January 2026 opened where 2025 left off with governments accelerating efforts to modernise data‑governance frameworks, respond to emerging AI‑related risks (especially relating to protecting minors) and reinforce cyber security and critical infrastructure.

In the Asia‑Pacific region, several jurisdictions moved from legislative design to implementation: Vietnam and Malaysia saw major data and online‑safety laws come into force, Taiwan activated its first AI‑specific legislation, and Japan advanced two major initiatives simultaneously — active cyber‑defence planning and a comprehensive review of its personal‑information protection regime. China, meanwhile, continued its rapid regulatory cycle with three major consultations covering personal‑information governance, financial‑data classification, and protections for minors online.

Across Europe, digital‑policy reform remained at the forefront. The European Commission tabled proposals for both a strengthened Cybersecurity Act and a new Digital Networks Act (DNA). We have published articles on both these developments.  EU cyber reforms proposed, including overhauled Cybersecurity Act provides an overview of key changes in the Commission's proposal and Commission sets out plans to update to EU telecoms rules with Digital Networks Act outlines the key points for telecoms operators, financial investors and other industry players alike. We will be producing further updates on the DNA in the coming months exploring some of the proposals in more depth.

Elsewhere the United States advanced high‑value industrial policy through proposed CHIPS Act investments and tabled new legislation reshaping energy infrastructure for AI data centres. In the Middle East and Africa, data‑governance and cybersecurity frameworks were in focus, including updated crypto‑token rules in Dubai, new secondary‑data‑use principles in Saudi Arabia, adequacy recognition across key Gulf financial centres, and major strategic digital‑economy initiatives in Kenya and Nigeria.

THE REGIONS IN DETAIL

APAC (Excluding China)

Indonesia

Constitutional Court Upholds Personal Data Protection Law

On 19 January 2026, Indonesia’s Constitutional Court upheld the validity of the country’s Personal Data Protection Law, dismissing a challenge to the rules governing transfers of personal data outside Indonesia. The Court concluded that these provisions pursue a legitimate objective—ensuring that personal data sent abroad is adequately protected—and that the associated requirements for safeguards and regulatory oversight are proportionate. It further found that the rules do not violate constitutional protections related to legal certainty or personal security and are consistent with widely recognised international standards for cross­border data transfers. As a result, the law continues to apply in full, including all obligations relating to sending personal data overseas.

Japan

Japan’s Personal Information Protection Commission Publishes Policy Outline for the Upcoming Review of the Personal Information Protection System

On 9 January 2026, Japan’s Personal Information Protection Commission published a policy document setting out proposed amendments to the Act on the Protection of Personal Information (APPI). It identifies four areas for examination: data utilisation, risk‑based rules, prevention of improper use, and the effectiveness of compliance mechanisms. The specific amendments under consideration include an exemption from consent requirements when personal data is used solely for educating AI systems, adjustments to notification duties in the event of a data breach, and the introduction of an administrative surcharge system.

Malaysia

Malaysia – Online Safety Act Enters Into Effect

On 1 January 2026, the Malaysian Online Safety Act 2025 entered into effect, applying to application services, content application services, and network services using internet access, while excluding private messaging features. The Act mandates service providers to implement safety measures including harmful‑content reduction tools, user privacy controls, reporting mechanisms, child‑specific protections, and an Online Safety Plan. It also establishes an Online Safety Committee responsible for advising on harmful content categories and mitigation methods. The Malaysian Communications and Multimedia Commission may impose penalties of up to MYR 10 million for non‑compliance.

South Korea

South Korea Amends Personal Information Protection Level Assessment Rules

On 7 January 2026, the Personal Information Protection Commission (PIPC) issued Notice No. 2026‑04, amending the rules for personal information protection level assessments. The amendment prioritises evaluations for institutions processing large volumes of sensitive or unique identification data or those with repeated breaches, and introduces procedures including annual planning, material submission, on‑site verification, and result disclosure. It also expands the scope of entities subject to evaluation to include local government‑funded and invested institutions following changes to the Enforcement Decree of the Personal Information Protection Act. Evaluation results will be used to promote best practices, support compliance, and impose corrective measures where necessary.

Taiwan

Taiwan's AI Basic Law Comes Into Force

On January 14, 2026, Taiwan’s AI Basic Law came into force. The AI Basic Law emphasises human-centric AI development and research. The law mandates adherence to social ethics and outlines seven guiding principles, including sustainability, privacy, and fairness. The National Science and Technology Council is designated as the main authority for AI governance under this law.

