Global Digital Policy Roundup: July 2024

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notifications service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of July 2024 in four core areas of digital policy.

• Content moderation, including new laws in Argentina, France, Germany, and Russia, as well as enforcement cases on minor protection, adult content, and deep fakes.
• AI regulation, including the entry into force of the EU AI Act, legislative proposals in Argentina and Brazil, as well as proposed security requirements in China.
• Competition policy, including proposed rules in Turkey, India, and South Korea, as well as investigations into Meta, Google, ByteDance (TikTok), and PayPal.
• Data governance, including the World Trade Organization’s Agreement on Electronic Commerce, Italy’s investigation into Crowdstrike following the global IT outage, and proposed Rules in China, Japan, Mexico, and Russia.

Content moderation

Europe

The European Commission advanced the implementation of the Digital Services Act (DSA). The Commission initiated proceedings against Belgium, Spain, Croatia, Luxembourg, the Netherlands, and Sweden for not properly designating the national Digital Services Coordinators. Additionally, the Commission designated adult content platform XNXX as a very large online platform that must comply with additional DSA obligations by mid-November 2024. These include implementing age-verification tools, providing data access to researchers, and publishing an advertisement repository. Regarding enforcement, the Commission issued preliminary findings on potential DSA breaches by X, namely misleading users with its "verified accounts" interface, inadequate advertisement transparency, and restricting researchers' access to public data. Furthermore, the European Commission requested information from Amazon regarding its transparency measures for recommender systems and user opt-out options.

France’s bill on securing and regulating the digital space, implementing the EU Digital Services Act and Digital Markets Act, entered into force. The Audiovisual and Digital Communication Regulatory Authority is to issue technical requirements for age verification systems regarding pornographic content. 3 months after publication, platforms must comply or face penalties of up to 4 percent of global revenue. Additionally, France implemented a law requiring parental control options on devices that allow access to internet content that may be harmful to minors.

Germany introduced abill that criminalizes the creation and distribution of deep fakes (media content that realistically depicts a person’s appearance, behavior, or speech) without consent. The protection would extend to deceased persons.

The Italian Communications Authority issued a methodological note detailing how to determine fair compensation for news publishers by social media platforms and search engines. The authority also issued its first decision on fair compensation, regarding the use of Gedi's publications on Bing. The authority rejected both parties' proposals and suggested a new calculation.

Russia passed abill banning advertising on websites considered undesirable, such as Facebook and Instagram. Specifically, the bill addresses the use of virtual private networks (VPNs) to bypass access restrictions. Additionally, Russia’s media regulator restricted access to Ficbook, a fanfiction website, for promoting LGBT themes, considered extremist under Russian law.

Asia and Australia

Australia's government announced an industry code to enhance user safety on online dating apps. The code requires platforms to implement systems for detecting online harm, enforce safety policies, and issue regular transparency reports. Additionally, the eSafety Commissioner issued legal notices to Apple, Google, Meta, Microsoft, Discord, Snap, Skype, and WhatsApp, requiring them to report their measures against online child sexual abuse. These reports must detail strategies for combating child sexual abuse material under the Online Safety Act. Finally, the eSafety Commissioner issued a deadline of six months for industry to develop enforceable codes to protect children from graphic pornography and other harmful content, including material related to suicide and self-harm.

The Cyberspace Administration of China launched a campaign to strengthen the protection of minors against violent content, including bullying. Additionally, the campaign will remove content that displays pornographic content or causes mental harm to children from short video and live broadcast platforms, social media platforms and e-commerce platforms. The Cyberspace Administration has also blocked accounts involved in spreading false information.

India’s Ministry of Electronics and Information Technology issued a guidance on preventing the dissemination of online misinformation, including deep fakes.

South Korea’s Ministry of the Interior and Safety signed a memorandum with other institutions on combating deep fake crimes through advanced video analysis. Additionally, the Ministry of Science and ICT announced measures against voice phishing in the telecommunications sector, including AI-based detection systems and the exploration of voice watermarking.

Saudi Arabia’s Communications and Technology Commission opened a public consultation on proposed requirements for internet service providers and digital content platforms to implement internet filtering. The commission would receive powers to investigate violations, suspend services. Additionally, providers would have to obtain approval to acquire significant shares or market control in the communication sector.

Americas

Argentina introduced two content moderation bills. The first bill criminalizes the unauthorized sharing of intimate images or recordings without consent. The Online Freedom and Fairness bill sets guidelines for content removal, requiring judicial orders or clear evidence of criminal activity, and mandates user notification and the right to challenge removals.

Brazil’s consumer protection authority fined Oi, Vivo, and TIM between BRL 1 and 2 million for misleading advertisements for misrepresenting their services as “5G” despite using 4G technology.

Canada’s Centre for Cyber Security issued a joint advisory, in collaboration with its US and Dutch counterparts, warning social media companies about the Russian state-sponsored AI software “Meliorator.” The software is used to create fake personas, mimic legitimate user content, and amplify false information.

Artificial Intelligence

International developments

The OECD launched a pilot for a reporting framework to monitor the voluntary application of the international Code of Conduct for organizations developing advanced AI systems. The Code of Conduct, issued under the G7 Hiroshima Process, offers guidance for organizations developing advanced AI systems, including foundation models and generative AI, to promote safe, secure, and trustworthy AI. The pilot phase will assess the specific mechanisms organizations use to apply the Code of Conduct, including risk management, transparency reporting, and content authentication.

The European Commission, the United Kingdom’s Competition and Markets Authority, as well as the US Federal Trade Commission and Department of Justice (DOJ) issued a Joint Statement on competition in generative AI foundation models and products. The statement outlines competition risks, such as concentrated control of inputs, and highlights the importance of fostering innovation through common principles of fair dealing, interoperability, and choice.

Europe

The European Union’s AI Act was published in the official journal, initiating a multi-step implementation process over the coming years. The Act establishes a risk-based approach, prohibiting certain AI practices and establishing a range of compliance obligations for "high-risk" AI systems. The prohibition applies to emotion recognition in the workplace and educational institutions, social scoring, biometric categorization to infer sensitive data, and some forms of predictive policing, among others. The European Commission published the AI Pact, a mechanism for voluntary early compliance with the AI Act. The European Data Protection Board released a statement on the role of data protection authorities under the AI Act, highlighting the need for effective supervision and suggesting the designation of national data protection authorities as “market surveillance authorities” for high-risk AI systems.

Russia’s president signed a bill regulating the responsibility for damages incurred during AI testing, set to enter into force in January 2025. The bill also provides mechanisms for identifying individuals responsible for AI-related incidents and establishes a commission to address damages caused by AI.

The United Kingdom’s Competition and Markets Authority initiated a merger inquiry into Microsoft's hiring of former employees of Inflection AI. The inquiry will decide whether to proceed with a “phase 2” investigation and is part of a broader assessment of competition in the AI sector. The Office of Communications issued guidance on red teaming to evaluate and mitigate harms posed by generative AI technologies. The initiative is part of a broader strategy under the Online Safety Act 2023, which mandates risk assessment and mitigation regarding illegal and harmful content.

Asia and Australia

China‘s National Information Security Standardisation Technical Committee (TC260) closed a consultation on draft requirements for generative AI cybersecurity. The draft outlines requirements regarding the security of training data and models, as well as security obligations after release for public use. The draft also requires providers to obtain data subjects' consent before using their personal information in training data. In addition, the Ministry of Industry and Information Technology closed a consultation on a set of AI technical standards under the Industry Standards Development and Revision Plan 2024. The consultation covers 12 proposed industry standard projects on AI within different industries. Finally, the Cyberspace Administration of China issued guidelines regarding a comprehensive national AI standardization system.

South Korea’s Personal Information Protection Commission published standards for processing public data used in AI development. The standards clarify the legal requirements for collecting and using public personal data for AI development and provide minimum safety standards. In addition, the Ministry of Science and ICT closed the consultation in its inquiry on AI regulation under the "New Digital Order Establishment Plan."

Americas

Argentina introduced three bills related to AI. The first bill would require watermarking for advertising with digitally retouched human images, to ensure transparency and protect consumers. The second bill would establish a federal observatory on AI. The third bill would implement regulatory sandboxes to promote the intensive use of technology and innovation.

Brazil proposed three bills on AI, too. The first bill would protect children's images, prohibiting their use to train AI without explicit parental consent. The second bill would establish data protection criteria for the legal use of personal data to train and improve AI systems. The third bill would clarify that only natural persons can be authors of copyright, regardless of the degree of AI system use.

Competition

Europe

The General Court of the European Union dismissed ByteDance’s lawsuit against the European Commission for designating it as a gatekeeper under the Digital Markets Act (DMA). The court confirmed that ByteDance’s social network platform TikTok met the quantitative thresholds established under the DMA, justifying its classification as a gatekeeper. The European Commission announced an investigation into anti-competitive agreements between Delivery Hero and Globo, two online food delivery companies. The Commission will examine whether the companies allocated geographic markets, shared commercially sensitive information, and agreed not to poach each other’s employees before Delivery Hero fully acquired Glovo in July 2022. The Commission also issued preliminary findings that Meta’s “pay or consent” model breaches the DMA. The Consumer Protection Cooperation Network also initiated an investigation into Meta's "pay or consent" model. Finally, the Commission closed its investigation into Apple’s access restrictions to Near-Field Communication technology for contactless payments, accepting Apple’s commitments.

