Find a lawyerOur capabilitiesYour careerSearch
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  2. 2025 Data law trends
  3. Tougher enforcement is reshaping data and privacy compliance
5. Tougher enforcement is reshaping data and privacy compliance
2025 Data law trends
hero-image-0

In brief

The spotlight on AI risks is intensifying, and with it comes a surge in data-related regulatory enforcement worldwide. Regulators are not only using existing laws but are also advocating for greater powers to oversee AI development and deployment. In some regions, this includes calls for restrictions on AI-related processing. For organizations developing AI, it’s important to integrate compliance and risk management measures throughout the process. At the same time, attention should remain on existing enforcement risks around cyber issues, privacy practices, and consumer and competition laws.
Download report
Tougher enforcement is reshaping data and privacy compliance

As AI becomes ever more ubiquitous and powerful, regulators are rushing to manage and mitigate this potentially high-risk technology. Typically, this means relying on privacy laws, including the EU and UK GDPR, where the data processing includes personal data, but consumer protection legislation and antitrust laws are also being used to put guardrails around AI.

Examples of regulatory action in 2024 include:

  • Some regulators, including several EU data protection authorities (DPAs), are actively investigating AI companies for alleged breaches of the EU GDPR. The Italian DPA issued OpenAI with a formal notice for violations of provisions of the EU GDPR, having originally banned the use of ChatGPT in Italy until OpenAI complied with a set of interim measures.
  • In the UK, the Information Commissioner’s Office (ICO) has been investigating Snap’s ‘My AI’ chatbot but, in July 2024, agreed to close its investigation on the basis that Snap appropriately remedied its alleged breaches of the UK GDPR. However, the ICO noted that its investigation had led to Snap conducting a more thorough review of potential risks posed by the chatbot.
  • Some regulators, such as the South Korean Personal Information Protection Commission (PIPC) and the UK’s ICO, are aiming to mitigate AI risks through updating existing guidance and regulatory innovation. The ICO launched a consultation series in the first half of 2024 on the intersection of data protection and generative AI, focused on topics such as purpose limitation in the generative AI lifecycle, the accuracy of training data and model outputs and the allocation of controllership. We expect to see updates to ICO guidance in 2025 as a result. South Korea’s PIPC has emphasized regulatory sandboxes and introduced a ‘Prior Adequacy Review Mechanism,’ where it will work together with startups developing innovative AI models or services to ensure that sufficient privacy and data protection measures are embedded in the design of AI systems.

QuoteMarks_34x25px_Blue.png

Data privacy regulators across the world are focused on AI. Businesses need to ensure that they are developing and deploying AI systems compliantly including, where appropriate, engaging closely with regulators as they do so.

Giles Pratt, Partner

  • In the US, the Federal Trade Commission (FTC) has increasingly brought investigations and enforcement actions related to AI. In July 2023, the FTC issued a civil investigative demand (CID) to OpenAI covering a range of topics, including public disclosures about AI products, the data it used to train its models and measures taken to mitigate potential risks including false statements about individuals. This follows a settlement with Rite Aide related to the company’s use of AI-based facial recognition technology. In addition, the agency recently announced a sweep of enforcement actions concerning AI-related misrepresentations. More CIDs can be expected to be issued in AI investigations, given the FTC’s November 2023 approval of a resolution making it easier for officials to issue CIDs.

QuoteMarks_34x25px_Blue.png

The Italian DPA’s bold stance against OpenAI reflects the global shift toward stricter AI regulation. AI growth must be matched by strong commitments to data protection and regulatory engagement.

Davide Borelli, Counsel

Looking ahead to 2025, we expect privacy regulators to continue their focus on AI.

In the US, the FTC should be expected to ramp up its rigorous scrutiny of AI products and businesses. The FTC has publicly stated its interest in enforcement relating to advertising claims, AI product misuse to perpetuate fraud and scams, competition concerns and copyright/IP concerns with regards to training AI models and data privacy. The FTC’s interest in investigating competition concerns has already resulted in the issuance of orders to five companies requiring them to provide information about recent investments and partnerships involving generative AI companies and cloud service providers. The agency has also announced an investigation into ‘surveillance pricing,’ the practice of categorizing individuals using their personal information to set pricing targets for goods or services using AI technology.

