The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of December in four core areas of digital policy.

• Content moderation, including Australia's implementation of the Social Media Minimum Age Act, India's bills criminalizing deepfakes and online harassment, South Korea's Network Act amendment expanding prohibited content, as well as the European Commission’s fine against X and Italy’s fine against Cloudflare.
• AI regulation, including Turkey's decrees establishing AI governance structures, India's bills on AI ethics and AI-generated works, and the European Commission's investigations into Meta and Google.
• Competition policy, including Japan's implementation of the Smartphone Software Competition Promotion Act, Germany's investigation and Italy’s fine concerning Apple’s App Tracking Transparency, Australia's fine against Google, and Brazil's cease-and-desist agreement with Apple.
• Data governance, including China's new cybersecurity standards, India's amendments to the Digital Personal Data Protection, and South Korea's enforcement against Coupang.

Content moderation

Europe

The European Commission proposed a regulation to further extend the temporary derogation from the ePrivacy Directive allowing online service providers to voluntarily detect and remove child sexual abuse material. The proposal serves as an interim measure pending the adoption of a long-term EU framework to combat online child sexual abuse, which is currently being negotiated between the Council and the European Parliament. Additionally, the Commission opened a consultation on the draft implementing regulation setting out the technical arrangements for the EU repository of online political advertisements.

The European Union continued the enforcement of the Digital Services Act (DSA). The European Commission fined X EUR 120 million for breaching transparency obligations under the DSA, citing misleading “blue checkmarks,” an incomplete advertising repository, and limits on researchers’ access to public data. X must implement corrective measures or risk further penalties, while the Commission’s broader investigation into illegal content and information manipulation continues. Further, the Commission accepted TikTok's commitments on advertising transparency to provide a searchable and reliable repository for advertisements. At the member-state level, the Irish Media Commission opened an investigation into TikTok and LinkedIn under the DSA, following concerns that their illegal content reporting mechanisms may involve potentially confusing “dark patterns.”

The Italian Authority for Communications fined Cloudflare EUR 14.25 million for failing to adhere to court orders regarding the disablement of domain name services and traffic routing linked to illegal live sports streaming.

The United Kingdom continued the implementation of the Online Safety Act. The Secretary of State adopted amended regulations designating cyberflashing and the encouragement or assistance of serious self-harm as priority offences. Online service providers must treat these offences as a priority under their illegal content duties, including preventing misuse of their services and removing or limiting user exposure in line with Ofcom’s codes of practice. The online safety super-complaints regulations entered into force, establishing eligibility criteria and procedures for submissions to the Office of Communications (Ofcom), including rules on evidence, decision-making, and the handling of rejected or repeat complaints.

Ofcom updated the guidance on online safety information powers and issued revised guidance for file-storage and file-sharing services. Ofcom also opened a consultation on guidance regarding providers’ obligations in responding to information requests from parents of deceased children.

In enforcement, Ofcom fined image hosting and file-sharing service Im.ge GBP 20,000 for failing to comply with statutory information requests during an investigation into alleged breaches of illegal content duties. Ofcom also confirmed that AVS Group implemented new age assurance measures across all adult websites covered by its investigation, bringing that investigation into the group’s compliance with age assurance obligations to a close.

Asia and Australia

Australia implemented the Social Media Minimum Age Act, requiring platforms such as Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, and Reddit to take reasonable steps to prevent users under 16 from holding accounts. Two days after the Act came into force, Reddit filed a lawsuit challenging its validity, arguing that it is invalid because it places an unjustified burden on political communication. Additionally, three industry codes under the Online Safety Act, covering hosting, extended internet carriage, and search services, have also come into force. The codes set out safeguards to protect children from Class 1C and Class 2 material, including content related to pornography, violence, suicide, self-harm, and disordered eating.

The eSafety Commissioner published the online safety codes and standards regulatory guidance to assist service providers in applying the codes and standards, including risk assessments, reporting, and compliance obligations. It also clarifies which services are covered, how the regulations interact, and provides additional guidance for areas such as generative AI and age assurance. Finally, the eSafety Commissioner and the Irish Media Commission signed a memorandum of understanding on online safety cooperation.

