Global Digital Policy Roundup: January 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of January 2025 in four core areas of digital policy.

• Content moderation, including France's bill securing and regulating the digital space, the United Kingdom's age verification requirements under the Online Safety Act, enforcement cases from the European Union against platforms ahead of German elections, and Brazil’s assessment of Meta’s revised content moderation policies.
• AI regulation, including ASEAN's expanded Guide on AI Governance and Ethics, South Korea's signing of the AI Basic Act, China's proposed AI safety standards, and the UK's AI cyber security code of practice.
• Competition policy, including Indonesia's fine against Google for market dominance, India's Court decision in the Meta case, the United Kingdom's investigations into Google and Apple's mobile ecosystems, and South Korea's actions against gaming companies and Kakao.
• Data governance, including China's data security measures and guidelines for facial recognition payments, Italy's Data Protection Authority order blocking DeepSeek from processing personal data, South Korea's fines against tech companies for unauthorized data transfers, and Brazil's restrictions on Worldcoin’s biometric data collection.

Content moderation

Europe

The European Commission and European Union Member States continued implementing and enforcing the Digital Services Act (DSA). The Commission and Germany’s digital services coordinator engaged with large online platforms and search engines to assess their risk-minimizing measures implemented ahead of German elections.

Additionally, the Commission expanded its investigation into X by requesting additional information about its recommender system. It also sought access to the platform’s technical interfaces to enable direct fact-finding on content moderation and account virality. In a parallel development, the Commission announced the integration of the revised code of conduct on countering illegal hate speech online into the framework of the DSA. At the Member State level, Poland's Ministry of Digital Affairs adopted guidelines outlining implementation procedures for content moderation under the DSA.

France’s law to secure and regulate the digital space came into force. The law mandates the removal of illegal content, such as child pornography, terrorism promotion, and Holocaust denial, within 24 hours and empowers the Regulatory Authority for Audiovisual and Digital Communication (ARCOM) to block or delist non-compliant sites. Additionally, ARCOM’s technical standards for age verification systems on platforms hosting pornographic content have also taken effect.

Italy's Communications Regulatory Authority advanced its regulatory framework by concluding consultations on guidelines for influencer compliance with the Law on Audiovisual Media Services. The guidelines establish standards for content creators and require platforms to implement reporting mechanisms and protect minors by labeling harmful content and using age-appropriate filters or warnings.

Russia implemented a law requiring website and program owners to authenticate users through national systems, excluding foreign email services. Approved methods include national mobile numbers, state ID systems, or biometric data authentication. Additionally, Russia fined Google RUB 8 billion (approx.USD 77.9 million) for failing to comply with previous administrative penalty orders imposed for alleged hosting of prohibited content and non-compliance with previous administrative penalties.

The United Kingdom’s Office of Communications (Ofcom) issued an age assurance code of practice under the Online Safety Act. Platforms publishing their own pornographic content were required to implement effective age assurance measures immediately, while user-to-user services must comply by July 2025. Additionally, Ofcom launched investigations into platforms hosting adult content to assess compliance with these measures and fined MintStars GBP 7,000 for non-compliance with rules on protecting minors from restricted material. The Competition and Markets Authority also announced that it secured commitments from Google to address fake reviews.

Asia and Australia

China’s Cyberspace Administration (CAC) launched a consultation on draft regulations for multi-channel network agencies. The draft mandates registration and compliance with cybersecurity and content standards and prohibits practices such as fabricating data or spreading false information. Additionally, the CAC investigated online manipulation networks, shutting down illegitimate platforms, removing unlawful content, and directing platforms to strengthen technical defenses and block malicious software. The CAC also launched a campaign to address extreme confrontation, misinformation, and vulgar content.

Indonesia's Ministry of Communication and Information continued its enforcement against illegal online content, announcing the removal of over 43,000 gambling-related content and accounts.

South Korea's Communications Commission adopted guidelines addressing dark patterns in subscription services. The guidelines establish standards to protect consumers from manipulative design practices in digital services, particularly focusing on streaming and subscription-based platforms.

Americas

Brazil’s Attorney General (AG) released an interim assessment of Meta’s revised content moderation policies, expressing concerns about their potential violations of national legislation and constitutional rights. The AG confirmed that it will continue reviewing these changes. Additionally, the AG instructed Facebook to remove a manipulated AI video about the Minister of Finance within 24 hours.

