Global Digital Policy Roundup: August 2024

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of August 2024 in four core areas of digital policy.

• Content moderation, including the implementation of the European Union’s Digital Service Act, Chinese rules on violent online content, Indonesia's regulations on digital platforms and journalism, and Turkey’s lifted ban on Instagram.
• AI regulation, including the European Union’s AI Act, the Cartagena de Indias Declaration on AI, South Africa's AI policy framework, Brazil’s AI Plan, and China's newly released algorithm filings for deep synthesis services.
• Competition policy, including Australia’s proposed reform of merger rules, the European Union’s guidelines on abuse of dominance, Japan’s recommendations to Amazon and Apple, as well as investigations in South Korea, South Africa, and the United Kingdom.
• Data governance, including the United Nations draft cybercrime convention, Saudi Arabia’s new data transfer rules, and cases against Meta, X, WhatsApp, and Kakao Pay.

Content moderation

Europe

The European Commission has advanced the implementation of the Digital Services Act (DSA) by launching a consultation on new guidelines aimed at enhancing online protection for minors. Additionally, Shein's additional obligations as a very large online platform under DSA came into effect four months after its designation. Regarding enforcement, the Commission issued a formal request for information to Meta following the discontinuation of its CrowdTangle tool. The request seeks details on Meta's adherence to DSA requirements for researcher access to data and updates to its election and civic discourse monitoring tools.

Russia’s Tagansky Court imposed penalties on two companies for non-compliance with content rules. Google was fined RUB 3.5 million for failing to monitor and block illegal content as required under the law on self-regulation of social media. Similarly, Twitch was fined RUB 5 million for not complying with an order by Russia’s media regulator (Roskomnadzor) to remove content related to Ukraine.

The United Kingdom enacted the Media Act, granting the Office of Communications (Ofcom) the authority to review audience protection measures for non-UK on-demand service providers. The review focuses on ensuring effective protection from harmful content, particularly for children, including through age ratings, content warnings, parental controls, and age verification systems. Additionally, Ofcom opened a consultation on its draft codes of practice and guidance under the Online Safety Act. Finally, Ofcom issued an open letter to online service providers related to ongoing violence. The letter emphasizes that video-sharing platforms must prevent content that incites violence or hatred and highlights forthcoming Online Safety Act requirements.

Asia and Australia

Australia adopted a bill banning the creation and non-consensual distribution of deep fake pornography. The bill classifies such content as a form of abuse and criminalizes the use of technologies to create and disseminate it. The Communications and Media Authority (ACMA) issued a formal warning to Network Ten's streaming service, 10 Play, for breaching gambling advertising rules during two live-streamed sports events.

The Cyberspace Administration of China’s (CAC) regulations on violent online content entered into force. Internet service providers must implement content management systems, develop AI and manual review standards, and create early warning models for online violence. Providers must further verify users’ identity, manage accounts to prevent impersonation, and report significant activity spikes. Additionally, the Administration opened a consultation on draft measures for national online identity authentication.

India’s Ministry of Electronics and Information Technology reported that from March 2023 to June 2024, the Grievance Appellate Committees handled 1,065 cases related to social media intermediary obligations, resolving 937 of them. Under the IT Rules, such Committees address appeals against grievance officers’ decisions by issuing binding decisions for platforms.

Indonesia implemented regulations requiring digital platform companies to support quality journalism by curbing illegal content and ensuring fair treatment of press entities. Platforms must also develop algorithms to promote quality journalism and cooperate with verified press companies. The regulation mandates content remuneration, such as paid licenses or profit sharing, and encourages amicable dispute resolution. Additionally, the Ministry of Communication and Information sanctioned 21 payment service providers for online gambling and blocked 32 gambling-related websites.

Saudi Arabia’s Communications and Technology Commission closed a consultation on proposed requirements for internet service providers and digital content platforms to implement internet filtering. In case of non-compliance, platforms would face fines of up to SAR 25 million. The commission would receive powers to investigate violations and suspend services. Further, providers would have to obtain approval to acquire significant shares or market control in the communication sector.

Turkey's Transport and Infrastructure Minister lifted the Instagram ban imposed on August 2 after the platform agreed to address concerns about catalog crimes and user censorship. The ban was initially imposed due to Instagram's alleged non-compliance with local laws and societal sensitivities related to serious crimes.

Americas

Argentina introduced a bill to regulate influencers' content and advertising on digital platforms. The bill imposes obligations for legality and truthfulness, prohibits advertisements for gambling, and mandates clear identification of advertisements.

Three cases were referred to Brazil's Supreme Federal Court. The first case challenges the constitutionality of Article 19 of the Civil Rights Framework for the Internet, which mandates a court order before platforms can be held liable for third-party content. The second case addresses the obligation of internet service providers to remove harmful user-generated content after receiving an extrajudicial notice. The third case regards the legality of blocking WhatsApp, examining whether it violates freedom of expression and the principle of proportionality.

Canada’s Radio-television and Telecommunications Commission closed consultations on policies under the Online Streaming Act. Specifically, the policies regulate barrier-free access for blind and deaf consumers.

Artificial Intelligence

UNESCO launched a consultation on AI regulation, explaining key concepts and outlining nine emerging regulatory methods, for example, principle- and risk-based approaches. The paper also advises policymakers to create tailored regulations that address specific national needs.

Europe

The European Union’s AI Act entered into force, initiating a multi-step implementation process over the coming years. The Act establishes a risk-based approach, banning certain AI practices and imposing compliance requirements for "high-risk" AI systems. Prohibited practices include emotion recognition in the workplace and education, social scoring, biometric categorization for sensitive data inference, and certain types of predictive policing. For high-risk AI systems, obligations include testing, data governance, cybersecurity, monitoring, and conformity assessment. Fines are also tiered: EUR 35 million or 7% for violations of prohibitions, EUR 15 million or 3% for breaches of obligations, and EUR 7.5 million or 1.5% for providing incorrect information. Finally, the Act establishes the AI Office.

Russia and China issued a joint declaration announcing cooperation between both countries in AI and the creation of a working group to exchange experiences and best practices on the regulation and industrial application of AI.

The United Kingdom’s Information Commissioner's Office initiated a fifth consultation on generative AI concerning the allocation of controllership in the generative AI supply chain. The inquiry aims to clarify roles and responsibilities to ensure compliance with data protection obligations for developers and deployers. Meanwhile, the Department for Science, Innovation, and Technology closed consultations on two voluntary codes of practice on cybersecurity for developers and software vendors.

Asia

The Cyberspace Administration of China released the seventh batch of 487 deep synthesis service algorithms that were added to its algorithm filing system. Additionally, the MIIT launched a consultation on AI applications in traditional industries, such as steel, chemicals, and automotive, aiming to promote industry growth and innovation.

Japan signed two memorandums to enhance cooperation in regulating emerging technologies. The memorandum with Costa Rica targets advancements in AI, improvements to digital infrastructure, diversification of 5G vendors, and disaster prevention. The memorandum with Vietnam focuses on ICT collaboration, emphasizing digital infrastructure development, AI promotion, OpenRAN 5G networks, cybersecurity, and combating misinformation.

South Korea’s Fair Trade Commission launched a survey to examine the domestic generative AI market, focusing on 50 key companies. The aim is to identify issues, subsequently ensuring fair competition and fostering innovation in the AI sector.

Americas

Argentina, along with 15 other Latin American and Caribbean countries, signed the Cartagena de Indias Declaration committed to the ethical and responsible development of AI. The Declaration highlights the importance of establishing governance frameworks and AI ecosystems to promote safe, inclusive, and ethical AI practices throughout the region.

Brazil’s Ministry of Science, Technology, and Innovations published an AI Plan aiming to establish Brazil as a global AI leader with BRL 23 billion of investment. The plan includes the creation of a National Center for Algorithmic Transparency and Trustworthy AI to address AI risks and ensure transparency, security, and privacy.

Africa

South Africa adopted the national AI policy framework to foster a robust AI ecosystem that drives digital transformation and inclusion. The Framework emphasizes ethical AI development, transparency, and privacy, aiming to serve as the foundation for future AI regulation and legislation.

Competition

Europe

The European Commission opened a consultation on draft guidelines addressing exclusionary abuses of dominance under Article 102 of the Treaty on the Functioning of the European Union. The Article prevents dominant companies from harming competition. The guidelines reflect the Commission's views on EU case law and practices, focusing on goals of competition law enforcement, consumer welfare, assessing dominance, and evaluating conduct.

The Italian Competition Authority initiated a consultation on Booking's proposed commitments in response to accusations of market abuse in the online hotel booking sector. The Authority will review public feedback before deciding whether to accept the commitments, which aim to prevent Booking from using its market power to unfairly disadvantage other online travel agencies and restrict Italian hotels' rate-setting autonomy. Separately, the Authority fined the Radiotaxi 3570 cooperative EUR 140,043 for failing to modify its non-competition clauses to allow taxi drivers to use competing platforms.

The United Kingdom‘s Competition and Markets Authority closed its investigations into Google’s Play Store and Apple’s App Store, stating that it will instead focus on enforcing the novel Digital Markets, Competition and Consumers Act. Google was investigated for allegedly employing anti-competitive practices regarding its Google Play Store, while Apple was investigated regarding its distribution practices and commission rates for apps. Additionally, the Authority closed its consultations on the partnership between Alphabet and Anthropicand Google’s revised Privacy Sandbox. Finally, the Authority launched a merger inquiry regarding the partnership between Amazon and Anthropic.

Asia and Australia

The Australian Treasury completed its consultation on a draft bill to reform merger and acquisition laws. The proposed amendments include setting mandatory notification thresholds, introducing a phased review process, and improving the regulator's enforcement powers, particularly for serial acquisitions. Meanwhile, the Australian Competition and Consumer Commission closed its consultation on the final report of the digital platform services inquiry, seeking input on international regulatory trends and emerging competition issues. Additionally, the Commission accepted undertakings from TPG Telecom, preventing Google search services to be preinstalled on Android devices in Australia. The Commission's investigation into Google’s competitive practices remains ongoing.

China’s General Offices of the Central Committee and the State Council issued policies to improve the market access system, focusing on creating a transparent and competitive market environment. The measures include enhancing the negative list management system, relaxing restrictions in service sectors, and expanding market access pilots in strategic industries.

India’s Competition Commission approved Data Infrastructure Trust's acquisition of ATC Telecom Infrastructure. Both entities provide passive telecom infrastructure services.

The Indonesian Competition Authority reviewed Starlink's entry into the Indonesian market. The review raised concerns about compliance with local regulations, potential predatory pricing, and the impact on local manufacturing. The Authority found that Starlink meets many regulatory standards but called for further scrutiny to ensure fair competition and consumer protection.

Japan’s Ministry of Economy, Trade, and Industry published recommendations to Amazon and Apple based on the Act on Improving Transparency and Fairness of Digital Platforms. Amazon Japan must clarify fee categories, provide advance notice of fee changes, and report compliance every three months. Apple is required to improve terms of disclosure translations and compliance systems. METI also opened a consultation on transitional measures for the enforcement of a recent amendment to the Consumer Product Safety Act. The amendment requires foreign businesses selling products to domestic consumers through online platforms to establish local operations and demands that online platform providers remove products that pose a risk to domestic consumers.

South Korea enacted the amendment to the Basic Consumer Act and its enforcement decree. The amendment specifies the subjects and methods of investigations to promote consumer rights and enhance policy implementation, including provisions for online dispute mediation meetings. Additionally, the Fair Trade Commission closed a consultation on amendments to the enforcement decree of the Act on Consumer Protection in Electronic Commerce. These amendments aim to address deceptive online practices by requiring clearer consent rules for payment changes and service conversions. Furthermore, the Commission fined Weverse, YG Plus, SM Brand Marketing, and JYP 360 between KRW 2.5 million and KRW 3 million for improper withdrawal periods and unclear product information.

Africa

South Africa’s Competition Commission accepted Booking’s undertakings to fulfill the remedial actions included in the final report of the online intermediation platforms market inquiry. In particular, Booking committed to removing the wide and narrow price parity clauses from all contracts with accommodation providers in South Africa and from the participation criteria for Booking incentive and membership programs.

Data governance

The United Nations Office on Drugs and Crime announced the finalization of the draft cybercrime convention, marking the first global legally binding instrument on cybercrime. The convention aims to enhance international cooperation in combating cybercrime, focusing on prevention, prosecution, and technical support, especially for developing nations.

Europe

The European Union and China announced discussions to launch the cross-border data flow communication mechanism. The initiative aims to provide practical solutions for European companies managing non-personal data flows while adhering to Chinese regulations. In parallel, the European Commission opened a consultation seeking information for the report on the operation of the EU-US Data Privacy Framework. The report will assess new safeguards and mechanisms introduced, such as limits on US intelligence access to EU data and the establishment of an independent review court.

Regarding enforcement, the Dutch Data Protection Authority fined Uber EUR 290 million for inadequately protecting European taxi drivers' personal data, namely through unauthorized data transfers to the US. In addition, the Irish Data Protection Commission concluded proceedings against X regarding the processing of users’ public posts to train its AI tool (Grok) after X agreed to permanently restrict such processing. Finally, the Polish Data Protection Authority ordered Meta to stop displaying false ads on Facebook and Instagram in Poland that misuse a journalist's data.

The United Kingdom’s Information Commissioner’s Office (ICO) issued recommendations addressing barriers that businesses face in adopting privacy-enhancing technologies. Additionally, the ICO opened a consultation on the children’s code strategy, which covers the use of children’s personal information in recommender systems. Concerning investigations, the ICO issued a statement noting that following discussions with Meta, it is assessing how UK data protection laws would impact the implementation of a potential ad-free subscription service.

Furthermore, the ICO stated that it expects Meta to address and resolve any data protection issues it identifies before launching such a subscription service for users in the UK. The ICO also fined Advanced Computer Software Group approx. GBP 6 million for failing to implement adequate measures to protect the personal information of 82'946 individuals. Finally, the UK’s National Crime Agency shut down Russian Coms, holding it responsible for 1.8 million scam calls and tens of millions in financial losses.

Asia and Australia

The Australian Cyber Security Centre, along with partners, published guidance on best practices for event logging and cyber threat detection for cloud services. Separately, the Office of the Australian Information Commissioner determined that, while Clearview AI was previously found to have breached privacy laws by collecting sensitive data without consent, no further action was warranted.

China's National Information Security Standardisation Technical Committee (TC260) launched two consultations. The first focuses on guidelines for security requirements during the suspension of data processing on internet platforms. These guidelines outline operators' obligations to ensure data security and offer a reference for regulators in security oversight and assessment. The second consultation addresses a national standard on network security technical identification, covering the design, use, and testing of password authentication systems, encryption technologies, and related areas. Additionally, TC260 concluded its consultation on draft guidance for social responsibility in data security and personal information protection.

India’s Securities Exchange Commission issued the cybersecurity and cyber resilience framework for regulated entities. It sets guidelines to enhance cyber resilience, align with industry standards, and ensure compliance through audits to address evolving cyber threats.

Japan opened a consultation on the draft rules amending the process for recognizing foreign countries with equivalent personal data protection standards, covering both public and private sectors for cross-border data transfers.

South Korea Financial Supervisory Service found that Kakao Pay shared the personal data of all registered users, including those who had not consented to overseas payment services, with Alipay. Over 5.5 billion instances of data, such as account names, phone numbers, emails, and credit information, were shared during its overseas payment services investigation.

The Saudi Authority for Data and Artificial Intelligence (SDAIA) adopted standard contractual clauses and binding common rules based on the amended Personal Data Protection Law and its regulations, which enter into effect on September 14, 2024. The SDAIA also issued a guide outlining obligations for entities transferring personal data abroad, rules for appointing data protection officers, and a guideline for minimum personal data determination.

The Turkish Data Protection Authority issued guidelines clarifying the legal conditions for processing personal data under both Turkish and EU law. The guidelines also highlight key differences between Turkish law and the GDPR, particularly regarding data processing for legal obligations. Additionally, the Authority imposed fines totaling TRY 503 million on over 16'000 data controllers for failing to comply with registration requirements under Turkish law.

Americas

The Brazilian Data Protection Authority (ANPD) implemented regulations on cross-border data transfers. The National Telecommunications Agency expanded its cybersecurity regulation, now covering all telecom providers, including submarine cable operators. Concerning enforcement, a Brazilian court ruled against WhatsApp, preventing data sharing within the Meta Group for advertising. WhatsApp must also enable users to opt out of its 2021 privacy policy within 90 days. Additionally, the Ministry of Justice ordered Google and Apple to enhance security measures in email applications as part of the Safe Cell Phone program to combat device theft, requiring features like passwords and biometrics for access.

Canada signed a memorandum of understanding with the United States to cooperate on information-sharing and enforcement of personal data protection in the private sector. Both parties commit to mutual assistance while recognizing confidentiality and potential limitations in the exchange of information.

Mexico’s Federal Telecommunications Institute (IFT) and National Institute of Transparency (INAI), Access to Information, and Protection of Personal Data (NTAI) issued opinions expressing strong concerns about a proposed constitutional amendment that aims to transfer their powers to other executive bodies. The IFT warned that its dissolution would regress telecommunications access, harm market competition, and negatively impact users, while the INAI argued that its removal would undermine transparency and human rights by compromising its independent decision-making.