The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of August 2025 in four core areas of digital policy.

• Content moderation, including India's ban on online games with real-money stakes, Brazil’s bill on protecting children online, the implementation of the European Media Freedom Act, and France’s enforcement action against Kick.
• AI regulation, including the UN General Assembly’s resolution on the AI Scientific Panel and Global Dialogue, the implementation of obligations for general-purpose AI in the EU, and China’s guidelines for identifying AI-generated content.
• Competition policy, including the first review of the EU Digital Markets Act, China’s proposed rules on internet platform prices, and enforcement cases against large technology firms in Australia, India, Turkey, and the UK.
• Data governance, including the implementation of the UK’s Data (Use and Access) Act, China's cybersecurity standards framework covering AI and critical infrastructure, Brazil's continued ban on Tools for Humanity (Worldcoin), and Canada's case against Google.

Content moderation

Europe

The European Union’s Media Freedom Act entered into force. The Act establishes transparency rules regarding media ownership and introduces safeguards against the "unjustified removal" of content produced by media providers that meet the "editorial standards." Very large online platforms, as defined in the Digital Services Act, must notify media providers of any alleged terms of service violations and explain the reasons before removing their content. Platforms are required to give media service providers 24 hours or less in case of an emergency to respond before deleting the content. The Act also establishes the right of customization of the media offer, which will enter into force in May 2027.

The French government adopted two decrees implementing the obligations under the Law on Securing and Regulating the Digital Space. The first decree requires online platforms with 10 million unique monthly visitors from French territory to retain reported and removed illegal content. The second decree mandates the display of warnings for content simulating rape for producers of pornographic audiovisual works and online platforms hosting such content. The Regulatory Authority for Audiovisual and Digital Communication (ARCOM) confirmed that six pornographic websites, out of 17 designated in February 2025, complied with age verification requirements. Previously, ARCOM issued formal compliance notices to five Cyprus-based pornographic websites for alleged non-compliance. Separately, the Ministry for AI and Digital Affairs filed a lawsuit, and the Paris Prosecutor’s Office opened a criminal investigation into Kick, after a streamer died during a live stream on the platform.

A bill was introduced in the Russian State Duma to broaden content restrictions on online platforms to ban obscene and offensive language. Additionally, the Ministry of Digital Development opened consultation on a draft law for combating offenses committed using information and communication technologies.

The United Kingdom’s Office of Communications (Ofcom) issued a provisional notice of contravention to 4chan for failing to meet its illegal content duties. Meanwhile, the High Court rejected the Wikimedia Foundation’s challenge to its classification as a “category 1 service” under the Online Safety Act. Finally, 4chan, Gab, and Kiwi Farms filed a lawsuit in Washington, challenging the enforcement of the Online Safety Act against platforms based in the United States.

Asia and Australia

The Australian eSafety Commissioner issued a report on how eight companies, including Apple, Google, Meta, and WhatsApp, address child sexual exploitation, abuse, and sexual extortion under the Online Safety Act. It found gaps in detection, reporting, and response across platforms, including livestreams, emails, and direct messages. The report also warned of risks from AI-generated synthetic abuse content. Additionally, the eSafety Commissioner issued an official notice to the OmeTV app over alleged non-compliance with the Relevant Electronic Services Industry Standard regarding required child safety features.

The State Administration for Market Regulation of China consulted on the draft measures on supervision and administration of live e-commerce, requiring platforms to ensure food safety claims and promotions meet legal standards. The Cyberspace Administration also announced continued promotion of the "license and display"initiative for internet news and information services, requiring platforms to display proper licensing credentials.

The President of India signed a bill prohibiting online games with real-money stakes, including fantasy sports and card games. The bill bars banks and payment providers from handling related transactions and empowers authorities to block access to non-compliant platforms. The implementation date will be established by the government. In a separate case, the Delhi High Court ordered the blocking of Sci-Hub and Sci-Net for repeated copyright infringements.

Japan’s Ministry of Internal Affairs and Communications’ order designating Pinterest, CyberAgent, Shonan Seibu Home, and Dwango as large-scale specified telecommunications service providers comes into effect. The platforms are required to submit notifications regarding content moderation practices and user safety measures.

The Republic of Korea’s Fair Trade Commission opened a consultation on consumer protection guidelines in e-commerce, establishing recommendations regarding dark patterns, consent, pricing transparency, fair choice architecture, and accessible cancellation processes.