Canada concluded its consultation on modernizing the Broadcasting Act, focusing on updating regulations for user-generated content and streaming services. The consultation aimed to adapt the country's broadcasting framework to the evolving digital media landscape and establish appropriate oversight mechanisms for online content.

Artificial Intelligence

Europe

The European Commission published the Competitiveness Compass, which outlines several measures to support AI development. Among these is the AI Continent strategy, aimed at establishing AI factories alongside the EU Cloud and AI Development Act. The legislation would facilitate the creation of AI gigafactories for training large AI models and set minimum standards for cloud services. The Compass was issued shortly before the European Union’s AI Act provisions on prohibited AI practices became applicable. The Act prohibits AI systems that pose unacceptable risks, such as those deploying manipulative or deceptive techniques.

Russia implemented a bill regulating responsibility for damages arising from AI testing, establishing a framework for controlled testing and deployment of AI technologies. The bill outlines mechanisms for identifying those accountable for AI-related incidents and creates a commission to address damages caused by AI.

The United Kingdom Department for Science, Innovation and Technology (DSIT) released the AI cyber security code of practice, incorporating requirements for testing, designing, and monitoring AI systems. It also released the AI opportunities action plan, featuring 50 measures to promote AI development and the adoption of adequate safeguards. Additionally, the DSIT concluded its consultation on the AI management essentials tool, designed to offer practical guidance for responsible AI deployment, especially for small and medium-sized enterprises.

Asia and Australia

Australian Cyber Security Centre (ACSC), along with cybersecurity agencies from Australia, Canada, and the UK, adopted guidelines on content credentials to enhance multimedia integrity in generative AI. These guidelines recommend using cryptographically signed metadata, digital watermarks, and media fingerprinting to verify the authenticity of digital content. They aim to prevent misuse, such as impersonation and cyber threats, and protect content from unauthorized use in AI training.

China’s National Cybersecurity Standardization Technical Committee (TC260) opened consultations on the draft AI safety standard system and proposed coding rules for service providers of AI-generated synthetic content. Additionally, China implemented regulations requiring platforms to provide users with transparency regarding recommendation algorithms.

South Korea signed the AI Basic Bill, which will enter force in one year. The bill establishes user rights protections and governance frameworks for AI development and deployment. Specifically, the bill includes design requirements for AI systems and creates an AI authority to oversee implementation and issue further rules.

India's Ministry of Electronics and Information Technology concluded its consultation on AI governance guidelines development, which aims to establish a framework that promotes innovation while ensuring responsible AI deployment. Additionally, India signed a strategic technology partnership with the United States to increase cooperation on AI and quantum computing. Specific commitments include promoting reciprocal investments in AI technology and strengthening cooperation around national security applications of AI.

The Association of Southeast Asian Nations’s (ASEAN) Digital Ministers adopted the Expanded Guide on Artificial Intelligence (AI) Governance and Ethics, establishing policy recommendations for AI governing authorities across Southeast Asian nations.

Americas

Canada's Competition Bureau concluded its inquiry into AI and competition. The Competition Bureau noted that AI advancements are reshaping market dynamics, with significant investments from large firms potentially hindering competition. It highlighted concerns that AI could facilitate anti-competitive behavior, raising questions about the effectiveness of existing antitrust laws.

Competition

International

The Organisation for Economic Co-operation and Development concluded its consultation as part of an inquiry into competition in online marketplaces. The inquiry analyses the functioning of online marketplaces from the seller's perspective to identify potential issues and propose actionable recommendations.

Europe

The European Commission opened a consultation to revise the technology transfer block exemption regulation and its guidelines, aiming to clarify which technology transfer agreements are exempt from competition law. It has also initiated a case at the World Trade Organization against China over royalties on standard essential patents in the European high-tech sector, arguing that China's approach undermines competition by pressuring telecom companies to lower rates. Additionally, the Commission closed the consultation on Apple’s proposed measures to ensure interoperability between its iOS and connected devices, as required by the Digital Markets Act (DMA). Under the DMA, large digital platforms designated as gatekeepers must provide interoperability and access to their software and hardware features. Meanwhile, the European Data Protection Board adopted a position paper calling for improved cooperation between data protection and competition authorities to protect users and promote fair competition, recommending the integration of market and competition factors into data protection practices.

