Global Digital Policy Roundup: November 2024

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, this roundup summarizes the highlights of November 2024 in four core areas of digital policy.

• Content moderation, including Australia’s minimum age for social media, Canada’s order for TikTok to cease operations, and South Korea’s sexual deepfake crackdown.
• AI regulation, including the G20 leaders’ declaration, Chinese standards on AI, and deliberations on regulatory approaches in Brazil and Japan.
• Competition policy, including India’s fine against Meta, the United Kingdom’s digital competition regime, and enforcement action in Europe and South Korea.
• Data governance, including China’s guidelines and initiative on data transfers, Turkey's enforcement action against Twitch and X, and privacy reforms in Australia and Russia.

Content moderation

Europe

The European Commission continued implementing and enforcing the Digital Services Act (DSA). The Commission published an implementing regulation on transparency reporting and released a draft delegated regulation on researchers’ access to data for consultation. The Commission also issued information requests to TikTok regarding content moderation during Romanian elections. The Commission also opened a consultation on Internet Governance. Regarding enforcement, the Consumer Protection Network raised concerns regarding Apple's geo-blocking practices and launched an investigation into Temu's consumer protection violations.

Russia implemented a law prohibiting content that advocates against childbearing. The law covers various sectors, including mass media, cinema, and advertising, and contains penalties of up to RUB 5 million. A Russian court fined Mozilla (RUB 3.5 million), Apple (RUB 3.6 million), and TikTok (RUB 4 million) for failing to remove prohibited content.

The United Kingdom’s Technology Secretary set priorities for the Office of Communications under the Online Safety Act, emphasizing safety by design and transparency, and launched an inquiry into social media's effects on children. The Office of Communication issued an open letter on how the Online Safety Act applies to AI-generated content. The Parliament opened a consultation on social media algorithms’ and generative AI's role in spreading harmful content.

Asia and Australia

Australia’s Senate adopted a law setting a minimum age of 16 for social media users, demanding that platforms implement age verification with mechanisms that are yet to be defined. The Australian Communications and Media Authority fined Tabcorp AUD 262,000 for allowing illegal in-play betting, in violation of the Interactive Gambling Act of 2021.

The Cyberspace Administration of China issued guidelines requiring mobile devices and apps to implement a "minor mode." The mode aims to protect young users through usage limits and content controls. The Cyberspace Administration also launched the "clear and bright" special action to improve algorithm transparency across internet platforms until February.

Indonesia's Ministry of Communication and Digital Affairs announced that it removed over 374,000 pieces of gambling-related content and created channels to report harmful content.

South Korea's Personal Information Protection Committee published a joint response plan for agencies to cooperate on combating deepfake sex crimes. The Korean Communications Commission announced that Telegram complied with its requests to address illegal content, including deepfake sexual abuse. The Korean Fair Trade Commission blocked hazardous products on AliExpress and Temu, announced amended advertising guidelines for endorsements, and closed a consultation on the amendments to the guidance on surcharges under the Fair Labeling and Advertising Act.

Americas

Several Brazilian authorities pursued enforcement action on online content. The Ministry of Finance blocked over 1,800 illegal betting sites, while the Ministry of Justice requested information from 17 betting companies. The Consumer Protection Authority of São Paulo launched an investigation into the advertising of vapes (electronic smoking devices) on Facebook and Instagram.

Canada ordered TikTok to cease operations due to national security concerns, albeit without blocking the application. Canadians retain access to TikTok. The Canadian Radio-television and Telecommunications Commission launched consultations on modernizing the broadcasting framework and improving consumer notification for wireless and internet services, as well as on the Code of Conduct on fair bargaining under the Online News Act.

Artificial intelligence

International developments

The United Nations adopted a resolution addressing AI in military domains, focusing on accountability, trust, and preventing arms races. The G20 leaders’ declaration emphasized pro-innovation AI governance while upholding human rights, transparency, and accountability, particularly highlighting workplace and educational applications.

Europe

The European Commission closed its consultation on establishing a scientific panel to support AI regulation enforcement. The panel would consist of up to 60 independent experts who will serve two-year terms advising on AI matters and supporting Member States.

The United Kingdom’s Department for Science, Innovation, and Technology opened a consultation on its AI Management Essentials tool, focusing on SMEs' responsible AI practices. The Department further issued a report on the AI assurance market, where 524 firms currently generate GBP 1.01 billion in revenue, with projected growth to GBP 6.53 billion by 2035. The Information Commissioner's Office issued a report on AI in recruitment, addressing bias and transparency concerns. Finally, the United Kingdom signed a Memorandum of Understanding with Singapore on AI cooperation.

Asia and Australia

Two Chinese authorities held consultations on AI rules, focusing on standardization efforts. The National Information Security Standardisation Technical Committee (TC260) closed its consultation on mandatory standards for labeling AI-generated content. The Ministry of Industry and Information Technology closed its consultations on large language models and humanoid robots.

Japan's Fair Trade Commission closed the consultation on its discussion paper on generative AI and competition. The paper distinguishes the three layers of generative AI markets – infrastructure, models, and applications — and highlights competition concerns, including access restrictions and self-preferencing.

South Korea's Personal Information Protection Committee issued a draft AI Privacy Risk Assessment and Management Model. The model enables AI companies to conduct autonomous risk management.

The Turkish Data Protection Authority published a note on AI chatbots. The note provides guidance for respecting data protection rules when developing AI chatbots, emphasizing transparency, user control, and data security.

Americas

Brazil's National Data Protection Authority launched a consultation on AI regulation. Focusing on automated decision-making transparency and appeal rights under data protection law, the consultation outlines the rules in the data protection law and formulates 15 technical questions.

Canada announced plans to create an AI Safety Institute, with CAD 50 million of funding over five years. The Institute will focus on understanding and protecting against advanced AI risks, aiming to promote the safe development and deployment of AI.

Competition

Europe

The European Commission advanced several enforcement cases on digital competition. The Commission fined Meta EUR 797.72 million for tying Facebook Marketplace to its social network, Facebook. The Commission also initiated investigations into data center construction firms regarding potential no-poach agreements. Furthermore, the Commission launched probes into Booking's and Apple's (iPadOS) compliance with Digital Markets Act obligations. Finally, the Commission closed an investigation into Apple’s terms for competing ebook and audiobook app developers to use its App Store.

Italy's Competition Authority opened a consultation on updated guidelines for calculating competition law infringement fines. The update would cap fines at 10% of global turnover and integrate supplemental penalties for severe violations.

The United Kingdom’s Competition and Markets Authority (CMA) published its draft guidance on the digital markets competition regime under the Digital Markets, Competition and Consumers Act. The guidance covers the criteria for designating firms with strategic market status, as well as the CMA's investigatory powers and enforcement strategies, among others. The CMA also opened consultations on amendments to the Enterprise Act and the market regime therein. In terms of enforcement, the CMA closed its probe into the Google-Anthropic partnership, finding no material influence by Google, and updated its report assessing Google's privacy sandbox implementation. The CMA is reconsidering Google’s commitments following the firm’s decision to give users the choice of whether to allow third-party cookies rather than remove them. Finally, the CMA opened a consultation on its provisional findings in the inquiry on mobile browsers and cloud gaming competition.

Asia and Australia

China’s State Administration for Market Supervision and Administration signed a Memorandum of Understanding on cooperation with Italy. The agreement facilitates information exchange and capacity building on competition issues of mutual interest between the countries.

The Competition Commission of India fined Meta INR 213.14 crore due to WhatsApp's 2021 privacy policy update. The policy enabled data sharing with Meta’s other applications. The Commission, having won a Supreme Court case on whether it can initiate the investigation, argued that users were presented with unilateral “take it or leave it” terms, without transparency or consent. In addition to the fine, WhatsApp cannot share user data with Meta's other applications for advertising or other non-service-related purposes for a period of five years. The Commission also launched an investigation into Google's practices in the real money gaming sector.

Indonesia's Competition Commission closed its investigation into Shopee after the company agreed to behavioral commitments addressing discriminatory courier practices.

Japan's Fair Trade Commission closed its consultation on the threshold for new rules on smartphone software providers to apply. To implement the recently adopted Act on Promoting Competition Regarding Specific Software Used in Smartphones, the Commission proposed to set a threshold of 40 million average monthly users for obligations to apply.

South Korea’s Fair Trade Commission ordered AliExpress and Temu to revise 47 unfair terms that excluded platform liability and misused personal information.