Americas

The Brazilian Senate adopted a bill on the protection of minors in digital environments. The bill requires providers of services deemed inadequate or legally restricted for children to implement age verification mechanisms to restrict access. In addition, the bill requires preventive and protective measures, including restrictions on the profiling of minors and the establishment of accessible content reporting mechanisms. Providers with over one million users under 18 must further publish semi-annual transparency reports on content moderation, data protection, parental consent, and risk assessments. Throughout August, over 30 other child online protection bills were introduced in the Chamber of Deputies. They ranged from criminalizing the “adultization” of minors’ images to requiring the notification of authorities regarding criminal content, to demanding children’s risk assessments, to requiring content removals without court orders.

Regarding enforcement, the Attorney General and the Office of the Solicitor General ordered Meta to remove chatbots on Instagram and Facebook using child-like language in erotic contexts and to report on measures to prevent minors’ access to sexual content.

Artificial Intelligence

International

The UN General Assembly adopted a resolution on the establishment of an Independent International Scientific Panel on AI and the launch of the Global Dialogue on AI Governance. Additionally, the Asia-Pacific Economic Cooperation adopted the Digital and AI Ministerial Statement, emphasizing secure and responsible AI use to support innovation, productivity, and economic development.

Europe

The provisions of the European Union’s AI Act establishing obligations regarding general-purpose AI (GPAI) and requiring Member States to designate and empower national competent authorities entered into force. Providers placing GPAI models on the EU market must maintain technical documentation, provide training dataset summaries, publish model evaluations, and comply with EU copyright law. Models identified as posing systemic risks must be reported to the European AI Office with documented risk assessments, mitigation measures, and serious incident reports. Non-EU providers are required to appoint a representative to retain documentation and cooperate with authorities. Additionally, the European Commission and AI Board determined that the General-Purpose AI Code of Practice is an adequate voluntary tool for demonstrating compliance with AI Act requirements. The code specifies obligations on quality of service, transparency in performance monitoring, copyright, and testing.

Several provisions of the United Kingdom’s Data (Use and Access) Act came into force. The Act requires the Secretary of State to prepare and publish a report on the use of copyrighted works in the development of AI systems. The report must also address disclosure duties, enforcement mechanisms, and overseas AI systems.

Asia and Australia

The Productivity Commission of Australia opened a consultation on its interim report on harnessing data and digital technology. The report proposes outcomes-based AI regulation, new pathways to expand data access, an alternative compliance option under the Privacy Act, and mandatory digital financial reporting. It also suggests introducing fair dealing exceptions for text and data mining in AI training.

The State Council of China released opinions on deepening the implementation of the AI Plus Action. It sets national priorities for AI development and integration across sectors. Additionally, the Ministry of Industry and Information Technology and other departments released a draft of new trial rules for governing AI ethics in research and development. The National Information Security Standardisation Technical Committee (TC260) adopted six guidelines on identifying AI-generated content in line with previous measures and a national standard on labeling methods, which come into effect in September 2025. The guidelines set out methods for implicit metadata identification of synthetic text, images, audio, and video, along with metadata protection and detection frameworks. The TC260 also opened a consultation on AI security standard application practice cases and closed the consultation on the standard on network security, addressing software provider requirements for AI security systems.

The Reserve Bank of India released a report on responsible AI use in the financial sector. It sets seven principles and 26 recommendations across infrastructure, governance, risk mitigation, and consumer protection.

Saudi Arabia’s Data and AI Authority released areport on Agentic AI outlining its core capabilities, applications in sectors such as healthcare and education, and its evolution. It reviews global policy approaches, the national initiatives, and challenges such as transparency, cybersecurity, and ethics. The report proposes a governance framework and a four-phase adoption roadmap to support safe and responsible deployment.

The Republic of Korea’s Personal Information Protection Commission released guidelines for personal information processing in generative AI development and deployment. The guidelines provide a framework for lawful data use throughout the AI lifecycle and cover processing goals, training safeguards, deployment procedures, and technical safeguards.

Americas

A bill on personal data protection in AI systems was introduced to Argentina’s Chamber of Deputies. The bill establishes transparency obligations, requires risk evaluations with mandatory registration for medium to high-risk systems, and empowers authorities to conduct audits and impose sanctions, including fines.

Competition

Europe

The European Commission opened a consultation on the review of the Digital Markets Act (DMA) to assess its effectiveness in ensuring contestable and fair digital markets. The review covers gatekeeper obligations, designation and compliance processes, emerging challenges such as AI-powered services, and options for administrative simplification. In parallel, the Commission’s decision under the DMA requiring Apple to improve interoperability for third-party developers and device manufacturers was published. Separately, the Commission conditionally approved Naspers’ acquisition of Just Eat under the EU Merger Regulation.