Vietnam

Vietnam's Personal Data Protection Law (PDPL) Comes Into Force

On 1 January 2026, Vietnam’s PDPL took effect. The law prohibits illegal processing, trading, or leaking of personal data, and imposes severe penalties, including fines and revenue-based sanctions for cross-border violations. Data transfers are strictly regulated and require consent and compliance. Small businesses and start-ups are granted exemptions from certain provisions for five years.

China

Chinese authorities seek public comments on draft Guidelines on data classification for financial information services

On 24 January 2026, the Cyberspace Administration of China released the Guidelines on Data Classification and Grading for Financial Information Services (Consultation Draft) for public comment. The draft applies to financial information service providers operating in the PRC and sets out rules for data classification, data grading, and identification of important data, with reference to the Cybersecurity Law, the Data Security Law, and relevant regulations. It categorises financial information service data by business attributes and grades data into four levels, including core data and important data, based on potential security and societal impact. Comments are requested by 23 February 2026.

Chinese authorities issue Measures on the Classification of Online Information Potentially Harmful to Minors

On 23 January 2026, the Cyberspace Administration of China, together with seven other authorities, issued the Measures for the Classification of Online Information That May Affect the Physical and Mental Health of Minors.. The measures, which will take effect on 1 March 2026,define categories, scope, and judgment criteria for online information that may negatively affect minors, including content inducing unsafe behavior, improper values, misuse of minors’ images, and improper disclosure of minors’ personal information. They require content producers and online service providers to adopt prevention and mitigation measures, including prominent content warnings and restrictions on algorithmic recommendation to minors. Violations will be handled in accordance with relevant laws and regulations.

China’s Information Security Standardization Technical Committee releases guidelines on Security Functions for AI Accelerator Chips

On 12 January 2026, the National Information Security Standardization Technical Committee released the Cybersecurity Standard Practice Guide — Technical Requirements for Security Functions of Artificial Intelligence Accelerator Chips. The practice guide sets out security function requirements and testing methods for AI accelerator chips across seven areas, including hardware security, interface security, firmware security, secure storage units, cryptographic mechanisms, fault detection and diagnostics, and data protection. It applies to the design, development, and application of AI accelerator chips, and serves as a reference for conducting related security assessment, testing, and certification activities.

Chinese authorities release Draft Rules on the Collection and Use of Personal Information by Internet Applications

 On 10 January 2026, the Cyberspace Administration of China released the Provisions on the Collection and Use of Personal Information by Internet Applications (Consultation Draft) for public comment. The draft applies to internet application operators, software development kit providers, distribution platforms, and smart terminal manufacturers involved in the collection and use of personal information. It sets out detailed requirements on transparency, consent mechanisms, permission requests, and data minimization, including restrictions on excessive permission calls and improper collection of sensitive personal information. For internet applications with more than 50 million registered users or 10 million monthly active users and complex business models, additional obligations apply when updating personal information collection rules, including public consultation requirements. Comments are requested by 9 February 2026.

Europe

European Union

European Commission proposes revised Cybersecurity Act to strengthen ICT supply chain security

On 20 January 2026, the European Commission introduced a proposal to revise the EU Cybersecurity Act. The proposal would simplify EU‑wide certification for ICT products and services, reinforce security across critical ICT supply chains, and expand the mandate of the European Union Agency for Cybersecurity (ENISA) in threat monitoring and coordinated incident response. It also includes measures on secure‑by‑design practices and seeks to streamline compliance obligations.

We have published a briefing EU cyber reforms proposed, including overhauled Cybersecurity Act which provides an overview of key changes in the Commission's proposal.

European Parliament examines risks posed to minors by sexualised AI-generated content.

On 26^th January 2026, the European Parliament's Internal Market and Consumer Protection Committee (IMCO) held a hearing on the risks posed to minors by sexualised AI-generated content. The discussion examined the key challenges, and the policy solutions for protecting children and adolescents in digital environments and whether EU laws – particularly the Digital Services Act – provide sufficient tools to address these challenges.

European Commission classifies Whatsapp as a Very Large Online Platform under the Digital Services Act

On 26 January 2026, the European Commission designated WhatsApp as a Very Large Online Platform (VLOP) under the Digital Services Act following assessment of its Channels feature, which exceeds the threshold of 45 million monthly users in the EU. The designation applies only to Channels' functionality, while WhatsApp’s private messaging services remain outside the DSA’s scope. Meta must ensure compliance with VLOP obligations by mid‑May 2026.

