Global Digital Policy Roundup: March 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of March 2025 in four core areas of digital policy.

• Content moderation, including the implementation of illegal content duties under the UK Online Safety Act, Indonesia's online child protection regulation, and Australia’s investigations into the handling of terrorist and violent extremist content.
• AI regulation, including ASEAN's Responsible AI Roadmap, the EU's draft General-Purpose AI Code of Practice, Italy’s bill on the governance of AI, and China's regulation on the identification of AI-generated content.
• Competition policy, including Japan’s designation of companies falling under its new smartphone software regime, the EU's Digital Markets Act investigations into Alphabet and Apple, and South Korea's enforcement actions regarding Kakao.
• Data governance, including Mexico’s new data protection law, the EU-South Korea Digital Trade Agreement, and investigations over children’s data processing in the UK.

Content moderation

Europe

The European Commission and European Union Member States continued implementing the Digital Services Act (DSA). The Commission adopted a decision restricting certain data subject rights under the DSA in relation to its supervision and enforcement activities. Ireland's Competition and Consumer Protection Commission opened a consultation on a levy for consumer online platforms to fund its oversight of the DSA.

The French Authority for the Regulation of Audiovisual and Digital Communication requested that the telecommunications satellite system provider Eutelsat stop the distribution of two Russian channels. The Authority found that these channels were subject to EU sanctions and had broadcast disinformation and content that could incite hatred.

Italy implemented a decree on the safety of minors in the digital environment, requiring manufacturers to ensure that electronic communication devices support parental control applications.

The United Kingdom implemented illegal content duties under the Online Safety Act (OSA). The Office of Communications (Ofcom) established binding codes of practice that required service providers, including search engines and "user-to-user" platforms, to complete a risk assessment by 16 March. The purpose of this assessment was to evaluate the likelihood of users encountering illegal content on their services, or, in the case of "user-to-user" platforms, how these services could be used to facilitate or commit criminal offenses.

Starting on 17 March, these providers were required to take appropriate measures to remove illegal content upon becoming aware of it, as well as implement steps to mitigate the risk of priority criminal content appearing on their platforms. Priority criminal content encompasses child sexual exploitation, human trafficking, terrorism, harassment and abuse, and hate crimes, among others.

Ofcom also launched two enforcement programs to ensure compliance with OSA. The first program assesses compliance with the obligation to conduct illegal harm risk assessments. The second investigates file-sharing and file-storage service providers to comply with their legal duties to address child sexual abuse material. Finally, Ofcom fined OnlyFans GBP 1.05 million for misreporting its age verification measures.

Asia and Australia

Australia‘s eSafety Commissioner concluded several investigations into technology platforms' measures addressing terrorism and violent extremism (TVE) content. Transparency reports were published summarizing responses from Google, Meta, WhatsApp, Telegram, and Reddit, specifying the approaches to proactive detection, user reporting, and strategies to mitigate TVE risks linked to recommender systems and generative AI. Additionally, the eSafety Commissioner appealed the Administrative Review Tribunal’s decision that the Tribunal has jurisdiction to review the eSafety Commissioner’s decision to alert X to a possible breach of their terms of service.

China implemented measures for the dissemination of military information on the internet, which include provisions on bothcontent moderation and user access controls. The measures prohibit the disclosure of classified information, misinformation, and content that could undermine the armed forces. It also mandates platforms to verify the identity of users accessing or publishing military information online.

The President of Indonesia signed a regulation on child protection in electronic systems. The regulation sets standards for age-appropriate design and age verification, personal data protection impact assessments, and default high privacy settings. It also prohibits harmful data practices, unjustified profiling, and manipulative designs. Additionally, the Ministry of Communication and Digital Affairs released a report detailing content moderation efforts, specifying that authorities addressed 1.35 million cases of online pornography and gambling, displayed primarily on X and Meta platforms.

Artificial Intelligence

International

The Association of Southeast Asian Nations (ASEAN) adopted the Responsible Artificial Intelligence (AI) Roadmap, which establishes a regional framework for AI governance and cooperation. It provides steps to align national AI initiatives with regional digitalisation goals, prioritizing public-sector AI capacity-building, digital infrastructure, and secure data-sharing.

Europe

The European Union continued the implementation of the EU AI Act. The European Commission published the third draft of the General-Purpose AI Code of Practice. The draft refines obligations related to transparency, copyright protection, risk assessment, and risk mitigation. The Commission also established a panel of independent AI experts to provide technical guidance on implementing the Act. Additionally, the Commission adopted model contractual clauses for the procurement of high-risk and non-high-risk AI systems, designed to support compliance with transparency, risk management, oversight, and cybersecurity requirements under the EU AI Act.

