Navigating Global AI Compliance

3 minute read | October.03.2025

Christian Schröder, Shannon Yavorsky and Matthew Coleman joined with Dr. Avishay Klein from Barnea for an in-depth discussion on AI compliance across jurisdictions.

The compliance challenge: Companies operating globally face a complex maze of emerging AI regulations. Our panel provided practical guidance for those navigating these fast-moving and divergent legal regimes.

United States: Operating in a Regulatory Patchwork

Shannon presented the U.S. perspective.

Current landscape: No comprehensive federal AI law exists, forcing companies to navigate a patchwork of sectoral laws.

State-level activity is extensive:

160+ AI-specific laws addressing transparency and automated decision-making
Employment-focused laws in Illinois and New York City
Comprehensive AI frameworks in Colorado and Texas
Mental health bot regulations and chatbot disclosure requirements

Federal developments:

TAKE IT DOWN Act criminalizes non-consensual AI-generated intimate imagery
Proposed decade-long moratorium on state AI laws failed to advance

Litigation trends: Growing disputes over training data and fair use, online privacy and biometric privacy suits, consumer protection claims and employment discrimination cases.

Open questions: Key questions remain on whether the use of training data will qualify as fair use and how to allocate liability when AI systems cause harm.

Israel: Innovation-Forward Policy Approach

Avishay presented the Israeli perspective.

Regulatory philosophy: No comprehensive AI act, with policy explicitly favoring innovation over restrictive regulation.

Current framework:

Non-binding national policy aligned with OECD principles.
Sectoral regulation beginning in financial services.
Existing laws already impact AI development and deployment.

2025 Privacy Protection Authority guidance:

Draft rules require DPOs, DPIAs and internal procedures for AI systems processing personal data.
Most controversial requirement: explicit consent for online data scraping.
Strong industry criticism as impractical.

Regulatory outlook: Israeli officials view separate AI rules as unnecessary since companies must already comply with EU and U.S. frameworks. Revised guidance expected following September 2025 consultation period.

European Union: Comprehensive Risk-Based Framework

Christian presented the European perspective.

The EU AI Act overview: Single framework designed to prevent member state fragmentation and build AI trust across the bloc.

Implementation timeline:

February 2025: Prohibitions and AI literacy obligations active.
August 2025: General-purpose AI model requirements effective.
August 2027: High-risk system rules fully applicable.

Key transparency requirements:

Disclosure when content is AI-generated.
Notice when individuals interact with AI systems.
Code of Practice is currently being discussed.

Critical compliance note: The AI Act doesn’t replace the GDPR or the Data Act.

Getting Started with AI Governance

Comprehensive AI mapping:

Document all AI systems, their uses, data sources and purposes.
Classify systems by regulatory risk level.
Update internal policies to reflect AI-specific requirements.

Leadership structure:

Technology teams should lead governance efforts.
Legal and compliance provide support, not leadership.
Cross-functional approach is essential for success.

Formal accountability framework:

European regulators expect documented organizational structure.
Recommended steering committee including legal, IT, product, HR and procurement.
Clear documentation of roles and responsibilities.

Accountability and Risk Management Strategies

Assigning responsibility:

Unlike privacy law, AI regulations do not define specific officer roles. Companies must internally assign roles and document accountability.
European regulators will expect written evidence of these allocations.

Risk mitigation priorities:

Assess legal compliance and perform data protection impact assessments where required.
Implement contracts, insurance and technical safeguards.
Regular monitoring and assessment procedures.

Immediate Action Items for Legal and Compliance Teams

Essential next steps from our panel:

Define roles under the EU AI Act and other applicable frameworks.
Maintain comprehensive documentation of AI systems and governance decisions.
Update contracts to address AI-related risks and responsibilities.
Ensure AI literacy training across the organization.

Bottom line: Developing or using AI now comes with AI compliance obligations. Companies that establish robust governance frameworks now will be better positioned as regulations continue evolving across jurisdictions.

Related Lawyers

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
White Collar
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Dr. Schröder berät Mandanten zu den Auswirkungen neuer Technologien im Recht der Daten. Dies betrifft Datenschutzrecht, Cyber, IP und die zahlreichen neuen EU-Vorgaben für den Umgang mit Daten sowie der künstlichen Intelligenz. Außerdem unterstützt er sie bei ihren Compliance-Programmen und hilft ihnen, in aufsichtsbehördlichen Verfahren oder vor Gericht. Ein besonderer Schwerpunkt seiner Arbeit liegt auf internen Datenübertragungsvereinbarungen, externen Datenübertragungen mit externen Anbietern und Produkteinführungen, die internationalen Datenschutzstandards entsprechen, sowie auf den Datenschutzanforderungen für vernetzte Autos. Darüber hinaus berät er Unternehmen in Fragen des Datenrechts bei der Entwicklung, dem Erwerb, der Nutzung, der Lizenzierung und dem Verkauf von Technologien, Daten und geistigem Eigentum, einschließlich M&A-Transaktionen und Joint Ventures mit Schwerpunkt auf geistigem Eigentum. Weiterhin unterstützt er bei Verträgen über Hard- und Softwarelizenzen und IT-Projekte (Informationstechnologie).