EU Commission presents proposal for a Digital Networks Act

On 21 January 2026, the European Commission presented a proposal for a Digital Networks Act establishing an EU regulatory framework for digital networks and services. The proposal would replace the European Electronic Communications Code and introduce harmonised rules aimed at reducing regulatory fragmentation, supporting cross‑border operations. According to the Commission, the initiative seeks to strengthen the competitiveness and resilience of EU connectivity infrastructure by addressing market fragmentation, promoting investment, and enhancing cooperation at EU level. The proposal also includes measures on network security and resilience, including reducing dependencies within the connectivity ecosystem.

We have written an article - Commission sets out plans to update to EU telecoms rules with Digital Networks Act  - outlining the key points for telecoms operators, financial investors and other industry players alike.

EDPB and EDPS issue joint opinion on Digital Omnibus on Artificial Intelligence

On 21 January 2026, the European Data Protection Board and the European Data Protection Supervisor released a joint opinion on the Commission’s Proposal for the Digital Omnibus on AI.. The opinion raises considerations regarding safeguards for individuals’ rights in relation to personal data and addresses areas including bias detection and correction, registration and documentation requirements, Union‑level regulatory sandboxes, supervision by the AI Office, and AI literacy.

EU Commission publishes public consultation on the Digital Markets Act

On 8 January 2026, the European Commission released the submissions received in response to its first review of the effectiveness of the Digital Markets Act.The consultation examined the DMA’s effects on business users and end users, its impact on contestability and fairness in digital markets, potential adjustments to CPS regulation, and how could the Act address AI-related services. The Commission will present its review report by 3 May 2026.

United Kingdom

UK Publishes AI Opportunities Action Plan: One Year On

On 29 January 2026, the UK Government published its “AI Opportunities Action Plan: One Year On”.The update reports that over one million AI training courses have already been delivered, NHS diagnostics are increasingly AI‑enabled, and five AI Growth Zones have been designated to accelerate infrastructure and investment. It also confirms major commitments to scaling UK compute capacity, including the Isambard‑AI buildout and funding through the new Sovereign AI Unit. The government signals that the next phase will focus on nationwide scaling of proven AI tools across public services and accelerating private‑sector adoption.

Americas

The United States of America

US Government Proposes $1.6 B CHIPS Act Investment for a 10% Stake in USA Rare Earth

On 26 January 2026, the U.S. Department of Commerce, in collaboration with the  U.S. Department of Energy, announced a proposed $1.6 billion federal investment to support USA Rare Earth, a U.S. developer of a vertically integrated mine‑to‑magnet rare earth supply chain. The non‑binding letter of intent includes $277 million in proposed federal funding and a $1.3 billion senior secured loan under the CHIPS Act (a Department of Commerce program). According to the announcement, the initiative aims to reduce U.S. dependence on foreign sources for critical minerals.

US Senate Introduces Decentralized Access to Technology Alternatives (DATA) Actof 2026

On 7 January 2026, the DATA Act of 2026 was introduced in the U.S. Senate to amend the Federal Power Act and allow AI data center companies to build and operate their own independent, off-grid energy infrastructure. The bill would create “consumer-regulated electric utilities”, a new utility category for entities that remain fully disconnected from the main grid and serve only new electric loads, with loss of exempt status if they later connect to the grid. Qualifying companies would be exempt from several federal regulations, including those related to rates, reliability, interconnection, transmission planning, and mergers, and would also be permitted to sell electricity at retail to other customers as long as their systems remain isolated.

Middle East

United Arab Emirates

Dubai Financial Services Authority (DFSA) Implements Updated Crypto Token Regulatory Framework

On 12 January 2026, the DFSA brought into force updated rules for Crypto Tokens in the Dubai International Financial Centre. The revised framework follows the DFSA’s October 2025 consultation and updates the regime first introduced in 2022. A key change is the shift from DFSA‑led suitability assessments to firm‑led assessments, with licensed firms required to determine on a documented basis whether each Crypto Token meets DFSA suitability criteria. As part of this change, the DFSA will no longer maintain a list of Recognised Crypto Tokens. The updated rules also introduce investor‑protection measures, refined conduct and operational requirements, and proportionate reporting obligations.