At the national level, the Irish Competition and Consumer Protection Commission approved Equinix’s acquisition of BT Datacentres. In Poland, the Competition Authority found Booking in breach of consumer rights rules for using ambiguous terms of service. Meanwhile, the Danish Competition and Consumer Authority stated that Uber was required to notify its merger with Greenfleet Holding (Dantaxi).

The Competition Authority of Turkey opened an investigation into Google over alleged abuse of dominance in Play Store billing practices. The investigation examines whether Google forces developers to use Google Play Billing and blocks them from informing users about alternative payment methods.

The United Kingdom’s Competition and Markets Authority (CMA) opened a consultation on a revised markets regime guidance introducing a framework focusing on pace, predictability, proportionality, and process with project roadmaps. Additionally, the CMA released guidance on business collaboration under the Competition Act, clarifying the chapters on prohibition on anticompetitive agreements and on abuse of dominance. Finally, the CMA also closed consultation on proposed decisions to designate both Google and Apple as having Strategic Market Status under the Digital Markets, Competition and Consumers Act. The consultation sought feedback on the proposed competitive constraints, market power, and barriers to entry.

Asia and Australia

The Australian Competition and Consumer Commission (ACCC) accepted commitments from Google, including an AUD 55 million penalty, to address concerns that its contractual practices restricted competition in the Australian search engine market. Google agreed to let device makers and mobile operators set any default search engine, license Google Mobile Services separately, and avoid restrictions on third-party search services, except in Chrome. The ACCC found Google’s agreements with manufacturers and operators risked limiting rivals’ distribution since 2017, though Google did not admit all findings but committed to a compliance programme.

The State Administration for Market Regulation of China (SAMR) opened consultation on draft measures revising complaint and report handling procedures. The draft updates the Consumer Rights Protection Law rules on complaints, non-acceptance notices, and misuse of complaints. Additionally, SAMR, alongside other departments, opened a consultation on rules on internet platform pricing. The rules define price conduct and establish legality, fairness, and transparency principles. The rules also prohibit algorithmic price discrimination, collusion, and hoarding, with a five-year application period aimed at promoting structured platform economy development.

The Competition Commission of India advanced several enforcement actions against Google. The Commission opened investigations into Google's alleged abuse of dominance in ad-tech intermediation services and online display advertising services. The Commission simultaneously closed its investigation into Google's online search advertising after finding the issues raised mirrored previously adjudicated cases with no new circumstances. The Commission also closed its consultation on Google’s commitments addressing Winzo Games’ complaint over the exclusion of Real Money Games from Google Play and the selective onboarding of Daily Fantasy Sports. Google proposed to allow distribution of all lawful real-money games certified by third parties, permit advertising of certified skill games, and introduce uniform eligibility criteria.

The Republic of Korea’s Fair Trade Commission fined accommodation platforms Nol Universe KRW 540 million and YeogiEottae KRW 1 billion for abusing their bargaining power with service providers. Both platforms are also required to adjust their business practices to prevent future anti-competitive conduct. The Commission also closed the consultation on Google's commitments over alleged anti-competitive bundling of YouTube Premium and YouTube Music Premium. Google committed to price freezes on existing products and KRW 30 billion in support measures, including extended trials, reseller discounts, and funds for the domestic music industry.

Data governance

Europe

The European Commission’s delegated regulation under the Radio Equipment Directive entered into force, expanding obligations to radio equipment that processes personal, location, or traffic data. It establishes cybersecurity, privacy, and anti-fraud requirements that manufacturers of devices such as mobile phones and fitness trackers must follow when designing and producing products for the EU market. The Commission also concluded consultations on the European Biotech Act, the draft implementing regulation outlining peer review rules for national cybersecurity certification authorities, and the implementing regulation amending the cybersecurity certification scheme.

At the Member State level, the Austrian Federal Administrative Court upheld the Data Protection Authority's decision against Der Standard media group for violations related to "pay-or-consent" mechanisms in online advertising. The decision found bundled consent to be invalid under the General Data Protection Regulation (GDPR), requiring granular user choices.

Germany’s Federal Commissioner for Data Protection and Freedom of Information closed a consultation on data protection-compliant handling of personal data in large language models. The Commissioner also released an updated Information Brochure on the GDPR and Federal Data Protection Act. Meanwhile, a German regional court rejected an emergency application against Meta regarding the use of customer data for AI training. The Court noted Meta’s prior notifications, delay in filing, and held that GDPR violations must be addressed in the main proceedings.

