Global Digital Policy Roundup: May 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of May 2025 in four core areas of digital policy.

• Content moderation, including the European Commission's DSA enforcement against adult content platforms, Australia's industry codes against age-inappropriate content, China's national network identity authentication measures, and Turkey's bill to repeal the internet regulation law.
• AI regulation, including the European Commission's AI Act implementation guidelines, Germany's court ruling on Meta's AI training practices, and China's deep synthesis algorithm registrations.
• Competition policy, including the European Commission's consultation on Microsoft Teams bundling, South Korea's enforcement actions against Meta and intermediary platform operators, China's private economy promotion law, and Brazil's digital markets regulation bill.
• Data governance, including the EU's proposed GDPR amendments, Ireland's EUR 530 million fine against TikTok, and Australia's ransomware reporting requirements.

Content moderation

Europe

The European Parliament’s Civil Liberties Committee adopted its draft position on the Directive to combat child sexual abuse material (CSA), including amendments to criminalize AI systems primarily designed or adapted for CSA offenses. The full Parliament is expected to vote on the draft in June, after which negotiations with the Council can begin.

Additional, the European Commission continued the implementation of the Digital Service Act (DSA). The Commission opened a consultation on draft guidelines for protecting minors online, outlining measures that platforms can adopt to meet their obligations under the DSA. The measures include implementing age assurance measures, setting children’s profiles to private by default, and adapting recommender systems to rely more on user feedback, preventing children from entering harmful content loops. To support these efforts, the European Commission is developing a temporary age verification app to help online platforms confirm users are over 18, ahead of the EU Digital Identity Wallet’s launch in late 2026. The Commission also noted that it is preparing a Digital Fairness Act to address online risks for minors not fully covered by the DSA.

Regarding enforcement, the Commission opened formal proceedings under the DSA against the adult content platforms Pornhub, Stripchat, XNXX, and XVideos over alleged non-compliance with the obligation to implement effective age verification measures. Following this announcement, the European Board for Digital Services adopted a coordinated action on age verification on pornographic platforms. Additionally, the Commission issued preliminary findings that TikTok violated the DSA's obligation to provide a searchable and reliable repository for advertisements. Finally, the Consumer Protection Cooperation Network and European Commission notified Shein of alleged EU consumer law infringements, requiring the platform to address practices including discount representations, sales tactics, consumer information disclosures, product labeling, and sustainability claims. Shein must also provide information regarding its product rankings, reviews, and ratings systems.

The Italian Communications Regulatory Authority (AGCOM) opened a consultation on the revised guidelines concerning the prominence of audio-visual and radio media services of general interest on user interfaces. The guidelines include local content requirements for streaming service providers and platforms. The AGCOM also issued multiple enforcement decisions related to copyright protection, ordering the blocking of Casacinema, GuardaFlix, and TubeRipper, among others.

Russia established a process for notifying website owners when their sites are deemed copies of blocked websites. The media regulator is now required to send electronic notifications in both Russian and English within 24 hours of receiving relevant reports from authorities or copyright holders. The process follows an October 2024 law that accelerated the blocking of mirror sites by shifting enforcement powers to the media regulator and requires search engines to delist such sites. Additionally, a Russian court fined Apple RUB 7.5 million based on three cases for allegedly promoting “non-traditional sexual relations,” and an additional RUB 3 million for not removing related content. Since 2022, online platforms in Russia have been banned from displaying what the government labels as “propaganda” of “non-traditional sexual relations.”

The United Kingdom’s Office of Communications (Ofcom) closed its consultation on draft guidance aimed at improving online safety for women and girls on user-to-user services under the Online Safety Act (OSA). The proposed guidance outlines measures to protect vulnerable users from harmful content. Ofcom also published an enforcement update on pornographic content providers’ compliance with age verification requirements and launched separate investigations into Itai Tech and Score Internet Group for allegedly failing to implement effective age assurance measures. In a separate case, Ofcom opened investigations into Kick Online Entertainment for allegedly failing to assess the risks of illegal content and to respond to a statutory information request. The investigation also covers the company’s pornography site, Motherless, following complaints about potentially illegal material, including child sexual abuse content and extreme pornography.