The Commission also launched several funding initiatives. The Digital Europe Programme allocates EUR 1.3 billion for AI development in healthcare, cloud infrastructure, data spaces, and cyber resilience. The industrial action plan will make EUR 1 billion available for the automotive sector, including the development of autonomous driving technologies. Finally, the European Union and South Africa issued a joint statement on their strategic partnership, which includes a EUR 4.7 billion Global Gateway Investment Package, with funding allocated to digital infrastructure and AI development.

The Italian Senate passed the bill on the governance of AI, designating the authorities in charge of implementing the EU AI Act and overseeing compliance. The bill also requires public procurement platforms to prioritise AI suppliers that process and store strategic data within national data centres to ensure disaster recovery, business continuity, and high security standards. Further, the bill includes provisions allowing the reproduction and extraction of works or materials available online, provided there is legitimate access, for data mining related to AI model development.

The United Kingdom introduced a bill regulating AI, proposing the establishment of an AI Authority with regulatory powers over high-risk AI systems, along with design requirements, regulatory sandboxes, and intellectual property provisions. Meanwhile, the Treasury Committee closed its inquiry into AI use in financial services, while the Public Accounts Committee issued a report on the government's use of AI, addressing public procurement practices. Finally, the Competition and Markets Authority concluded its investigation into Microsoft and OpenAI's partnership, determining it did not qualify for investigation under merger control regulations.

Asia and Australia

The Cyberspace Administration of China adopted methods for identifying AI-generated synthetic content, setting standardized practices for marking text, images, audio, video, and virtual scenes. AI service providers and businesses using synthetic media must implement both explicit and implicit content identifiers. To support this, the National Information Security Standardisation Technical Committee adopted a standard that establishes uniform marking requirements and issued coding guidelines. Additionally, the Cyberspace Administration published regulations on the safe use of facial recognition technology, covering data protection and registration.

Meanwhile, the Ministry of Commerce implemented an export control order affecting 15 United States companies dealing with dual-use technologies, including advanced AI components.

India’s Ministry of Electronics and Information Technology launched “AIKosha” as part of the IndiaAI Mission, creating a compute portal to support AI development, alongside an AI competency framework for training.

Japan’s Financial Services Agency published a discussion paper on promoting the responsible use of AI in the financial sector, outlining governance frameworks and risk management approaches. The Digital Agency launched a public consultation on draft guidelines for the procurement and use of generative AI technologies in governmental operations. Additionally, the Ministry of Transport consulted on guidelines for the utilization of autonomous driving technology in urban spaces, addressing safety and integration concerns.

The South Korea Communications Commission implemented binding guidelines for the protection of users of generative AI services. The guidelines require developers to design AI systems that users can understand and trust, provide clear explanations of how decisions are made, and ensure that the system's behavior is predictable and controllable. The guidelines also establish requirements regarding testing, performance monitoring, non-discrimination, and data protection.

Additionally, the Personal Information Protection Commission conducted an assessment of Kakao Corp's AI service Kanana, focusing on safety measures, data processing, and internal management. The assessment was conducted as part of the adequacy review system to address legal uncertainties associated with emerging technologies, particularly AI.

Competition

Europe

Fifteen European Union Member States adopted a blueprint for a new horizontal single market strategy addressing digital market integration and competition governance. The strategy calls for a coordinated approach to strengthening the European single market while ensuring fair competition in digital sectors. The Consumer Protection Cooperation Network adopted principles on in-game virtual currencies to regulate in-game currency exchanges and tackle unfair commercial practices.

In terms of enforcement, the European Commission issued two preliminary findings against Alphabet for failing to comply with the Digital Markets Act (DMA). The first concerns Google Search, where its service features were found to favor Alphabet’s own services over competitors, violating the DMA’s requirement for transparent, fair, and non-discriminatory treatment of third-party services.

The second relates to Google Play, which allegedly restricts app developers from directing users to alternative channels for better offers, contravening the DMA’s rules. In addition, the European Commission adopted two binding decisions under the DMA, specifying the measures that Apple has to implement to comply with the interoperability obligation. The decisions include measures to facilitate the integration of third-party products and services with iPads and iPadOS and iOS operating systems.

