Global Digital Policy Roundup: December 2024

Tommaso Giardini, Maria Buza / Jan 14, 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, the roundup summarizes the highlights of December 2024 in four core areas of digital policy.

  • Content moderation, including Australia's online safety industry standards, the United Kingdom's implementation of the Online Safety Act through codes of practices, and the European Commission's enforcement action against TikTok.
  • AI regulation, including South Korea's passage of the AI Basic Act, the EU's revised General-Purpose AI Code of Practice, and Brazil's Bill regulating AI usage.
  • Competition policy, including Japan’s orders under the law on competition in smartphone software, the European Commission's assessment of Apple’s commitments under the Digital Markets Act, and China’s enforcement action against Nvidia.
  • Data governance, including the European Union's new cybersecurity framework, China’s guidelines on national data infrastructure, and enforcement cases against Worldcoin and OpenAI in Germany and Italy.

Content moderation

Europe

The European Commission opened formal proceedings against TikTok for allegedly breaching the Digital Services Act (DSA) by failing to mitigate systemic risks to electoral integrity during Romania's presidential elections. The investigation will examine TikTok's recommender systems, political ad policies, and handling of inauthentic manipulation.

The Italian Communications Authority opened a consultation on amendments to influencer guidelines to require platforms to ensure influencers clearly identify themselves and provide contact details. Platforms must also implement reporting mechanisms and protect minors by labeling harmful content and using age-appropriate filters or warnings.

Russia’s media regulator published a draft order mandating communication operators to provide data on internet users accessing blocked websites. The data includes network addresses, geographic information, and identifiers of technical tools used for network security.

The United Kingdom’s Office of Communications (Ofcom) advanced the implementation of the Online Safety Act with the publishing of binding codes of practice for user-to-user and search service providers. These codes mandate providers to implement measures to address illegal content, including mechanisms for fraud reporting and anti-harassment controls. Subject to parliamentary approval, the codes will take effect in March 2025. Ofcom also issued additional guidelines on illegal content risk assessment, record-keeping requirements, and content moderation standards and established a register of risks. Additionally, Ofcom requested social media websites and apps to document the risks illegal content could present to children and adult users and opened a consultation on enforcement notices for addressing terrorism and child sexual exploitation and abuse content.

Asia and Australia

Australia signed into law a bill establishing a minimum age requirement of 16 for social media usage, backed by mandatory age verification mechanisms. The country also implemented the online safety industry standards for designated internet services and relevant electronic services. These standards require platforms, including apps, online games, storage services, and generative AI models, to prevent the distribution of child sexual abuse material and pro-terror content. Additionally, the eSafety Commissioner extended the deadline for the online industry to submit final drafts of enforceable codes to February 2025. The industry has to develop codes to protect children from exposure to graphic pornography and other harmful content, such as material related to suicide, serious illness, self-harm, and disordered eating.

China’s National Cybersecurity Standardization Technical Committee consulted on guidelines introducing a "minor mode" for mobile internet products. It requires devices to restrict minors’ access to educational and emergency apps with age-based time limits and parental controls. Separately, the Cyberspace Administration also imposed corrective measures on platforms, including Douyin and WeChat, for enabling predatory lending and fraudulent investment practices and mandated suspensions of accounts.

South Korea updated its advertising guidelines for recommendations and endorsements on blogs and text-based media, establishing additional transparency requirements for online content.

Americas

The Canadian Radio-television and Telecommunications Commission adopted a bargaining framework under the Online News Act, mandating online platforms to negotiate compensation with Canadian news businesses for hosted content. The framework outlines bargaining, mediation, and arbitration processes, along with complaint mechanisms for unfair practices. Separately, a parliamentary report recommended stronger protections, including data rights for minors and EU-style disinformation standards to increase safety online. Meanwhile, TikTok appealed a government order requiring it to cease operations over national security concerns, challenging its fairness and proportionality.

