Clifford Chance

Talking Tech

Tech Policy Unit Horizon Scanner

October 2025

Artificial Intelligence | Data Privacy | Cyber Security

14 November 2025

This month we launched a report on growth and innovation, which explores the economic impact of the General Data Protection Regulation (GDPR) and its implications for Europe’s digital future. The report examines how regulatory frameworks influence innovation and competitiveness, offering practical insights for businesses navigating compliance and growth. Read the full report here: Unlocking growth: exploring the economic impact of GDPR for tomorrow’s Europe

October saw no let-up in the pace of tech regulation, with developments spanning AI governance, data protection, and digital infrastructure. In APAC, regulators focused on privacy and AI oversight. The Office of the Australian Information Commissioner issued guidance ahead of the Social Media Minimum Age Scheme, and Hong Kong’s Privacy Commissioner highlighted AI governance and international cooperation in its annual report. Japan updated its guidelines to align with the Global Cross-Border Privacy Rules system, while Vietnam opened consultation on a draft AI law introducing a tiered risk framework.

In Europe, the EU started proceedings under the Digital Services Act (DSA) to protect minors and took forward its AI implementation strategy. The European Data Protection Board (EDPB) announced GDPR transparency obligations as the focus for its 2026 enforcement action, while tax measures on tech companies continue to be a policymaker focus.

The UK saw developments including new strategic cyber resilience guidance from the National Cyber Security Centre (NCSC), the Upper Tribunal (equivalent in status to the High Court for these specialised areas) affirming the Information Commissioner’s Office jurisdiction in the Clearview AI case, and a major GDPR breach fine against Capita. The UK government also urged companies to elevate cyber risk to Board-level priority.

Elsewhere, the United States advanced measures on TikTok divestiture and critical minerals supply chains, while the Middle East and Africa introduced new initiatives, including AI infrastructure programmes in Dubai, updates to crypto token regulation, and data protection laws in Jordan and Gambia.

APAC (excluding China)

Australia

Office of the Australian Information Commissioner (OAIC) Releases Privacy Guidance for Social Media Platforms Ahead of Minimum Age Scheme Implementation

On 10 October 2025, the OAIC published Privacy Guidance on the Social Media Minimum Age (SMMA) Scheme under Part 4A of the Online Safety Act 2021. The SMMA Scheme, effective from 10 December 2025, imposes additional privacy obligations on age-restricted social media platforms and age assurance providers, supplementing the Privacy Act 1988 and Australian Privacy Principles. The Guidance requires entities to implement age-assurance measures that are necessary and proportionate, minimise the collection of personal and sensitive information, and destroy such data once the purpose is fulfilled. The Guidance aims to strengthen privacy protections for children and enhance accountability for social media platforms operating in Australia.

Hong Kong

Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) publishes Annual Report 2024–25

On 22 October 2025, the PCPD published its 2024–25 annual report, themed ‘Leveraging Artificial Intelligence for a New Digital Privacy Era’. The report outlines the PCPD’s focus on AI governance, including the release of a Model Personal Data Protection Framework and guidelines for generative AI use by employees. Data security initiatives featured prominently, with Privacy Awareness Week, a new data security package for schools and Small and Medium-sized Enterprises (SMEs), and over 190 seminars delivered. The PCPD also enhanced international engagement, co-chairing global privacy working groups and promoting cross-border data flow standards, particularly within the Greater Bay Area. Enforcement activity saw a marked reduction in doxxing cases, with 14 convictions and 41 channels shut, alongside 88 criminal investigations and 21 arrests relating to data breaches and cybercrime. The PCPD received 3,450 complaints and 18,381 public enquiries and issued enforcement notices in response to major data breaches.

Japan

Japan’s Personal Information Protection Commission (PPC) Updates Data Protection Guidelines to Incorporate Global Cross-Border Privacy Rules (CBPR) System Standards

On 8 October 2025, Japan’s PPC announced revisions to several guidelines following the launch of the Global CBPR system in June 2025. The affected guidelines include those relating to the Act on the Protection of Personal Information (APPI), certified personal information protection organisations, telecommunications businesses, administrative agencies, and certification documents for accountability agents. The PPC clarified that the Global CBPR system now qualifies as a ‘third party located abroad’ under Article 28 of the APPI, aligning with international data transfer standards. The Commission also noted that some existing guidelines do not reference the Global CBPR system, which may cause uncertainty for organisations regarding compliance. Companies are advised to review and update their data protection practices to ensure alignment with the revised guidelines and the new Global CBPR framework.

