Global Digital Policy Roundup: January 2026

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of January in four core areas of digital policy.

• Content moderation, the European Commission's designation of WhatsApp as a very large online platform, France's bill prohibiting minors under 15 from accessing social networks, and enforcement cases from Australia, Indonesia, India, and South Korea against X.
• AI regulation, including the European Union's regulation on AI gigafactories, South Korea's Framework Act on AI, China's cybersecurity standards for AI chips, and Brazil's court suspension of order against Meta's AI service integration.
• Competition policy, including the European Commission's specification proceedings against Google under the Digital Markets Act, the UK's conduct requirements for Google, and enforcement actions against Coupang in South Korea.
• Data governance, including the European Commission's cybersecurity package, China's Cybersecurity Law Amendment, the UK's implementation of the Data (Use and Access) Act, and enforcement actions against X in Canada.

Content moderation

Europe

The European Union's Regulation on the safety of toys and the revised Alternative Dispute Resolution Directive entered into force with a grace period. The regulation requires all toys placed on the EU market, including those sold online, to comply with updated safety and quality standards and to carry a Digital Product Passport, to prevent unsafe products from entering the market. The revised directive updates and streamlines procedures for resolving consumer–trader disputes outside the courts. Furthermore, the European Union Agency for Fundamental Rights published a report assessing the impact of the Regulation addressing the dissemination of terrorist content online. It examines how the one-hour removal requirement and related obligations affect freedom of expression, and recommends reviewing legislative definitions and providing clearer guidance to avoid general monitoring of online content.

The European Commission opened a consultation on the development of an action plan addressing online fraud, and began examining the European Citizens' Initiative Stop Destroying Video games, which calls for EU legislation preventing publishers from remotely disabling video games sold to consumers.

In enforcement, the European Commission designated WhatsApp as a very large online platform under the Digital Services Act (DSA), subjecting the service to additional obligations, including requirements related to risk assessment and transparency reporting. The Commission also opened a formal investigation into X’s compliance with its obligations to conduct risk assessments and mitigate identified risks before deploying Grok’s functionalities on the platform. In addition, the Commission expanded its existing investigation into X to assess whether the platform has adequately identified and mitigated systemic risks under the DSA in relation to its recommender systems, following its announced switch to a Grok-based recommender system.

At the member-state level, the President of Poland vetoed the bill that would have implemented the DSA and designated national competent authorities. The Netherlands Authority for Consumers and Markets opened an investigation into Roblox over alleged risks to minors under the DSA, examining whether the gaming platform adequately protects young users from harmful content and practices. In Ireland, the High Court certified X’s appeal against the Media Commission’s Online Safety Code provisions, recognizing questions of exceptional public importance regarding their compatibility with EU law and the Digital Services Act.

The French National Assembly passed a bill to prohibit minors under 15 from accessing online social network services. The bill would also classify profiling-based recommendations for minors as editorial activity, ban targeted advertising to minors, and require warnings on promotions. The French government reported the deepfakes generated by Grok for immediate removal and referred the matter to the Regulatory Authority for Audiovisual and Digital Communication to assess potential breaches of the DSA regarding illegal content.

The Italian Communications Regulatory Authority adopted the list of general interest services specifying the audiovisual and radio services that must be given prominence on connected devices and television platforms to ensure their discoverability by users.

In Russia, a bill on the prevention and control of offenses related to the distortion of historical truth was introduced to the State Duma. It would give authorities the power to engage with individuals allegedly spreading historical misinformation, with the aim of addressing foreign influence and propaganda.

In Turkey, the bill on the protection of children and young people in the digital environment was introduced to the Grand National Assembly. The bill establishes age verification requirements for digital services,content moderation obligations for platforms accessible by minors,design requirements including child-safe default settings, andprohibitions of certain services harmful to children. Separately, the Ministry of Family and Social Services announced a draft omnibus bill addressing social media regulation for children under 15, proposing restrictions on minors' access to social media platforms.

In the United Kingdom, the amended regulations designating cyberflashing and the encouragement or assistance of serious self-harm as priority offenses entered into force. Online service providers must treat these offenses as a priority under their illegal content duties, including preventing misuse of their services and removing or limiting user exposure in line with the Office of Communications (Ofcom)’s codes of practice. The Secretary of State also adopted the commencement regulations no. 5, bringing several measures of the Data (Use and Access) Act into force. The regulations make it an offence to produce or request the production of intimate images of an adult without consent or a reasonable belief in consent.

Additionally, Ofcom opened consultations on the draft code of practice for regulated television selection services and on the proposed removal of listed events conditions from broadcast licenses. It also published guidance on age verification for pornography sites, detailing where and how checks must be implemented to prevent access by minors. In addition, Ofcom released interim guidance on super-complaints under the Online Safety Act, explaining how eligible entities can raise systemic concerns about platform conduct.