Italy’s Data Protection Authority issued an order requiring the immediate removal of private audio content from YouTube and Instagram, citing breaches of data protection principles and rights. The order mandates deletion, bans further dissemination, and warns of fines for non-compliance.

Turkey’s Personal Data Protection Authority announced an investigation into Biletal regarding a data breach, affecting about 7,800 customers, after stolen data was offered for sale online.

Several provisions of the United Kingdom’s Data (Use and Access) Act came into effect along with the first commencement regulations. These include measures enabling access to customer and business data for smart data schemes and the obligation to report data breaches to the Information Commissioner’s Office (ICO) without undue delay, and where possible, within 72 hours of becoming aware of them. The provisions concerning the ICO’s duties to establish panels for codes of practice, among others, also become applicable. The ICO issued draft guidelines to support implementation, opening consultations on recognized legitimate interest as a lawful basis for data processing, complaints, and a framework for handling data protection complaints. The ICO also issued draft guidance for distributed ledger technologies, clarifying compliance obligations, controller–processor roles, and the use of privacy-enhancing technologies. Finally, the ICO closed its consultation on online advertising regulation under the Privacy and Electronic Communications Regulations.

Asia and Australia

The Australian Information Commissioner filed civil penalty proceedings in the Federal Court against Optus under the Privacy Act. Optus allegedly failed to take reasonable steps to prevent a 2022 breach affecting 9.5 million people. Each contravention carries penalties of up to AUD 2.22 million. Meanwhile, the Australian Signals Directorate and Department of Industry, Science and Resources released guidelines on managing cryptographic keys and secrets, recommending management plans, secure generation and storage, access controls, certificate trust chains, and auditing for oversight.

China implemented several regulations relating to data governance. The general framework for confidential computing sets standards for trusted execution environments, defining a layered architecture with mechanisms such as secure boot, remote attestation, encrypted storage, and isolated computing. The regulations on the use of commercial encryption in critical information infrastructure require certified encryption, regular security assessments, and reporting obligations. The administrative penalty measures standardize how authorities impose fines.

The National Information Security Standardisation Technical Committee (TC260) adopted standards covering public key infrastructure security, timestamp specifications, cybersecurity risk management, and security frameworks for AI computing platforms. TC260 also opened consultations on network security authentication and authorization, third-party resource authorization, personal information anonymization, and security in the Internet of Things. TC 260 also closed consultations regarding entity authentication, storage security, and personal data protection in scan-to-order services. Finally, TC260 approved 28 national cybersecurity standards related to automotive data, cryptography, IoT, industrial control, satellite internet, AI security, personal data protection, and blockchain systems.

Finally, the Ministry of Industry and Information Technology issued notices to mobile and software applications for violating data governance and personal information protection rules.

Japan’s Personal Information Protection Commission announced an inquiry into how 17,000 small and medium enterprises manage personal data security to assess current practices and inform future policy measures.

The Republic of Korea implemented the Communications Secrets Protection Act, which establishes procedures for government data access requests, biannual reporting requirements, three-year retention periods, and compliance fines. The Personal Information Protection Commission closed the consultations on uniform internet network blocking, standards for cross-border privacy rules certification, notification requirements for combination and external transfer of pseudonymized data, and safety standards. Regarding enforcement, the PIPC imposed a fine of KRW 134.791 billion and a KRW 9.6 million penalty on SK Telecom for violating personal information protection laws following a data breach affecting 23 million users.

Americas

A bill on the succession of digital assets was introduced in the Brazilian Chamber of Deputies. It defines digital assets as including virtual currencies, social media accounts, digital content rights, and online financial data, and sets rules for their inheritance. Additionally, the National Data Protection Authority upheld a ban on Tools for Humanity (Worldcoin), citing concerns that monetary rewards undermine genuine consent.

Canada’s Office of the Privacy Commissioner found Google non-compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) for not following the Commissioner's recommendation to de-list specific articles from search results where harm to the complainant's safety and dignity outweighed public interest in access. Additionally, the Commissioner adopted guidance for businesses processing biometrics under PIPEDA, providing private-sector organizations with requirements for the collection, use, disclosure, retention, and safeguarding of physiological and behavioral biometric information. Finally, the OPC closed its consultation on the development of a Children's Privacy Code under PIPEDA.