Global Digital Policy Roundup: April 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of April 2025 in four core areas of digital policy.

• Content moderation, including Russia's advertising ban on "undesirable" platforms, Japan's designation of large companies, China's mobile internet “minor mode” implementation, and the UK's binding codes under the Online Safety Act.
• AI regulation, including the European Commission's consultations on the Apply AI Strategy and the Cloud and AI Development Act, the BRICS declaration on AI governance, and South Korea's enforcement action against DeepSeek.
• Competition policy, including fines against Apple and Meta under the EU's Digital Markets Act, Japan's order against Google over app distribution restrictions, and the UK's implementation of the Digital Markets Act.
• Data governance, including the adoption of the EU-Singapore Digital Trade Agreement, the EU’s implementation of the Digital Services Act, and South Korea's amended Personal Information Protection Act.

Content moderation

Europe

The European Commission published the ProtectEU strategy. The strategy outlines coordinated approaches for addressing illegal content across digital platforms, enhancing cooperation between Member States, and standardizing content moderation practices. It also noted that the Commission will introduce an age verification mechanism intended to remain in use until the EU Digital Identity Wallet becomes operational by the end of 2026. Additionally, the Commission opened a consultation on combating online piracy of live content to assess the effectiveness of current measures targeting unauthorized streaming of sports and entertainment events.

The German Administrative Court rejected Aylo’s appeal against an order blocking access to its adult content platforms due to inadequate age verification. The decision requires Aylo to implement robust age verification mechanisms to avoid minors' exposure to such content.

The Italian Communications Regulatory Authority (AGCOM) adopted a rule requiring platforms displaying pornographic content to implement age verification measures within six months. The system must involve certified independent third parties and follow a two-step process. The AGCOM also issued multiple enforcement decisions related to copyright protection, ordering the blocking of Library Genesis, haltnow.ca, Guardaflix, and Casacinema for copyright infringements.

Russia signed a law banning advertising on websites considered undesirable, such as Facebook and Instagram. Specifically, the bill addresses the use of virtual private networks (VPNs) to bypass access restrictions and will enter into force in September. Additionally, Russia has also implemented a law requiring advertising providers to pay a quarterly fee equal to 3% of their income and allocate 5% of their annual advertising volume to campaigns promoting important social causes.

The United Kingdom continued the implementation of the Online Safety Act. The Office of Communications (Ofcom) published the binding codes on the protection of children online for user-to-user platforms and search engines. Providers must complete children’s risk assessments by 24 July 2025 and implement safety measures outlined in the codes or alternative effective measures to protect children from harmful content. The measures include safer feeds, effective age checks, fast action on harmful content, more control and support for children, easier reporting and complaints, and strong governance with named accountability.

To support the implementation of the codes, Ofcom also issued guidance on content harmful to children, risk assessment, and children's risk profiles, as well as a register of risks listing known harms and required mitigation measures. Additionally, Ofcom updated the guidance on highly effective age assurance and children's access assessments. Finally, Ofcom opened an investigation into an online suicide discussion forum for potentially breaching the Online Safety Act, including failure to assess illegal content risks and respond to enforcement requests.

Asia and Australia

The Cyberspace Administration of China (CAC) implemented the “minor mode” for the mobile internet, establishing a unified operational framework across mobile devices, applications, and app distribution platforms. Once activated, the mode enables content filtering, usage time limits, application management, and access to usage statistics. Complementing the measures, the National Information Security Standardization Technical Committee issued guidelines establishing technical standards for content filtering and age-appropriate design. Regarding enforcement, the CAC launched investigations into platforms over issues such as misinformation and privacy violations, with a focus on content moderation and data protection practices. In parallel, the CAC also initiated a campaign to address "malicious marketing chaos" on short video platforms, targeting misleading content and deceptive advertising tactics.

The High Court of India upheld an order requiring the Wikimedia Foundation to remove defamatory content against ANI Media on Wikipedia. However, the Court suspended two earlier directives: removing page protection and banning all future defamatory edits. Instead, the Court established a process allowing ANI to report new defamatory content to the Wikimedia Foundation, which must act within 36 hours or face further legal action.

The Ministry of Internal Affairs and Communications of Japan designated Google, LINE, Yahoo, Meta, TikTok, and X as "large specified telecommunications service providers" under the Information Distribution Platform Regulation Act. The designated providers are required to implement procedures to remove unlawful or harmful content and to ensure transparency in how they manage online information. The law obliges these providers to set up systems for handling takedown requests and to publicly disclose their content moderation standards. It also introduces procedural rights for users whose content is removed.

The South Korea Ministry of Culture, Sports and Tourism adopted the enforcementregulations for the Game Industry Promotion Act. The regulations establish content moderation requirements for gaming platforms, including provisions addressing harmful content and player protection measures. Additionally, the Korea Fair Trade Commission announced an investigation into online advertising providers to examine alleged deceptive advertising tactics and unfair business practices.

The Turkish Ministry of Trade implemented a regulation on oversight procedures for e-commerce platforms. It also requires platforms to ensure compliance with product safety laws by enabling visibility of safety information, providing contact points for regulators, and facilitating content removal and supply chain traceability. Additionally, a bill amending the Law on the Establishment and Broadcasting Services was introduced to clarify that independent content creators on digital platforms will not be subject to broadcasting licenses. The requirement will only apply to entities conducting regular, large-scale broadcasts.

Americas

The Brazilian consumer protection authority issued an order requiring online betting platforms to register. Separately, it ordered YouTube, Instagram, TikTok, Enjoei, and Mercado Livre to remove content and advertisements promoting illegal products.

The Canadian Radio-television and Telecommunications Commission closed the consultation on the revision of the order on the definition of Canadian content for audio services under the Online Streaming Act. The order aims to ensure online streaming services contribute to Canadian and Indigenous content.

Africa

The South African Film and Publication Board reported on investigations into cases involving online child sexual abuse material distributed on digital platforms. The Board received 21 cases reporting on such content and issued interim rulings demanding content removal and enhanced monitoring.

Artificial Intelligence

International

The Organisation for Economic Co-operation and Development (OECD) concluded the first reporting period under the Hiroshima Process International Code of Conduct for AI developers, setting performance monitoring standards for advanced AI systems across participating nations. Furthermore, the BRICS+ Foreign Ministers signed a declaration on AI governance, outlining shared principles for regulation and international cooperation. Finally, delegates at the Africa AI Summit adopted a declaration on AI, which focuses on responsible AI development, governance structures, and data protection tailored to the African context.

Europe

The European Commission launched consultations on several AI-related initiatives. The first focuses on the upcoming AI Strategy, aiming to accelerate AI adoption in sectors like manufacturing, energy, and healthcare, while addressing challenges related to the EU AI Act. The second supports the development of the Cloud and AI Development Act, seeking input on managing data volumes, high-performance computing, and secure cloud services to foster AI innovation and strengthen the EU's digital infrastructure. The third covers draft guidelines for general-purpose AI models (GPAI) under the AI Act, clarifying definitions and obligations for GPAI providers, particularly around model classification, provider identification, and market placement.

Meanwhile, the European Data Protection Board released a report on the privacy risks and mitigations associated with large language models. The report identifies privacy challenges posed by these models and offers recommendations for data protection safeguards in AI development and deployment.

Regarding enforcement, the Irish Data Protection Commission initiated an investigation into X's data processing practices for training the Grok generative AI model, assessing compliance with the General Data Protection Regulation. In Germany, the Saxon Commissioner for Data Protection and Transparency released an advisory on Meta's data processing practices for AI training.

The French National Commission for Informatics and Liberties published recommendations on its sandbox project to support AI initiatives. The sandbox creates a controlled environment for AI experimentation with regulatory guidance, helping developers address data protection considerations in innovative AI applications.

The United Kingdom’s Government Office for Science published the AI 2030 Scenarios report, including recommendations on dedicated governance structures. The report outlines potential AI development trajectories and corresponding regulatory approaches.

Asia and Australia

Japan’s House of Representatives passed the bill on the promotion of research and development and the application of AI-related technologies. The bill establishes a governance framework for AI advancement, including provisions for research funding, ethical guidelines, and institutional oversight of AI applications. Additionally, the Digital Agency closed its consultation on draft guidelines for the procurement and utilization of generative AI in public administration.

The Personal Information Protection Commission (PIPC) of South Korea issued corrective recommendations to DeepSeek, requiring the company to establish legal grounds for transferring personal information overseas, promptly delete any unnecessarily transferred data, and improve transparency by publishing a detailed privacy policy in Korean. The PIPC also advised strengthening AI-related data protection measures, enhancing the security of processing systems, and appointing a domestic representative to oversee compliance. Additionally, the Supreme Court launched the Judiciary AI Committee to oversee AI applications in judicial proceedings.

Saudi Arabia’s Communications, Space, and Technology Commission opened a consultation on the draft Global AI Hub Law. The law aims to establish regulatory frameworks for various digital services, including AI development, cloud computing, and platform intermediaries operating in Saudi Arabia.

Competition

Europe

The European Commission continued enforcement actions under the Digital Markets Act (DMA), imposing a EUR 500 million fine on Apple for violating anti-steering provisions by restricting app developers from informing users about alternative payment options. Simultaneously, the Commission fined Meta EUR 200 million for its "consent or pay" model's non-compliance with DMA obligations regarding data usage and user consent. The Commission also closed its investigation into Apple concerning its offered choice of services under the DMA, finding the company's compliance measures satisfactory.

In a related investigation, the Commission issued preliminary findings that Apple’s terms for alternative app distribution violate the DMA, citing restrictive conditions and a core technology fee that undermine third-party app stores and direct downloads. Additionally, the Commission concluded its investigation into Facebook Marketplace, issuing a decision specifying that the service no longer qualifies as a core platform service under the DMA. The European Commission also released its second annual report on the implementation of the Digital Markets Act, evaluating the effectiveness of enforcement mechanisms and compliance by designated gatekeepers.

The Commission also continued its consultation on the revision of the Technology Transfer Block Exemption Regulation, which clarifies exemptions for technology transfer agreements, with revisions expected to address issues including data licensing and market share thresholds. Additionally, the European Securities and Markets Authority published guidelines on supervisory practices for competent authorities to prevent and detect market abuse under the Markets in Crypto Assets Regulation, establishing risk-based supervision.

The French Ministry of Economy, Finance, and Industrial and Digital Sovereignty published the National Plan for Regulation and Security of e-commerce, which includes the elimination of the EUR 150 duty-free threshold for imported goods. The measure aims to level the playing field between domestic and foreign e-commerce providers by standardizing import tariff application.

The German Federal Cartel Office (FCO) concluded two investigations into Google. The first related to alleged anticompetitive practices pertaining to Google Automotive Services. The FCO closed the investigation following commitments to unbundle Google Automotive Services, enhance interoperability, and end exclusive incentives restricting competition. The second investigation related to Google Maps Platform, finding that the company's modified practices addressed competition concerns.

The United Kingdom’s Digital Markets, Competition and Consumers Act entered into force, enhancing both consumer protection authority governance and consumer protection regulation. The legislation grants the Competition and Markets Authority (CMA) expanded enforcement powers and establishes new user rights in digital markets. In a separate enforcement action, the CMA imposed a GBP 25,000 penalty on Keysight Technologies for non-compliance with merger control requirements in the company's anticipated acquisition of Spirent Communications.

Asia and Australia

The Australian Competition and Consumer Commission (ACCC) closed consultations on draft merger assessment guidelines and merger process guidelines, updating its approach to evaluating the competition impacts of business combinations. The revised frameworks address specific considerations for digital markets and platform ecosystems. At the international level, the upgraded ASEAN-Australia-New Zealand Free Trade Agreement (AANZFTA) entered into force, including enhanced competition provisions. The agreement establishes international standards for addressing anticompetitive practices in cross-border e-commerce.

The State Administration for Market Regulation of China adopted an industry standard regulating individual-operated online stores. The standard establishes business registration requirements for small e-commerce operators, enhancing market transparency and fair competition in digital retail.

The Competition Commission of India adopted an order approving Google's settlement over alleged anti-competitive conduct in the smart television market. The ruling resolves concerns regarding the company's licensing practices for Android TV operating systems.

The Japan Fair Trade Commission issued a cease and desist order against Google, requiring the company to stop imposing restrictions in its app distribution and revenue-sharing agreements. The ruling addresses violations of the Antimonopoly Act related to app store policies and developer terms.

South Korea’s Fair Trade Commission (KFTC) closed a public consultation on a proposed consent order pertaining to Kakao over alleged unfair trade practices in e-commerce operations, including restricted shipping options and delayed contracts. The Commission also continues its consultation on a provisional consent decision against Broadcom for violation of the Monopoly Regulation and Fair Trade Act related to semiconductor sales.

Furthermore, the Korea Communications Commission (KCC) announced an evaluation of user protection by telecommunications and online service providers, examining service quality, user rights compliance, and adherence to fair marketing and advertising requirements. The evaluation seeks to protect users and promote the timely resolution of complaints. Additionally, the KCC released a report following its inquiry into in-app payment systems, highlighting developer concerns over high commissions and review delays, user refund issues, and future plans to improve app market fairness.

Americas

Brazil’s Senate approved the Social Affairs Committee's request to discuss the rights and benefits of connected app workers. The inquiry will examine worker classification and protection regulations for platform-based employment, addressing competitive implications of labor practices in the gig economy.

Data governance

Europe

The European Commission advanced several consultations on data governance initiatives, including on the development of a Digital Product Passport system under the Ecodesign for Sustainable Products Regulation, which will standardize data collection and sharing for product sustainability information. The Commission also advanced consultations on technical descriptions for critical products under the Cyber Resilience Act, the revision of the Cybersecurity Act, and implementing regulations on notification procedures for qualified trust services. Further, the European Data Protection Board initiated consultations on guidelines for processing personal data through blockchain technologies, focusing on data protection impact assessments.

At the international level, the European Union and Singapore published their Digital Trade Agreement, which includes provisions on cross-border data transfers, cybersecurity, interoperability requirements, and consumer protection through transparent digital marketing and user redress rights. The European Union and Japan adopted a declaration on data protection and data flows, reinforcing cooperation on privacy standards and facilitating secure cross-border transfers.

France’s National Commission for Information Technology and Civil Liberties announced an inquiry into browsing session recording and replay tools, examining the privacy implications of user activity tracking.

Germany’s Consent Management Ordinance entered into force, setting recognition criteria for independent, user-friendly consent services as alternatives to cookie banners. Further, the Hamburg Commissioner for Data Protection published guidelines on the European Data Act, clarifying implementation requirements for data sharing and access provisions. Finally, the State Commissioner for Data Protection and Freedom of Information Mecklenburg-Western Pomerania issued a warning to public bodies against using third-country cloud computing providers, addressing cross-border data transfer risks.

The Italian Data Protection Authority opened an investigation into Lusha Systems over alleged unauthorized processing of contact data. Additionally, the Communications Regulatory Authority adopted a Regulation for the Protection of Minors in the Digital Environment, requiring platforms to verify users' age using certified third parties for content access. In an international development, the United States and Italy adopted a joint leaders' statement to strengthen their strategic alliance across security, economic, and technological issues, focusing on emerging technologies and data security in critical sectors.

The United Kingdom’s Department for Science, Innovation & Technology published a policy statement on the Cyber Security and Resilience Bill, broadening regulatory scope and enhancing cyber regulators' powers. The Information Commissioner's Office (ICO) published the results of its review into Children's Data Protection in the Financial Services Sector, recommending improvements in privacy practices and marketing distinctions to enhance compliance. The ICO also disclosed Transfer Risk Assessments for several technology providers, including Canva, Grammarly, Nasstar Calabrio, and Workday, providing transparency on cross-border data transfer risk evaluations. At the bilateral level, Japan's Personal Information Protection Commission and the United Kingdom's Department for Science, Innovation and Technology signed a joint statement on data adequacy, strengthening the bilateral framework for data transfers.

Asia and Australia

Australia’s Department of Home Affairs banned the use of Kaspersky software on government devices, citing security concerns over potential foreign influence. All Kaspersky products and web services must be removed from government systems. The Office of the Information Commissioner issued an update on the development of the Children's Online Privacy Code, addressing data protection for platforms serving minors and establishing enhanced safeguards for children's information. At the international level, the ASEAN-Australia-New Zealand Free Trade Agreement (AANZFTA) entered into force with several digital provisions, including a prohibition on data localization requirements, enhanced interoperability standards, and a strengthened consumer protection framework for digital services.

China’s National Data Administration announced the establishment of the National Data Development Research Institute, creating a centralized authority to drive research, policy recommendations, and international collaboration on data integration, sharing, and strategic development. The Administration also launched consultations on several model contracts for data processing activities, including templates for providing data to recipients, commissioned data processing, data merging, and data intermediary services.

Further, the Cyberspace Administration of China closed its consultation on the second draft of the Cybersecurity Law and released guidelines on data outbound security management policy, addressing cross-border data transfers. The State Administration for Market Regulation also implemented a national standard on data security technology for internet platforms and product service personal information processing, setting rules to strengthen user data protection and regulate service practices.

Meanwhile, several national cybersecurity standards entered into force, including a batch of nine standards covering various aspects of information security. The National Information Security Standardisation Technical Committee initiated consultations on multiple cybersecurity standards, including binary sequence randomness detection, secret sharing mechanisms, SM9 cryptographic message format, and quantum key distribution.

India’s Ministry of Finance, Ministry of Electronics and Information Technology, and the Computer Emergency Response Team released the Digital Threat Report 2024, outlining cybersecurity threats and regulatory recommendations for the financial services sector.

South Korea’s President signed the Personal Information Protection Act, including a domestic representative requirement. The Personal Information Protection Commission fined KT Alpha for insufficient safeguards concerning a credential stuffing breach affecting 98,000 users and ClassU for a data breach affecting 1.6 million users due to poor security, ordering stronger safeguards.

Meanwhile, the Korea Communications Commission announced evaluations of telecom and online service providers, including assessments of data protection risk management practices across 47 companies, including Temu and Facebook.

The Saudi Data and AI Authority concluded a consultation onGeneral Rules for Secondary Use of Data and continued consultations on amendments to the Implementing Regulation of the Personal Data Protection Law, addressing bothdata protection andbusiness registration requirements for data controllers.

Turkey’s Personal Data Protection Authority issued aguide on the protection of personal data in the payment and electronic money sector, focusing on the roles of data controllers and processors, legal bases for data processing, and rules for data transfers.

Americas

Argentina introduced a bill to amend its data protection law, strengthening individual rights, processing conditions, and safeguards for sensitive and inferred data.