Asia and Australia

The Australian eSafety Commissioner announced that the online industry submitted the final draft codes aimed at protecting children from age-inappropriate content under the Online Safety Act. These include codes for social media services, hosting services, designated internet services, relevant electronic services, internet services, search engine services, and app distribution services. The eSafety Commissioner will assess the draft codes and, if they do not provide adequate protections, may set mandatory standards. If approved, the codes will be binding, with penalties of up to AUD 49.5 million for non-compliance.

The Cyberspace Administration of China (CAC) adopted measures on national network identity authentication for public services. The measures encourage online platforms to integrate with public services to facilitate online identity verification. The Ministry of Industry and Information Technology (MIIT) opened a consultation on technical safety requirements for children's smartwatches, which prohibit pre-installed generative AI voice assistants and restrict access to high-risk apps. The MIIT also closed the consultations on industry standards for both thecommunications andelectronics industries, establishing design requirements and testing standards for software providers and infrastructure services. Regarding enforcement, the CAC reported the removal of 2,210 platformaccounts for alleged online rumors related to public policies and emergencies, and required the blocking of multiple accounts for spreading false financial information and promoting illegal activities.

The Japanese Ministry of Internal Affairs and Communications designated Pinterest, CyberAgent, Shonan Seibu Home, and Dwango as "large specified telecommunications service providers" under the Information Distribution Platform Regulation Act. The designated providers are required to implement procedures to remove unlawful or harmful content and ensure transparency in how they manage online information. The law obliges these providers to set up systems for handling takedown requests and to publicly disclose their content moderation standards. It also introduces procedural rights for users whose content is removed.

The South Korea Fair Trade Commission (FTC) announced the correction of 1,112 unfair terms found in copyright contracts used by 23 content producers, publishers, and serialization platforms in the webtoon and web novel sectors. Further, the FTC and the Consumer Agency announced a memorandum of cooperation on monitoring unfair labeling and advertising practices to enhance oversight of online advertising providers and e-commerce platforms.

Turkey introduced a bill to repeal the law on internet regulation, arguing that it enables administrative interventions, such as content removal and access blocking, without judicial authorization, thereby undermining freedom of expression and contradicting European Court of Human Rights case law.

Americas

The Brazilian Federal Senate passed a bill to prohibit communication, advertising, and promotional activities related to betting services. Also, the Ministry of Justice and Public Security announced a legal framework for the protection of users of digital services. The framework aims to address online harms such as fraud and would require platforms to implement risk mitigation measures.

Argentina introduced a bill criminalizing the creation of nude images using AI or other technologies without consent. The bill also requires platforms to identify, block, and remove such manipulated images.

Canada

The Office of the Privacy Commissioner of Canada opened a public consultation on the Children's Privacy Code. It covers measures regarding age verification requirements and design requirements for services handling children's data under the Personal Information Protection and Electronic Documents Act.

Artificial Intelligence

Europe

The European Commission published guidelines on the application of AI literacy requirements and the enforcement timeline under the AI Act, setting organizational standards for machine learning and AI developers. It also concluded its consultation on general-purpose AI models, finalizing definitions and obligations for providers, particularly regarding model classification and market entry.

Meanwhile, the European Parliament’s Committee on Internal Market and Consumer Protection recommended rejecting the Directive on adapting civil liability rules to AI. Previously, the Commission indicated plans to withdraw the directive in its 2025 work program, but has not done so formally yet. The European Insurance and Occupational Pensions Authority opened a consultation on the use of generative AI by European insurers, exploring how AI technologies are integrated and how governance frameworks for AI applications in financial services should be shaped.

In Germany, the Cologne Higher Regional Court ruled that Meta’s use of public user data for AI training complies with the General Data Protection Regulation (GDPR) and Digital Markets Act (DMA) requirements. Previously, the Irish Data Protection Commission paused Meta’s use of public content for AI training in June 2024 amid regulatory concerns and sought guidance from the European Data Protection Board. Following EDPB criteria issued in December 2024, Meta updated its practices, and the Court found them sufficient. The DPC will continue monitoring compliance and require Meta to submit an evaluation report by October 2025.