QuoteMarks_34x25px_Blue.png

As many companies increasingly become AI companies, they will need to ensure that they are developing and deploying AI systems safely and effectively.

Joseph Mason, Associate

In the UK and EU, we expect ongoing focus on AI products and services, particularly those deemed to be higher risk, and companies should expect a robust approach from regulators if they suspect infringements of EU or UK GDPR. It remains to be seen how plans to reform UK data laws announced by the newly-elected UK government will impact data protection regulation as it relates to AI.

QuoteMarks_34x25px_Blue.png

Working out how to approach AI enforcement is fast becoming a global priority, reflecting a collective commitment to harnessing the power of AI responsibly.

Rachael Annear, Partner

Looking ahead

As we look to 2025 and beyond, companies should brace for an intensified regulatory focus on data enforcement, particularly concerning the development and deployment of AI systems. Regulators have shown a readiness to take strong actions against suspected privacy law violations, including halting the launch of AI solutions or pausing ongoing AI development.

However, these regulatory measures also serve as valuable guidance for safe and effective AI deployment. To navigate this landscape, companies should:

  • Ensure they maintain comprehensive documentation, including detailed data protection impact assessments for high-risk processing.
  • Stay informed about the latest guidance from DPAs, such as the UK’s ICO and the EU’s EDPB.
  • Prioritize the integration of privacy protections into their AI systems from the outset of the development process.

Beyond AI, changes to the EU GDPR’s OSS mechanism are likely to facilitate more enforcement of cross-border processing within the EU. We also anticipate an uptick in global enforcement actions related to alleged breaches of privacy, cybersecurity, and consumer protection laws.

Our team

Our team

London
Rachael AnnearPartner
New York
Robert BartonAssociate
Hong Kong
Richard BirdPartner
Milan
Davide BorelliCounsel
Amsterdam
Mark EgelerPartner
Washington, DC
Nina FrantSpecial counsel
London
Daniel GoldAssociate
London
Cat Greenwood-SmithPartner
New York
Timothy HowardPartner
London
Joseph MasonAssociate
London
Giles PrattPartner
2025 Data law trends

2025 Data law trends

Reports
Nov 29 2024
1. AI governance takes center stage

With regulatory pressures, changing expectations from shareholders and customers, and the increasing risk of litigation, it’s clear that addressing AI governance is more important than ever.

Reports
Nov 29 2024
2. International data transfers are under the spotlight

In 2025, questions around data transfers and localization requirements will still be front and center for businesses. Regulators across different jurisdictions – each with varying requirements – aren’t holding back either; they’ve shown they’re ready to impose hefty fines for non-compliance.

Reports
Nov 29 2024
3. A new wave of cyber threats is here

As global cybersecurity threats continue to evolve, companies are navigating an increasingly complex risk landscape.

Reports
Nov 29 2024
4. New global regulations are changing our digital operations

Over the past year, a global push to regulate the safety, accountability, and transparency of online services have begun to crystalize. In late 2023, the EU Digital Services Act came into force alongside the passage of the UK Online Safety Act, signaling a significant shift in how digital intermediaries are regulated.

Reports
Nov 29 2024
5. Tougher enforcement is reshaping data and privacy compliance

The spotlight on AI risks is intensifying, and with it comes a surge in data-related regulatory enforcement worldwide. Regulators are not only using existing laws but are also advocating for greater powers to oversee AI development and deployment.

Reports
Nov 29 2024
6. US State consumer privacy laws are expanding

Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation.

Reports
Nov 29 2024
7. Asia’s privacy laws are maturing

In recent years, many countries across Asia have either rolled out new comprehensive privacy laws or made significant amendments to existing regulations. Notable examples include China, India, Indonesia, Japan, Malaysia, South Korea, Sri Lanka, Thailand, and Vietnam. Currently, Indonesia, India, and Malaysia are working toward the full implementation of their newly amended laws.

Reports
Nov 29 2024
8. New EU data access regulations are shaping the future

The European Commission’s Data Strategy 2020 has paved the way for new data access regulations that will significantly impact businesses across Europe. In this chapter, we dive into the data access rights established by the EU’s Data Act, along with two pivotal Common European Data Spaces: the European Health Data Space (EHDS) and the Financial Data Access (FIDA) framework.

FIND US IN
All locations
NAVIGATE TO
About usYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome

Select language: