Global Digital Policy Roundup: October 2024

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights from October 2024 in four core areas of digital policy.

• Content moderation, including proposed age verification standards in France and Italy, Turkey's legislative proposal on online children's safety, and Indonesia's ban on Temu.
• AI regulation, including the G7 authorities' statements on data protection and competition concerns regarding AI, Australia's privacy guidelines for AI developers and users, and the European Union’s new directive on product liability.
• Competition policy, including Japan's implementation of the law on promoting competition in smartphone software, European cases against Meta, Apple, and Google, and South Korea's investigation into Kakao Mobility.
• Data governance, including Indonesia’s new personal data protection law, several new Chinese cybersecurity rules, and the United Kingdom’s bill on customer and business data access.

Content moderation

International developments

Data Protection Authorities from Canada, the Philippines, Gibraltar, Mexico, the United Kingdom, and Argentina issued a joint statement advocating a common international approach to age assurance. The statement aims to establish global standards for age verification in digital environments to better protect children and adolescents. It outlines shared principles to guide online commercial and industrial sectors in verifying user age.

Europe

The Council of the European Union adopted a declaration calling on Member States to implement national strategies against antisemitism online, including appointing special envoys. The Council’s declaration notes the responsibility of platforms to remove illegal hate speech and terrorist content in line with national legal requirements and the EU Code of Conduct on countering illegal hate speech.

The European Commission and Member States continued implementing the Digital Services Act (DSA). The Commission launched a consultation on a draft delegated regulation for data access under the DSA, establishing technical standards for very large online platforms and very large online search engines to share data with vetted researchers and Digital Services Coordinators to support investigations into systemic digital risks. The final regulation is expected in early 2025.

Concerning enforcement, the Commission initiated a formal investigation into Temu’s compliance with the DSA. The investigation focuses on potential violations in four areas: the sale of non-compliant products, addictive platform design, transparency in recommendation systems, and data access for researchers. Additionally, the Commission requested information from YouTube, Snapchat, and TikTok regarding their DSA compliance. YouTube and Snapchat must provide information on their algorithm parameters to assess impacts on elections, civic discourse, and mental health. TikTok must describe steps to address election manipulation, media pluralism risks, and threats to civic discourse.

At the member-state level, Ireland’s Media Commission adopted the Online Safety Code, requiring video-sharing platforms to protect users from harmful content, including cyberbullying and self-harm. Further, platforms must provide media literacy tools, facilitate content labeling, and implement age verification mechanisms to safeguard minors.

The French Regulatory Authority for Audiovisual and Digital Communication (ARCOM) adopted technical standards for age verification systems for platforms displaying pornographic content, which will be implemented in January 2025. The standards implement the bill securing and regulating the digital space.

The lower chamber of Germany’s federal parliament (Bundestag) passed a motion advocating for the abolition of the DSA. The motion criticizes social networks for suppressing legal user posts under internal policies against hate speech and health misinformation. It calls on the federal government to stop funding organizations that influence post deletions and refrain from appointing “trusted flaggers” under DSA.

The Italian Communications Authority adopted guidelines on the prominence of audio-visual and radio media services of “general interest.” The guidelines define criteria for general interest services and require their visibility on various platforms and devices, including smartphones and tablets. Additionally, the Communications Authority issued a draft regulation requiring online service providers to implement age verification mechanisms to protect minors from harmful content, particularly pornography.

Russia implemented the bill expediting the blocking of mirror sites that copy pirate sites. The bill transfers blocking powers to Russia’s media regulator and requires all search engine operators to remove mirror sites. Additionally, Discord was fined RUB 3.5 million (approx. USD 37,750) for failing to comply with the law on self-regulation of social networks, which requires platforms to independently identify and block illegal content.

The United Kingdom introduced a bill to safeguard children from excessive screen time and social media. The bill seeks to raise the age of internet adulthood from 13 to 16, establish smartphone-free schools, and empower the Office of Communications (Ofcom) to address addictive applications. Ofcom also closed a consultation on its guidance on information-gathering powers under the Online Safety Act. Finally, Ofcom announced that Google Search, LEGO Group, Pinterest, and Roblox voluntarily adopted its media literacy principles.

Asia and Australia

The Australian eSafety Commissioner welcomed Apple's new in-app reporting feature to improve online safety for children. Previously, the Administrative Appeals Tribunal concluded a case brought by X concerning a removal notice issued by the eSafety Commissioner under the Online Safety Act. The notice required X to remove content that depicted a terrorist attack on a religious leader. Additionally, the Federal Court ruled that X must comply with a transparency notice related to child sexual exploitation material, rejecting X’s objections and ordering it to bear the Commissioner's costs.

The Cyberspace Administration of China (CAC) launched two initiatives to address harmful content online. The first initiative aims to standardize online language by addressing distorted expressions, such as slang and incivility. The second focuses on regulating online news services to eliminate illegal practices and promote high-quality content. In addition, the CAC reported the actions taken in its initiative to improve the internet environment for minors. The CAC removed over 4.3 million pieces of illegal and harmful content related to minors and blocked over 130,000 accounts and 2,000 websites. In a different initiative, the CAC blocked 8,583 accounts associated with the dissemination of false information about public policies.

The Telecom Regulatory Authority of India implemented a directive that mandates access providers to block URLs that are not whitelisted, android package kits, or over-the-top links in messages, effective on 1 October 2024. Registered senders must upload their approved links.

The Indonesian Minister of Communications and Informatics of Indonesia (MIC) blocked access to the e-commerce platform Temu. The MIC specified that Temu failed to register as an electronic system operator and that its direct-from-factory sales model is hurting local small and medium-sized businesses. The MIC described the competition as "unhealthy" and emphasized the need to safeguard domestic enterprises.

Saudi Arabia implemented a regulation mandating digital content platforms, including social media, video-sharing, and e-sports services, to adhere to new licensing, registration, and notification obligations. Internet protocol television providers must obtain a 10-year license. Social media, video-sharing, and e-sports platforms with over 100,000 users must register with the Communications and Space Technology Commission. Over-the-top platforms with over 35,000 subscribers and on-demand radio services with over 50,000 users must also register.

The South Korean Fair Trade Commission fined Booking KRW 1.95 billion (approx. USD 1.41 million) for misleading advertisements related to taxi services it offers. Booking must cease misleading advertisements and comply with fair advertising standards.

Turkey introduced a bill to improve children's online safety. The bill requires platforms to restrict access for users under 13 and set default privacy settings for children’s accounts to the highest level. Furthermore, the Turkish Constitutional Court’s ruling annulling blocking powers for the Information and Communication Technologies Authority came into effect. Finally, Discord was blocked due to concerns over potential child sexual abuse and obscene content.

Americas

Brazil's Supreme Court reinstated X’s operations following its compliance with laws, including blocking disinformation profiles and appointing a local representative. In a separate development, the Ministry of Finance blocked over 2,000 unauthorized betting sites, permitting only 96 regulated operators until the end of 2024.

Canada’s Radio-television and Telecommunications Commission (CRTC) opened a consultation on the code of conduct for bargaining between digital news intermediaries and eligible news businesses under the Online News Act. Furthermore, the CRTC approved Google's exemption request under the Online News Act. Google agreed to distribute CAD 100 million (approx. USD 72.8 million) to Canadian news organizations annually to be exempt from bargaining.

Artificial Intelligence

International developments

The G7 Data Protection Authorities issued statements emphasizing the need for age-appropriate safeguards in artificial intelligence (AI) systems to protect children's rights, alongside promoting digital literacy and international cooperation. The statements called for the integration of data protection principles in AI governance to address risks such as bias and discrimination, urging international collaboration.

The G7 Competition Authorities issued a statement addressing competition concerns related to the development of generative AI, noting the risks of market power concentration. The statement outlined guiding principles for ensuring fair competition, equitable access, consumer choice, interoperability, and innovation while committing to mitigate competition risks in AI markets. Finally, the G7 Finance Ministers established an expert panel to assess AI's impact on economic and financial services.

Europe

The European Commission opened a consultation on a draft regulation to establish a scientific panel of independent experts on AI. The panel will issue alerts and support Member States in enforcing AI regulation, with assistance from the AI Office and the European Commission's Joint Research Centre.

The Council of the European Union adopted a directive addressing the liability for defective products, including digital products such as AI systems. The directive establishes a process for individuals to seek compensation for damages and requires Member States to incorporate these rules into their national legislation within two years.

Australia and Asia

Australia’s Information Commissioner released guidelines on privacy for AI developers and users. Developers are encouraged to use high-quality datasets, perform thorough testing, and effectively manage biases and accuracy risks. Users are required to meet privacy obligations, conduct due diligence, and ensure transparency in their communication. Furthermore, the Department of Industry, Science and Resources completed its consultation on a proposal to establish mandatory obligations for high-risk AI systems. Finally, the Securities and Investments Commission issued recommendations for financial services to update their governance frameworks in light of the integration of AI tools.

China’s Ministry of Industry and Information Technology opened a consultation on standards for AI applications, covering areas such as large language models, cross-domain integration, and ethical guidelines to ensure responsible deployment across various sectors.

The Japan Fair Trade Commission opened a public consultation on generative AI, addressing its three-tier market structure: infrastructure, models, and applications. The consultation paper addresses competition concerns, including the reliance on cloud service providers, the debates surrounding open-source versus closed-source methodologies, and industry partnerships.

Saudi Arabia’s Data and AI Authority closed the consultation on its deepfake guidelines. The guidelines aim to mitigate the risks associated with malicious deepfakes, such as scams and disinformation. The guidelines address developers, regulators, and consumers, covering issues including privacy, transparency, and accountability.

South Korea’s Ministry of Science and ICT adopted an exemption from the Personal Information Protection Act for certain technologies, including a real-time AI fraud detection service that combats voice phishing through language models and speaker recognition. Additionally, the Personal Information Protection Commission released guidelines for mobile video information processing devices, detailing responsibilities in AI development for autonomous driving.

Americas

Argentina's Agency of Access to Public Information concluded its consultation on the guide on transparency and personal data protection concerning AI development and use. The guide addresses transparency and privacy risks and outlines how principles such as lawfulness, consent, and transparency can be integrated into AI systems.

Competition

Europe

The EU and the United Kingdom (UK) finalized technical negotiations on a competition cooperation agreement. The agreement facilitates collaboration between the European Commission, national competition authorities of EU Member States, and the UK Competition and Markets Authority.

The European Commission initiated an investigation into NVIDIA’s proposed acquisition of Run Labs following a referral from Italy, raising concerns about competition regarding AI computing resources. Additionally, the Commission decided not to designate X as a gatekeeper regarding its online advertising service, X Ads, under the Digital Markets Act (DMA). Finally, the Commission concluded a consultation on guidelines regarding exclusionary abuses of dominance.

The German Competition Authority closed its investigation into Meta’s combination of user data across its services and third-party sources. This occurred after Meta introduced new consent processes and tools, such as the accounts center and business tools, enabling users in Germany to manage the linkage of their data across Meta's services and third-party sources.

The Italian Competition Authority extended its investigation into Apple’s alleged abuse of market dominance in the app market until October 2025. Initiated in May 2023, the investigation examines Apple's privacy policies for third-party apps, the design of its consent prompts, and the data provided to developers and advertisers.

The United Kingdom’s Competition and Markets Authority launched an investigation into the partnership between Alphabet (Google) and Anthropic. It aims to assess whether this partnership could lead to significant merger situations that might affect competition in the UK. A preliminary decision is expected by December 2024.

Asia and Australia

The Japan Fair Trade Commission opened a consultation on criteria for the scope of the law on promoting competition in smartphone software. The draft specifies that operators of operating systems, app stores, browsers, and search engines with over 40 million average monthly users will be subject to the law. The law’s obligations cover data use, the fair treatment of app providers, and interoperability. Additionally, the law requires operators to facilitate data transfer, allow changes to default settings, and obtain user consent for incorporating additional software.

South Korea’s Federal Trade Commission proposed amendments to the Fair Transactions in Large-scale Retail Business Act to ensure fairness and transparency in the online intermediary market. The amendments categorize large online platforms based on revenue and transaction volume, mandating that they settle payments to vendors within 20 days and maintain sales revenue in separate accounts. Furthermore, the Commission proposed a fine of KRW 72.4 billion (approx. USD 52.47 million) against Kakao Mobility for abusing its market dominance in the ride-hailing sector. The FTC alleges that Kakao pressured rival taxi platforms to share confidential data in exchange for access to its service, a practice the FTC argues increased Kakao's market share to the detriment of competition.

Americas

The Brazilian Ministry of Finance released recommendations for a new regulatory framework following an inquiry into the economic and competitive aspects of digital platforms. The Ministry recommends introducing specific obligations for large platforms, updating existing rules for all digital market entities, and implementing procedural and transparency requirements for platforms deemed to be “systemically relevant.”

Data governance

International developments

A coalition of global data protection authorities issued a statement on data scraping. The statement builds on a statement from August 2023 and calls on social media platforms to implement safeguards against data scraping, particularly in view of the development of large AI language models. Additionally, G7 Data Protection Authorities adopted an action plan to enhance global enforcement cooperation.