The French Competition Authority fined Apple EUR 150 million for abusing its dominant position in app distribution on iOS and iPadOS between April 2021 and July 2023. The Authority found that Apple's App Tracking Transparency (ATT) framework imposed stricter consent requirements on third-party apps, distorting competition in digital advertising. The investigation followed complaints from industry associations in 2020, and ATT's mechanism was found to violate French data protection law.

Germany’s Federal Court of Justice upheld the classification of Apple as having paramount cross-market significance for competition under the Act against Restraints of Competition. The ruling reinforces the Federal Cartel Office’s authority to apply stricter regulatory oversight even in the absence of immediate anticompetitive conduct.

The United Kingdom’s Competition and Markets Authority (CMA) published its Mergers Charter, outlining engagement principles with businesses during merger investigations. The CMA also published its final report on Apple's policies as part of the mobile browsers and cloud gaming market investigation, highlighting competition concerns. The CMA also issued a final report on Google's market power in mobile browsers and cloud gaming, withdrawing concerns over Google’s choice architecture. Furthermore, the CMA approved the acquisition of Ansys by Synopsys based on proposed divestments to address competition concerns in power analysis, optics, and photonics software.

Asia and Australia

China’s State Administration for Market Regulation (SAMR) announced measures to regulate online trading platforms. The measures will address uncompetitive practices, automatic price-following mechanisms, and complex fee structures. The SAMR also adopted a legislative plan that includes the development of competition regulations for electronic commerce, including revisions on monopolies and trade secrets rules.

The Japan Fair Trade Commission (FTC) designated Apple, iTunes, and Google as operators providing “essential software” under the law on promoting competition in smartphone software. Following the designation, the companies are subject to obligations on data use, the fair treatment of app providers, and interoperability. Moreover, the law requires operators to facilitate data transfer, allow changes to default settings, and obtain user consent for incorporating additional software. The FTC also approved Synopsys' acquisition of Ansys based on commitments to address competition concerns.

South Korea introduced two legislative proposals focused on improving consumer and business protections. The first bill proposes changes to the Act on Prevention of Unfair Competition, establishing a fact-finding system for trade secret cases and expanding evidence submission requirements. The second bill amends the Act on Consumer Protection in Electronic Commerce, aiming to address dark patterns through measures like periodic inspections, consumer compensation, and liability insurance.

In terms of enforcement, the Korea Fair Trade Commission closed a consultation on payment practices in electronic commerce, assessing payment practices and exploring procedural methods. The Commission also approved Samsung Electronics' acquisition of a stake in Rainbow Robotics, determining that the transaction would not substantially restrict competition. The Commission further fined Carrot Market for non-compliance with the Electronic Commerce Act’s obligations on the disclosure of seller information. Additionally, the Commission began consultations on a proposed consent order on Kakao's unfair trade practices, addressing concerns over suppliers' lack of choice in shipping methods, delayed contract documentation, and unjustified product returns.

The Turkish Competition Authority launched an investigation into Apple for potential violations of the Law on Competition. The investigation examines whether Apple coordinated buyback prices for Apple-branded products with certain resellers, including Support Informatics, Easycep, Getmobile, and HB Informatics.

Africa

South Africa’s Competition Commission closed its consultation on guidelines clarifying the handling, access, and confidentiality of information under the Competition Act. The guidelines aim to clarify the process for claiming confidentiality and the Commission's approach to such claims.

Data governance

Europe

The European Union Health Data Space Regulation came into force with a grace period, establishing a framework for secure and interoperable access to electronic health data. It grants individuals control over their health data and sets rules for cross-border access. Meanwhile, the European Commission proposed extending the 2021 adequacy decision for the free flow of personal data between the European Economic Area and the United Kingdom.

The European Data Protection Board (EDPB) published guidelines on the approval procedure for Binding Corporate Rules to facilitate lawful cross-border data transfers. Additionally, the European Commission and Singapore issued a joint statement reaffirming their commitment to continued cooperation on data protection, cross-border data flows, and privacy technologies.

Lastly, the EU and the Republic of Korea concluded negotiations on a comprehensive Digital Trade Agreement, covering cybersecurity, cross-border data transfers, and consumer protection, among others.

Regarding enforcement, the Advocate General of the Court of Justice of the European Union (CJEU) recommended overturning a prior ruling on WhatsApp's challenge to a binding decision by the EDPB. This decision instructed the Irish Data Protection Commission to revise its stance and raise proposed General Data Protection Regulation (GDPR) fines. The Advocate General argued that the EDPB’s decision had binding legal effects on WhatsApp, making its challenge admissible, and recommended that the case be reassessed.

