INTERNATIONAL 

GLOBAL TREATIES, CONVENTIONS

13. Council of Europe Framework Convention on Artificial Intelligence[12]

In September 2024, the Council of Europe introduced the Framework Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law—the first legally binding international treaty on AI. This convention mandates that AI systems adhere to principles safeguarding human rights, democracy, and the rule of law. Signatories, including the United States, United Kingdom, European Union, and others, are required to implement legislative and administrative measures to ensure compliance.

14. Crypto-Asset Reporting Framework[13]

The Organisation for Economic Co-operation and Development introduced the Crypto-Asset Reporting Framework (“CARF”) to enhance tax transparency concerning crypto-assets. CARF mandates that Crypto-Asset Service Providers collect and report information on users’ tax residences and taxpayer identification numbers to their domestic tax authorities. This information is then exchanged between jurisdictions to combat tax evasion and ensure compliance. The European Union has adopted CARF, with implementation set for January 1, 2026[14].

15. AI Seoul Summit and Frontier AI Safety Commitments[15]

In May 2024, during the AI Seoul Summit, 16 global AI technology companies agreed to safety commitments concerning the development of AI. These commitments aim to ensure the responsible and ethical advancement of AI technologies, emphasizing safety, transparency, and collaboration among industry leaders.

EUROPEAN UNION

NEW LEGISLATIONS

16. EU Artificial Intelligence Act (AI Act)[16]

Enacted in August 2024[17], the AI Act established a risk-based regulatory framework for AI systems, categorizing them into minimal, limited, high, and unacceptable risk levels. High-risk systems are subject to strict data protection and transparency requirements. It also prohibits certain AI practices like real-time biometric identification in public spaces and social scoring by governments.

Impact on Businesses – AI Act imposes stringent compliance requirements, particularly for high-risk AI systems, necessitating significant investments in transparency, risk management, and technical safeguards. However, its phased enforcement provides flexibility, allowing businesses time to adapt while fostering a predictable legal framework that builds trust and encourages innovation.

17. Digital Services Act (DSA) Implementation[18]

The DSA, operational from February 2024, introduced stricter obligations for online platforms regarding content moderation, transparency, and accountability, including managing AI-driven algorithms and user data protection.

Impact on Businesses – DSA imposes strict requirements on online businesses, particularly large platforms. Companies will need to enhance their content moderation systems, ensure greater transparency in their operations, and comply with tighter data protection rules. Businesses will face challenges in managing AI-driven algorithms for content removal, providing transparency reports, and implementing systems to protect users from harmful content, including minors. The DSA’s phased rollout gives businesses time to adapt, but it still increases the operational burden, especially for platforms with large user bases, as they must also conduct regular risk assessments and audits to avoid penalties for non-compliance.

18. Digital Markets Act (DMA) Enforcement[19]

As of July 2024, the DMA began targeting ‘gatekeepers’ (large tech companies), ensuring fair data-sharing practices and compliance with data protection regulations, particularly impacting cross-platform AI applications.

Impact on Businesses – DMA aims to curb the power of gatekeepers by enforcing rules that prevent anti-competitive practices such as self-preferencing and unfair data-sharing. It promotes a level playing field, encouraging innovation and allowing smaller businesses to compete more effectively in the digital realm. For businesses, this means greater opportunities in a more transparent market, but it also requires compliance with new rules, potentially altering business models, especially in areas like data sharing, platform interoperability, and advertising practices.

19. Guidelines on Data Protection Impact Assessments for AI Systems[20]

Issued by the European Data Protection Board (EDPB) in December 2024, these guidelines formalized processes under GDPR for assessing privacy risks of AI systems.

Impact on Businesses – Businesses are required to perform detailed risk assessments, especially for AI models that process sensitive data or pose high risks to individuals’ privacy. This increases the compliance burden on organizations, ensuring that AI systems prioritize data protection by design, and promoting greater transparency and accountability in their use.

IMPORTANT RULINGS

20. CJEU Judgment on Commercial Interest as Legitimate Basis for Data Processing[21]

In October 2024, the Court of Justice of the European Union (“CJEU”) ruled that ‘legitimate interest’ under GDPR Article 6 could justify processing personal data for commercial interest on a case-to-case basis, provided it adheres to data minimization principles and respects the reasonable expectations of the data subjects.

21. CJEU Ruling on Competitors’ Right to Seek Injunctions for GDPR Violations[22]

CJEU ruled that competitors are entitled to bring injunction claims based on GDPR infringements under national unfair competition laws. This decision underscores the interplay between data protection and competition law, allowing businesses to hold competitors accountable for data protection violations.

22. Dutch Data Protection Authority vs. Clearview AI[23]

In May 2024, the Dutch regulator fined Clearview AI €30.5 million for GDPR violations, specifically for creating a facial recognition database without legal consent.

23. CJEU Decision on Cross-Border Data Transfers Post-Schrems II[24]

The CJEU reaffirmed its stance on adequacy standards for cross-border data transfers, further clarifying the obligations of organizations using Standard Contractual Clauses for data sharing.

24. French CNIL Fine on Violation of Principal of Data Minimization[25]

The French privacy authority (CNIL) fined a major e-commerce company €32 million in January 2024 for implementing overly intrusive employee monitoring systems in its warehouses.

25. CJEU Ruling on Meta’s Use of Sensitive Data for Targeted Advertising[26]

In October 2024, the CJEU ruled that Meta cannot use users’ sensitive personal data, such as sexual orientation, for targeted advertising without explicit consent, even if the information is publicly available. This decision reinforces the stringent requirements for processing sensitive data under the GDPR.

UNITED STATES OF AMERICA

NEW LEGISLATIONS

26. States Take Legislative Action on AI and Data Privacy

California introduced 5 laws targeting AI-generated deepfakes[27] in elections and protecting performers’ digital likenesses, with strict rules for reporting and removal of deceptive content. Montana, along with other States, enacted comprehensive privacy laws granting data access and deletion rights. These efforts highlight growing State-level actions to regulate AI and safeguard privacy[28].

27. Utah’s Artificial Intelligence Policy Act[29]

Signed into law in March 2024, this act establishes liability for companies failing to disclose their use of generative AI when required and creates the ‘Office of Artificial Intelligence Policy’ to oversee AI-related matters within the State.

28. Tennessee’s ELVIS Act[30]

Enacted in March 2024, the Ensuring Likeness Voice and Image Security Act, 2024 (“ELVIS Act”) addresses the unauthorized use of an individual’s voice and likeness through AI technologies, marking one of the first state-level legislations targeting AI-generated impersonations.

29. Intimate Privacy Protection Act Proposal[31]

In July 2024, a bipartisan group of House lawmakers introduced the Intimate Privacy Protection Act, aiming to amend Section 230 of the Communications Act of 1934. This proposed legislation seeks to hold tech companies accountable for failing to remove intimate AI-generated deepfakes and related harmful content. It mandates that online platforms establish reasonable processes to address and remove such content within 24 hours of reporting. 

IMPORTANT RULINGS

30. Supreme Court’s Overturning of the Chevron Doctrine[32]

In 2024, the Supreme Court overturned the Chevron doctrine, which previously required judicial deference to federal agencies’ interpretations of ambiguous statutes. This decision has significant implications for agencies like the Federal Trade Commission (“FTC”) in regulating data privacy and AI practices.

31. Illinois Supreme Court’s Policy on AI Use in Legal Proceedings[33]

In December 2024, the Illinois Supreme Court issued a policy allowing judges and attorneys to use artificial intelligence tools in their work under certain conditions. This policy underscores the growing integration of AI in the legal system while emphasizing the need for ethical considerations and limitations.

32. AI-Related Copyright Lawsuits[34]

Throughout 2024, numerous lawsuits were filed concerning the use of copyrighted materials in training AI models. These cases involve authors, artists, and media companies challenging AI developers over alleged intellectual property infringements.

33. FTC Enforcement Actions[35]

The FTC took action against several businesses for issues including data breaches[36], unfair and deceptive disclosures related to the sharing of health data, failure to obtain parental consent for collecting children’s data, and the use of dark patterns concerning children’s privacy.

REST OF THE WORLD

LEGISLATIONS

34. Australia: Privacy and Other Legislation Amendment Bill 2024[37]

Introduced in October 2024, this bill strengthens privacy protections by requiring organizations to disclose their use of automated decision-making processes and tightening rules around cross-border data transfers. It focuses on transparency in AI and automated systems, ensuring compliance with privacy principles.

35. United Kingdom: Online Safety Act[38]

Enacted in 2024, this legislation introduces criminal penalties for creating and distributing AI-generated explicit content (deepfake pornography) without consent. The act is part of a broader initiative to enhance online safety and combat the misuse of AI technologies.

36. China: Network Data Security Management Regulations[39]

China’s Network Data Security Management Regulations, released on September 30, 2024, and effective January 1, 2025, establish stringent rules for data processing activities within China, impacting both domestic and international entities handling Chinese data. The regulations mandate enhanced data security measures, stricter controls on cross-border data transfers, and rigorous personal information protection protocols, particularly for data that may affect Chinese citizens or national security.

Impact for Businesses- For Indian and other international businesses operating in or with China, these rules necessitate robust compliance strategies, including significant upgrades to data management systems, adherence to lawful data export procedures, and proactive risk management to avoid severe penalties such as fines or operational restrictions. These measures are expected to increase operational costs and necessitate careful legal and infrastructural adjustments, particularly for multinational companies relying on seamless data flows. Overall, the regulations underscore the need for businesses to integrate these requirements into their operations to maintain market access and avoid disruptions in the Chinese market.

IMPORTANT RULINGS

37. Australia’s Legal Profession and AI Disclosure Requirements[40]

In May 2024, the Supreme Court of Victoria issued comprehensive guidelines on the use of AI in legal proceedings, requiring lawyers to disclose any AI assistance in forming arguments or drafting documents. The guidelines emphasize that AI usage must not mislead other participants and that practitioners need to understand the tools and their limitations. Additionally, those signing court documents remain responsible for their accuracy, even if AI assisted in their preparation. This move reflects a broader trend in the Australian legal system to ensure transparency and maintain the integrity of legal processes amid increasing AI integration.