The United Kingdom’s National Cyber Security Centre, alongside security agencies from the United States, Australia, and New Zealand, issued guidance on AI data security. The guidance outlines risks, such as data supply chain vulnerabilities, and prescribes mitigations, including digital signatures and provenance tracking, to ensure AI system integrity and protect sensitive data, particularly for defense and national security stakeholders.

Asia and Australia

The Cyberspace Administration of China published the eleventh batch of record information for deep synthesis service algorithms, which mandates providers with public opinion or social mobilization functions to complete filing, update, and cancellation procedures. The latest update includes 211 newly registered algorithms. The Ministry of Industry and Information Technology opened a consultation on communication standards covering AI evaluation and network infrastructure. Additionally, the Ministry of Commerce imposed trade restrictions impacting several US AI and technology companies, including export control on 12 US companies for dual-use restrictions and the inclusion of 6 companies, including Shield AI and Sierra Nevada Corporation, to the unreliable entity list.

Japan adopted a bill on the promotion of research and development and the application of AI-related technologies. The bill establishes a governance framework for AI advancement, including provisions for research funding, ethical guidelines, and institutional oversight of AI applications. Additionally, the Digital Agency closed its consultation on draft guidelines for the procurement and utilization of generative AI in public administration.

South Korea’s Personal Information Protection Commission issued preliminary findings an recommendations on data protection for AI digital textbooks. It recommended improving privacy policies, consent procedures, and data management, alongside stronger regulatory oversight and clearer guidelines to better protect student data.

Saudi Arabia’s Communications, Space, and Technology Commission closed its consultation on the draft Global AI Hub Law. The law aims to establish regulatory frameworks for various digital services, including AI development, cloud computing, and platform intermediaries operating in the country. It establishes obligations for foreign entities and measures on international collaboration.

Brazil implemented an order establishing a working group to operationalize the AI plan, create governance structures for coordinating national AI development initiatives, and establish design and testing standards for machine learning applications. Additionally, the Federal Public Prosecutor's office issued a formal recommendation to OpenAI to include special notices concerning personal data processing practices, in line with the General Law on the Protection of Personal Data.

Competition

Europe

The European Commission published a Single Market Strategy that includes user identification requirements, interoperability standards, and design obligations for cross-sector digital services. The Commission also opened a consultation on the review of EU merger guidelines, which aim to modernize the framework for assessing the impacts of mergers, particularly in digital markets characterized by network effects, data concentration, and platform dynamics.

Concerning enforcement, the Commission opened a consultation on commitments offered by Microsoft to address competition concerns related to the bundling of Teams with Office products. The Commission will assess whether the proposed behavioral remedies would sufficiently address the exclusionary impact on competing communication and collaboration tools. The European Court of Justice issued a decision clarifying that online intermediaries that do not directly offer the goods or services being compared are not considered “comparative advertisers” under the Misleading and Comparative Advertising Directive. As a result, these platforms are not subject to the Directives’ obligation even if they enable consumers to contract with actual providers.

The United Kingdom Competition and Markets Authority closed its consultation on the review of its approach to merger remedies, updating the framework used to evaluate and implement competition remedies in merger control proceedings. The review aligns with the CMA’s recently published Mergers Charter, which sets out engagement principles under the Digital Markets, Competition and Consumers Act.

Asia

China implemented the law on promoting the private economy, establishing transparency measures, and equal treatment requirements in public procurement processes. The State Administration for Market Regulation opened a consultation on draft guidelines regulating platform charging practices, which aim to protect merchants and prohibit unreasonable fees in the online trading sector. SAMR, together with other government departments, engaged with food delivery platform companies to address compliance with competition and consumer protection laws and clarify obligations under China’s platform governance framework.

The Indonesian Competition Commission announced that it will investigate the proposed Grab-GoTo merger. The Commission will examine the potential competitive impacts of consolidation between the software provider and the ride-sharing and delivery platform.

The Japan Fair Trade Commission (FTC) and the Ministry of Economy, Trade and Industry (METI) opened consultations on draft implementation orders and guidelines for the Act on Promotion of Competition Related to Specified Software Used on Smartphones. The Act establishes conduct rules for app stores, browser providers, and other designated software operators, including prohibitions on self-preferencing, discriminatory treatment, and restrictive pre-installation practices. Finally, the FTC also issued a report on improving transactional fairness in the gaming and animation sectors.

