Global Digital Policy Roundup: March 2026

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of March in four core areas of digital policy.

• Content moderation, including the European Parliament's and Council's adoption of positions on the Digital Omnibus on AI Regulation, the entry into force of Brazil's law on the protection of children and adolescents in digital environments, the UK's adoption of the child sexual exploitation and abuse content reporting regulations, and Indonesia's adoption of the Regulation on Child Protection in Electronic Systems.
• AI regulation, including Russia's draft law on artificial intelligence, the UK government's report on copyright and AI proposals, and Brazil's enforcement case against Meta's update to the WhatsApp business terms.
• Competition policy, including the UK Competition and Markets Authority's strategic market status investigation into Microsoft's business software ecosystem, Brazil's advancement of the Digital Markets Bill on an urgency track, and Indonesia's Supreme Court upholding the IDR 202.5 billion fine against Google for abuse of dominance regarding app store payments.
• Data governance, including Germany's adoption of implementing legislation for both the EU Data Act and the EU Data Governance Act, the European Data Protection Board’s launch of its 2026 coordinated enforcement action on GDPR transparency and information obligations, and the data protection provision in the WTO E-Commerce Agreement, launched between 66 member states.

Content moderation

Europe

The European Parliament adopted its position on the Digital Omnibus on AI Regulation, introducing a ban on AI systems that generate or manipulate sexually explicit or intimate images resembling identifiable individuals without their consent, while exempting systems that incorporate safeguards to prevent such misuse. In parallel, the Council agreed on its general approach to the proposal, which also includes provisions addressing AI-generated non-consensual sexual content and child sexual abuse material. Following the adoption of both positions, trilogue negotiations have commenced.

The European Parliament voted not to extend the temporary derogation from the ePrivacy Directive, which had allowed companies to voluntarily detect and report child sexual abuse material (CSAM) online. As a result, the legal basis has expired. The Parliament supported a shortened extension of the regime until 2027, but subsequently rejected the European Commission’s proposal to extend it until 2028. Negotiations between the Parliament and the Council on a proposal to establish a permanent framework to combat child sexual abuse remain ongoing.

The European Commission continued the enforcement of the Digital Service Act (DSA). The Commission opened formal proceedings against Snapchat under the DSA over the safety, privacy, and security of minors, taking over an investigation previously initiated by the Dutch Authority for Consumers and Markets. The Commission also issued preliminary findings against Pornhub, XVideos, Stripchat, and XNXX for failing to protect minors from exposure to pornographic content under the DSA, finding that self-declaration of age, page blurring, and content warnings are insufficient and directing all four platforms to implement privacy-preserving age verification measures. The Commission announced the first reporting cycle under the Code of Conduct on Disinformation since its recognition as a DSA code of conduct, with signatories including Google, Meta, Microsoft, and TikTok submitting reports for July–December 2025.

At the member state level, the Amsterdam District Court issued a preliminary injunction prohibiting xAI from generating and distributing non-consensual “undressing” images and child sexual abuse material via the Grok chatbot in the Netherlands. The Court found existing safeguards insufficient, citing evidence that such content could still be generated, and imposed daily penalties of EUR 100,000 for non-compliance. The ruling also requires X to suspend offering Grok on the X platform while the violations persist.

The Italian Competition Authority fined Trustpilot EUR 4 million for misleading claims about review authenticity, inadequate disclosure of paid subscription services, and use of dark pattern techniques. Furthermore, Cloudflare appealed the EUR 14.25 million fine imposed by the Authority for Communications for failing to block access to illegal sports streaming services, arguing the penalty is disproportionate and breaches EU law.

In Russia, the law on digital subscriptions entered into force. It prohibits providers from using consumers’ stored payment data after a clear refusal and requires them to implement systems enabling users to easily withdraw consent electronically. Additionally, the rules on centralized management of the public communications network entered into force, authorizing the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) to restrict access to content on its official threat list. Finally, the Tagansky District Court fined Telegram RUB 35 million for failing to remove extremist content, child sexual abuse imagery, and drug-related material.

