabilities, strengthening AI safeguards against bypass techniques such as jailbreaking and prompt injection. Effective programmes require clear scope, robust internal review, and reproducible reporting mechanisms.
Americas
The United States of America
US v. Google (2020) Remedies Ruling: Court Rejects DOJ’s Breakup Request, Imposes Behavioural Remedies and Oversight
On 20 October 2020, the US Department of Justice (DOJ) and 11 states jointly filed a complaint against Google in the District Court for the District of Columbia under the Sherman Antitrust Act, alleging that Google unlawfully monopolized the search engine market through exclusive distribution agreements with browser developers, device manufacturers, and wireless carriers. On 5 August 2024, the court found Google liable for maintaining a monopoly of general search services and general search text advertising markets.
On 2 September 2025, the court issued its remedies ruling, rejecting the DOJ’s request to require Google to divest its Chrome browser or Android operating system. Instead, the court ordered Google to cease entering or maintaining exclusive distribution agreements for Google Search, Chrome, Google Assistant, and the Gemini app. The court further directed Google to provide certain search index and user-interaction data to qualified competitors and to offer search and search text ads syndication services on commercial terms. Additionally, the court declined to prohibit Google from making payments for default placement. The remedies judgment is set for a six-year term and includes the establishment of a technical committee to oversee compliance.
US Federal Agencies and Elon Musk's xAI Partnership for AI Adoption
On 25 September 2025, the US General Services Administration (GSA) announced a strategic partnership with xAI, Elon Musk’s artificial intelligence company, to expedite the adoption of AI technologies across federal agencies. The agreement allows federal agencies to access xAI’s AI solutions for a nominal fee of $0.42 per agency to significantly reduce procurement barriers and administrative overhead.
The partnership is intended to streamline the acquisition process for AI services, allowing agencies to quickly and cost-effectively integrate AI tools into their operations. The initiative is intended to support the federal government’s modernization agenda by aiming to enhance efficiency, improve public service delivery, and foster innovation in areas such as data analysis, automation, and decision-making.
Middle East
Saudi Arabia
Saudi Arabia launches HUMAIN Chat, the first Arabic-first conversational AI app
On 25 August 2025, HUMAIN, a Public Investment Fund (PIF) company, announced the launch of HUMAIN Chat, a next-generation Arabic conversational AI application powered by ALLAM 34B, its flagship large language model. Initially available in Saudi Arabia, with plans for regional and global expansion, HUMAIN Chat is designed to serve over 400 million Arabic speakers, addressing historic gaps in digital inclusion and linguistic equity. Key features include real-time web search, Arabic speech input across dialects, seamless bilingual switching, conversation sharing, and full compliance with Saudi Personal Data Protection Law PDPL, with all data hosted locally. The launch marks a significant milestone in sovereign AI, combining technical advancement with cultural authenticity, and aims to accelerate innovation and progress across the region and beyond.
United Arab Emirates
AI-Powered Financial Crime Detection System Launches
On 17 September 2025, Themis launched a new AI-driven platform in Abu Dhabi, the AI Investigator, to revolutionise financial crime detection. The system automates due diligence by analysing ownership structures, media coverage, and regulatory documentation, processing millions of data points in minutes. Using behavioural analysis and pattern matching, it identifies potential criminal activity across sectors including finance, real estate, professional services, and government. This marks a major leap in investigative efficiency and precision, significantly reducing timelines and enhancing regulatory oversight.
Abu Dhabi Global Market (ADGM) introduces Substantial Public Interest Rules under Data Protection Regulations
On 11 June 2025, the ADGM's Registration Authority issued a Consultation Paper which proposed amendments to the Data Protection Regulations 2021 (Regulations). The purpose of the Consultation Paper was to introduce additional substantial public interest grounds, applicable to the processing of special categories of personal data, relating to insurance and safeguarding of certain individuals.
Following this Consultation Paper, on 9 September 2025, the ADGM's Registration Authority made amendments to the Regulations and introduced certain Rules, with immediate effect, containing conditions applicable to the processing of special categories of personal data relating to insurance companies and safeguarding children and adults at risk.
Oman
Oman launches Artificial Intelligence Zone Development Project in Muscat
On 8 September 2025, Oman’s Ministry of Transport, Communications and Information Technology, in partnership with the Public Authority for Special Economic Zones and Free Zones, announced the launch of the Artificial Intelligence Zone Development Project in Seeb, Muscat. The initiative aims to establish a dedicated hub for AI-driven enterprises and technology startups from Oman, the Middle East, and Africa, fostering innovation and supporting the growth of local and regional AI businesses. The project is expected to enhance Oman’s digital infrastructure, create high-value jobs, and position Oman as a regional leader in advanced technologies. Governance will be shared between the Public Authority, responsible for regulatory and legislative oversight, and the Ministry, which will manage the tendering process for international developers. Companies operating within the zone will benefit from incentives, exemptions, and streamlined procedures under Oman’s special economic zone framework. Ufuq Investment and Real Estate Development Company will implement the first phase, including master planning, infrastructure development, and daily operations, while also promoting the zone, supporting startups, and advancing Oman’s In-Country Value and CSR objectives. This project underscores Oman’s commitment to digital transformation and sustainable economic growth.
Israel
Privacy Protection Authority (PPA) consults on draft regulations for administrative enforcement
On 2 September 2025, the PPA announced the publication of draft Privacy Protection Regulations (Administrative Notice) for public consultation. The Draft Regulations set out the circumstances in which the head of the PPA may issue an administrative warning instead of a financial penalty under the amended Protection of Privacy Law (PPL). Specifically, warnings may be issued where: (i) the breach concerns a new legal provision within three months of its entry into force; (ii) it is a first violation of certain provisions; (iii) the breach follows a shift to stricter enforcement; or (iv) the relevant provision is deemed unclear by the PPA. Administrative warnings are only available where a financial penalty could otherwise be imposed, and will not be issued if no breach is ultimately found. The consultation is open for comments until 23 September 2025.
Africa
Kenya
Kenya launches stakeholder consultations on Malabo Convention accession
On 8 September 2025, Kenya’s Office of the Data Protection Commissioner commenced national consultations on accession to the African Union’s Malabo Convention, which establishes a pan-African framework for cybersecurity and personal data protection. Stakeholders from academia, civil society, the private sector, and government are invited to submit feedback by 6 October 2025. The process aims to ensure broad sectoral input into Kenya’s accession.
Mozambique
Mozambique launches public consultation on draft data protection bill
On 2 September 2025, Mozambique’s National Institute of Information and Communication Technologies opened a public consultation on a draft data protection bill. The bill establishes principles for personal data processing, data subject rights, appointment of a data protection officer, breach notification, and international transfers. It also introduces a National Data Protection Authority and provides for civil and administrative penalties for non-compliance.
Nigeria
Nigeria reviews Internet Code of Practice to strengthen privacy and cybersecurity
On 29 August 2025, the Nigerian Communications Commission concluded its consultation on proposed updates to the Internet Code of Practice. Key proposals include enhanced governance of online content, stricter privacy and data protection obligations, regulation of AI and emerging technologies, and alignment with international cybersecurity standards. The revised Code aims to balance open internet principles with robust safeguards for users and infrastructure.
Additional information
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.