India

Competition Commission of India (CCI) publishes report on AI and Competition

On 6 October 2025, the CCI published a report examining the competitive impact of AI. The report highlights concerns such as market dominance by large AI players, barriers to switching between ecosystems, self-preferencing, and the risk of algorithmic collusion. To mitigate these risks, the CCI recommends enterprises adopt a self-audit framework, including documentation of AI decision-making, regular internal audits, and safeguards against anti-competitive outcomes. The report also calls for increased transparency to address information asymmetry and build trust in AI systems.

Philippines

Philippines’ National Privacy Commission (NPC) halts World App’s biometric data collection over privacy breaches

On 8 October 2025, the NPC issued a Cease and Desist Order against Tools for Humanity (TFH) and its local partner WCPH Corporation, following an investigation into their biometric data practices. The NPC found that TFH collected facial and iris scans during public events in exchange for digital IDs and monetary incentives, which it ruled constituted undue influence and invalidated consent. The Commission also cited TFH’s failure to provide clear information about data processing purposes, deeming the collection of iris patterns excessive and unnecessary. It warned that continued processing posed serious risks of identity theft and fraud. As a result, TFH must halt all biometric verification activities in the Philippines, disable World App downloads, and submit operational details and user counts.

South Korea

South Korea unveils national strategy for personal data protection and AI innovation

On 22 September 2025, South Korea’s Personal Information Protection Commission (PIPC) launched a national policy to strengthen personal data safeguards and support AI development. The initiative outlines five key action plans, including stricter penalties for data breaches, expanded rights for data subjects, and proactive privacy enforcement. Notably, protections for youth have been broadened, with the age threshold raised to 18 and new rights introduced to delete adolescent online posts and synthetic AI content. Companies must now appoint Chief Privacy Officers and undergo on-site audits. Legal reforms will clarify the status of the Personal Information Protection Act and harmonize overlapping regulations. The policy also promotes safe data use in emerging industries, encourages pseudonymized data innovation, and seeks cross-border adequacy agreements with countries like the UK and Japan. These measures aim to build public trust and enhance South Korea’s global competitiveness in the AI and data economy.

Vietnam

Vietnam opens consultation on AI law with tiered risk regulation and strict penalties

On 29 September 2025, Vietnam’s Ministry of Science and Technology (MST) launched a public consultation on the Draft Law on Artificial Intelligence, aiming to safeguard rights, boost economic growth, and ensure national security. The law introduces a four-tier risk framework: unacceptable, high, medium, and low, with corresponding obligations. Unacceptable-risk systems, such as manipulative or surveillance-based AI, are banned. High-risk systems in sectors like healthcare and law enforcement must meet strict requirements including risk management, human oversight, and registration. Providers of general-purpose AI models face additional documentation and safety obligations. Enforcement includes administrative, civil, and criminal penalties, with certain violations subject to fines based on global revenue. The law takes effect on 1 January 2026, with phased compliance deadlines. The consultation closes on 20 October 2025.

China

China Issues Measures for Certification of Cross-border Transfer of Personal Information

On 17 October 2025, the Cyberspace Administration of China and the State Administration for Market Regulation released the Measures for Certification of Cross-border Transfer of Personal Information, effective from 1 January 2026. As an implementation measure to the framework established under the Personal Information Protection Law, the measures provide detailed rules on how the certification process shall be arranged and supervised. The certification route allows personal information processors to undergo an evaluation by a licensed institution in relation to certain export activities, providing another option for some companies seeking to export personal information from China.

Europe

European Union

EU pushes unified digital protections for minors

On 10 October 2025, the European Commission launched formal proceedings against a number of companies. These investigations aim to determine whether certain platforms comply with DSA obligations concerning minors, specifically in areas such as age verification, default privacy settings, and algorithmic transparency.

The Commission also released an enhanced second version of its age-verification blueprint, designed to support platforms and Member States in implementing age checks. The updated framework expands onboarding options to include passports and national ID cards alongside electronic identification (eID) and is currently being pilot tested. Member States are integrating the system into national digital wallets or developing standalone age-verification apps for app store deployment, laying the groundwork for a harmonized technical solution across the EU.