The South Korea Fair Trade Commission (FTC) advanced several investigations. The FTC fined Meta KRW 6 million and issued corrective orders for violating the Act on Consumer Protection in Electronic Commerce, citing failures to meet consumer protection obligations on Facebook and Instagram. The FTC also initiated a consent decision procedure following Google's application concerning alleged violations of the Monopoly Regulation and Fair Trade Act in the online music and streaming markets. The proposal includes launching a standalone YouTube Premium Lite plan, excluding YouTube Music, and establishing a KRW 30 billion fund to support consumer welfare and the domestic music industry.

The FTC issued corrective orders against BikeBank and Logiol for restrictive trade practices in the food delivery market, and finedKM Solution KRW 3.882 billion for anti-competitive conduct related to contract terms in KakaoTaxi's operations. The FTC created a Task Force to centralize and expedite investigations in the platform intermediary sector. The FTC also issued rulings against e-commerce platforms TMON and WeMakePrice for failing to refund customers within legal timeframes for cancelled orders, with TMON withholding approximately KRW 67.5 billion and WeMakePrice KRW 2.3 billion. Finally, the FTC closed its consultation on a provisional consent decision against Broadcom addressing exclusive dealing practices in the set-top box semiconductor market. The decision includes a KRW 13 billion fund to support Korea’s chip ecosystem and mandates annual compliance reporting through 2031.

The Turkish Competition Authority initiated an investigation into Apple and several resellers over suspected resale price maintenance and coordination in the buyback market for Apple products. Separately, the Authority approved Uber’s acquisition of an 85% stake in Trendyol Go, a local food delivery platform, concluding that the transaction would not harm competition.

Americas

Brazil's Ministry of Justice and Public Security announced abill on the economic regulation of digital markets, establishing ex ante rules for systemically relevant platforms, including user-generated content services and e-commerce intermediaries. The bill would empower authorities to designate platforms with significant market influence and apply tailored competition obligations. Additionally, the Administrative Council for Economic Defence rejected Apple's voluntary appeal and upheld a preventive order targeting alleged anti-competitive conduct in iOS app distribution, including restrictions on alternative payment systems and the imposition of in-app commissions.

Data governance

Europe

The European Commission proposed amendments to the General Data Protection Regulation (GDPR) as part of the Simplification Omnibus Bill IV. It would establish that record-keeping obligations apply only to high-risk processing and extend existing exemptions to organizations with fewer than 750 employees, including small mid-cap enterprises (SMCs). The European Data Protection Board and European Data Protection Supervisor issued a joint letter on this proposal, supporting burden reduction for small mid-cap companies while calling for further analysis of its impact on accountability. Additionally, as part of the Omnibus Bill IV, the Commission proposed amendments to the Critical Entities Resilience Directive.

In parallel, the Commission opened consultations on two initiatives. The first concerns the impact assessment on data retention obligations for service providers in criminal proceedings. The second addresses the Data Union Strategy to streamline EU data sharing rules, reduce administrative burdens, and support voluntary data collaboration, particularly for SMEs and AI development.

Regarding enforcement, the Irish Data Protection Commission fined TikTok EUR 530 million and ordered the suspension of data transfers to China for violating GDPR data transfer rules. The DPC found that TikTok failed to assess risks posed by Chinese surveillance laws and did not implement effective supplementary measures, rendering its use of Standard Contractual Clauses insufficient. The decision also cited a lack of transparency in TikTok’s privacy policies between 2020 and 2022.

At the international level, the European Union (EU) and Singapore signed a Digital Trade Agreement, which includes provisions on cross-border data transfer regulation,cybersecurity principles, and prohibition ofcustoms duties on electronic transmissions. Additionally, the EU and Japan issued a Digital Partnership Council Joint Statement, which includes provisions on cross-border data transfer andcybersecurity.

The French National Commission on Informatics and Liberty (CNIL) closed its consultation on a draft recommendation addressing GDPR compliance for location data from connected vehicles. The CNIL fined Solocal EUR 100,000 for placing marketing cookies without valid user consent and using improperly configured consent banners across local business websites.

