Find a lawyerOur capabilitiesYour careerSearch
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  2. 2025 Data law trends
  3. AI governance takes center stage
1. AI governance takes center stage
2025 Data law trends
hero-image-0

In brief

With regulatory pressures, changing expectations from shareholders and customers, and the increasing risk of litigation, it’s clear that addressing AI governance is more important than ever.

As a result, many organizations today are feeling the heat to show they have the right governance structures and decision-making processes in place for their use of AI – or for deciding not to use it at all. In this chapter, we’ll dive into why a proactive AI governance framework is essential.

It’s not just about ticking boxes; it’s about taking control of AI’s potential while managing its risks.

 We’ll explore the key pressures you’re facing and highlight the foundational elements that can lead to successful AI governance.

Download report
AI governance takes center stage

Pressures to develop AI governance frameworks include:

AI-specific regulatory regimes

These regimes are taking more discernible shape across the globe, with AI specific regulation now in force across the EU and China, and planned at national level (with published draft texts) in Brazil, Canada, South Korea, Thailand and Vietnam. New (albeit narrow) AI-specific regulation was introduced to protect the integrity of India’s recent elections and is also anticipated in the UK.

A proliferation of guidance as to the application of existing regulatory regimes to the use of AI

The UK, US and other jurisdictions (including Australia, Hong Kong, India, Japan, Russia, Saudia Arabia, Singapore, South Korea and Turkey) have implemented policies aimed at streamlining AI regulation at the national level. These fall short of AI-specific laws and instead direct established regulators to apply existing regimes to the use of AI. Non-regulatory government bodies are also being vocal in this space – for example, the US Department of Justice, primarily a law enforcement agency, has spoken about its expectations that corporate compliance programs are effective at mitigating AI-related risks.

The emergence of global standards for AI governance, such as ISO/IEC JTC 1/SC 42

Customers, distributors and other contractual counterparties may start expecting compliance with these types of standards as a ‘badging’ of an organization’s AI maturity.

Increased scrutiny of company reporting with respect to use of AI from shareholders

Companies in the US are already facing scrutiny from shareholders who view them as being insufficiently transparent about their use of AI. We have seen a trend of shareholder petitions being filed at the US Securities and Exchange Commission aimed at eliciting further detail relating to a company’s AI strategy. AI risks and opportunities are becoming a common theme of listed company reports; see infographic below.

Increasing focus from NGOs on AI and the potential risks it poses

For example, Amnesty International published a report titled The State of the World’s Human Rights in April 2024, which looked at human rights concerns from 2023. This report highlighted AI as a potential threat to human rights citing use cases such as state deployment of facial recognition software to aid policing of mass events, including protests, as well as use of biometrics and algorithmic decision-making in migration and border enforcement. The Austrian privacy advocacy group ‘noyb’ has been vocal in relation to the privacy implications of AI technologies.

Increasing risk of AI litigation and regulatory enforcement

QuoteMarks_34x25px_Blue.png

Companies are feeling the pressure to get AI governance right not only from regulators, but also from the markets, the emergence of global standards for AI governance and third-party actors such as NGOs.

Giles Pratt, Partner

Companies need a framework to ensure compliance and respond to regulatory scrutiny and allow them to make the most of AI while navigating the risks associated with its use.

Data-related matters will be a core component of this framework. The EU AI Act, which is the world’s first comprehensive AI-specific legislation, imposes numerous governance and documentation-related obligations, including specific data governance obligations on providers of high-risk AI systems. Similarly, data protection regulators globally have not shied away from enforcement activity relating to the use of personal data in connection with AI systems (we have seen activity in this space from data protection regulators in the UK, Ireland, Italy, the Netherlands, Hong Kong and elsewhere. The US Federal Trade Commission is also active in this space as part of its consumer protection remit) and are also proactively consulting on the application of data protection laws to AI.

New450x236px_Data Trends 2024_AI oversight_V2A.jpg

 

New450x236px_Data Trends 2024_AI oversight_V2B.jpg

 

Looking Ahead

As the litigation and regulatory landscape continues to change, it’s crucial for businesses to keep a close eye on these developments. Regularly evaluating the effectiveness of your governance systems will be key to mitigating AI-litigation risks.

If your business is developing or deploying AI, now’s the time to make sure you have the right governance structures in place. This means ensuring you have the right staffing, resources, and clear terms of reference. But don’t stop there. Building in flexibility will help you proactively adapt to future needs, positioning you for future success as the landscape evolves.

Our team

Our team

London
Rachael AnnearPartner
London
Zofia AszendorfSenior Associate
London
Georgina BaylyAssociate
Hong Kong
Richard BirdPartner
Düsseldorf, Frankfurt am Main
Theresa EhlenPartner
San Francisco
Beth GeorgePartner
London
Adam GillertGlobal Data Knowledge Lawyer
London
Cat Greenwood-SmithPartner
London
Giles PrattPartner
Vienna, Düsseldorf
Lutz RiedePartner
2025 Data law trends

2025 Data law trends

Data Trends 2025
Reports
Nov 29 2024
1. AI governance takes center stage

With regulatory pressures, changing expectations from shareholders and customers, and the increasing risk of litigation, it’s clear that addressing AI governance is more important than ever.

Reports
Nov 29 2024
2. International data transfers are under the spotlight

In 2025, questions around data transfers and localization requirements will still be front and center for businesses. Regulators across different jurisdictions – each with varying requirements – aren’t holding back either; they’ve shown they’re ready to impose hefty fines for non-compliance.

Reports
Nov 29 2024
3. A new wave of cyber threats is here

As global cybersecurity threats continue to evolve, companies are navigating an increasingly complex risk landscape.

Reports
Nov 29 2024
4. New global regulations are changing our digital operations

Over the past year, a global push to regulate the safety, accountability, and transparency of online services have begun to crystalize. In late 2023, the EU Digital Services Act came into force alongside the passage of the UK Online Safety Act, signaling a significant shift in how digital intermediaries are regulated.

Reports
Nov 29 2024
5. Tougher enforcement is reshaping data and privacy compliance

The spotlight on AI risks is intensifying, and with it comes a surge in data-related regulatory enforcement worldwide. Regulators are not only using existing laws but are also advocating for greater powers to oversee AI development and deployment.

Reports
Nov 29 2024
6. US State consumer privacy laws are expanding

Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation.

Reports
Nov 29 2024
7. Asia’s privacy laws are maturing

In recent years, many countries across Asia have either rolled out new comprehensive privacy laws or made significant amendments to existing regulations. Notable examples include China, India, Indonesia, Japan, Malaysia, South Korea, Sri Lanka, Thailand, and Vietnam. Currently, Indonesia, India, and Malaysia are working toward the full implementation of their newly amended laws.

Reports
Nov 29 2024
8. New EU data access regulations are shaping the future

The European Commission’s Data Strategy 2020 has paved the way for new data access regulations that will significantly impact businesses across Europe. In this chapter, we dive into the data access rights established by the EU’s Data Act, along with two pivotal Common European Data Spaces: the European Health Data Space (EHDS) and the Financial Data Access (FIDA) framework.

FIND US IN
All locations
NAVIGATE TO
About usYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome

Select language: