Global Digital Policy Roundup: February 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of February 2025 in four core areas of digital policy.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of February 2025 in four core areas of digital policy.

• Content moderation, including the thresholds under the United Kingdom’s Online Safety Act, Russia's order restricting access to BestChange, and Brazil’s suspension of Rumble.
• AI regulation, including the Paris Charter on AI in the public interest, the EU AI Act's prohibitions on certain systems posing unacceptable risk, and restrictions on DeepSeek.
• Competition policy, including South Korea's amended e-commerce rules, investigations into Google in China and the EU, and Germany's assessment of Apple's App Tracking Transparency.
• Data governance, including South Korea’s Bill amending the Personal Information Protection Act, China’s Personal Information Protection Compliance Audit Guidelines, and Russia's enforcement of data localization requirements.

Content moderation

Europe

The European Commission and the European Board for Digital Services published an Elections Toolkit for Digital Services Coordinators to enforce the Digital Services Act election guidelines. The Code of Practice on Disinformation, including measures to enhance transparency and risk mitigation, was integrated into the Digital Services Act framework, with obligations set to enter into force in July 2025. The European Commission issued a request for information to Shein under the Digital Services Act, investigating the platform's compliance with requirements on risk mitigation for illegal goods and services and its recommender system. Finally, Ireland's Competition and Consumer Protection Commission opened a consultation on a levy for consumer online platforms to fund its regulatory activities under the Digital Services Act.

Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media issued an order restricting access to BestChange, a cryptocurrency exchange aggregator platform.

The United Kingdom's House of Lords approved the category thresholds of the Online Safety Act that determine which providers face more stringent requirements. The Home Office announced new legislation to criminalize AI tools that generate child sexual abuse material. The Office of Communications launched a consultation on guidance for women and girls' online safety, proposing measures against online harassment and AI-generated image abuse.

Asia and Australia

The Australian eSafety Commissioner issued an advisory on the risks associated with AI chatbots and companions to children and young people, highlighting concerns about inappropriate content and privacy. The Commissioner also fined Telegram AUD 1 million over failure to comply with transparency reporting requirements under the Online Safety Act, following an investigation into measures implemented to address terror and violent extremism content. Finally, the Australian Government adopted counter-terrorism financing sanctions against Terrorgram, prohibiting financial interactions with the platform to combat terrorism financing through digital channels.

The Cyberspace Administration of China’s Administrative Measures for the Dissemination of Military Information on the Internet entered into force, introducing provisions on both content moderation anduser access controls. The Cyberspace Administration also closed its consultation on draft regulations for managing multi-channel network organizations that produce online content, seeking to enhance oversight of content creators and distributors.

Indonesia's Ministry of Communication and Digital Affairs announced the development of child protection regulations in the digital realm, focusing on age restrictions, measures against harmful content, and enhancing digital literacy

Americas

Brazil's Federal Supreme Court ordered the suspension of Rumble's operations for non-compliance with judicial orders on content removal, payment of fines and appointment of legal representatives.

Canada's Radio-television and Telecommunications Commission opened a consultation on revising the definition of Canadian content for audio services under the Online Streaming Act, aiming to support the creation and promotion of Canadian and indigenous content.

Africa

South Africa's Competition Commission closed an inquiry into the media and digital platforms market, including recommendations for content remuneration. The inquiry examined online advertising providers, social media content platforms, and search services, focusing on how generative AI developers have benefited from South African news content.

Artificial Intelligence

International developments

At the Paris AI Action Summit, the Paris Charter on AI in the Public Interest was adopted by ten countries, establishing principles for responsible AI development. Furthermore, the African Union, the European Union, the G20, the G7, and the United Nations adopted a Statement on Inclusive and Sustainable AI for People and the Planet. Finally, Canada and Japan signed the Council of Europe Framework Convention on AI Artificial Intelligence, Human Rights, Democracy, and the Rule of Law.

The OECD launched a framework to monitor the application of the G7 Hiroshima AI Code of Conduct, facilitating a risk management reporting mechanism for organizations developing advanced AI systems. Data protection authorities from Australia, France, Ireland, South Korea, and the United Kingdom signed a declaration on AI data protection regulation.

Europe

The EU AI Act's prohibitions of certain AI systems posing unacceptable risk entered into force. The European Commission published guidelines defining AI systems and outlining prohibited AI practices. The Commission further announced its 2025 work program, including the withdrawal of the previously proposed AI liability directive. The Court of Justice of the European Union ruled that individuals subject to automated creditworthiness assessments have the right to obtain a meaningful explanation.

At the national level, Ireland's government announced the Regulation of AI Bill in its Spring 2025 Legislation Programme. The Dutch Data Protection Authority opened a consultation on prohibiting AI systems for criminal risk assessment. Poland's Ministry of Digital Affairs published a revised draft Act on AI Systems. France's National Commission on Informatics and Liberty published recommendations on responsible AI innovation.

In terms of enforcement, DeepSeek was the focus of national data protection authorities:

• Luxembourg's National Commission for Data Protection adopted guidelines on using DeepSeek, highlighting data protection concerns.
• Poland's Data Protection Commissioner issued guidance cautioning against DeepSeek due to data protection concerns.
• The Dutch Data Protection Authority announced an investigation into DeepSeek's cross-border data transfer compliance with the General Data Protection Regulation.
• The State Commissioner for Data Protection in Lower Saxony issued guidelines on DeepSeek use, highlighting potential non-compliance with data protection rules.
• The European Data Protection Board expanded its ChatGPT task force to include DeepSeek.

The UK's Treasury Committee launched an inquiry into AI in financial services. The Intellectual Property Office, Department for Science, Innovation and Technology, and Department for Culture, Media and Sport closed their consultation on copyright and AI.

Asia and Australia

Australia's Department of Home Affairs ordered the blocking of DeepSeek on government systems and mobile devices. South Australia's Government implemented similar restrictions at the subnational level.

China's National Information Security Standardization Technical Committee (TC260) closed its consultation on the "AI Safety Standard System" and closed its consultation on coding rules for AI-generated content identification. At the subnational level, the Hangzhou Internet Court ruled that an AI platform was liable for copyright infringement.

Japan's Cabinet announced the Bill on the Promotion of Research and Development and Application of AI-Related Technologies. The Ministry of Economy, Trade, and Industry published a Contract Checklist for the Use and Development of AI and a report on autonomous delivery robots. Finally, Japan and Singapore released a joint testing report for large language model safety under their bilateral AI governance partnership.

India's Ministry of Electronics and Information Technology closed its consultation on AI governance guidelines development, outlining a lifecycle-based, techno-legal strategy for AI compliance, risk mitigation, and stakeholder accountability.

South Korea's Personal Information Protection Commission temporarily banned DeepSeek over violations of the Personal Information Protection Act pertaining to third-party communication functions and privacy policies.

Competition

Europe

The Court of Justice of the European Union issued a ruling finding that Google’s refusal to ensure interoperability between its Android Auto platform and the JuicePass app developed by Enel could constitute an abuse of a dominant position under EU competition law. The European Commission issued a Communication on E-Commerce aiming to mitigate consumer risks in the online environment.

Germany's Federal Cartel Office published its preliminary assessment of Apple's App Tracking Transparency Framework, raising concerns that it imposes stricter data access restrictions on third-party applications while exempting Apple's own services. Apple now has the opportunity to address these allegations.

The UK Competition and Markets Authority (CMA) closed its consultation on provisional findings in its cloud services market investigation. The CMA also published reports summarising responses from Apple and Google to its provisional decision report on mobile browsing and cloud gaming, part of its wider investigations into potential market dominance. The Authority also closed additional consultations on investigations into Google's mobile ecosystem, Apple's mobile ecosystem, and Google's search and search advertising services.

Turkey's Competition Authority adopted guidelines on administrative fines for agreements, concerted practices, and decisions restricting competition and abuse of dominant position. The guidelines outline a framework for calculating administrative fines for competition law violations, considering factors including severity, duration, intent, and cooperation.

Asia and Australia

Australia's Treasury closed its consultation for a new digital competition regime, developing a framework to address competition concerns in digital markets. The Australian Competition and Consumer Commission concluded its investigation into terms and conditions of electronic commerce websites, issuing corrective measures for violations of consumer law. The eSafety Commissioner published a report highlighting widespread underage social media use, focusing on inadequate age verification measures by platforms.

China's State Administration for Market Regulation opened an investigation into Google over alleged monopolistic practices in the search and advertising markets. The investigation examines potential violations of China's Anti-Monopoly Law.

Japan's Ministry of Economy, Trade and Industry published revised interpretative guidelines on electronic commerce and information property trading. The guidelines clarify legal requirements for e-commerce platforms and digital services operating in Japan.

South Korea's amended Act on Consumer Protection in Electronic Commerce and its enforcement decree and rules entered into force, strengthening requirements to tackle deceptive practices by online platforms. The Fair Trade Commission initiated a consent procedure for Broadcom regarding alleged violations of the Monopoly Regulation and Fair Trade Act in the semiconductor market. The Commission also issued corrective measures to Naver for deceptive advertising regarding its membership benefits. The Korea Communications Commission issued administrative guidance to Apple for the introduction of next-generation text and data transmission services, promoting interoperability in messaging services.

Americas

Canada's Radio-television and Telecommunications Commission closed its consultation on an inquiry into market dynamics under the modernized Broadcasting Act. The inquiry examines competition issues in the broadcasting and digital media sectors.

Africa

South Africa's Competition Commission closed its consultation on draft guidelines regarding the handling of confidential information under the Competition Act. The guidelines aim to clarify procedures for managing commercially sensitive information in competition proceedings.

Data governance

Europe

The European Data Protection Board adopted a comprehensive statement on age assurance, addressing how to implement age verification systems while respecting data protection principles. The Board also closed its consultation on Pseudonymisation Guidelines, which provide technical guidance on implementing pseudonymisation under the GDPR. The European Data Protection Board published updated criteria for selecting cases of "strategic importance" for closer cooperation between Data Protection Authorities, and streamlining enforcement of the GDPR in cross-border cases. The European Commission submitted a proposal for a Council Recommendation on an EU Blueprint for cybersecurity crisis management, enhancing coordination of responses to major cyber incidents. The Commission also announced a work program withdrawing the proposal for an ePrivacy Regulation containing data governance measures.

The European Union and Brazil adopted a joint statement following their 13th Digital Dialogue, addressing cooperation on cross-border data flows and digital governance issues. The EU and India adopted a joint statement following their Trade and Technology Council's second meeting, including cybersecurity measures and digital governance frameworks.

National data protection authorities also issued rulings. France's Data Protection Authority issued a compliance reminder to Qwant in an investigation regarding the alleged misrepresentation of pseudonymized data in its privacy policy. Ireland's Data Protection Commission submitted a draft decision under Article 60 of the GDPR to other concerned supervisory authorities regarding its investigation into TikTok for alleged violations of data transfer provisions. Italy's Data Protection Authority issued a warning to users of the "Graphite" spyware from Paragon Solutions and similar systems for alleged privacy violations. X announced it would challenge the Berlin Regional Court's ruling requesting the platform to grant Democracy Reporting International access to data for researchers.

Russia's Tagansky District Court fined Telegram RUB 80 million for breaching data localization rules. The court also issued rulings against Match Group, Discord, and Spotify for non-compliance with data localization requirements, imposing fines between RUB 10-15 million.

The United Kingdom's Data (Use and Access) Bill was passed by the House of Lords, covering for data protection, data transfers, and oversight. The Information Commissioner's Office released guidance for employers on employment records management, focusing on the appropriate handling of workers' health data.

Asia and Australia

Australia's Department of Home Affairs implemented a directive banning Kaspersky software on government devices by April 2025.

The Cyberspace Administration of China introduced the Personal Information Protection Compliance Audit Guidelines and closed its consultation on the certification of data transfers. The Administration also took enforcement action against 82 applications for data protection violations. The National Information Security Standardization Technical Committee concluded its consultation on Cybersecurity Standard Practice Guidelines for Personal Rights Protection in Shake Advertising. The State Administration for Market Regulation closed its consultation on draft Interim Measures for the Management of Data Reporting in Online Transactions. The Shanghai Municipal Internet Information Office issued a negative list for data exports in the Shanghai Pilot Free Trade Zone and the Lingang New Area.

South Korea's National Assembly Political Affairs Committee passed a Bill amending the Personal Information Protection Act to strengthen the domestic representative system for overseas businesses. The Personal Information Protection Commission published guidelines on enhancing the security of auto-login services in web browsers, addressing security vulnerabilities in browser-saved credentials.

Saudi Arabia's Data and AI Authority published Risk Assessment Guidelines, providing a framework for evaluating risks, analysing impacts and ensuring regulatory compliance in cross-border personal data transfers.

Turkey's Data Protection Authority published guidelines on standard contracts concerning cross-border data transfers, mandating authorized signatures, translations to Turkish, and minimal modifications.

Americas

Brazil's National Data Protection Authority rejected an appeal by Tools for Humanity, upholding the suspension of financial compensation grants in the form of cryptocurrency for biometric data collection through the Worldcoin project.

Canada's Office of the Privacy Commissioner opened an investigation into X (formerly Twitter) over its alleged collection, use, and disclosure of Canadians' personal information to train AI models without appropriate consent.