France implemented the law to secure and regulate the digital space, establishing unilateral conduct regulations for digital platforms and cloud services. The law implements the European Digital Service Act (DSA) and Digital Markets Act (DMA) in the national legislation. It prohibits data transfer fees and mandates service interoperability to prevent access barriers.

The United Kingdom's Competition and Markets Authority (CMA) launched investigations into both Google’s and Apple’s mobile ecosystems under the Digital Markets, Competition and Consumers Act 2024. The CMA is assessing whether to designate Google and Apple as having strategic market status (SMS) for their mobile operating systems, app stores, and mobile browsers. If designated as such, the platforms would be subject to conduct requirements to guide their behavior and pro-competition interventions to address specific competition issues arising from their market power. Additionally, the companies would face stricter merger reporting requirements. The CMA also opened a consultation on its provisional findings in the cloud services market investigation.

Asia and Australia

Indonesia’s Competition Commission fined Google IDR 202 billion (USD 12.37 million) over abuse of dominant market position. The investigation found that Google’s mandatory Google Play billing system monopolized the Android app distribution market in Indonesia, raising app prices and limiting competition. Developers faced penalties for non-compliance, leading to reduced choices and financial losses. Google has 30 days to pay the fine, with a 2% monthly penalty for delays.

Japan’s Ministry of Trade and Industry (METI) closed its consultation on draft reports evaluating the transparency and fairness of e-commerce platforms, app stores, and the digital advertising sector under the Transparency Act. The evaluation examines platform practices such as ranking criteria, merchant fees, and dispute resolution. The Act requires providers to disclose terms and conditions to sellers and consumers, notify them of any changes, and implement fair procedures based on METI guidelines.

South Korea's Fair Trade Commission (FTC) initiated a consent resolution procedure in its investigation of Kakao regarding alleged violations of the Large-Scale Retail Business Act. Kakao proposed self-corrective measures, including expanding delivery options to allow suppliers to choose between free and paid delivery and providing marketing support, among others. Additionally, the FTC imposed sanctions against three game developers, Krafton, Nexon Korea, and NCSOFT, for violations of subcontracting regulations.

India's National Company Law Appellate Tribunal stayed the five-year ban on Meta sharing user data for advertising imposed by the Competition Commission of India (CCI), citing concerns over its impact on WhatsApp's business model. However, the Tribunal upheld certain CCI provisions, including requirements for WhatsApp to disclose full data-sharing information and allow users to opt out of non-advertising data sharing. Meanwhile, the Central Consumer Protection Authority (CCPA) launched an investigation into Ola and Uber over allegations of discriminatory pricing based on whether users accessed their platforms through iPhones or Android devices.

Turkey implemented an amendment to the Electronic Commerce Law requiring intermediary service providers with a net transaction volume of TRY 10 billion (approx. USD 277.9 million) and over 100,000 transactions per year to obtain or renew an e-commerce license.

Americas

Canada’s Competition Bureau concluded its consultation on merger enforcement guidelines, proposing updates that clarify a new "structural presumption" for high market concentration and market evaluation techniques such as the hypothetical monopolist test. These updates follow amendments to the Competition Act.

Data governance

Europe

The European Union advanced several cybersecurity and data protection initiatives. The Digital Operational Resilience Regulation (DORA) was implemented, setting cybersecurity and risk management standards for the financial sector, including requirements for resilience testing and third-party risk management. The Council also adopted the European Health Data Space regulation, introducing an opt-out mechanism for individuals to control their health data. It also enables Member States to designate trusted data holders to ensure secure, efficient access to health data. Additionally, the General Court upheld the European Data Protection Board's (EDPB) authority under the General Data Protection Regulation (GDPR) to issue binding decisions, affirming the EDPB’s directive for the Irish Data Protection Commission (DPC) to expand its investigation into Meta’s data processing practices. The Court dismissed the DPC’s challenge, reinforcing the EDPB's legal remit.

The French Data Protection Agency published recommendations for designing mobile applications that respect user privacy, with a focus on the role of permissions. Permissions in mobile applications allow users to control which features and data are accessible to each app, such as sensors or memory on their devices.

Italian Data Protection Authority (DPA) ordered an immediate limitation on the processing of data of Italian users by DeepSeek. The order follows the communication from the company regarding the information on the personal data collected, its sources, purposes, legal basis, processing and storage locations, as well as how its AI system is trained. In particular, DeepSeek denied operating in Italy and claimed that European regulations do not apply to the company. The DPA deemed the response insufficient and subsequently launched a formal investigation.