Saudi Arabia

Saudi Arabia Issues General Rules on Secondary Use of Data

On 28 December 2025, Saudi Arabia’s Saudi Data and Artificial Intelligence Authority (SDAIA) issued the General Rules on Secondary Use of Data. The Rules define secondary use as processing data for purposes different from the original purpose of collection, including research, development, innovation, and government operations linked to public‑interest objectives. They apply to government‑to‑government, government‑to‑private, and private‑to‑government data‑sharing requests and require applicants to demonstrate a legitimate, non‑profit‑driven purpose and request only the minimum necessary data. The Rules also set principles such as privacy, responsible use, data quality, ethical standards, security, and public interest, and provide for compliance assessments and licensing by data sharing entities.

Qatar

QFC Establishes Mutual Data Protection Adequacy Recognition with ADGM and DIFC

On 29 January 2026, the Qatar Financial Centre (QFC) announced that it has established reciprocal data protection adequacy recognition with the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC). According to the QFC, the inclusions in each authority’s adequacy list follow an assessment of the respective data protection frameworks and enforcement arrangements. The recognition enables data transfers between the three financial centres without the need for additional transfer mechanisms. The announcement also notes that the authorities undertook assessments with external legal support to evaluate alignment with applicable data protection requirements.

Africa

Kenya

ODPC launches report on importance of data to Keyna's economic growth

On 29^th January 2026 the Office of the Data Protection Commissioner (ODPC) published a report, "Data Without Borders: How Trusted Data Flows Can Power Kenya's Economic Growth," which outlines a strategic vision for positioning data protection as the foundational pillar of Kenya’s digital economy. It emphasizes that secure and transparent cross-border data flows are essential for attracting global investment and fostering regional integration within Africa's data-driven market. By moving from foundational awareness to aggressive enforcement—evidenced by the registration of over 15,000 data handlers and the issuance of significant compensation orders for privacy breaches—the report argues that robust data governance is not merely a regulatory requirement but a competitive economic advantage. Furthermore, it highlights the necessity of aligning Kenyan frameworks with emerging technologies like AI and fintech to ensure that innovation is balanced with ethical standards and "privacy-by-design" principles.

Kenya Launches Kenya Cyber Resilience (KCR) Project

The Government of Kenya has launched the €3 million Kenya Cyber Resilience (KCR) Project, a 36-month initiative funded by the European Union to secure the nation’s digital ecosystem and protect critical infrastructure. Implemented by Expertise France and ESTDEV in collaboration with the Ministry of Information, Communications and the Digital Economy, the project aims to refine national cybersecurity policy, support the designation of Critical Information Infrastructure, and enable the establishment of a National Cybersecurity Agency. The project is designed to complement existing policies, including the National Cybersecurity Strategy, the Digital Master Plan, the Data Protection Act, and the Computer Misuse and Cybercrimes Act.

Nigeria

Nigeria introduces Push for a Borderless Digital Economy

On 30 January 2026, Nigeria held a high‑level media briefing at the Presidential Villa unveiling plans for the upcoming RegTech Africa Conference & Expo (RACE 2026). The event, anchored by the Office of the Vice President and in partnership with GIABA, outlined efforts to address Africa’s regulatory fragmentation, harmonise digital‑economy rules, promote interoperable payment and identity systems, and strengthen trust frameworks for cross‑border trade.

Key Dates on the Horizon

February 2026

• 1 February 2026 Colorado Consumer Protections for Artificial Intelligence Act comes into effect. Bill
• 2 February 2026 Deadline for comments on UK MHRA call for evidence on AI  regulation in healthcare. More info
• 9 February 2026 Deadline for comments on China’s Internet Applications Personal Information Draft. CAC link
• 23 February 2026 Deadline for comments on China’s Financial Information Services Data Classification Draft. CAC link

March 2026

• 1 March 2026 China’s Measures on Classification of Online Information Affecting Minors take effect. CAC link
• 11 March 2026 Deadline for feedback on the EU Digital Fitness Check consultation and call for evidence, which could result in further reform to a wide range of EU digital legislation. Consultation link
• 18 March 2026 Deadline for UK report and economic impact assessment on Copyright and AI. More info

May 2026

• Mid‑May 2026 WhatsApp must comply with DSA VLOP obligations. Designation

August 2026

• 2 August 2026    
  • Providers of GPAI models that have been placed on the market / put into service before this date need to be compliant with the EU AI Act by this date.* EU AI Act
  • Transparency requirements for certain AI systems under Article 50 of the EU AI Act expected to enter into force, following the development of guidelines and a voluntary code of practice.*EU AI Act

January 2027

• 1 January 2027 China’s mandatory standard on information erasure in electronic products takes effect. More info

* Both these dates would be delayed if proposal in the EU Digital Omnibus package get adopted. 

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.