At the member state level, Luxembourg’s Administrative Court confirmed the decision of the National Data Protection Commission to impose a EUR 746 million fine against Amazon. The fine was imposed for breaches of the GDPR rules by using personal data for targeted advertising without obtaining proper consent.

France’s National Commission on Informatics and Liberty consulted on a draft recommendation focused on location data from connected vehicles. It provides guidance on data processing under the GDPR.

Germany’s independent data protection supervisory authorities of the federal states issued a statement on the Draft Data Act Implementation Law, citing legal and regulatory concerns over shifting GDPR oversight to the federal level. Meanwhile, the Hamburg Commissioner for Data Protection published guidelines on data deletion, highlighting revised retention periods and GDPR compliance requirements.

In a separate development, the Federal Court of Justice ruled that consumer protection associations and competitors can take legal action against data protection violations under competition law. The case involved Facebook's “App Centre,” where users were allegedly insufficiently informed about the collection and use of their personal data, including email addresses and profile information, when accessing third-party games.

Russia’s media regulator published a draft order on the depersonalization of personal data. The order specifies approved methods, including the introduction of personal data identifiers and modifications to their composition or semantics.

The United Kingdom’s Department for Science, Innovation and Technology conducted an inquiry into data brokers assessing their activities, risks, and regulatory frameworks. The inquiry focused on national security threats from hostile actors and their impact on national security. The Information Commissioner's Office (ICO) issued guidance on anonymization and pseudonymization for organizations processing personal data in sectors such as healthcare and artificial intelligence development.

The ICO also launched investigations into TikTok, Reddit, and Imgur regarding their handling of children's data, focusing on age verification and privacy protection. The ICO further imposed a penalty of GBP 3.07 million on Advanced Computer Software Group for data protection failures. The ICO and the Office of the Privacy Commissioner of Canada also issued provisional findings in their investigation into 23andMe's compliance with cybersecurity regulations over data breaches involving genetic data.

Asia and Australia

Australia’s Securities and Investments Commission filed a lawsuit against FIIG Securities Limited at the Federal Court of Australia, over failure to meet cybersecurity requirements that resulted in a data breach exposing client data.

China’s Cyberspace Administration of China opened a consultation on Cybersecurity Law (Second Draft). The draft updates the liability framework and increases fines for violations. The Cyberspace Administration also updated its register of cloud computing platforms that passed the national security assessment, including Alibaba and Huawei. Additionally, the National Data Administration initiated the deployment of a national public data resource cataloging platform to enhance data resource management.

Furthermore, the State Administration for Market Regulation released the National Standard for Digital Transformation Infrastructure, guiding industries in aligning digital transformation with economic and technological developments. Finally, the Ministry of Industry and Information Technology published guiding opinions aimed at strengthening compliance management for small and medium enterprises, including network and data security aspects.

Japan’s House of Representatives passed two cybersecurity bills. The first bill introduces cybersecurity measures for critical electronic infrastructures by establishing frameworks for reporting specific exploitative incidents and regulating the collection and analysis of related communication information. The second bill includes measures to develop cyber ​​response capabilities.

India’s Ministry of Electronics and Information Technology closed public consultations on the draft Digital Personal Data Protection Rules 2025, which covers data protection, governance, cross-border data transfer, and government access to data.

South Korea’s Personal Information Protection Commission announced the full implementation of the MyData system, enhancing individuals' control over their personal information. The National Assembly passed an amendment to the Personal Information Protection Act, establishing a representative system for overseas businesses. Additionally, the Supreme Court dismissed Meta's challenge against the Personal Information Protection Commission's KRW 6.7 billion fine for sharing user data with third parties without consent. The Commission also fined Modutour Network KRW 757.2 million for personal information leaks and announced investigations into smart car manufacturers and robot vacuum cleaners.

Turkey’s Cybersecurity Law entered into force, establishing security obligations, including the protection of critical infrastructure, data security, and the role of cybersecurity response teams for public institutions and professional organizations. The law includes labor law regulations for cybersecurity professionals and import tariff exceptions for certain cybersecurity equipment. The Personal Data Protection Authority also adopted guidelines on processing special categories of personal data, clarifying sensitive information handling.

Americas

Mexico implemented the Law on the Protection of Personal Data Held by Private Parties, amending its comprehensive data protection law from 2010. The law sets out data processing principles such as lawfulness, purpose limitation, and safeguards for sensitive data. Private entities must provide detailed privacy notices outlining data usage. The law grants individuals the right to access, correct, delete, and object to data processing. For international transfers, recipients must ensure equivalent protection.