The Italian Data Protection Authority (DPA) opened a consultation on its inquiry into the compatibility of “Pay or OK” models with data protection rules. The DPA will examine whether offering access to digital content in exchange for consent to extensive profiling, rather than payment, constitutes freely given and informed consent under the GDPR.

Russia implemented a law expanding penalties for data protection violations, allowing fines to be calculated based on the entity’s capital. The Ministry of Digital Development implemented an order authorizing officials to request information from financial institutions and digital asset operators as part of anti-corruption inspections. Further, the Centre for Monitoring and Management of the Public Communication Network (CMM PTN) blocked over 2,500 phishing sites and 22 domains distributing malware.

The United Kingdom Department for Science, Innovation and Technology (DSIT) published the Software Security Code of Practice. The Code covers secure design, development, deployment, and customer communication. The DSIT also closed its inquiry into the role of data brokers in national security risks, examining how data trading practices could be exploited by hostile actors. The Information Commissioner's Office opened a consultation on updated guidance concerning encryption under the UK GDPR. The draft covers multiple encryption types, emphasizing that failure to apply suitable measures may trigger enforcement. Finally, the United Kingdom concluded negotiations with India on a Free Trade Agreement that includes provisions for cross-border data transfer regulation and data localization requirements.

Asia and Australia

Australia implemented ransomware reporting requirements under the Cyber Security Act. Critical infrastructure providers and organizations with an annual turnover above AUD 3 million must report ransomware or cyber extortion payments to the Signals Directorate within 72 hours. Additionally, the Office of the Australian Information Commissioner (OAIC) opened a consultation on the Children's Online Privacy Code under the Privacy and Other Legislation Amendment Act. The Code will establish data protection rules for digital services targeting children, with a draft expected in early 2026 and implementation by the end of the year. The OAIC also adopted guidance on disclosing genetic data.

The Cyberspace Administration of China’s measures for the administration of compliance audits on personal information protection entered into force, establishing operating conditions, cross-border data transfer regulations, and independent oversight mechanisms for major platforms, among others. The National Information Security Standardiation Technical Committee (TC260) adopted guidelines outlining service capability requirements for personal information protection compliance auditors. The TC260 also closed consultations on cybersecurity standards, including incident management guidelines, audit and certification requirements, incident management principles, and personal information protection compliance.

The People's Bank of China adopted measures for the administration of data security for entities processing personal data within its business domain, covering cybersecurity, cross-border data transfers, and data localization requirements. Entities must classify data by sensitivity, apply appropriate safeguards, assess cross-border transfers, and store domestic data within China as required.

The Indonesian Ministry of Communications and Digital continued its review of Worldcoin's biometric data storage practices following the suspension of its local operations. Authorities are assessing risks associated with the storage of over 500,000 retinal scans and may require data deletion depending on the outcome of a technical and privacy compliance review.

The Personal Information Protection Commission in Japan issued administrative measures against Business Planning for unlawful data transfers. The company was ordered to strengthen internal compliance, verify data recipients, and submit regular reports, reinforcing enforcement of data protection rules under Japan’s anti-fraud strategy.

South Korea’s Personal Information Protection Commission (PIPC) opened a consultation on amendments to the Enforcement Decree of the Personal Information Protection Act. The amendments clarify requirements for designating domestic agents for overseas businesses and detail the supervision obligations. Regarding enforcement, the PIPC fined Temu KRW 1.369 billion for cross-border data transfer violations of the Personal Information Protection Act. The PIPC approved Meta's celebrity impersonation blocking service, following a review of privacy controls and technical safeguards. Additionally, the National Geographic Information Institute extended its review of Google's request to export high-precision map data, citing national security concerns tied to cross-border geospatial data transfers.

The Saudi Data and AI Authority closed two consultations on proposed amendments to the Implementing Regulation of Personal Data Protection Law. Data protection amendments would introduce data controller obligations and complaint handling procedures. The proposals would also establish business registration obligations for controllers processing sensitive data.

Americas

Argentina’s Senate received the Personal Data Protection Bill, introducing rules on cross-border data transfers, oversight by an independent data protection authority, data protection regulations, cybersecurity frameworks, and conditions for government access to data. This comprehensive legislation would modernize data governance frameworks for Argentina's digital economy.