Europe

The European Union’s Member States were required to transpose the Network and Information Security Directive (NIS2) and Directive on the Resilience of Critical Entities into their national laws by 17 October 2024. Concerning the Directive on the Resilience of Critical Entities, Member States were required to identify and notify "critical entities" that must conduct risk assessments and implement specified security measures. NIS2 applies cybersecurity obligations such as mandatory incident reporting within 24 hours across various sectors. The obligations, specified in an implementing regulation, vary for entities classified as "essential" or "important."

The Council of the European Union adopted the Cyber Resilience Act, which establishes security requirements for products with digital components, such as smart appliances and toys. The Act outlines requirements that products have to meet before they enter the market and will become effective in 3 years. The Council also adopted the platform work directive, which governs how digital platforms can process worker data. It prohibits the processing of data on workers' emotional or psychological state.

The European Data Protection Board (EDPB) released guidelines on the application of the ePrivacy Directive to emerging tracking technologies. In addition, the EDPB opened a consultation on guidelines concerning the use of legitimate interests as a lawful basis for processing personal data under the General Data Protection Regulation (GDPR). In terms of enforcement, the EDPB launched its fourth coordinated enforcement action, focusing on the implementation of the right to erasure, also known as the right to be forgotten. Furthermore, the Irish Data Protection Commission fined LinkedIn EUR 310 million (approx. USD 338.81 million) regarding insufficient legality, fairness, and transparency of its data processing activities.

The United Kingdom introduced a bill to regulate the access, sharing, and protection of customer and business data across sectors. It empowers the Secretary of State and the Treasury to establish regulations for handling customer data and allows individuals to request their information. In addition, the Information Commissioner's Office (ICO) published a data protection audit framework to help organizations assess their compliance with data protection standards. The ICO also issued a report with recommendations for platforms to improve their data protection measures for children. Furthermore, the ICO issued information notices to Fruitlab, Frog, and Imgur, requiring them to disclose details about their privacy practices regarding geolocation, privacy settings, and age assurance.

Asia and Australia

Australia introduced a cybersecurity bill that establishes obligations for entities handling smart devices. The bill includes security requirements and mandates a 72-hour reporting obligation for ransomware payments. It also creates a Cyber Incident Review Board responsible for analyzing significant breaches and recommending improvements. Additionally, the Office of the Information Commissioner implemented a privacy credit reporting code that outlines the responsibilities of credit providers and reporting bodies in managing credit information. Lastly, the Cybersecurity and Infrastructure Security Agency adopted guidelines on safe software to enhance software reliability during deployment, particularly for mobile and cloud services.

Several authorities in China issued data protection frameworks. The Ministry of Finance and the Cyberspace Administration of China implemented rules on the data security management of accounting firms. Among a range of cybersecurity requirements, accounting firms must store data in China. Further, the State Administration for Market Regulation and the National Standardization Administration adopted nine national cybersecurity standards, including information security control and smart door locks. Finally, the National Cybersecurity Standardization Technical Committee closed the consultation on guidelines for academic and technological service platforms. The guidelines specify that platforms must establish secure and transparent mechanisms for sharing data and include rules on data localization and cross-border data transfers.

Indonesia implemented its personal data protection law following a two-year grace period. The bill establishes data subject rights, including the right to access and delete their data, the right to withdraw consent for data processing, and the right to be informed about how their data is processed. Entities must obtain user consent before collecting personal data. Additionally, the bill establishes mechanisms for data transfers and cybersecurity measures.

The Personal Information Protection Commission of South Korea announced plans to implement an equivalence recognition system to facilitate data transfers to the European Union. The PIPC also implemented measures to combat illegal online data distribution, aiming to prevent secondary damage such as identity theft. Additionally, the PIPC fined e-commerce platforms Neopharm KRW 151.7 million (approx. USD 109,934) and Ilhak KRW 18 million (approx. USD 13,044) for failing to protect personal data.

The National Cybersecurity Authority of Saudi Arabia closed its consultation on proposed updates to basic cybersecurity controls, focusing on confidentiality, integrity, and availability across four domains: governance, defense, resilience, and third-party/cloud services. The Saudi Data and AI Authority issued a guide demanding controllers to notify personal data breaches within 72 hours and inform affected individuals if risks such as identity theft or fraud arise.

Americas

The Canadian Centre for Cybersecurity issued guidelines on the cyber resilience of critical infrastructure. Meanwhile, the Office of the Privacy Commissioner of Canada issued recommendations to amend the Privacy Act, advocating for additional privacy rights and enforcement powers.