In the United Kingdom, the Secretary of State adopted the Content Reporting Regulations requiring regulated user-to-user services to report detected child sexual exploitation and abuse content (CSEA) to the National Crime Agency. The Office of Communications (Ofcom) published accompanying guidance on the CSEA reporting duty and released the results of its inquiry into CSEA, finding that 59% of surveyed offenders were first exposed to such material before age 18, and 29% reported viewing AI-generated content.

Furthermore, Ofcom opened four simultaneous consultations on the amended Illegal Content Codes of Practice for user-to-user services and search services, updated risk assessment guidance, and the register of risks. The amendments incorporate additional measures following the designation of content encouraging self-harm and cyberflashing as new priority offences. Ofcom and the Information Commissioner's Office also published a joint statement on age assurance clarifying how online safety and data protection obligations interact.

Regarding enforcement, Ofcom confirmed 4chan's non-compliance with the Online Safety Act, imposing total penalties of GBP 520,000, and opened an investigation into an unnamed image board provider over alleged failures to address child sexual abuse material and non-consensual intimate images. Ofcom also issued a provisional notice of contravention to First Time Videos for failure to implement age assurance.

Asia and Australia

The Australian Minister for Communications adopted amendment rules that define age-restricted social media platforms as services featuring recommender systems or logged-in engagement tools, such as endless feeds, “likes”, or ephemeral content. Services lacking these features are excluded from the obligation to restrict account access for users under 16.

The eSafety Commissioner published the first compliance report on the social media minimum age obligation and confirmed investigations into Facebook, Instagram, Snapchat, TikTok, and YouTube, identifying concerns over repeated age circumvention attempts, inaccessible parental reporting pathways, and insufficient measures to prevent new under-16 accounts. Additionally, the eSafety Commissioner published a transparency report summarising responses to notices issued in October 2025 to the AI companion service providers Chub AI, Chai Research, Glimpse.AI (Nomi), and Character Technologies (Character.AI). The report finds that the providers are not adequately protecting children from sexually explicit content or preventing the creation of child sexual exploitation material. It also notes that most providers do not consistently refer users expressing suicidal ideation or self-harm to support services or sufficiently warn about the risks and illegality of such content.

Separately, the Australian Federal Court fined Binance AUD 10 million for misclassifying retail clients as wholesale investors and exposing them to high-risk crypto derivatives. The Competition and Consumer Commission fined Photobookshop AUD 39,600 for instructing influencers not to disclose that reviews were incentivised.

In China, the classification measures for online information harmful to minors entered into force, prohibiting platforms from featuring such content in prominent positions and requiring algorithmic systems to exclude it from push recommendations. Furthermore, the Cyberspace Administration announced plans to standardize short video content labeling, and the State Administration for Market Regulation announced measures to strengthen advertising enforcement, noting 44,500 violations and RMB 252 million in fines in 2025.

India’s Ministry of Electronics and Information Technology (MeitY) opened a consultation on amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules relating to intermediary compliance. The amendments clarify that existing requirements for preserving removed content and retaining user registration data for 180 days apply without prejudice to longer or stricter retention obligations under other applicable laws. Separately, the Ministry of Information and Broadcasting directed Telegram to disable 3,142 channels distributing pirated content and blocked approximately 800 websites.

The Minister of Communication and Digital Affairs of Indonesia adopted the Regulation on Child Protection in Electronic Systems, establishing age classification requirements across five age groups. Operators must implement age verification, deactivate accounts of users under 16, and submit regular self-assessments on safety, content exposure, consumer protection, and data security to the Ministry. These assessments determine whether a service is classified as high-risk or low-risk, with social media platforms presumed high-risk by default. The Minister also announced that it is assessing Meta’s and Google’s compliance with the regulation and confirmed X’s compliance. Separately, the Ministry restored access to Wikimedia Commons after a temporary restriction caused by automated systems incorrectly flagging content as gambling-related, compounded by the platform not being whitelisted due to incomplete registration as a Private Electronic System Operator.