These enforcement and technical measures are complemented by action in the European Parliament. The Internal Market and Consumer Protection Committee has proposed EU‑wide rules that would: set a minimum age of 16 to access social media and AI companions without parental consent (with access prohibited for children under 13); prohibit certain design practices, including engagement‑driven algorithms, addictive features, loot boxes and the monetisation of child influencers; and mandate age verification with strict DSA enforcement, including fines and potential platform bans for non‑compliance. These proposals are at committee stage and are not yet law.

EU accelerates AI adoption with strategic infrastructure and support tools

On 8 October 2025, the European Commission published its AI implementation strategy, outlining a sector-specific roadmap for deploying AI across critical domains such as defence, healthcare, and energy. Central to this strategy is a push for European technological sovereignty, with Commissioner Henna Virkkunen emphasizing a preference for EU-based solutions in funding and project selection.

To operationalize this vision, the Commission announced several key initiatives:

  • A coordinated EU-wide program for advanced AI development set to launch in early 2026.
  • An AI Implementation Forum to be established by the end of 2025, fostering dialogue among stakeholders.
  • An AI Observatory by mid-2026 to monitor trends and risks.
  • Detailed guidelines on high-risk AI classification expected in Q1 2026, followed by guidance on how the AI Act interacts with other EU regulations in Q3.

Complementing the strategic roadmap, the Commission also launched the AI Act Service Desk and a Single Information Platform to support companies navigating the new regulatory landscape. These tools offer practical guidance, particularly for providers of general-purpose AI models subject to the recently adopted code of conduct. A dedicated FAQ section compiles insights from AI Pact webinars and stakeholder feedback, helping businesses interpret and apply complex obligations.

In parallel, the EU continues to expand its physical AI infrastructure. The announcement of six new AI Factories in the Czech Republic, Lithuania, the Netherlands, Romania, Spain, and Poland brings the total to 19 centres across 16 Member States. Backed by over €500 million in joint investment, these hubs will offer startups and SMEs access to AI-optimized supercomputers and expert support.

Transparency obligations under GDPR selected for 2026 EDPB enforcement action

The European Data Protection Board (EDPB) has announced that its 2026 Coordinated Enforcement Framework (CEF) will focus on transparency and information obligations under the GDPR. This includes how organisations inform individuals about data processing, with national Data Protection Authorities (DPAs) expected to participate voluntarily. The initiative aims to strengthen enforcement and generate insights for targeted follow-up across the EU.

EU targets companies with revenues above €100 million for new levy; France moves to raise digital services tax

At the EU level, the European Commission has proposed a new flat-rate annual levy targeting companies with revenues above €100 million operating within the single market. Part of the broader “Core” initiative to fund the next Multiannual Financial Framework (2028–2034), the tax would apply to all firms in scope. Budget Commissioner Piotr Serafin framed the proposal as a fair contribution from major beneficiaries of the EU economy. However, several finance ministers have voiced concerns, warning that the measure could harm European competitiveness by discouraging investment.

In parallel, France has moved independently to raise its digital services tax, adopting an amendment on 22 October that increases the rate from 3% to 15%. This fivefold increase is part of a broader strategy, responding to U.S. tariffs. The amendment also raises the taxation threshold from €750 million to €2 billion in global revenue.

United Kingdom

NCSC publishes strategic guidance to bolster organisational cyber resilience

On 8 October 2025, the National Cyber Security Centre (NCSC) published a blog post providing guidance for organisations on strengthening cyber resilience through improved observability and proactive threat hunting. Observability is defined as maintaining a comprehensive view of activity across networks, systems, and services, while threat hunting refers to the proactive identification of cyber threats beyond those detected by existing security rules. The NCSC recommends that organisations maximise visibility across all systems and data sets, including legacy and niche environments, and encourages technology vendors to support enhanced monitoring capabilities. The guidance cautions against over-reliance on Indicators of Compromise (IOCs), which are often easily evaded by attackers, and instead supports the development and use of Tactics, Techniques, and Procedures (TTPs) to gain deeper insight into attacker behaviour. These measures are intended to support long-term cyber defence strategies and improve the detection and response to evolving threats. The NCSC’s recommendations reflect the increasing importance of proactive cyber defence in the face of sophisticated and persistent cyber risks.