The United Kingdom Home Office opened a consultation on proposed measures to protect businesses from cybercrime, including banning ransomware payments by owners of critical national infrastructure and requiring ransomware victims to engage with authorities. The Information Commissioner’s Office (ICO) issued guidance on the "consent or pay" model for online advertising, ensuring compliance with the UK's data protection legislation and emphasizing that user consent must be freely given and informed. In addition, the ICO launched an investigation into harmful tracking practices, particularly targeting organizations that fail to give users meaningful control over how their data is used. Meanwhile, the Office of Communications concluded a consultation on improving independent researchers’ access to information from online services to support research into online safety issues under the Online Safety Act.

Asia and Australia

China implemented several data governance measures. The National Cybersecurity Standardization Technical Committee issued guidelines for facial recognition payments and personal rights protection in digital advertising, while the State Administration for Market Regulation developed frameworks for data reporting compliance in online transactions. The country also implemented the network data security management regulation, establishing requirements for data transfers, data protection, and cybersecurity. Additionally, the Ministry of Industry and Information Technology adopted measures to enhance customer data security protection for Internet data centers.

The strategic partnership agreement between Japan and the European Union came into force, strengthening bilateral cooperation on combating cybercrime. The agreement emphasizes enhanced collaboration on data-sharing and cyber policies to address terrorism, international crimes, and cyber threats. Additionally, Japan and the United Kingdom issued a joint statement following the third ministerial Digital Council meeting, noting progress in data governance and cross-border data flows. The statement emphasized efforts to improve interoperability, security, and regulatory alignment.

South Korea Personal Information Protection Commission (PIPC) fined Kakao Pay KRW 5.968 billion (approx. USD 4. 2 million) for transferring data of 40 million users to Alipay without consent, while Apple was fined KRW 2.45 billion (approx. USD 1.7 million) for failing to disclose Alipay as its overseas data trustee. Both companies were ordered to ensure compliance and disclose the violations on their websites. In a separate case, the Seoul Administrative Court upheld fines and corrective orders imposed by PIPC on Google and Meta for collecting users' behavioral data without proper consent. Both companies argued their privacy policies covered consent, but the court supported the PIPC's stance, citing similar sanctions in the EU and the US.

Russia’s Public Communication Network Monitoring and Management Center reported detecting and resolving 113 traffic routing violations from 59 organizations, repelling 122 DDoS attacks, blocking two phishing sites, and shutting down a website distributing malware.

Saudi Authority for Data and Artificial Intelligence (SDAIA) advanced its data protection framework by concluding consultations on personal data protection certification and licensing rules. The SDAIA's initiatives focused on establishing comprehensive frameworks for data protection and security compliance.

The Information Technologies and Communication Authority of Turkey opened a public consultation on a draft regulation aimed at enhancing national cybersecurity. The draft outlines measures for safeguarding critical infrastructure, managing cyber threats, and improving resilience, including mandatory incident reporting and security measures such as encryption.

India’s Ministry of Electronics and Information Technology launched a public consultation on the draft Digital Personal Data Protection Rules aimed at implementing the Digital Personal Data Protection Act of 2023. The rules focus on data protection frameworks, including consent principles, data fiduciaries' responsibilities, and security measures. They also ensure data principals' rights to access, correct, and erase their data, with exceptions for research, and require regular assessments and audits for significant data fiduciaries.

Americas

Brazil's National Data Protection Authority (ANPD) ordered Tools for Humanity (Worldcoin) to suspend offering cryptocurrency or financial incentives in exchange for biometric data, citing concerns over privacy and consent. The decision follows an investigation into the company's World ID project, which involves collecting sensitive biometric information such as iris and facial scans. The ANPD noted that such practices may violate the General Data Protection Law.

Canada’s Special Parliamentary Commission concluded the consultation on its inquiry into protecting young people's personal information online. The inquiry aims to develop recommendations for safeguarding youth privacy and promoting healthy digital engagement practices.

Mexico’s government announced institutional reforms to its data protection enforcement framework, proposing to transfer powers from the Federal Institute for Access to Public Information and Data Protection to the Anti-Corruption and Good Governance Institute. These reforms aim to restructure the oversight of data protection and transparency measures within the country's regulatory system.