Global Digital Policy Roundup: September 2024

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of September 2024 in four core areas of digital policy.

• Content moderation, including a proposed minimum age for social media in Australia, Brazil’s case against X, and a ruling declaring India’s Fact Check Unit as unconstitutional.
• AI regulation, including the UN-OECD collaboration on global AI governance, China’s new AI governance framework, and a voluntary AI safety standard in Australia.
• Competition policy, including rulings by the Court of Justice of the European Union and investigations in the United Kingdom concerning large technology providers, new online competition rules in China, and proposed digital competition bills in South Korea.
• Data governance, including the implementation of Saudi Arabia's data protection law, Turkey’s amended data transfer regime, proposed privacy reforms in Australia and Japan, a fine against Worldcoin in South Korea, and GDPR enforcement cases in Ireland.

Content moderation

Europe

The European Commission closed its consultation on guidelines to enhance online protection for minors under the Digital Services Act (DSA). The final version is expected in the first half of 2025. The Italian Communications Authority implemented two resolutions on the DSA, on trusted flaggers of illegal content and out-of-court dispute resolution between online platforms and users. EU member states also continued to implement the regulation on the dissemination of terrorist content online. For instance, Ireland designated the Media Authority as the competent authority to request the blocking of terrorist content.

Russia enacted a resolution to extend free access to socially significant online resources under the "available internet" program from 24 hours to 7 days. The telecom operators have to offer this access, with a government commission determining the eligible resources.

The United Kingdom advanced the implementation of its Online Safety Act. The Office of Communications closed a consultation on its draft code of practice and guidance on illegal harms. The Secretary of State tabled a regulation proposing to categorize the sharing of intimate images as a “priority offense.”

Asia and Australia

The Australian government announced a bill setting a minimum age for access to social media. At the sub-national level, a bill in South Australia was proposed to ban social media for children under 14 and require parental consent for those aged between 14 and 15. In terms of enforcement, the eSafety Commissioner issued notices to YouTube, Facebook, Instagram, TikTok, Snap, Reddit, Discord, and Twitch asking for details on policies and actions to enforce age limits. The Commissioner further issued a statement emphasizing the need for transparency concerning online child sexual abuse, following a court claim by X that the company was not obligated to respond to a notice under the Online Safety Act.

India's Ministry of Communications closed the consultation on draft rules on the temporary suspension of telecommunication services. The rules outline conditions for suspending services for public safety or emergencies for 15 days, based on the new Telecommunications Act. Additionally, the Bombay High Court ruled that the government's Fact Check Unit is unconstitutional in view of concerns about censorship and procedural safeguards.

Japan’s Ministry of Economy, Trade and Industry closed the consultation on a draft order requiring foreign e-commerce platforms to remove listings and advertisements for products that pose a risk to domestic consumers. Such platforms would further have to notify authorities of operations and appoint local representatives.

Saudi Arabia’s Data and AI Authority launched a public consultation on deepfake guidelines to mitigate the risks associated with malicious deepfakes, such as scams and disinformation. The guidelines address developers, regulators, and consumers, covering issues such as privacy, transparency, and accountability.

Americas

Brazil's Supreme Federal Court ordered the unblocking of Starlink and X's bank accounts following the payment of a BRL 18.35 million (USD 3.3 million) fine for non-compliance with court orders regarding content removal and legal representation. The court classified the companies as part of a "de facto economic group," rendering them jointly liable for the penalty.

Artificial Intelligence

International developments

The United Nations adopted the Pact for the Future, Global Digital Compact, and Declaration on Future Generations. The Pact aims to enhance digital cooperation among nations and advocates for a balanced, inclusive approach to AI. The Organisation for Economic Co-operation and Development and the United Nations announced a collaboration on global AI governance to ensure cohesive policy responses to AI's rapid development. Finally, UNESCO closed its consultation by discussing various emerging approaches to AI regulation.

Europe

The European Commission closed a public consultation on AI in the financial sector under the EU AI Act. Concurrently, the European AI Office concluded a consultation on a general-purpose AI code of practice, focusing on transparency, copyright obligations, and risk assessment. Additionally, the European Parliament released an impact assessment proposing adjustments to non-contractual civil liability rules for AI, recommending a mixed liability framework and a shift toward broader software liability regulations to enhance accountability and market coherence.

The French National Commission on Informatics and Liberty concluded its consultation on guidelines for developing privacy-respecting AI systems. The recommendations emphasize how the General Data Protection Regulation supports innovative and ethical AI, addressing legal and privacy concerns while promoting transparency and alignment with fundamental rights.

Asia and Australia

The Australian Department of Industry issued a voluntary AI safety standard to assist organizations in the safe and responsible deployment of AI. The standard outlines ten voluntary guardrails related to accountability, risk management, data practices, and transparency. It aims to enhance AI reliability across the supply chain. The Department further opened a consultation on mandatory rules for high-risk AI systems to mitigate potential harms.

China’s National Information Security Standardization Technical Committee (TC260) adopted the AI safety governance framework, providing guidelines for AI development and safety risk management. The framework outlines principles for governance, identifies various safety risks (such as bias, data misuse, and supply chain security), and specifies technological and management measures to address these risks. Additionally, the TC260 completed its public consultation on the draft standard for labeling methods of AI-generated content.

The South Korean Personal Information Protection Commission (PIPC) issued a guide outlining data subjects' rights regarding automated decision-making involving AI. The guide mandates organizations to enhance transparency by publishing decision-making criteria on their websites, as well as enabling individuals to request explanations for these decisions. Additionally, the PIPC updated the internet blocking measures system, allowing more flexible use of AI and cloud services for personal data processing based on risk assessments.

Americas

Argentina’s Agency of Access to Public Information adopted a guide for public and private entities focused on transparency and personal data protection in AI use. The guide addresses organizations developing and utilizing AI, outlines risks, and offers recommendations to integrate principles such as lawfulness, consent, and transparency.

Canada's Department of Innovation concluded a public consultation on its inquiry into AI compute initiatives. It sought public input to inform the design and implementation of two government initiatives: the Canadian AI Sovereign Compute Strategy, which aims to develop AI infrastructure over the long term, and the AI Compute Access Fund, which provides immediate support to Canadian AI researchers and developers.

Competition

Europe

The Court of Justice of the European Union (CJEU) upheld a EUR 2.42 billion fine against Google for engaging in discriminatory practices by favoring its shopping services in search results. In another ruling, the CJEU annulled an EUR 1.49 billion fine against Google related to its AdSense for Search service, asserting that the Commission did not adequately demonstrate the negative impact of Google's restrictive clauses on competition. Other CJEU rulings upheld most of the Commission's findings concerning Qualcomm's abuse of dominant position but reduced the fine from EUR 242 million to EUR 238.7 million and asserted that Booking's price parity clauses could limit competition among hotel reservation platforms. Finally, the Commission initiated an investigation into Apple’s compliance with interoperability obligations of the Digital Markets Act.

The French Competition Authority concluded a consultation on competition dynamics in the online content creation sector. It analyzed competition among video-sharing platforms such as YouTube, Twitch, TikTok, and Dailymotion regarding content creator engagement and advertising revenue.

The German competition authority designated Microsoft as a company of "paramount significance for competition across markets," subjecting it to dedicated competition rules. The Authority also initiated a survey to examine the impact of Amazon's price checks on third-party retailers' behavior as part of a broader investigation into Amazon's algorithmic pricing.

The Italian Competition Authority concluded a public consultation on commitments proposed by Booking in response to allegations of abuse of its dominant position in the online hotel intermediation market. In another Italian case, the EU Advocate General noted that Google's refusal to grant third-party access to its Android Auto platform might violate competition rules. Previously, the Competition Authority fined Google EUR 102 million for favoring its own Google Maps service and requested it to allow all app developers access to the platform.

Russia passed a bill to strengthen consumer rights for paid digital subscriptions, requiring clear agreements on terms and cancellation procedures. Meanwhile, the Federal Antimonopoly Service announced that OZON, the country’s largest e-commerce platform, updated its seller policies to align with antimonopoly regulations. The platform enhanced its contract clarity and introduced new features to increase transparency following an investigation by the Authority.

The United Kingdom’s Competition and Markets Authority (CMA) closed investigations into Microsoft's hiring of former Inflection AI employees as well as the Amazon-Anthropic partnership. In other cases, the CMA provisionally concluded that Google abused its dominant position in the digital advertising sector through self-preferencing practices within the ad tech stack and raised concerns regarding Google’s revised Privacy Sandbox. Furthermore, the CMA initiated a new investigation into Ticketmaster, focusing on the transparency of its dynamic pricing system. Finally, the Payments Systems Regulator and Financial Conduct Authority closed their consultation regarding the influence of large technology companies such as Apple and Google on digital wallets. In addition, the

Asia

China's State Administration for Market Regulation (SAMR) enacted new rules to combat unfair competition online. The rules ban the use of algorithms and data to influence users, including fabricated user reviews and misleading displays that hide negative reviews. Furthermore, the regulation prohibits exclusivity agreements that force online merchants to use a specific platform or impose unreasonable prices or sales targets. Additionally, SAMR closed the consultation on a draft standard on penalties for violations of the amended Anti-Monopoly Law.

The Japan Fair Trade Commission closed the consultation on the implementation of a law seeking to promote competition in smartphone software. The consultation explored business transactions between software providers and concerns about unfair practices by large mobile platforms and app stores. The law requires operators to ensure fair treatment, transparency in data use, and interoperability while also mandating the facilitation of data transfer and obtaining user consent for software changes.

South Korea’s Fair Trade Commission announced two bills to amend antitrust laws. The first bill amends the Fair Trade Act, focusing on platforms with significant market influence, holding over 60% market share or 10 million users. It seeks to address anti-competitive practices such as self-preferencing, with fines increasing from 6% to 8% of related sales. The second bill revises the Large-Scale Distribution Business Act to protect vendors from platform abuse by establishing criteria based on revenue and transaction volumes. Intermediary platforms will also face stricter settlement deadlines and new transparency obligations.

Data governance

Europe

The European Commission announced new standard contractual clauses (SCCs) to govern personal data transfers to third-country controllers and processors subject to the General Data Protection Regulation (GDPR). The European Data Protection Board announced that it is collaborating with the Commission to develop guidance on the interplay between the Digital Markets Act and the GDPR.

Several GDPR enforcement cases were advanced by the Irish Data Protection Commission (DPC). The DPC fined Meta EUR 91 million for storing social media users’ passwords without encryption. Additionally, the DPC launched an investigation into whether Google conducted an impact assessment for its AI model. The DPC also closed its investigation against X for using user data from public posts in Europe to train its AI tool (Grok) after X agreed to stop and permanently restrict its data use. Finally, the Dutch Data Protection Authority fined Clearview AI EUR 30.5 million for creating a database of facial images scraped from the internet without consent.

The French Data Protection Authority (CNIL) issued guidelines to strengthen privacy protection in mobile applications. The guidelines clarify the responsibilities of each actor in the mobile app ecosystem and provide practical advice for legal security.

The German Federal Ministry for Digital and Transport approved a regulation enabling users to manage their consent decisions as an alternative to cookie banners. Additionally, the Conference of the Independent Data Protection Authorities adopted a resolution that clarifies data protection obligations for businesses engaged in asset deals.

The United Kingdom's Information Commissioner's Office (ICO) issued several statements. The ICO welcomed LinkedIn's decision to stop using its user data to develop generative AI models and emphasized the importance of transparency and user safeguards regarding Meta's plans to resume such processing. It highlighted that no regulatory approval was granted for this data processing. In addition, the ICO addressed Meta's introduction of teen accounts on Instagram, stressing that children's accounts must default to high privacy settings as required by the Children's Code. Furthermore, the ICO commended Instagram for its new protections for younger users and pledged to advocate for higher industry standards. Lastly, the ICO concluded its investigation into Sky Betting and Gaming, reprimanding the company for processing personal data without consent through advertising cookies.

Asia and Australia

Australia introduced a bill to reform the Privacy Act. It expands the Information Commissioner's enforcement powers to issue civil penalties for privacy breaches and establishes a children's online privacy code. The bill also seeks to clarify measures regarding significant data breaches and introduces legal remedies for serious invasions of privacy. Additionally, the Australian Cyber Security Centre issued an advisory on malware.

The Chinese National Information Security Standardization Technical Committee (TC260) released guidelines to enhance the management and protection of sensitive personal information. The guidelines categorize sensitive data types, such as biometric data, religious beliefs, and medical and financial data, providing organizations with a framework for recognizing, processing, and safeguarding such data. Additionally, TC260 concluded its consultation on a draft national standard focused on compliance audit requirements for personal information protection. Meanwhile, the Ministry of Industry and Information Technology closed consultations on various industry standards related to mobile IoT development, which aim to create a secure ecosystem utilizing 4G and 5G networks. Finally, the Cyberspace Administration of China signed a memorandum with Macao's Financial Affairs Bureau to promote secure cross-border data flows.

India’s Ministry of Communications closed consultations on two draft rules. The first rule outlines cybersecurity measures for all telecommunication providers, requiring them to adopt security policies, report incidents within 6 hours, and establish infrastructure to monitor and mitigate cyber threats. The second rule imposes additional security obligations specifically for providers of critical infrastructure.

The Japanese government concluded its public consultation on draft rules to amend the enforcement regulations in the Act on the Protection of Personal Information. These amendments aim to facilitate cross-border data transfers by revising the criteria for recognizing foreign countries with equivalent personal information protection standards to encompass both the public and private sectors.

South Korea implemented a decree outlining conditions for obtaining valid consent, such as ensuring clarity and legibility of consent information under the Personal Information Protection Act (PIPA). The Personal Information Protection Commission (PIPC) fined Worldcoin KRW 720 million and Tools for Humanity Corporation KRW 379 million for non-compliance with PIPA. The companies failed to notify users about data collection purposes and retention periods when transferring data overseas. The PIPC mandated Worldcoin to obtain separate consent for processing sensitive information and implement deletion mechanisms. Tools for Humanity was directed to enforce age verification for users under 14 on the World App.

Saudi Arabia's Personal Data Protection Law (PDPL) and its accompanying regulations entered into force. The PDPL establishes rights for data subjects, including the right to be informed about the purpose of data collection, as well as the right to access, rectify, and delete personal data. It also delineates the legal bases for data collection and processing and establishes cross-border data transfer rules. Furthermore, the Saudi Data and Artificial Intelligence Authority released a guide on personal data processing activities records and clarified rules regarding rules for data destruction, anonymization, and pseudonymization.

Turkey implemented amendments to the Personal Data Protection Law, including new mechanisms for data transfers. Transfers are permitted if they comply with processing conditions, and there is an adequacy decision for the destination country or organization. Without adequacy, data can only be transferred by employing appropriate safeguards, such as binding corporate rules or standard contracts.

Americas

Brazil implemented cybersecurity rules for the telecommunications sector, establishing compliance requirements and mandating the reporting of security incidents to the National Data Protection Authority. Additionally, the rules provide updated guidelines for assessing the cybersecurity of data processing and cloud services.

The Canadian Privacy Commissioner concluded its consultation on age-assurance systems, highlighting significant privacy concerns and recommending the use of such systems only in high-risk scenarios. Meanwhile, at the sub-national level, the Quebec Commission on Access to Information enacted provisions to enhance the portability of personal information. The Federal Court of Appeal also upheld the Privacy Commissioner’s ruling that Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA) by failing to obtain meaningful consent and adequately protect user data between 2013 and 2015.

Mexico’s National Institute of Transparency, Access to Information, and Personal Data Protection published guidelines detailing the conditions and procedures for certifying compliance with personal data protection obligations.