UK Upper Tribunal hands down judgment on Clearview AI Inc

On 8 October 2025, the Upper Tribunal (UT) handed down its judgment in the Information Commissioner's Office's (ICO's) appeal against the First-tier Tribunal’s decision concerning Clearview AI Inc. The UT upheld three of the ICO’s four grounds of appeal, confirming that the ICO has jurisdiction to issue a £7.5 million fine and enforcement notice against Clearview AI for scraping images of UK residents and using them for facial recognition services. The UT found that Clearview’s processing of personal data constitutes monitoring the behaviour of UK residents and falls within the scope of UK data protection law, notwithstanding that its services were provided to foreign law enforcement and government agencies. The Tribunal also held that the First-tier Tribunal had erred in finding that Clearview’s processing was outside the material scope of the UK GDPR. The case has been remitted to the First-tier Tribunal to determine the substantive appeal, with the ICO’s jurisdiction affirmed.

For more on this case read our article: ICO v Clearview AI: The reach of GDPR and the breadth of 'behavioural monitoring'

UK Government urges top firms to strengthen cyber defences amid rising threats

On 14 October 2025, UK ministers and security chiefs issued a joint letter to FTSE100, FTSE250, and other leading companies, warning of escalating cyber threats and urging immediate action. The letter highlights the growing frequency and sophistication of hostile cyber activity, stressing the importance of preparedness and resilience. Companies are advised to elevate cyber risk to Board-level priority using the Cyber Governance Code of Practice, sign up for the National Cyber Security Centre’s Early Warning service, and require Cyber Essentials certification across their supply chains. The letter was signed by senior officials including the Secretary of State for Science, Innovation and Technology, the Chancellor of the Exchequer, and the CEO of the NCSC. The initiative aims to embed cybersecurity into strategic decision-making and protect UK businesses and citizens from financial and social harm.

UK ICO fines Capita £14M for GDPR failures in major data breach

On 15 October 2025, the ICO fined Capita plc £8 million and Capita Pension Solutions Limited (CPSL) £6 million for UK GDPR violations following a 2023 cyber-attack. The breach exposed personal data of 6.6 million individuals, including sensitive pension and criminal record information. The ICO found that Capita failed to implement adequate technical and organisational safeguards, violating Articles 5(1)(f), 32(1), and 32(2) of the UK GDPR. Key failures included delayed response to security alerts, lack of administrative account tiering, and insufficient penetration testing. CPSL, which processes data for over 600 pension schemes, was also found non-compliant. Capita admitted liability and agreed to pay the full £14 million penalty without appeal. The case underscores the importance of timely breach response and continuous security testing for systems handling sensitive data.

For more on this case read our article: ICO fines Capita for UK GDPR infringements following March 2023 data breach

Americas

The United States of America

TikTok Divestiture Framework: Executive Order Approves U.S.-Led Joint Venture

On 25 September 2025, President Donald Trump issued an executive order requiring ByteDance to divest its ownership stake in TikTok’s U.S. operations and create a new entity. The framework establishes a new joint venture majority-owned and governed by U.S. investors, with Oracle serving as the designated security provider responsible for data storage and algorithm oversight. ByteDance will reduce its ownership stake to below 20% and license its proprietary recommendation algorithm to the U.S. entity, but will have no role in governance and security oversight. A ByteDance spokesperson said, “ByteDance will work in accordance with applicable laws to ensure TikTok remains available to American users through TikTok U.S.”

U.S. and Australia Announce Over $3 Billion in Joint Investments to Strengthen Critical Minerals Supply Chains and Defense Cooperation

On 20 October 2025, the U.S. and Australia signed the Critical Minerals Framework Agreement, committing over $3 billion to joint mining and processing projects, including a $2.2 billion financing package from the U.S. Export-Import Bank. The deal supports initiatives like a gallium refinery in Western Australia and incorporates defense-related contributions under the Australia-United Kingdom-United States treaty (AUKUS), including unmanned underwater vehicles, Apache helicopters, and submarine industrial base support. The Framework outlines a non-binding action plan to enhance supply chain resilience and market stability for critical minerals and rare earths, with new capacity expected in 2026 and a ministerial meeting planned within 180 days to promote investment.