Dr. Schröder unterhält enge Arbeitsbeziehungen zu deutschen Datenschutzbehörden und EU-Aufsichtsbehörden, die für Fragen des Datenrechts zuständig sind. Er verteidigt Unternehmen effektiv bei Untersuchungen von Aufsichtsbehörden und auch bei Fragen zur Cybersicherheit und zum Datenschutz. Er verhandelt mit Behörden im Namen seiner Mandanten und hilft ihnen, Verfahren und mögliche Rechtsstreitigkeiten zu vermeiden. Wenn sich ein Rechtsstreit nicht vermeiden lässt, verteidigt Dr. Schröder seine Klienten mit Nachdruck.

Unternehmen, die mit globalen Cybersecurity-Vorfällen konfrontiert sind, hilft Dr. Schröder bei der Krisenbewältigung. Dies umfasst unter anderem die Beratung zu Datenpannenmeldungen, Koordination von Medienstrategien und die Vertretung vor Datenschutzbehörden bei entsprechenden regulatorischen Untersuchungen.

Dr. Schröder schreibt regelmäßig nützliche Beiträge für internationale Medien und deutsche Datenschutzbücher und -zeitschriften. Er ist Autor des Kapitels V (Internationale Datenübermittlung) des führenden deutschen GDPR-Kommentars Kühling/Buchner (4. Auflage) und Mitautor des Handbuchs Betrieblicher Datenschutz. Als aktives Mitglied der Sedona-Conference treibt Dr. Schröder die Entwicklung und das Verständnis von grenzüberschreitendem Datenschutz voran. Er ist regelmäßig Gastgeber oder Moderator von Vortragsreihen zum Daten- Cyber- oder AI-Recht, die er mit Kollegen aus anderen Kanzleien, Mitgliedern von Datenschutzbehörden und anderen Akademikern abhält.

Legal 500 Deutschland hat Dr. Schröder zu einem der 15 besten Anwälte im Jahr 2023 ernannt und bezeichnet ihn als einen „Pionier auf dem Gebiet des Datenschutzes“. Dr. Schröder und Orrick werden für den internationalen Beratungsansatz gelobt und für ihre Fähigkeit jederzeit Thought Leaders unterschiedlicher Regionen zur Diskussion herausfordernder Anforderungen an einen gemeinsamen Tisch zu bringen.

Vor seiner Tätigkeit als Wirtschaftsanwalt absolvierte Dr. Schröder ein Praktikum beim deutschen Bundesdatenschutzbeauftragten und bei www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Behördliche Untersuchungen und Vollstreckungsmaßnahmen
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

Matthew E.S. Coleman Partner, Cyber, Privacy & Data Innovation, Technology Transactions

New York; Boston

See my bio

D:+1 212 506 3569
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Mergers & Acquisitions
Artificial Intelligence (AI)
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Matthew E.S. Coleman Partner

New York; Boston

Matthew helps clients comply with the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act of 2018 (CCPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the General Data Protection Regulation (GDPR), the Telephone Consumer Protection Act (TCPA), and state breach notification, biometric privacy, and cybersecurity laws. He counsels on self-regulatory privacy programs, including Binding Corporate Rules, the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPRs); programs covering online behavioral advertising, including the Digital Advertising Alliance (DAA), the European Interactive Digital Advertising Alliance (EDAA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI); and programs covering payment card processing. Matthew also provides compliance solutions for emerging technologies, including artificial intelligence and blockchain.

Matthew’s federal regulatory experience helps clients stay compliant and avoid regulatory scrutiny. His comprehensive data management knowledge helps him counsel beyond the letter of the law and facilitates worldwide expansion, interoperable business processes, and innovative uses of consumer data while maintaining user trust. His all-encompassing, risk-based approach involves developing and executing internal and external policies for the collection, use, disclosure, sharing, retaining, transferring, and destruction of personal information. This includes managing contractual relationships with vendors, employees, acquired entities, and creditors as well as building privacy into companies’ product development life cycle and change management strategies.

Prior to joining Orrick, Matthew was an Enterprise Privacy Solutions Manager for TrustArc (formerly TRUSTe), a San Francisco-based privacy consulting and certification firm, and an adjunct law professor of Privacy Law at Santa Clara University. Matthew is a Certified Information Privacy Manager and a Certified Information Privacy Professional with a specialization in United States privacy law.