Americas

In Brazil, the law on the protection of minors in digital environments entered into force. The law requires providers of services deemed inadequate or legally restricted for children to implement age verification mechanisms to restrict access. In addition, the law requires preventive and protective measures, including restrictions on the profiling of minors and the establishment of accessible content reporting mechanisms. Providers with over one million users under 18 must further publish semi-annual transparency reports on content moderation, data protection, parental consent, and risk assessments. The law also sets specific obligations for electronic games and requires providers to appoint a representative in Brazil.

The President signed three implementation decrees, which further outline obligations regarding the removal of illegal content and designate the Federal Police as the central reporting authority for serious violations involving children. The National Data Protection Authority also published guidelines on age verification mechanisms and broader implementation guidance clarifying that self-declared age is no longer valid. Additionally, the provisions applicable to internet applications under the content classification ordinance entered into force.

Regarding enforcement, the Ministry of Justice and Public Security formally requested information from TikTok on measures to address misogynistic content following the circulation of videos depicting simulated violence against women under the "if she says no" trend.

Artificial Intelligence

Europe

The European Parliament adopted its position on the Digital Omnibus on AI Regulation, proposing to postpone the application of certain rules for high-risk AI systems due to delays in the development of relevant standards, while setting fixed implementation dates to provide legal certainty. Requirements for high-risk AI systems would apply from December 2027 for stand-alone systems and from August 2028 for systems covered by EU sectoral safety legislation. The position also extends deadlines for watermarking obligations on AI-generated content until November 2026 and introduces flexibility measures, including conditions for processing personal data to detect and correct bias and support for smaller market actors.

The Council also adopted its general approach, aligning on similar application dates for high-risk AI rules and requiring registration of high-risk systems even where exemptions may apply. It also maintains provisions on processing sensitive personal data for bias mitigation, postpones national AI regulatory sandboxes until December 2027, and clarifies the supervisory role of the AI Office for general-purpose AI systems, while tasking the Commission with issuing guidance for compliance. Following the adoption of both positions, trilogue negotiations have commenced. Additionally, the European Parliament adopted recommendations on copyright and AI, calling for EU copyright law to apply to all generative AI regardless of training location, mandatory training data logs, and a European Union Intellectual Property Office-managed opt-out register.

The European Commission opened two consultations on draft implementing regulations under the AI Act. The first concerns enforcement procedures for proceedings against general-purpose AI model providers, including interim measures and a five-year limitation period for fines. The second addresses access to data, including APIs, source code, and model weights. Furthermore, the second stakeholder consultation on the Code of Practice on Transparency of AI-Generated Content was completed. The code covers marking and detection obligations under Article 50 of the AI Act. Finally, the European Data Protection Supervisor adopted a strategy for supervising AI systems used by EU institutions, combining ex ante conformity assessments and ex post enforcement.

In Germany, the bill implementing the EU AI Act was submitted to Parliament. It designates the Federal Network Agency as the primary market surveillance authority and provides for an AI Market Surveillance Chamber for high-risk systems in law enforcement and border management.

Russia's Ministry of Digital Development opened a consultation on the draft Law on Fundamentals of State Regulation of AI Technologies. It would impose obligations on AI developers to eliminate features capable of producing discrimination based on behavioral or personal characteristics, to document model architecture, functional logic, and limitations, and to conduct risk modeling for technologies under development. It would also restrict the use of AI in state information systems and critical information infrastructure owned by state bodies, institutions, and enterprises to designated "trusted" AI models, which would be required to process data exclusively within Russian territory. The draft law also includes measures regarding governance, design requirements, performance monitoring, testing obligations, user rights, and copyright protection measures.