The State Administration for Market Regulation of China adopted technical requirements for children’s watches for users aged 3 to under 14, covering data security, personal information protection, anti-addiction and guardian-controlled features, secure communication and emergency functions, content controls, labeling, account management, and compliance testing. The Cyberspace Administration of China (CAC) announced the annual compliance audit timeline under the Regulations on the Protection of Minors on the Internet, requiring processors to audit their handling of minors’ data and submit reports by the end of January. The CAC also issued a notice regulating internet celebrity accounts, including a list of negative behavior. Platforms must update community rules and user agreements to prohibit vulgarity, pornography, distortion of public morals, false information, cyberbullying, and unlicensed activities. Separately, the State Administration for Market Regulation, together with 14 other departments, issued an action plan to enhance the quality and safety of industrial products sold online.

In India, several legislative measures were introduced to address online harms and digital safety. The bill on deepfakes criminalizes creating or sharing such content without consent or identifying watermarks, including sexually explicit material, content that may incite violence or disrupt official processes, and uses for fraud, impersonation, or identity theft. A separate bill amending the Information Technology Act introduces provisions criminalizing online harassment and deepfakes. It defines and penalizes online harassment, stalking, threats, incitement to violence, false panic-inducing content, and harmful deepfakes, while requiring intermediaries to maintain grievance redressal mechanisms before legal action. Additional measures include a bill on the liability of digital navigation services and amendments to the Digital Personal Data Protection Act, which prohibit processing children’s personal data in ways that could cause harm, including through behavioral profiling, targeted advertising, risky data sharing, or activities that may affect their mental health.

Indonesia’s Ministry of Communication and Digital Affairs confirmed that X paid an administrative fine of IDR 78.125 million over content moderation violations.

South Korea’s National Assembly adopted a partial amendment to the Network Act, which will come into force in July 2026. The amendment expands prohibited content to include material that incites violence or discrimination based on race, nationality, region, gender, disability, age, or social status, and bans the distribution of false or manipulated information that infringes on personal or property rights. Large-scale service providers must establish policies to identify and manage such content and publish semi-annual transparency reports. The Act also establishes user objection rights and media protection and introduces punitive damages, allowing courts to award up to five times the actual damages for intentional or negligent distribution of harmful false information. The Communications Commission may impose fines of up to KRW 1 billion on platforms that repeatedly distribute illegal or manipulated content following a final court ruling.

Americas

The Canadian Radio-television and Telecommunications Commission introduced changes under the Broadcasting Act to improve accessibility for Canadians who are blind or partially sighted, including described video for scripted programs and audio description for news content.

Artificial Intelligence

International

The G7 Industry, Digital, and Technology Ministers issued a ministerial declaration outlining their intentions to address secure and responsible AI development, quantum technologies, and semiconductor supply chain resilience.

Europe

The Council of the European Union adopted a position on a regulation supporting the EuroHPC initiative for start-ups, establishing governance, funding, and operational rules for AI gigafactories and a quantum pillar, with safeguards for third-country participation. The European Parliament’s Legal Affairs Committee rejected a proposal to challenge the European Commission over the withdrawal of the AI Liability Directive.

The European Commission opened consultations on the first draft of the Code of Practice on marking and labeling AI-generated content, guidance on machine-readable opt-out protocols regarding the copyright chapter of the GPAI Code of Practice, and the draft implementing regulation on AI Regulatory Sandboxes.

In enforcement, the European Commission opened an investigation into Meta's blocking of AI business communications on WhatsApp for competing AI providers. The Commission also initiated a formal investigation into Google over potential competition breaches, examining whether it unfairly uses web and YouTube content for AI purposes. The investigation focuses on alleged lack of compensation, limited opt-out options for creators, and possible abuse of dominant market position. Meanwhile, the European Union Agency for Fundamental Rights published a report assessing high-risk AI and its potential impact on fundamental rights. Finally, the European Union and Canada signed a memorandum of understanding to strengthen cooperation on AI governance and development.

The French Competition Authority published a report examining the energy use and environmental impact of AI, highlighting issues around access to energy, AI efficiency as a competitive factor, and standardisation of environmental footprints. The report emphasizes the need for reliable environmental data and standards to support competition and sustainability.

In Germany, a regional court upheld a previous ruling that using a photograph in an AI training dataset was lawful. The Court found the use fell under the text and data mining and scientific research exceptions in the German Copyright Act, as the website’s usage restrictions were not machine-readable and the dataset creation was part of systematic research.

The Italian Competition Authority ordered Meta to suspend the application of its new business solution terms, including restrictions on third-party AI services, as part of an investigation into the pre-installation of Meta’s AI service on WhatsApp.

The President of Turkey signed two decrees expanding AI and digital government responsibilities. The first decree renamed a directorate under the Ministry of Industry and Technology as the General Directorate of National Technology and AI, tasking it with developing national data and cloud infrastructure, formulating AI policies and strategies, and supporting AI research and development. The second decree expanded the Cyber Security Directorate’s mandate to oversee national policies and the coordination of AI integration and use across public institutions.