Artificial Intelligence

Europe

The European Union implemented the General Product Safety Regulation to update the product safety framework in response to digitalization and AI-related products. The regulation focuses on consumer protection by addressing safety, cybersecurity, and data protection and applies specifically to AI embedded in physical consumer products rather than stand-alone AI software. Additionally, the European Commission published a second draft of the General-Purpose AI Code of Practice, creating a regulatory framework for compliance with the AI Act for general-purpose AI model providers. It also closed a consultation on guidelines clarifying the AI Act's definitions and prohibited practices, focusing on high-risk applications such as harmful manipulation and biometric misuse. Separately, the European Data Protection Board adopted an opinion on using personal data for AI model development, offering guidance on data anonymity, legitimate interest, and compliance with data protection requirements for both first- and third-party data.

The United Kingdom’s Information Commissioner's Office (ICO) updated its guidance on integrating individual rights into generative AI systems. The guidance clarifies that AI systems must adhere to data protection principles under the UK GDPR and Data Protection Act, ensuring lawfulness, fairness, and transparency. The ICO also addressed data collection practices, noting that web scraping can only be used when necessary, with organizations required to justify its use and ensure data anonymization or pseudonymization. Meanwhile, the Intellectual Property Office, alongside other government departments, opened a consultation on AI and copyright. The consultation seeks proposals to improve rights holders' control and payment for content used in AI model training, with potential interventions including transparency from AI developers and a copyright exception for data mining. Finally, the Parliament Science, Innovation, and Technology Committee launched an inquiry to examine the role of social media algorithms and generative AI in spreading harmful content.

Asia

South Korea’s National Assembly passed the AI Basic Act, which incorporated 19 other separate bills. The Act introduces user rights protections and establishes governance frameworks for AI development and deployment. The bill includes specific design requirements for AI systems and creates a new AI authority to oversee implementation. The Act will be implemented within one year of its official publication. Additionally, the Personal Information Protection Committee issued an AI privacy risk assessment and management model to guide AI companies in managing privacy risks. The model offers a framework for assessing risks throughout the AI lifecycle, addressing specific concerns for generative and discriminative AI.

China’s National Technical Committee on Cybersecurity ran a consultation on cybersecurity guidelines for generative AI service security response. The guidelines provide a framework for AI service providers to classify and manage security incidents, detailing a four-level grading system based on impact and severity. Additionally, the Ministry of Commerce implemented new export controls on dual-use items to the United States. The expanded export control framework also includes stricter checks on dual-use graphite materials following the United States’s announcement of its export controls on semiconductor equipment. The regulations are expected to impact various advanced technology sectors, including AI and quantum computing.

Americas

Brazil’s Senate passed a bill regulating AI usage. The bill adopts a risk-based approach, imposing additional rules on high-risk AI systems affecting public safety and human rights. It includes provisions for algorithm design, technical standards, and data protection measures. The bill permits AI model training with copyrighted material if obtained for non-profit purposes. Additionally, it establishes an authority to ensure compliance and impose penalties for non-compliance, with fines reaching up to BRL 50 million (approx. USD 1.6 million) or 2% of the company’s turnover. Moreover, the National Data Protection Authority (ANPD) closed the public consultation on its AI and data protection regulatory project. The consultation, aligned with the General Personal Data Protection Law, addresses transparency, automated decision-making, and rights such as consent revocation and data erasure. The ANPD also issued a supervisory decision requiring X Corp to cease processing minors' data for AI training and clarify its data processing practices in relation to Brazil’s regulations. Non-compliance could lead to further regulatory actions.

Canada established an AI Safety Institute to address AI risks and complement the country’s existing AI governance frameworks. Separately, the Office of the Privacy Commissioner of Canada (OPC) concluded its investigation into LinkedIn's use of Canadian users' data for generative AI training. LinkedIn paused the practice and committed to working with the OPC to ensure compliance with federal privacy laws.