The Personal Data Protection Authority of Turkey published a report on agentic AI, describing systems that can autonomously pursue goals, coordinate multi-step tasks, and adapt to changing conditions. It notes potential applications in areas such as research, customer support, finance, healthcare, and incident management, alongside risks related to transparency, accountability, bias, security, and accuracy.

In the United Kingdom, the Departments for Science and for Culture, Media and Sport published a report on copyright and AI pursuant to the Data (Use and Access) Act. It proposes exploration of a personality's right to address AI-generated voice and likeness impersonation. Further, the Competition and Markets Authority published a research paper on agentic AI and consumers, identifying risks including manipulative design and ecosystem lock-in, and guidance confirming that consumer protection law applies equally whether customers interact with humans or AI agents, with fines of up to 10% of worldwide turnover for non-compliance.

Asia and Australia

The Cyberspace Administration of China announced that 48 new generative AI services and 46 AI applications completed their respective filing and registration procedures between January and February 2026. The National Cybersecurity Standardisation Technical Committee opened a solicitation for membership of the AI Security Standards Working Group (WG9), which will develop and review AI security standards. The National Computer Network Emergency Response Technical Team issued an advisory on OpenClaw AI agent software, warning that weak default security settings and elevated system privileges may increase the risk of system compromise. It noted risks such as prompt injection and malicious plugins, and recommended mitigation measures such as access restrictions, stronger authentication, secure credential management, trusted plugins, and regular security updates.

The Personal Information Protection Commission of South Korea issued recommendations on AI data processing. It noted that several providers’ policies contained limited detail regarding data descriptions, legal bases, and accessibility. The Commission recommended providing more specific information, including explanations of data use for AI training, retention periods, and available opt-out options.

Americas

Brazil's Administrative Council for Economic Defense upheld the preliminary injunction requiring Meta to suspend its update to WhatsApp Business Solution Terms that would have blocked third-party AI chatbot providers from API access. Meta subsequently announced a USD 0.0625 per-message fee for AI chatbots using the API.

Competition

Europe

The European Commission announced that the gatekeepers designated under the Digital Markets Act (Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft) submitted updated compliance reports. These reports outline changes implemented over the past year, including measures related to DMA obligations and independently audited information on consumer profiling techniques. The Commission will assess the effectiveness of the reported measures, taking into account input from third parties as well as ongoing regulatory dialogue and proceedings.

France's Competition Authority consulted on the competitive functioning of the conversational AI agent sector. It examined issues such as market concentration, barriers to entry, and potential challenges for new market participants, as well as the adequacy of existing regulatory frameworks, including the EU Digital Markets Act and the EU AI Act. A formal opinion is expected to follow based on the findings.

The German Federal Cartel Office approved Adobe’s proposed acquisition of Semrush Holdings. The Authority assessed potential competition concerns, including foreclosure risks and market strengthening, but found that sufficient alternatives remain available, allowing the transaction to proceed.

Italy's Competition Authority opened a sector inquiry into quantum computing, examining barriers to entry linked to proprietary standards and the risk of quantum technologies being absorbed into existing dominant cloud ecosystems.

In the United Kingdom, the Secretary of State adopted the regulations on alternative dispute resolution (ADR) under the Digital Markets, Competition and Consumers Act. The regulations establish requirements for ADR providers on fees and information disclosure, including obligations to ensure transparency about costs and to provide clear information to parties using ADR services.

The Competition and Markets Authority (CMA) consulted on the commitments provided by Apple and Google on app store fairness and iOS interoperability, as the first measures following their strategic market status designations. The CMA also published voluntary commitments by AWS and Microsoft to remove data egress fees for switching customers and improve cloud interoperability, and announced a strategic market status investigation into Microsoft's business software ecosystem to launch in May 2026. The CMA advanced its investigation into Shutterstock's acquisition of Getty Images, closing a remedies consultation following a provisional finding of a substantial lessening of competition in editorial content supply. Finally, the CMA opened an investigation into Adobe over potentially unlawful early cancellation fees.

