Global Digital Policy Roundup: October 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of October 2025 in four core areas of digital policy.

• Content moderation, including the European Union's Regulation on political advertising and enforcement of the Digital Services Act, the United Kingdom's advancement of the Online Safety Act implementation, and Brazil's bills addressing online safety and child protection.
• AI regulation, including Italy's AI law, India's draft rules on synthetically generated content, China's guidelines for government AI deployment, Australia's consultation on AI and copyright, and the European Commission's Apply AI Strategy.
• Competition policy, including China's revised Anti-Unfair Competition Law, the United Kingdom’s Competition and Markets Authority's designation of Google and Apple as having “strategic market status”, and Germany's investigation into Temu's marketplace practices.
• Data governance, including the ASEAN Digital Economic Framework Agreement, the UN Cybercrime Convention, the European Parliament's regulation on GDPR enforcement procedures, and China's amendments to the Cybersecurity Law.

Content moderation

Europe

The European Union’s Regulation on the transparency and targeting of political advertising entered into force. It requires platforms to label paid political advertisements and set up mechanisms for reporting non-compliant content, and prohibits the use of minors’ data for political advertising. Political advertising funded by third-country sponsors is banned three months before elections or referendums. The European Commission also issued guidelines to support implementation. Furthermore, the Council adopted the regulation on toy safety, mandating a Digital Product Passport for all toys to prevent unsafe products from entering the EU market. The European Commission opened consultations on the evaluation of the Geo-Blocking Regulation and the development of the EU Delivery Act, and closed the consultation on the Digital Fairness Act.

The implementation of the Digital Services Act (DSA) continued. The delegated regulation on data access under the DSA entered into force, setting out requirements and procedures to enable authorized researchers to access data from very large online platforms and search engines to study systemic risks. The Commission further published the second version of the EU age verification blueprint to support compliance with DSA’s minor protection obligations.

Regarding enforcement, the European Commission issued preliminary findings that Meta and TikTok breached DSA transparency obligations by imposing restrictive conditions on researchers’ access to data. It also found that Facebook and Instagram lack user-friendly tools for reporting illegal content and that their appeal systems do not allow EU users to adequately challenge content moderation decisions. The Commission further requested information from Snapchat, YouTube, Apple, and Google about their age verification systems and how they prevent minors from accessing illegal products and harmful content. The European Board for Digital Services’ Working Group announced coordinated efforts with national authorities to help smaller platforms meet obligations related to the protection of minors.

France implemented a decree requiring pornographic platforms to display warnings on pornographic material depicting simulated rape or incest, in line with the Law on Confidence in the Digital Economy. The Directorate-General for Competition, Consumer Affairs, and Fraud Control referred Shein to the public prosecutor after identifying listings for child-like sex dolls and alleged failures to protect minors from exposure to pornographic content.

The Italian Data Protection Authority held a hearing on the updated Senate bill on the protection of minors, which proposes restricting social media and video-sharing accounts to users aged 15 and above. Furthermore, the Communications Regulatory Authority (AGCOM) identified the 48 pornographic platforms required to implement age verification mechanisms starting 12 November 2025 to prevent minors’ access. AGCOM additionally ordered Telegram to block a channel involved in large-scale copyright infringement of over 11,000 literary works.

Russia signed a law regulating paid digital subscriptions, requiring services to notify users of upcoming payments, allow cancellations, and prohibit charging removed bank cards. A separate amendment to the Criminal Code also took effect, establishing criminal liability for foreign agents who repeatedly fail to meet legal obligations.

A bill amending the Penal Code was introduced to Turkey’s Assembly to clarify the scope of obscenity and strengthen protections for children against pornographic content, criminalizing its access, distribution, or promotion.

The United Kingdom continued to advance the implementation of the Online Safety Act (OSA). The Secretary of State laid before Parliament draft regulations to designate cyberflashing and content encouraging or assisting serious self-harm as a priority offense under OSA, requiring platforms to take down such content. Additionally, the Secretary of State repealed two regulations that would have required user-to-user services to report child sexual exploitation and abuse material to the National Crime Agency. The Office of Communications (Ofcom) issued guidance for online video game providers on their obligations under OSA and opened consultation on draft rules on combating mobile messaging scams.

Regarding enforcement, Ofcom fined 4chan GBP 20,000 for failing to comply with statutory information requests related to its obligation to assess the risks of users encountering illegal content on its platform. It opened investigations into Im.ge, Nippybox, Yolobit, and DStorage for compliance with obligations to prevent access to or sharing of child sexual abuse material, while cases involving Krakenfiles, Nippydrive, Nippyshare, Nippyspace, and Wojtek/Gofile were closed.

Additionally, Ofcom opened investigations to assess the compliance of 8579 LLC, AVS Group, Cyberitic, Web Prime, Youngtek Solutions, ZD Media, and XGroovy's provider with age assurance requirements to prevent minors’ access to pornographic content. Ofcom also released responses to its consultation on additional duties for categorized services and closed consultations on several regulatory documents, including additional safety measures for online platforms, proactive technology measures guidance, updated illegal content codes of practice for user-to-user services and search services, a protection of children code of practice for user-to-user services, as well as a highly effective age assurance guidance and amended guidance on illegal content judgements.

Asia and Australia

The Office of the Australian Information Commissioner issued guidance for social media and age assurance providers on complying with the Privacy Act and the Online Safety Act. From 10 December 2025, providers must take reasonable steps to prevent users under 16 from holding accounts. Separately, the eSafety Commissioner announced that Apple and Google removed OmeTV from their app stores over alleged non-compliance with the Relevant Electronic Services Industry Standard. In addition, the Commissioner issued removal notices to X and Meta for hosting violent footage.

China's revised Anti-Unfair Competition Law entered into force, establishing consumer protection measures and new rules for fair digital market practices. It prohibits false advertising, manipulative algorithms, deceptive sales schemes, and coercive pricing. The Cyberspace Administration (CAC) closed its consultation on measures for identifying internet platform service providers with large numbers of minor users and a significant impact on minors.

Regarding enforcement, the CAC launched a campaign on rectification of abnormal live-streaming tipping practices and issued results of an investigation into illegal and irregular self-media accounts involved in the dissemination of military-related information. The State Administration for Market Regulation published enforcement actions against illegal online advertising, presenting 10 typical cases to illustrate recent enforcement outcomes.

India’s Ministry of Electronics and Information Technology released the draft implementing rules on the law banning online money games. The rule establishes a game classification framework, registration scheme, and oversight authority. Additionally, the Ministry of Information and Broadcasting opened a consultation on guidelines for accessibility of content on OTT platforms for persons with hearing and visual impairment. The Department of Consumer Affairs announced an investigation into e-commerce platforms over alleged misleading dark patterns, focusing on online retailers charging extra cash-on-delivery fees to mislead consumers.

The Fair Trade Commission (FTC) of South Korea amended consumer protection guidelines in e-commerce, establishing specific interpretation standards and recommendations for dark pattern regulation following amendments to the Electronic Commerce Act. Separately, the Constitutional Court dismissed constitutional challenges to the technical and administrative measures for preventing the distribution of illegally filmed materials under the Telecommunications Business Act. In enforcement, the FTC fined Spotify KRW 1 million for failing to disclose operator identity and withdrawal information. Furthermore, the FTC fined the e-commerce platform Coupang KRW 2.5 million for deceptive dark patterns, the content platform Wavve KRW 4 million for obstructing consumer contract cancellations, and the online music service NHN Bugs KRW 3 million for impeding subscription cancellations.

Americas

Brazil’s Chamber of Deputies passed a bill regulating digital influencer activities and the participation of children in audiovisual productions. The bill requires transparent and truthful advertising and clear identification of sponsored content. Several other bills regarding online safety were introduced to the Chamber of Deputies, including on the "eroticisation" of children and adolescents, technical standards for detecting child sexual abuse material, and restrictions on online betting for vulnerable people.

Separately, the Ministry of Justice and Public Security opened a consultation on a proposed methodology for age verification in digital services. The Ministry of Justice adopted an ordinance regulating the national indicative content classification system for minors, applicable across streaming, video games, and applications. The National Data Protection Authority outlined regulatory and supervisory measures for implementing the law on the protection of children online.

Africa

The Film and Publication Board of South Africa (FPB) requested social media platforms to remove a video showing violence against a child, in line with the Films and Publications Act. The FPB will monitor compliance and noted that sharing such content can lead to fines up to ZAR 150,000 or two years’ imprisonment.

Artificial Intelligence

Europe

The European Commission adopted the Apply AI Strategy to promote AI adoption across strategic and public sectors, including healthcare, energy, and manufacturing. It also adopted the European Strategy for AI in Science, setting out a coordinated approach to accelerate the uptake of AI across all scientific disciplines, focusing on building leading European AI scientific models, addressing fragmentation of research resources, and securing access to computational capacity. Additionally, the Commission closed its consultation on guidelines for transparency requirements under the AI Act. The European Data Protection Supervisor published revised orientations for ensuring data protection compliance when EU institutions and bodies use generative AI systems.

Italy implemented the law on the governance of AI, establishing a national framework to complement the EU AI Act. The law governs AI deployment across healthcare, public administration, judicial activity, national security, defense, and employment. The law introduces specific safeguards for minors and a framework for healthcare AI research, allowing secondary use of anonymized or pseudonymized data under oversight. It also introduces copyright protection for AI-assisted works with meaningful human authorship and permits text and data extraction for AI model training, provided there is legitimate access. The law further requires public procurement platforms to prioritize AI suppliers that process and store strategic data within national data centers to ensure disaster recovery, business continuity, and high security standards. Additionally, the Data Protection Authority temporarily restricted the ClothOff “deep nude” service from processing Italian users’ data, citing the company’s failure to provide requested information and insufficient watermarking of manipulated images, which breaches principles of fairness, accountability, and data protection by design and by default.

The United Kingdom’s Digital Regulation Cooperation Forum opened its consultation on agentic AI regulatory challenges, focusing on AI systems capable of autonomous decision-making and initiating actions without direct human prompts. The Department for Science, Innovation, and Technology opened a consultation on establishing an AI Growth Lab, which aims to support innovation in AI-enabled products and services by relaxing targeted regulations. The Upper Tribunal ruled that Clearview AI's processing of UK residents' personal data fell within the scope of UK GDPR and confirmed the Information Commissioner's Office's authority to issue monetary penalties and enforcement notices.

Asia and Australia

The Attorney General of Australia announced a consultation on potential updates to Australia's copyright laws to address challenges arising from AI. The Government confirmed it will not introduce a text and data mining exception. The National AI Centre published an AI Policy Guide to support organizations in developing and maintaining internal policies promoting ethical and responsible use of AI. The Signals Directorate issued guidance on supply chain risks and mitigation for organizations and personnel involved in the development or deployment of AI systems. Additionally, the eSafety Commissioner issued legal notices to CharacterAI, Glimpse.AI., Chai Research Corp, and Chub AI requiring them to detail measures protecting children from online harms, including sexually explicit conversations.

China’s National Information Security Standardisation Technical Committee implemented six cybersecurity national standards covering operational security and automated decision-making. Additionally, the Cyberspace Administration of China adopted guidelines for the deployment and application of large-scale AI models in government.

The Ministry of Electronics and Information Technology of India opened a consultation on the draft Intermediary Guidelines and Digital Media Ethics Code. The draft rules introduce labeling, metadata embedding, and traceability requirements for synthetically generated content. The Competition Commission released a market study report on the dynamics of AI adoption in India, implications for competition, and the regulatory landscape. Finally, India and the United Kingdom issued a joint statement reaffirming their commitment to cooperate on frontier technologies, including AI, under the Technology Security Initiative.

Japan's Minister of State for Intellectual Property Strategy released a statement on OpenAI's Sora2 compliance with copyright protection regulations, addressing concerns about AI-generated anime-style content. OpenAI announced plans for an opt-out system, increased data transparency, and stronger content filters, with the case expected to inform potential reforms under the AI Promotion Act.