Middle East

United Arab Emirates

Dubai Financial Services Authority consults on further updates to Crypto Token regulation

On 21 October 2025, the Dubai Financial Services Authority (DFSA) published Consultation Paper 168 (CP 168), proposing further updates to its regulatory framework for Crypto Tokens within the Dubai International Financial Centre (DIFC). This follows earlier consultations and rulemaking (CP 143, CP 150, and CP 153), which addressed anti-money laundering (AML), counter-terrorism financing, technology, governance, custody, disclosure, market abuse, and financial crime. Key proposals in CP 168 include removing existing thresholds and restrictions on funds investing in Crypto Tokens, provided a suitability assessment is conducted, and shifting responsibility for suitability assessments from the DFSA to regulated persons. Minor amendments to conduct requirements are also proposed, reflecting market feedback. The DFSA will issue Supervisory Guidelines to assist market participants in complying with the revised framework. These developments aim to align the DIFC’s regime with international standards, support responsible innovation, and enhance investor protection. The consultation closed on 31 October 2025.

Dubai launches new AI initiatives to accelerate digital transformation

On 19 October 2025, Dubai’s Crown Prince, Sheikh Hamdan bin Mohammed, announced a package of AI initiatives designed to accelerate the city’s digital infrastructure and drive public sector innovation. Central to these measures is the launch of the AI Infrastructure Empowerment Platform, which provides government departments with a secure, integrated environment for the development and deployment of AI solutions. This platform combines advanced infrastructure with ready-to-use smart services, enabling streamlined implementation and enhanced operational efficiency across government operations. Additionally, Dubai has established the AI Acceleration Taskforce, following consultations with Chief AI Officers from 27 government entities and led by the Dubai Centre for Artificial Intelligence. The taskforce will coordinate unified strategies for AI adoption and deployment, promoting institutional integration and effective decision-making. The package also includes the Unicorn 30 Programme, aimed at supporting the growth of 30 start-ups into global unicorns.

DFSA launches DFSA Connect to streamline regulatory approvals

On 13 October 2025, the DFSA unveiled DFSA Connect at Gulf Information Technology Exhibition (GITEX), introducing a digital platform to simplify authorisation and regulatory approval processes within the DIFC. The system aims to make applications faster and more user-friendly, addressing an 18% rise in authorisation requests this year. DFSA Connect promises a 33% efficiency gain through automation and streamlined workflows, reducing manual steps and delays. Future enhancements will integrate AI to personalise services and accelerate approvals. DFSA emphasises that this initiative reflects its commitment to innovation, responsible regulation, and strengthening Dubai’s position as a leading financial and technology hub.

Jordan

Jordan enacts Regulation on Data Subject Rights for 2025

On 16 September 2025, Jordan’s Prime Ministry approved the Regulation on the Organisation of Data Subject Rights, reinforcing protections under the Personal Data Protection Law. The Regulation mandates explicit informed consent for data processing, mechanisms for withdrawing consent, and procedures for complaint handling. Data controllers must implement clear, publicly accessible processes for managing personal data, addressing complaints, and ensuring compliance. These measures aim to enhance transparency, accountability, and trust in Jordan’s digital economy while aligning with international best practices in data governance.

Africa

Kenya

Kenya and Romania sign Memorandum of Understanding to bolster cybersecurity cooperation

On 7 October 2025, Kenya and Romania signed a Memorandum of Understanding (MoU) to enhance cooperation on cybersecurity. The agreement, formalised in Bucharest during a cybersecurity conference, was led by Kenya’s National Computer and Cybercrimes Coordination Committee and Romania’s National Cyber Security Directorate. Kenya’s ICT minister, William Gitau, emphasised that the MoU establishes a framework for information sharing, joint incident response, capacity building, and the development of advanced cybersecurity solutions.

Gambia

Gambia moves ahead with data protection regime with passage of Personal Data Protection and Privacy Bill

On 29 September 2025, the National Assembly of Gambia passed the Personal Data Protection and Privacy Bill, 2025, which now awaits Presidential assent before entering into force. The legislation establishes a framework for the protection of personal data and privacy rights, aligning with the Economic Community of West African States (ECOWAS) Supplementary Act on Personal Data Protection. Key provisions address principles of data processing, lawful processing, special categories of data, and the processing of children’s data. The Ministry of Information, Media, and Broadcasting Services has described the Bill as a significant step towards strengthening data protection and fostering trust in Gambia’s digital transformation.

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.