Asia and Australia

China's State Administration for Market Regulation opened a consultation on fair competition review implementation measures. The measures include prohibitions on preferential treatment for local enterprises in credit assessments and require policy-drafting bodies to ensure compliance with fair competition standards.

Indonesia's Supreme Court rejected Google's appeal against a IDR 202.5 billion fine related to the mandatory use of Google Play Billing, upholding findings of abuse of dominance given Google Play Store’s approximately 93% market share. The ruling requires Google to allow alternative payment methods with at least a 5% fee reduction.

Americas

Brazil’s Chamber of Deputies approved an urgency request for the bill on systemic relevance in digital markets. The measure allows the bill to bypass committee review and proceed directly to a plenary vote under an expedited legislative timeline. The bill would establish ex-ante regulation for systemically relevant digital platforms in Brazil, allowing the Competition Authority to designate large firms and impose tailored obligations on merger control, unilateral conduct, data access, interoperability, and transparency. The Bill also includes provisions on competition authority governance and local operations requirements. It provides that designated companies face administrative review, mandatory compliance, and fines for violations. Separately, the Ministry of Justice and Public Security adopted an ordinance introducing transparency requirements for price composition on digital transport and delivery platforms. Platforms must disclose how total prices are allocated, including amounts received by the operator, service providers (including tips), and senders, where applicable.

Data governance

International

Sixty-six World Trade Organization (WTO) members agreed to bring the WTO E-Commerce Agreement into force through interim arrangements, rather than in the multilateral setting. It will take effect once 45 instruments of acceptance are deposited. The E-Commerce Agreement contains a provision on data protection. The moratorium on customs duties on electronic transmissions ended after the WTO Ministerial Conference concluded without agreement to extend it.

The Global Cross-Border Privacy Rules Forum adopted the CBPR System Program Requirements, expanding from 50 to 57 requirements with new obligations on sensitive data, children's data, risk assessment, and data breach notification. Additionally, the Global Privacy Enforcement Network published a report on children's privacy practices across 876 platforms, finding 88% relied on easily circumvented self-declaration for age assurance and only 56% set personal information to private by default.

Europe

The European Union Agency for Cybersecurity released the third version of its cybersecurity market analysis framework under the EU Cybersecurity Act. The framework introduces standardized tools, templates, and taxonomies to support structured cybersecurity market analyses across areas such as cloud services and managed security. The Body of European Regulators for Electronic Communications published its early assessment of the proposed Digital Networks Act, raising concerns on competition objectives, spectrum regulation, and institutional design. Furthermore, the European Data Protection Board (EDPB) and the European Data Protection Supervisor adopted a joint opinion on the Cybersecurity Act 2 and the European Biotech Act. The EDPB launched its 2026 coordinated enforcement framework action on General Data Protection Regulation (GDPR) transparency and information obligations, with 25 data protection authorities conducting enforcement actions across all sectors.

Regarding bilateral cooperation, the EU and Australia concluded negotiations for a Free Trade Agreement containing digital trade provisions, including prohibitions on unjustified data localization, and signed a Security and Defence Partnership on cybersecurity and AI cooperation. The EU and Canada launched negotiations for a Digital Trade Agreement, while the EU-Australia FTA negotiations concluded, including a digital trade chapter. Additionally, the EU and Kenya launched a first Digital Dialogue on AI, infrastructure, and e-governance as part of the EU's Global Gateway strategy.

At the member state level, the Luxembourg Administrative Court annulled the National Data Protection Commission’s decision in the Amazon case and referred it back for reassessment. The case concerned a previous EUR 746 million fine for alleged GDPR violations, including issues related to legal basis for processing, transparency, and data subject rights.

Germany’s Parliament adopted the Act implementing the EU Data Act and the Act implementing the EU Data Governance Act, both designating the Federal Network Agency as the principal enforcement authority.