Italy’s Competition Authority initiated an investigation into Google for requesting consent for linking services offered to users. The investigation focuses on allegations that Google provides incomplete and misleading information about the implications of user consent, namely regarding cross-use of data among Google's various services.

The United Kingdom’s Competition and Markets Authority (CMA) opened a consultation on Google’s revised Privacy Sandbox. The CMA will review Google’s new approach to Privacy Sandbox, which consists of introducing a user-choice prompt that will allow users to choose whether to retain third-party cookies from Chrome instead of removing third-party cookies. The CMA also issued guidance for trader recommendation platforms and closed two public consultations on its digital markets competition regime, and merger reporting requirements for firms with strategic market status under the Digital Markets, Competition and Consumers Act. Finally, the United Kingdom’s Payments Systems Regulator and Financial Conduct Authority opened an inquiry into digital wallets.

Asia and Australia

Australia‘s Parliament opened a consultation on a proposed reform of merger control rules. The focus lies on capturing creeping acquisitions, acquisitions of nascent competitors, and expansions into related markets, including by digital platforms. The Federal Court of Australia ruled that PayPal used an unfair contractual clause towards small businesses, allowing it to retain erroneously charged fees. The Australian Competition and Consumer Commission (ACCC) opened an investigation into Google over alleged abuse of market power regarding pre-installed search engines on Android devices. The investigation was initiated after the ACCC's Digital Platform Services Inquiry (DPSI) determined that Google's dominance as the primary search engine in Australia is largely due to its pre-installation as the default search service on devices. The ACCC also opened a consultation on the final report of the Digital Platform Services Inquiry.

The Competition Commission of India closed the consultation on a proposal to strengthen its regulatory oversight. The proposal would give the CCI the power to demand assistance from other agencies to implement its orders, remove the 90-day deadline for issuing final orders, and require investigated entities to submit financial statements. The commission also approved Dixon’s acquisition of Ismartu, two engineering and manufacturing service providers.

Indonesia’s Competition Commission announced that Shopee and Nusantara Ekspres Kilat signed a behavioral change integrity pact, initiating a 90-day oversight period. The pact stipulates that Shopee acknowledges its violations, including discriminating against business actors and abusing its dominant position to determine trading conditions, and commits to cooperate. The commission also announced that Google issued a response in the investigation of its requirement for app developers to use the Google Play Billing System.

South Korea’s National Cabinet adopted the enforcement decree for recent amendments to the Basic Consumer Act. The decree clarifies the scope of investigations, covering transactions, prices, labeling, advertising, and consumer damages, and requires the Fair Trade Commission to prepare an investigation plan. The Fair Trade Commission in turn opened a consultation on a proposed amendment of the enforcement decree of the Act on Consumer Protection in Electronic Commerce. The amendment addresses deceptive online marketing practices (dark patterns, specifying requirements for prior consent and notification periods for increases in regular payment amounts or changes to paid services. Finally, the Fair Trade Commission fined Eduwill KRW 5 million for advertising online lecture products as discounted for a limited period although the discounts continued to be advertised after the announced deadline.

Turkey introduced a bill regarding the calculation of licensing fees for e-commerce platforms. Previous amendments introduced a licensing obligation for e-commerce platforms but exempted foreign transactions from calculation of the license fee. The bill would extend exemptions. Turkey’s Competition Authority closed its investigation into Google’s alleged abuse of dominance in the general search services market. The investigation focused on whether Google used search result features, such as "users also asked this," to unfairly lower the visibility of other websites. The Authority found that Google holds a dominant position but did not abuse this position.

Data governance

International developments

The co-convenors of the World Trade Organization’s Joint Initiative on Electronic Commerce announced that the parties agreed on a stabilized text for the Agreement on Electronic Commerce. Under the agreement, over 80 countries would commit to adopting or maintaining a legal framework aimed at protecting the personal data of electronic commerce users. The agreement also includes provisions specifying that it does not restrict a party adopting it from implementing measures to protect personal data and privacy, including rules for cross-border data transfers. However, the parties must ensure that their laws allow for such transfers under conditions that are generally applicable and objective.

The Ibero-American Data Protection Network signed a memorandum of understanding on data protection cooperation across Ibero-America. The memorandum establishes a collaborative framework for information exchange, technical assistance, and the development of public policies and regulations concerning personal data protection and privacy.

The amendment integrating provisions regarding the free flow of data in the economic partnership between the European Union and Japan entered into force. The amendment states that data flows between the EU and Japan will not be restricted by unjustified data localisation measures and supports the “Data Free Flow with Trust” initiative aiming to foster international cooperation regarding data flows based on shared values.

The European Union and Singapore concluded negotiations for a bilateral Digital Trade Agreement, building on the Digital Partnership and Digital Trade Principles agreed upon in 2023. The Agreement includes rules on cross-border data flows and unsolicited commercial electronic messages, among others.