Saudi Arabia’s Communications, Space and Technology Commission closed two consultations, on the regulatory framework in the telecommunications market and the regulations for the identification and classification of said market.

The Turkish Public Procurement Authority and Competition Authority adopted the protocol for AI-enabled competition analysis in public procurement. The protocol aims to ensure competitive tender processes by introducing AI-enabled tools and joint statistical modeling to detect anti-competitive behavior.

Americas

Brazil's Competition Authority launched an investigation into Apple, concerning its iOS operating system. The Authority alleges that Apple’s terms and conditions restrict competition in app distribution and in-app purchase systems. It issued a preventive measure, requiring Apple to allow developers and users to select alternative distribution channels and payment systems. Following a 20-day compliance deadline, a daily fine of BRL 250'000 will be imposed.

Canada's Competition Bureau opened a consultation regarding its updated merger guidelines, which clarify the new “structural presumption” for high market concentration, among others. The Bureau further announced that it would take legal action against Google over ad tech practices, seeking the divestment of two tools, a penalty, and prohibitions for Google to continue the alleged anti-competitive practices.

Data governance

International developments

The Global Privacy Assembly passed resolutions on data protection certification, data protection in neuroscience, and the Data Free Flow with Trust principles to facilitate cross-border transfers.

Europe

The European Commission’s implementing regulation for the NIS2 Directive on cybersecurity entered into force. The European Union Agency for Cybersecurity opened a consultation on its guidance on the NIS2 Directive. The Council of the European Union adopted a declaration on international law in cyberspace. The European Data Protection Board issued a report on the EU-US data privacy framework and closed a consultation on guidelines concerning legitimate interest as a lawful basis for data processing under the General Data Protection Regulation.

Member States of the European Union were also active. France's Data Protection Authority issued guidance on AI-powered cameras in freight vehicles and initiated a collaboration with Singapore on quantum-resistant cryptography. Germany's Federal Court overturned a ruling concerning damages for privacy violations by Facebook, finding that even short-term loss of control over personal data could constitute non-material damage. Germany’s Federal Council further proposed several amendments to the draft Data Governance Act. Italy’s SData Protection Authority fined Foodinho EUR 5 million for unlawfully processing riders’ data and highlighted privacy violations in an agreement between GEDI and OpenAI, specifically regarding the legal basis and transparency.

Several Russian laws regarding data governance advanced. A law requiring mobile phone service operators to verify the identity of foreign citizens through the unified identification and authentication system before providing services entered into force. A bill introducing stricter data breach notification requirements, with penalties of up to RUB 500 million, was adopted.

Asia and Australia

Australia’s Parliament passed a privacy reform, expanding enforcement powers and children's privacy protection. The Privacy Commissioner ruled that Bunnings’ use of facial recognition technology violated the Australian Privacy Act. The Commissioner also issued guidance on facial recognition and tracking pixels.

China advanced several policies on data governance, focusing on data transfers and the establishment of a national data infrastructure. The Cyberspace Administration of China issued guidelines on compliance with rules on cross-border transfers under the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. It also launched the Global Cooperation Initiative on cross-border data flows. The National Data Administration issued guidelines for the construction of national data infrastructure and opened a consultation thereon. In addition, different agencies issued guidelines on important data in telecommunications, emergency response plans for data security incidents, and adopted standards for “digital human technology.”

South Korea‘s Personal Information Protection Commission announced that it considers EU privacy protections to be equivalent to those provided under South Korean Law. The Commission further adopted a public-private partnership self-regulatory code concerning the online platform recruitment sector.

The Turkish Data Protection Authority fined Twitch TL 2 million regarding a data breach and X TL 1.47 million for using email addresses and phone numbers collected for security purposes for advertising purposes.

Americas

Brazil's National Data Protection Authority initiated proceedings against TikTok regarding children's data handling. The Authority further signed a Memorandum of Understanding with Canada on cooperation and mutual assistance in the oversight of data protection rules.

Canadian Data Protection Authorities at the federal and provincial level adopted a joint resolution to combat the use of deceptive design patterns that infringe on privacy rights. Facebook appealed a Federal Court ruling alleging that it failed to obtain meaningful consent prior to data disclosure and to safeguard user data appropriately.