Americas

A bill was introduced to Argentina’s Chamber of Deputies to establish a special legal remedy for protecting image rights against content generated by AI. It allows affected individuals, their representatives, or heirs to file digital claims before any first-instance judge without fees. Judges may order the immediate blocking, removal, or de-indexing of disputed content and, if unauthorized use is confirmed, require its permanent deletion from digital platforms.

A bill amending the Copyright Law was introduced in the Chamber of Deputies of Brazil to prohibit the unauthorized use of realistic AI-generated digital imitations without express consent. It defines realistic digital imitation as audio-visual, sound, or hybrid content capable of misleading the public. Additionally, the National Data Protection Authority published the final results of its regulatory sandbox on AI and data protection.

Competition

Europe

The European Commission closed its consultation on the revised Technology Transfer Block Exemption Regulation, allowing certain technology licensing agreements to be exempt from anti-competition rules. It also concluded its consultations on guidelines for applying EU competition law to technology transfers and the proposal to update EU antitrust procedural rules.

The German Federal Cartel Office opened an investigation into Temu’s marketplace to assess whether its seller terms and pricing practices unlawfully restrict competition and raise prices in other sales channels.

The United Kingdom’s Competition and Markets Authority (CMA) opened a consultation on the revised merger remedies guidance. It expands the circumstances under which behavioral remedies may be accepted and clarifies when structural remedies are necessary. The CMA also designated Google and Apple as having strategic market status in mobile platforms, including their operating systems, app stores, and browsers, under the Digital Markets, Competition and Consumers Act. Google was further designated as having strategic market status in general search and search advertising services. Following the designation, the CMA can impose behavioral and structural remedies. The CMA also referred Getty Images' proposed acquisition of Shutterstock to an in-depth phase two investigation after identifying competition concerns. Finally, the Competition Appeal Tribunal ruled that Apple holds a monopoly in iOS app distribution and in-app payments and imposed exclusionary practices. The Tribunal found Apple’s 30% commission excessive and set competitive rates at 17.5% for distribution and 10% for payments.

Asia and Australia

The Australian Competition and Consumer Commission filed a lawsuit against Microsoft alleging misleading or deceptive conduct and false or misleading representations under the Australian Consumer Law, with regard to Microsoft 365 and Copilot.

The second revision of China’s Anti-Unfair Competition Law entered into force, introducing rules targeting unfair practices in digital business operations, including the misuse of data, algorithms, or platform rules to influence users or disrupt competitors. It prohibits platforms from forcing operators to sell below cost and requires platforms to establish fair competition rules, complaint mechanisms, and reporting obligations. Additionally, the State Administration for Market Regulation opened an investigation into Qualcomm for allegedly failing to declare its acquisition of Autotalks.

The South Korean Fair Trade Commission (FTC) ordered Baemin to revise nine categories of unfair merchant contract terms, including clarifying distance-based restaurant exposure limits and specifying payment settlement procedures. Coupang Eats was also directed to amend ten contract terms, including ending charges for intermediation and payment processing based on pre-discount prices.

Data governance

International

The ASEAN Economic Community Council announced the substantial conclusion of negotiations on the Digital Economic Framework Agreement, which includes provisions on digital payments, data transfers, and service interoperability, among others. Separately, 72 states signed the United Nations Convention against Cybercrime. The Convention criminalizes acts such as child sexual abuse, online fraud, and ransomware attacks, and includes measures for extradition, mutual legal assistance, and the exchange of electronic evidence.

Europe

The European Parliament passed the regulation laying down additional procedural rules relating to the enforcement of the General Data Protection Regulation. The regulation aims to harmonize the criteria for assessing the admissibility of cross-border complaints and clarify the coordination mechanisms between supervisory authorities. The Commission issued the Cloud Sovereignty Framework, which includes criteria for assurance levels and scoring methodology for assessing the sovereignty of cloud services. Additionally, the European Commission closed the consultation on the Digital Omnibus, which aims to reduce compliance costs and simplify regulations. It proposes amendments to the Data Governance Act, e-Privacy Directive, and the AI Act, among others.

The European Data Protection Board (EDPB) and European Commission opened a consultation on joint guidelines clarifying the interaction between the Digital Markets Act and the General Data Protection Regulation (GDPR) to ensure consistent interpretation. The EDPB also closed its consultation on guidelines regarding the interplay between the Digital Services Act and the GDPR, providing technical clarification on personal data processing provisions. Additionally, the EDPB adopted recommendations on audit cycles for EU large-scale IT systems and issued an opinion on the EU draft decision assessing the adequacy of UK personal data protection for international transfers.

In France, a bill on securing digital public procurement was introduced to the Senate. The bill would require cloud contracts for public data to prevent the application of foreign extraterritorial laws and ensure data is stored within the EU.

The Italian Data Protection Authority issued a notice against ICF Technology, which manages the CamHub website. The Authority stated the website streams sexually explicit videos, including private chat rooms, and collects and shares such content without a lawful basis.

The United Kingdom Information Commissioner’s Office (ICO) issued guidance on "consent or pay" advertising models and opened a consultation on guidance regarding data protection enforcement procedures. The ICO also concluded consultations on profiling tools for online safety, recognised legitimate interest under the Data (Use and Access) Act, draft complaints guidance, and a framework for handling data protection complaints.

Separately, the Department for Science, Innovation and Technology (DSIT) closed a consultation on updates to the Telecommunications Security Code of Practice. The Office of Communications concluded its consultation on guidance for data preservation notices under the Data (Use and Access) Act, which requires providers to retain data on a child’s online activity posthumously. Finally, the DSIT signed an agreement with Singapore on mutual recognition of consumer Internet-of-Things cybersecurity regimes.

Asia and Australia

The Australian Signals Directorate (ASD) issued guidance for critical infrastructure operators and additional recommendations to strengthen network security and advise executive and technical staff on protecting both internet-facing and internal networks from cyber threats. Meanwhile, the Australian Cyber Security Centre issued guidance on the cloud shared responsibility model, clarifying how security duties are divided between customers and cloud service providers. In enforcement, the Federal Court ordered Clinical Labs to pay a civil penalty of AUD 5.8 million for failing to take reasonable steps to protect patients’ personal and sensitive health information.

China’s National People’s Congress adopted amendments to the Cybersecurity Law. It includes measures supporting AI development, updates personal information handling requirements, and raises penalties for data breaches, unapproved network equipment, and cybersecurity violations. Serious breaches may result in fines up to RMB 10 million, license revocation, business suspension, or asset freezes for foreign entities. The Cyberspace Administration adopted measures for the authentication of personal information exported abroad, which will enter into force in January 2026. The Cyberspace Administration also concluded its consultation on draft regulations for establishing personal information protection supervisory committees on large-scale online platforms. Meanwhile, the Ministry of Industry and Information Technology released guidelines for building a comprehensive cloud computing standardization system and issued a notice ordering producers of 20 IoT devices to stop the illegal collection and use of personal information. The National Network Security Standardisation Technical Committee closed consultations on standards covering network security authentication, third-party resource authorisation, personal information anonymisation, and IoT cybersecurity.

Indonesia's Ministry of Communication and Digital Affairs lifted the temporary suspension of TikTok after the company submitted the requested data on traffic escalation and TikTok live monetization.

Japan’s Personal Information Protection Commission issued guidelines on sharing data with foreign third parties under the Global Cross-Border Privacy Rules (CBPR) System, explicitly referencing the Global CBPR Forum certification mechanism.

South Korea implemented amendments to the Personal Information Protection Act, requiring foreign businesses with local subsidiaries to designate a domestic representative.

Americas

A bill was introduced in the Brazilian Chamber of Deputies to prohibit the commercialization and improper sharing of sensitive personal data, allowing disclosure or transfer only when expressly authorized. Separately, another bill on information security and cybersecurity services removes the 20% national capital requirement for fiscal benefits, instead focusing on legal establishment in Brazil to ensure full national jurisdiction.