Europe

The European Commission closed its consultation on the implementing regulation for the NIS 2 Directive. The regulation outlines technical and methodological requirements for cybersecurity risk management and specifies which incidents are considered to be significant. The European Data Protection Board published guidelines regarding the EU-US Data Privacy Framework, outlining its purpose and eligibility criteria for US companies to participate in the DPF. Finally. the Court of Justice of the European Union (CJEU) issued a ruling clarifying that a consumer protection association can bring a representative action under the General Data Protection Regulation.

Germany announced an agreement with mobile operators to prohibit the use of critical components made by Chinese companies Huawei and ZTE in core parts of the country's 5G networks. The agreement will be implemented in two phases starting in 2026.

Italy’s Data Protection Authority announced an investigation into cybersecurity company CrowdStrike following the wide-ranging IT system blackout. The focus lies on personal data protection, particularly in relation to public services.

Russia introduced a bill to improve mechanisms for preventing the excessive processing of personal data. The bill focuses on the e-commerce sector and mandates that consent for personal data processing is to be obtained separately from other documents.Russia’s Public Communication Network Monitoring and Management Center published information on its actions against distributed denial-of-service (DDoS) attacks, phishing resources, and malware.

In the United Kingdom, the King’s Speech announced two bills by the new government relating to data governance. The Digital Information and Smart Data Bill would update the data protection regime, enable innovative uses of data to be safely developed, and reform the Information Commissioner's Office. The Cyber Security and Resilience Bill would introduce new cybersecurity measures, expanding the scope of regulation to a broader range of digital services and supply chains, and mandating increased incident reporting.

Asia and Australia

China’s National Information Security Standardisation Technical Committee opened a consultation on a new draft standard on data security, specifically on personal information protection compliance audits. The Committee further closed a consultation on guidelines for external vehicle data, proposing a one-click feature to disable all sensors and stop data collection instantly. The Chinese Ministry of Industry and Information Technology opened a consultation for the establishment plan for a new technical committee on brain-computer interface standardization.

Japan‘s Personal Information Protection Commission closes its consultation on the interim review of the Act on the Protection of Personal Information. The review focuses on the protection of individual rights and interests, effective monitoring and supervision, and support for data utilization. Moreover, it reviews the adequacy of current criminal penalties for severe violations and contemplates additional measures for the most egregious cases.

South Korea‘s Personal Information Protection Commission fined AliExpress approximately KRW 1.9 billion for privacy violations. AliExpress provided Korean users' personal information to approximately 180.000 overseas sellers without adequate consent or disclosure. The commission further designated three new pilot institutions as "Personal Information Safe Zones" to enhance the analysis and utilization of land and transportation data.

Saudi Arabia‘s Data and Artificial Intelligence Authority opened a consultation on draft rules for appointing a personal data protection officer. The draft sets requirements, including adequate qualifications, knowledge of regulatory measures, and ethical integrity.

The Turkish Personal Data Protection Board’s Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad entered into force. The regulation specifies the mechanisms for data transfers to other jurisdictions, namely an adequacy decision or appropriate safeguards (such as binding corporate rules approved by the Board). The regulation also lists exceptional cases in which transfers are allowed, such as the data subject’s explicit consent.

Americas

Brazil strongly scrutinized Meta’s new privacy policy, which allows the use of personal data from its platforms for AI training. First, the Data Protection Authority issued a preventive measure requesting Meta to suspend its new privacy policy. Following Meta’s request for reconsideration, the authority issued an order upholding its preventive measure. Non-compliance will result in a daily fine of BRL 50.000. Furthermore, the Consumer Protection Authority requested information from Meta regarding its use of personal data for training Artificial Intelligence. In addition, the Federal Public Prosecutor's Office and the Consumer Defence Institute filed a public lawsuit seeking BRL 1.733 billion in compensation from WhatsApp for alleged violations of its privacy policy. Finally, Brazil’s regulation on data protection officers under the Law on General Personal Data Protection entered into force, and amendments to the cybersecurity regulation for the telecommunications sector were adopted.

Mexico introduced a bill on neuro-rights and neurotechnologies. The bill would establish a legal framework for the protection of human rights in the context of neurotechnological advances, focusing on the protection of human dignity, privacy, autonomy, and integrity. The bill sets out principles for equitable access, confidentiality, governance, and compliance, among others, and introduces specific provisions for the safe and ethical use of neurotechnologies across various sectors, including medical, educational, labor, public security, and national defense. Furthermore, Mexico’s Data Protection Authority opened an investigation into Ticketmaster for allegedly disclosing personal data in violation of the federal data protection law.

Correction - August 7, 2024: An earlier version of this article included content from the June 2024 issue of this roundup. It has been corrected to include the content for July 2024. We regret the error.