In enforcement actions, Ofcom informed a suicide forum provider of its intent to issue a notice of contravention over potential failures to assess illegal content risks and expanded its investigation into Sun Social Media. It also issued an information notice to First Time Videos for failure to respond to a previous notice regarding the implementation of age verification mechanisms and concluded its compliance remediation with Snap. Additionally, Ofcom opened an investigation into X over alleged failure to protect users and children from illegal and harmful content, including concerns about AI-generated material distributed through the platform. Finally, Ofcom also announced an investigation into Novi regarding its generative AI services, examining alleged failure to implement effective age assurance measures.

Australia and Asia

The Australian eSafety Commissioner issued a notice raising concerns over the use of Grok in X, citing alleged risks of sexualised and exploitative content generation, including potential child sexual exploitation material. The notice requested information on safeguards implemented to prevent harmful outputs from the AI system.

China’s Ministry of Public Security opened a consultation on the Law on Prevention and Control of Cybercrime, which sets rules for monitoring and blocking illegal or false information by service providers, search engines, and AI platforms. The law also requires AI-generated content to be clearly marked and restricts the inappropriate naming of websites and apps. Furthermore, the Cyberspace Administration adopted the classification measures regarding the online information that may affect the physical and mental health of minors. The measures establish categories for content deemed potentially harmful to young users and require platforms to implement appropriate access restrictions.

In Indonesia, the Criminal Code came into force, establishing the offenses that can be committed using information technology, including insulting government figures or institutions, inciting violence or hate crimes, facilitating criminal activity, and distributing unlawfully recorded images. The regulation on game classification also took effect, introducing a system for registering, classifying, and displaying game content. The Ministry of Communications and Digital Affairs consulted on the draft implementing rules for the regulation concerning governance of electronic systems, addressing age verification and parental consent requirements for digital services. Regarding enforcement, the Ministry of Communications and Digital Affairs has temporarily suspended access to the Grok and requested clarification from X regarding potential negative impacts associated with its use.

India’s Ministry of Electronics and Information Technology opened an investigation into X over alleged misuse of Grok to generate and share obscene content, reviewing the platform’s compliance with intermediary guidelines and content moderation obligations.

In South Korea, a bill to prohibit value-added service providers from using dark patterns in the design and operation of online interfaces was introduced to the National Assembly. Specifically, the amendment prohibits practices that interfere with users’ rational decision-making, including making cancellation procedures more complex than the subscription process without justifiable cause, or limiting cancellation to methods other than those used at the time of subscription.

In enforcement, the Media and Communications Commission ordered X to establish safety measures to protect youth in relation to its Grok AI chatbot service, requiring implementation of age verification and content filtering before the service could continue operating.

Americas

In Argentina, a bill to establish a comprehensive protection system for consumer rights was introduced to the Chamber of Deputies. It would require platforms to verify provider information, ensure accurate listings, maintain records, and enable user reporting. Platforms and providers would share liability for breaches, defective products, regulatory violations, and unpaid import duties.

In Brazil, the National Data Protection Authority, the Federal Public Prosecutor's Office, and the National Consumer Secretariat issued joint recommendations to X regarding the generation of non-consensual sexual synthetic content by Grok, requiring the company to implement safeguards against image-based abuse and establish mechanisms for victims to request content removal.

The Federal Court of Canada set aside the order to wind up TikTok's operations following the Department for Innovation, Science and Industry Development's investigation under the Investment Act. The Court remitted the matter for a new review, finding procedural deficiencies in the original decision-making process that required reconsideration.

Artificial Intelligence

Europe

The Council of the European Union regulation on AI gigafactories came into force, allowing the European High Performance Computing Joint Undertaking to acquire and operate AI-optimized supercomputers to support AI development and innovation in Europe. The European Parliament adopted a resolution on copyright and generative AI, calling for remuneration to protect creators’ rights while enabling AI innovation. The resolution recommends that the European Union Intellectual Property Office manage a central register for opt-outs and licenses and calls for transparency and source documentation from AI providers regarding all copyright-protected works used for training or fine-tuning.

The European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the Digital Omnibus on AI, evaluating proposed AI Act amendments and their implications for data protection and regulatory consistency. The Commission opened a consultation on the Open Digital Ecosystem Strategy, focusing on cybersecurity for AI systems and cloud infrastructure. The EU and Vietnam adopted a joint statement upgrading their relations to a Comprehensive Strategic Partnership, including provisions for cooperation on AI development, digital infrastructure, and cybersecurity standards.

The French Competition Authority opened a consultation on an ex officio inquiry into the competitive functioning of the conversational agent sector, examining market dynamics for AI chatbots and potential concerns regarding vertical integration, data access, and cloud computing dependencies.

In Turkey, abill to amend the Law on the Protection of Personal Data to introduce an administrative fine for social media services and digital platforms permitting the sharing of AI-generated content without the consent of the represented person was introduced to the Turkish Grand National Assembly.

The United Kingdom Treasury Committee published its final report concluding its inquiry into AI in financial services, examining the opportunities and risks of AI deployment in banking, insurance, and investment services. The report also makes recommendations on algorithmic accountability, non-discrimination, and regulatory oversight.