The United Kingdom Home Office opened a consultation on a new legal framework for law enforcement use of biometrics and facial recognition, and related technologies such as AI, covering acquisition, use, retention, and privacy safeguards. Additionally, the Office of Communications issued guidance on how the Online Safety Act applies to AI chatbots, clarifying that those within user-to-user, search, or pornographic services must assess and mitigate risks, especially to children. Chatbots operating independently without user interaction, web searches, or pornographic content generation are not covered.

Asia and Australia

Australia’s Department of Industry and Science published the National AI Plan outlining a framework for AI development, adoption, and governance. The Office of the Information Commissioner issued guidance on privacy risks and considerations associated with the use of generative AI in the workplace, setting out data protection requirements for AI applications. In parallel, the Cyber Security Centre, together with international partners, released principles for the secure integration of AI in operational technology for internet and telecommunications services, cloud computing, storage and databases, and network hardware providers.

The Cyberspace Administration of China opened a consultation on draft measures for the administration of anthropomorphic interactive AI Services, defined as AI that simulates human personality, thinking, and communication across text, images, audio, and video. The measures would prohibit content that threatens national security, promotes obscenity, gambling, violence, or crime, or infringes on others’ rights. Providers would be required to identify minor users and enable minor mode, giving guardians control over settings, usage time, and risk alerts. The draft also addresses user rights,design requirements,data protection, and governance structures. Separately, the Ministry of Industry and Information Technology issued measures establishing operational license requirements for internet and telecommunications services, cloud computing, storage, and network hardware providers involved in AI development. The Cyberspace Administration also published an initiative on deepening China–ASEAN cooperation on digital governance, including commitments on AI governance collaboration.

Two bills were introduced in the Parliament of India to regulate both the ethical use of AI and the legal treatment of AI-generated works. The Artificial Intelligence (Ethics and Accountability) Bill seeks to establish a nationwide framework for ethical use and accountability of AI in decision-making, surveillance, and algorithmic systems. The bill proposes the creation of a central government ethics committee to issue guidelines, monitor compliance, investigate misuse or bias, authorize AI use in surveillance, and promote capacity-building. Developers would be required to follow design and transparency standards, conduct regular audits, mitigate bias, and provide explanations for AI decisions, particularly in sensitive areas such as law enforcement, finance, and employment. Meanwhile, the Machine-Created Intellectual Asset Bill sets a legal framework for AI-generated works, defining authorship, economic and moral rights, derivative works, and introducing registration, disclosure, and fair-use rules for developers, platforms, and users. Separately, the Department for Promotion of Industry and Internal Trade opened a consultation on generative AI and copyright, focusing on remuneration for copyright holders.

The National Assembly of South Korea adopted the Act on Promotion of Industrial Digital Transformation and Utilization of Artificial Intelligence, which establishes a framework for the use of AI in industry and the broader digital transformation of the economy. The Act sets out governance for AI authorities, organizational requirements, data governance standards, cybersecurity regulations, and interoperability obligations to ensure secure, responsible, and coordinated deployment of AI technologies across industrial sectors. Additionally, the Ministry of Science and Information and Communication Technology consulted on the Enforcement Decree of the Framework Act on the Development of AI, addressing design requirements,AI authority governance, and user rights in AI systems. The Act is set to enter into force in January 2026, and enables the government to establish AI ethics principles, including safety and reliability, accessibility, and assurance of AI that contributes to human life and prosperity.

Americas

The Law establishing the National System for the Development, Regulation, and Governance of Artificial Intelligence (SIA) was introduced to Brazil’s Chamber of Deputies. SIA would include the Council for Artificial Intelligence (CBIA), the Data Protection Authority (ANPD), expert and civil-society committees, and other public bodies to oversee AI development, regulation, and governance. The CBIA would set AI guidelines and advise on policy, while the ANPD would act as the supervising authority, regulating high-risk AI, issuing binding rules, and coordinating with sectoral agencies to safeguard fundamental rights, social inclusion, and digital security. The statement of reasons notes that Congress is also reviewing Bill 2338/2023, and the Executive must be prepared to implement the adopted regulatory model.

Competition

Europe

The European Commission opened consultations on the implementing regulation for onboarding users to European Digital Identity Wallets via electronic identification, as well as on the rules updating the list of trading venues with a significant cross-border dimension in market abuse supervision, refining indicators of market manipulation.