Competition

Europe

The European Commission launched a consultation on proposed measures to ensure interoperability between Apple’s iOS and connected devices, as required by the Digital Markets Act (DMA). Under the DMA, gatekeepers (large digital platforms such as Apple) are required to provide interoperability and access to their software and hardware features. The proposed measures focus on features such as notifications, Bluetooth switching, AirDrop, and NFC functionality. Additionally, the Commission approved NVIDIA's acquisition of Run:ai Labs and opened investigations into data center construction firms regarding potential no-poach agreements.

Italy's Competition Authority (AGCM) concluded its investigation into Booking, following the platform's commitments to address concerns of market dominance. Booking agreed to measures ensuring fairer pricing practices, enhanced transparency, and the provision of regular data to partners. Additionally, AGCM introduced guidelines for calculating competition law fines, capping penalties at 10% of global turnover, and launched investigations into algorithmic pricing in the air transport sector.

The United Kingdom’s Competition and Markets Authority (CMA) closed the consultation on its market investigation into mobile browsers and cloud gaming. The CMA found that Apple's policies on mobile browsers and in-app browsing restrict competition, while agreements between Apple and Google limit their financial incentives to compete. However, the CMA concluded no intervention was needed in mobile cloud gaming following Apple's changes to the App Store terms. Additionally, the CMA’s guidance for the Digital Markets, Competition, and Consumers Act of 2024 was approved. The guidance outlines the criteria for strategic market status designation and penalties for non-compliance, reaching up to 10% of global turnover.

Asia and Australia

The Australian Competition and Consumer Commission published an interim report on digital platform services, focusing on competition and consumer issues in the general search service sector. The report revisits market dominance, particularly of Google, and examines the impact of generative AI on competition. While not proposing new recommendations, it advocates for reforms to address digital platform-related harms, referencing proposals from its September 2022 report.

The Chinese State Administration for Market Regulation (SAMR) opened an investigation into Nvidia for alleged violations of the national anti-monopoly law. SAMR also stated that Nvidia may have violated commitments made during the acquisition of Mellanox Technologies, a chip designer, under terms outlined in SAMR's conditional approval of the acquisition in 2020.

Japan adopted an order specifying criteria for designating operators subject to its law on promoting competition in smartphone software. Operators of operating systems, app stores, browsers, and search engines with over 40 million monthly users must comply with obligations on data use, the fair treatment of app providers, and interoperability. Moreover, the law requires operators to facilitate data transfer, allow changes to default settings, and obtain user consent for incorporating additional software. Furthermore, the Ministry of Trade and Industry (METI) launched a consultation on draft reports evaluating the transparency and fairness of e-commerce platforms, app stores, and the digital advertising sector under the Transparency Act. The evaluation examines platform practices such as ranking criteria, merchant fees, and dispute resolution. METI aims to monitor compliance and encourage voluntary improvements.

South Korea’s Federal Trade Commission (FTC) concluded its investigation into Kakao Mobility's market dominance in the ride-hailing sector, imposing a fine of KRW 15.1 billion for anti-competitive practices. The FTC found that Kakao pressured rival taxi platforms to share confidential data in exchange for access to its service, which led to its increased market share.

Americas

Canada implemented amendments to its Competition Act, expanding anti-competitive collaboration provisions to include non-competitors if their agreements substantially harm competition. The changes also grant the Tribunal the power to address anti-competitive acts by companies with substantial control over markets, including excessive pricing.

Mexico adopted constitutional amendments that restructure the governance of competition oversight. The reforms abolish autonomous bodies, including the Federal Economic Competition Commission (COFECE) and the Federal Telecommunications Institute (IFT), and transfer their responsibilities to executive agencies. A new competition agency will be established to take over the functions of COFECE and IFT.

Data governance

Europe

The European Union (EU) advanced several cybersecurity and data protection initiatives. The Cyber Resilience Act, which sets security requirements for products with digital components, came into force and will be effective in three years. The Platform Work Directive, regulating digital platforms' processing of worker data, also entered into force, prohibiting the use of data on workers' emotional or psychological states. Additionally, the Council of the European Union adopted the Cyber Solidarity Act, aimed at enhancing the EU's cyber threat detection, response capabilities, and technological sovereignty. The Council also issued a declaration recommending that the EU and its Member States facilitate access to data by law enforcement authorities. Furthermore, the European Data Protection Board opened a public consultation on guidelines regarding the legal basis for transferring personal data to non-EU countries, and the European Data Protection Supervisor launched a compliance review of the European Commission’s use of Microsoft 365.

The French Data Protection Authority found several website publishers in violation of the Data Protection Act by presenting misleading cookie consent banners. Non-compliant practices included unclear refusal options and ambiguous information. The Authority requested publishers to update their practices within one month.

The Bavarian State Office for Data Protection Supervision concluded its investigation into Worldcoin's processing of biometric data, specifically iris scans, to create a "World ID." The company was instructed to implement General Data Protection Regulation (GDPR) compliant data deletion procedures and obtain explicit consent for processing data.

The Italian Data Protection Authority fined OpenAI EUR 15 million for GDPR violations related to ChatGPT, including failure to report a data breach, inadequate privacy policies, and a lack of age verification mechanisms. OpenAI was ordered to run a six-month awareness campaign in Italy. As of February 2024, OpenAI established its European headquarters in Ireland, and the Irish Data Protection Authority is now taking the lead on the case under the GDPR's one-stop shop rule.

Russia implemented a law amending its Criminal Code to establish liability for the illegal use, transfer, collection, and storage of personal data in computer systems.

The United Kingdom’s Information Commissioner's Office (ICO) opened a consultation on updated guidance for using storage and access technologies, including cookies and device fingerprinting. The guidance clarifies compliance and consent practices, replacing the 2019 cookie guidelines. The ICO also announced that it intends to challenge Google's policy change allowing fingerprinting in advertising, citing concerns over privacy and user consent. Additionally, the United Kingdom formally joined the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), which includes provisions on data protection and prohibits the imposition of data localization requirements as a condition for conducting business in member territories.

Asia and Australia

Australia’s Privacy Legislation Amendment Act received Royal Assent. The Act broadens the Office of the Information Commissioner (OAIC)'s enforcement powers. It empowers the OAIC to impose mid-tier civil penalties for privacy violations and introduces a low-level penalty for administrative breaches. The OAIC is also charged with developing a Children's Online Privacy Code for digital services accessed by children. In a separate action, the OAIC reached an AUD 50 million settlement with Meta Platforms over the Cambridge Analytica data breach.

China's National Data Administration closed a consultation on draft guidelines for building national data infrastructure. The guidelines aim to enhance data circulation, security, and support for the digital economy.

India's Ministry of Commerce approved Shein's re-entry into the market through a technology agreement with Reliance Retail Ventures following its initial ban in 2020 due to data security concerns. The approval is contingent on Shein complying with India's data localisation requirements, ensuring all platform data remains within India.

South Korea's Personal Information Protection Commission (PIPC) is consulting on an amendment to the Personal Information Protection Act that would align data transfer procedures with existing usage and disclosure requirements. The amendment includes measures on data transfer security and defines the roles of personal information management agencies and the PIPC's supervisory responsibilities.

Africa

South Africa's Information Regulator issued a guidance note on complying with the Protection of Personal Information Act for direct marketing. The note specifies that entities must conduct a legitimate interest assessment to ensure lawful data processing practices and to obtain explicit consent from data subjects.

Authors

Tommaso Giardini
Tommaso Giardini is the Associate Director of the Digital Policy Alert, the world's largest open-access database on digital policy developments. Tommaso provides daily updates on government regulation of the digital economy, including artificial intelligence, social media, and e-commerce.
Maria Buza
Maria Buza is a Senior Digital Economic Policy Analyst at the Digital Policy Alert. Maria coordinates the Digital Policy Alert team that monitors policy developments affecting the digital economy in the G20 countries, Europe and Southeast Asia.