The Prime Minister of France adopted a decree requiring personal health data to be hosted exclusively within the EU or EEA, with transfers elsewhere permitted only under a GDPR adequacy decision or appropriate safeguards. Additionally, the National Commission on Informatics and Liberty closed its case against KASPR following the deletion of a database of approximately 160 million contacts and full compliance with its 2024 decision.

The Turkish Personal Data Protection Board adopted a decision requiring data controllers to prepare disclosure (notice) texts and explicit consent texts separately. The decision requires disclosure obligations to be fulfilled independently before processing, with consent obtained as a distinct, specific, and informed declaration, and prohibits combining or embedding consent within disclosure texts, with non-compliance subject to enforcement measures.

The United Kingdom’s Information Commissioner's Office (ICO) published updated guidance on legitimate interests and guidance on reuse of personal data, and opened a consultation on automated decision-making and profiling guidance. Additionally, ICO published a draft guidance on automated decision-making in recruitment. Furthermore, the Financial Conduct Authority adopted guidance on operational incident reporting, establishing a two-tier framework with a four-hour reporting limit for payment service providers, and guidance on material third-party arrangements.

Asia and Australia

The Office of the Information Commissioner of Australia opened a consultation on the Privacy (Children's Online Privacy) Code, introducing privacy-by-default requirements and parental consent requirements for users under 15, and published privacy guidance on age assurance technologies. Furthermore, the Cyber Security Centre issued a joint advisory with New Zealand on INC Ransom ransomware, which uses double-extortion tactics and has targeted healthcare organizations in Australia and the Pacific.

China established the World Data Organization (WDO) in Beijing with over 200 members from more than 40 countries, aimed at aligning national data policies and reducing compliance costs. Furthermore, the National Cybersecurity Standardization Technical Committee announced the initiation of the drafting of 14 national cybersecurity and data security standards. The standards under development cover areas such as threat intelligence evaluation methods, graded requirements for consumer smart connected devices, security classification and grading methods for AI applications, blockchain system security implementation, physical unclonable function specifications, cloud computing frameworks, electronic authentication services, and desktop cloud security.

The Personal Information Protection Commission of Japan announced a bill to amend the Act on the Protection of Personal Information. The bill introduces new definitions, including specific biometric personal information, and requires prior notification of purpose when such data is processed. It also strengthens individual rights, including the ability to request suspension of use or third-party sharing of biometric data, and provides protections for children under 16, including parental representation and consideration of the child’s best interests. Separately, the Ministry of Economy, Trade and Industry, and the National Cybersecurity Office released guidelines on the roles expected of cyber infrastructure providers. In addition, Japan and the United Arab Emirates concluded negotiations on the Comprehensive Economic Partnership Agreement, including provisions on digital trade. The agreement allows the transfer of data between the two countries and addresses measures regarding data localization. Finally, Japan and Singapore signed a memorandum of cooperation on the mutual recognition of Internet of Things cybersecurity schemes.

The President of South Korea signed the amended Personal Information Protection Act, expanding breach notification to cover data forgery and introducing surcharges of up to 10% of total sales for serious violations. Additionally, the National Assembly adopted a bill amending the Network Act, introducing a 24-hour incident reporting requirement and penalty surcharges of up to 3% of revenue for negligent violations. The Personal Information Protection Commission adopted revised guidelines on pseudonymized information, introducing a risk-based framework that accommodates AI training use cases.

Americas

Brazil's President signed a decree confirming the National Data Protection Agency's institutional autonomy and its powers to investigate infringements, issue fines, and define standards for age verification and parental controls applicable to digital services directed at children.

Canada's Office of the Privacy Commissioner found Loblaw Companies in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA) for untimely responses to deletion requests and retention of loyalty program data without demonstrating sufficient anonymization. Loblaw agreed to commission an independent third-party anonymization assessment.