In enforcement, the European Commission announced that Meta will give EU users a choice on personalised ads, concluding its investigation into Meta’s “pay or consent” model under the Digital Markets Act. At the member-state level, Spain’s Competition Authority accepted Google’s commitments to ensure transparency in publisher remuneration, closing its investigation into alleged anticompetitive practices.

At the judicial level, the Court of Justice of the European Union ruled on Amazon's challenge to a French law setting minimum delivery charges for books, finding it must be assessed under EU rules on the free movement of goods rather than as a mere “selling arrangement.” The measure affects overall book prices and particularly impacts distance selling and traders from other Member States, making it a restriction with equivalent effect. In a separate case, the Court clarified that Member State courts have both international and territorial jurisdiction over anticompetitive digital pricing practices affecting consumers across multiple EU countries, in lawsuits involving Apple.

Germany's Federal Cartel Office announced a market test of commitments proposed by Apple in its investigation into the App Tracking Transparency Framework, examining alleged anticompetitive practices in online advertising and app store markets. Additionally, the Berlin Regional Court ruled that Booking must compensate 1,099 accommodation providers for the use of narrow best-price clauses in contracts.

The Italian Competition Authority fined Apple EUR 98.6 million for its App Tracking Transparency policy, determining that the company’s requirement for a double consent request was abusive and harmed third-party app developers. The Authority found the measure disproportionate, excessively burdensome, and exploitative given Apple’s market dominance.

The Ministry of Trade of Turkey announced a 25.49% increase in administrative fines for e-commerce companies under Law No. 6563, covering violations such as inadequate customer information, unclear contract terms, and unsolicited commercial messages.

The United Kingdom Competition and Markets Authority updated the guidance on unfair commercial practices under the Digital Markets, Competition and Consumer Act, establishing fair marketing and advertising practice requirements.

Asia and Australia

The Australian Federal Court ordered Google to pay a penalty of AUD 55 million following the ACCC’s investigation into alleged abuse of market power over pre-installed search engines on Android devices. Separately, the ACCC accepted a court-enforceable undertaking from Equifax after investigating alleged exclusive dealing in income verification data. The ACCC also filed lawsuits against HelloFresh and Youfoodz, alleging misleading representations in their subscription services.

The State Administration for Market Regulation of China adopted the rules on internet platform pricing behavior set to enter into force in April 2026. The regulations prohibit operators from imposing unreasonable conditions on businesses, including forced discounts, price matching, or use of automated price-tracking systems, and ban price discrimination against consumers or businesses using data, algorithms, or platform rules. Platforms and businesses must clearly display all prices, including ancillary fees, promotions, and dynamic pricing, and are prohibited from deceptive practices such as false shortages, misleading discounts, or hidden charges.

In India, the bill amending the Consumer Protection Act was introduced to the House of the People. It expands the definition of “unfair trade practices” to include undisclosed terms, fees, or dynamic pricing, and addresses algorithmic influence on consumer behavior and barriers to cancelling subscriptions or returning goods. Separately, the National Company Law Appellate Tribunal clarified that the remedial directions issued by the Competition Commission regarding data sharing apply only to the sharing of WhatsApp user data with other Meta companies for advertising purposes.

Japan implemented the Smartphone Software Competition Promotion Act, which prohibits Apple and Google, designated as operators providing “essential software”, from engaging in prohibited conduct and requires them to comply with obligations aimed at promoting competition. The Act prohibits operators from using their market position to unfairly disadvantage competitors or limit consumer choice, including favouring their own products, discriminating against individual app developers, or restricting payment methods, web pages, or browser engines without justified reasons such as cybersecurity. Moreover, the law requires operators to facilitate data transfer, allow changes to default settings, and obtain user consent for incorporating additional software.

The bill on the fairness of online platform intermediary transactions was introduced in South Korea’s National Assembly. It establishes rules preventing online platform providers from engaging in practices such as unjustified suspension of services, discriminatory treatment of users, coercion into transactions, forced economic benefits, or the imposition of disadvantageous terms, while also protecting businesses from retaliation for participating in associations, dispute mediation, or cooperating with Fair Trade Commission investigations.

Americas

Brazil’s Administrative Council for Economic Defense (CADE) signed a cease-and-desist agreement with Apple, requiring the company to allow third-party app distribution and alternative in-app payment options, addressing alleged anticompetitive practices. The three-year agreement also sets neutral user notices, fee structures, and compliance deadlines, with penalties of up to BRL 150 million for noncompliance.

