AI View - July 2025

Welcome to AI View, Simmons & Simmons' fortnightly round-up of key AI legislative, regulatory, and policy updates from around the world.

This edition brings you:

1. US Senate strikes down proposed 10-year moratorium on state AI laws

2. German DSK adopts guidance on measures for the development and operation of AI systems

3. French Data Protection Authority adopts guidance on using legitimate interest as a legal basis for developing AI systems under GDPR

4. Italy to set up AI coordination committee as part of its national AI bill

5. South Korea introduces a bill for the promotion of the AI industry

1. US Senate strikes down proposed 10-year moratorium on state AI laws

On 1 July 2025, the US Senate voted overwhelmingly (99-1) to strike down the provision titled “Artificial Intelligence and Information Technology Modernization Initiative” (the Provision) from the budget reconciliation bill (the Bill). The Provision would have in effect imposed a 10-year federal moratorium on state regulation of AI by making states choose between enforcing AI regulation or accepting federal funding to expand broadband access.

Proponents of the Provision noted that its aim was to prevent states from forming an unworkable patchwork of regulations that would stifle innovation in the AI sector. The removal of the Provision from the Bill means that states retain the authority to regulate AI independently, even if this may lead to a lack of uniformity in the US AI regulatory framework.

Many US states – most recently Texas – have enacted legislation to regulate the risks posed by AI, such as authorised deepfakes, copyright violations and algorithmic discrimination.

Read more about the Bill here.

2. German DSK adopts guidance on measures for the development and operation of AI systems

On 16 June 2025, the Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments (DSK) in Germany adopted guidance on recommended technical and organisational measures for the development and operation of AI systems (the Guidance).

The Guidance applies to manufacturers and developers of AI systems processing personal data, especially where high-risk activities are involved.

The Guidance sets out data protection recommendations and practical measures for the complete lifecycle of AI systems, dividing it into four distinct phases: design, development, implementation, and operation and monitoring. The measures include responsible data handling, secure software updates, and continuous monitoring. Notably, some of the key points include:

• Transparency: Data controllers should document information including (i) the purpose, legal basis and methodology for data collection; (ii) the algorithm and training process; and (iii) system functionality, decision-making processes and user rights, to ensure decisions are reproducible and to facilitate accountability.
• Data Minimisation: Data controllers should: (i) collect, process and use only necessary data; (ii) consider alternatives such as synthetic or anonymised data; (iii) implement privacy-friendly configurations; and (iv) regularly review and reduce unnecessary data processing.
• Integrity: Data controllers should ensure data quality and prevent manipulation (such as data poisoning). They should also continuously monitor system behaviour to detect and address risks, including bias or evasion attacks.
• Intervenability: Measures to implement data subject rights and official orders must be established early, for both training data and AI models. Data controllers should implement mechanisms to uphold data subject rights, such as enabling deletion or correction of personal data.

Read the Guidance here (in German only).

3. French Data Protection Authority adopts guidance on using legitimate interest as a legal basis for developing AI systems under GDPR

On 19 June 2025, the French Data Protection Authority (CNIL) adopted guidance on the use of the General Data Protection Regulation (GDPR)’s “legitimate interest” as a legal basis for developing AI systems, and in particular for the processing of personal data sourced from public content (the Guidance).

The Guidance applies to private organisations that process data when it is not possible to rely on consent, as well as public bodies engaging in activities beyond their core public missions, such as human resources management.

The Guidance states that “legitimate interest” can only be used as a legal basis if the following three conditions are met:

• the interest pursued is lawful e.g. the improvement of services, increase of IT security, scientific research, or facilitating public access to information. Commercial interests may also constitute legitimate interest;
• the processing is necessary i.e. there are no other, more data protection-friendly alternatives; and
• individual rights are not disproportionately affected. This involves a balancing test of the legitimate interest of the controller against the fundamental rights and freedom of data subjects by assessing the benefits of its processing as well as the impact on the individuals concerned and implementing, when necessary, protective measures.

The Guidance also provides practical examples to show how the tri-partite limbs would apply in the context of AI development.

Certain mitigating measures are set out in the Guidance that controllers can implement to minimise the impact of processing on data controllers. These measures include the prompt anonymisation of data, greater transparency about the processing operations performed, the use of synthetic data and the provision of a prior opt-out mechanism.

More generally, the CNIL emphasises that data controllers must assess and document compliance with these conditions and implement safeguards at the time of training, rather than retroactively.

The CNIL has also published a specific focus sheet on the application of the legitimate interest legal basis in cases of data scraping.

Read the Guidance here and the factsheet here.

4. Italy to set up AI coordination committee as part of its national AI bill

On 30 June 2025, Italy announced its plan to establish a National Coordination Committee on AI and Digital Innovation following a series of amendments introduced as part of its national law (the Bill) implementing the EU AI Act. The EU AI Act requires member states to designate competent national authorities and implement relevant sanction regimes in their national legal frameworks by 2 August 2025.

According to the Bill, the Committee “performs functions of coordinating the action of directing and promoting the research, experimentation, development, adoption and application of artificial intelligence systems and models carried out by national public or private bodies and organisations subject to supervision or recipients of public funding”. It appears that the role of this Committee will be limited to the promotion of research and development of AI, rather than having any active role in the regulation of the EU AI Act. The Committee will include the ministries of economy and finance, enterprises, research, health, and public administration, as well as the public authorities responsible for cybersecurity and the digital transition.

The Bill was adopted in the Chamber of Deputies and transmitted to the Senate on 30 June 2025 for final approval. Depending on the Senate agenda, the Bill may be formally adopted before the August recess.

Read the full report here.

5. South Korea introduces a bill for the promotion of the AI industry

On 20 June 2025, South Korea introduced a bill on the “Special Law for the Promotion of the Artificial Intelligence Industry (No. 2210957)” to the 22nd National Assembly (the Bill). The Bill forms part of South Korea’s strategy to support the AI industry to secure AI sovereignty, strengthen national competitiveness and drive economic growth.

The Bill builds on the South Korea’s promulgation of the “Basic Act on the Development of Artificial Intelligence and Creation of a Trust Base”, enacted this year. The Bill adds concrete mechanisms for fostering AI innovation and development, including:

• National strategic plan: Supporting the creation and operation of AI mega clusters and new AI research projects, providing legal grounding for supporting strategic initiatives, and establishing corporate joint research institutes.
• Fostering AI workforce: Laying out a comprehensive plan for workforce development, including attracting international talent, monitoring labour market trends, and investing in youth development via training programmes.
• Building infrastructure: Proposing the designation of AI data centre special zones.
• Financial incentives: Expanding support through tax incentives, employment subsidies, and establishing an AI industry Promotion Special Account.

The Bill is currently under committee review. If the committee votes in favour of the Bill after deliberation, the Bill will be considered by the plenary, and if passed the Bill will be to be sent to the President for promulgation.

Read more about the Bill here (in Korean only).