Data governance

Europe

The European Commission adopted an implementing decision on the further extension of the 2021 adequacy decision for the free flow of personal data between the European Economic Area and the United Kingdom. It also opened a consultation on a draft implementing regulation for the establishment and operation of the European Health Data Space Board. Meanwhile, the European Data Protection Board opened a consultation on recommendations regarding the legal basis for requiring user accounts on e-commerce websites. These recommendations address the common practice of mandating account creation to access offers or complete purchases. In addition, the Court of Justice of the European Union issued its judgment in X v Russmedia Digital, clarifying that online marketplaces are responsible for the use of personal data in advertisements.

The French Data Protection Authority fined Nexpublica EUR 1.7 million for failing to implement adequate safeguards and security measures to protect personal data in its software package.

Germany's Implementation and Cybersecurity Strengthening Act, transposing the EU’s Directive on measures for a high common level of cybersecurity (NIS2) in national legislation,entered into force. The Act also includes provisions expanding the Federal Office for Information Security's powers. Further, the Hessian Commissioner for Data Protection and Freedom of Information (HBDI)adopted the guideline on data protection in medical research, establishing data protection standards for medical service providers.

The United Kingdom Information Commissioner’s Office (ICO) published a Children’s Code Strategy Progress Update, outlining developments in the protection of children’s data on user-generated content platforms. The ICO also issued an update on its ongoing review of cookie banner implementations and consent mechanisms across the top 1,000 websites. In addition, the ICO opened an investigation into children’s online privacy in ten popular mobile games, examining data protection practices by app stores and software providers.

Asia and Australia

China's National Information Security Standardisation Technical Committee (TC260) adopted several standards that will be implemented in July 2026. These include the technical requirements for cryptography,asset information format,alarm information format,data interface security risk monitoring methods,network security test platform architecture, wireless network access security, and security requirements for data transaction services. The TC260 also opened consultation on standards on cryptographic device application interface specification, sensing terminals for technological consumer goods, blockchain consensus mechanisms, cloud platform security monitoring methods, and cryptographic modules. Additionally, TC260 released the cybersecurity standards practice guide on cross-border processing protection requirements for personal information in the Guangdong-Hong Kong-Macao Greater Bay Area.

The Cyberspace Administration of China (CAC) opened a consultation on the draft measures for network data security risk assessments. The CAC also published guidelines for the filing of professional certification bodies for cross-border transfer of personal information and released the list of three professional institutions that have completed filing procedures for providing cross-border transfer certification services.

In India, two bills were introduced to amend the Digital Personal Data Protection Act. The first bill defines a “child” as individuals aged 13–16, expands lawful grounds for data processing, and allows future rules on children’s self-consent based on cognitive development. The proposal also enables risk-based restrictions on tracking and targeted advertising to children and introduces conditional exemptions for parental consent and self-assessment processing with government approval. The second bill aims to strengthen children’s data protection by imposing data minimization obligations and requiring data protection impact assessments for fiduciaries processing large volumes of children’s data. Finally, a bill was introduced to amend the Information Technology Act to establish rules for managing users’ digital assets after death, including through recognized digital wills and executors.

South Korea’s government approved revisions to the Enforcement Decree and Enforcement Rules to expand the Personal Information Protection Commission’s (PIPC) capacity to prevent and investigate personal data incidents. In parallel, the PIPC and the Ministry of Science and ICT announced measures to strengthen the effectiveness of the information security management systems certification framework.

In enforcement, the PIPC convened an emergency plenary meeting requiring Coupang to issue corrective notifications, make public disclosures, and strengthen mitigation measures following a customer and account data leak. The PIPC also closed several investigations after completing compliance reviews, including assessments of social login service providers’ data deletion practices upon account termination, Meta’s processing of sensitive personal data, and cloud service providers’ compliance with data processing facility security requirements, covering Amazon Web Services, Microsoft Azure, and Naver Cloud Platform. In addition, the PIPC fined 2K Games KRW 217.1 million for a personal data breach affecting approximately 486,000 users and announced an investigation into Shinhan Card over the alleged unlawful sharing of merchant personal data.

The Saudi Data and AI Authority (SDAIA) released general rules for the secondary use of data. The rules establish a framework to enable responsible data sharing between government and private entities, promoting public interest, research, development, and innovation. They complement SDAIA’s Data Sharing Policy by setting controls and procedures for data use beyond its original collection purpose.

Americas

The Public Information Access Agency of Argentina opened an investigation on its own initiative after becoming aware, based on information that circulated publicly, of an alleged data breach that would include personal data of Argentine citizens. The Agency has not specified the name of the entity.