Australia and Asia

The Australian Cyber Security Centre published guidance on managing cybersecurity risks of AI for small businesses, providing recommendations on secure deployment of AI tools, data protection, and supply chain considerations.

The Cyberspace Administration of China released the fifteenth batch of the domestic deep synthesis service algorithm filing list. The National Cybersecurity Standardisation Technical Committee (TC260) adopted the network security standard practice guide on technical specifications for security functions of AI acceleration chips, establishing cybersecurity requirements for AI hardware, including authentication, access control, and secure boot mechanisms. The TC260 also consulted on guidelines on general principles for AI application security, the AI application security for broadcasting and network audiovisual services, the user security for using AI services, and security for AI training data cleansing.

The Ministry of Industry and Information Technology issued the Action Plan for the High-Quality Development of Industrial Internet Platforms, establishing interoperability requirements and design standards for AI integration in industrial applications. The Ministry also closed its consultation on a proposed standard on metaverse classification and identification requirements for digital human identity, addressing user rights and authentication in virtual environments.

South Korea's Framework Act on the Development of Artificial Intelligence and Establishment of Trust-Based Foundations entered into force, establishing design requirements for AI systems, including safety and reliability standards, user rights, transparency, and explanation requirements, and governance provisions. The Enforcement Decree of the Framework Act also entered into force, implementing AI authority governance provisions. The Ministry of Science and ICT adopted guidelines to further clarify obligations. The guidelines set operational standards for transparency and explainability, provide technical and procedural guidance for safe AI deployment, establish frameworks for assessing AI system impacts, and define provider obligations and criteria for classifying high-impact AI systems. Separately, the Broadcasting and Media Communications Commission published legal guidance on telecommunications-related laws for AI service providers, clarifying how existing telecommunications statutes apply to AI services. Finally, the Special Act on the Promotion of AI Data Centres was introduced to the National Assembly, proposing tax relief measures to incentivize AI infrastructure investment.

Americas

In Brazil, the Federal District Court ordered the suspension of the interim preventive measure adopted by the Administrative Council for Economic Defence (CADE) against Meta. The measure concerned CADE’s investigation into alleged anti-competitive conduct related to AI service integration with messaging platforms, and the suspension allows Meta to continue its planned deployment pending a full review of the competition concerns.

Competition

Europe

The European Commission closed its consultation on the delegated regulation updating the list of designated trading venues with significant cross-border dimensions for market abuse supervision and refining indicators of market manipulation. In enforcement, the European Commission opened two specification proceedings to guide Google in complying with its obligations under the Digital Markets Act (DMA). The first focuses on providing third-party developers with free and effective interoperability with Android features, particularly those used by Google’s AI services, such as Gemini, ensuring that third-party AI providers have equal access and opportunities to innovate on mobile devices. The second concerns third-party search engine providers' access to anonymized ranking, query, click, and view data on fair, reasonable, and non-discriminatory terms, and eligibility for AI chatbot providers to enable genuine alternatives to Google Search.

Russia’s Federal Antimonopoly Service opened an investigation into telecommunications provider MTS concerning an alleged breach of a settlement agreement on mobile tariffs reached in a previous investigation. The new investigation examines whether MTS’s notification of tariff increases for February 2026 violated commitments made in the settlement agreement to provide subscribers with options regarding tariff reductions.

The Ministry of Trade of Turkey implemented previously notified 25.49% fee increases on administrative fines against e-commerce companies under Law No. 6563 for violations such as inadequate customer information, unclear contract terms, and unsolicited commercial messages.

The United Kingdom Department for Business and Trade opened a consultation on a draft order that would establish a category of technology transfer agreements exempt from the prohibition of anticompetitive agreements under the Competition Act. The Department also opened a consultation as part of an inquiry on refining the competition regime, which proposes to empower the Competition and Markets Authority (CMA) to require information about algorithms. Separately, the Office of Communications (Ofcom) opened a consultation on draft guidance on how regulated television selection services and designated internet programme services can act consistently with the Communications Act’s agreement objectives.

In enforcement, following Google’s designation as having strategic market status under the Digital Markets, Competition and Consumers Act, the CMA opened a consultation on proposed conduct requirements for Google search services. The possible measures include publisher controls in relation to Google’s AI overview, fair rankings of search results, choice screens on Android devices and the Chrome browser, and data portability. Separately, Ofcom opened an investigation into Meta to examine whether it provided inaccurate or incomplete information regarding the WhatsApp for Business messaging service in response to information provision notices.

Asia

In China, the Anti-Monopoly Commission of the State Council opened an investigation into market competition in the food delivery platform service industry to assess potential monopoly risks, collect information from operators and consumers, and consider measures to support compliance with market regulations. TheState Administration for Market Regulation announced an investigation into Trip.com, which provides several online travel services, over alleged abuse of the dominant market position.

South Korea’s Personal Information Protection Commission announced an investigation into e-commerce platform Coupang over alleged forced redirection advertisements, which redirected users to sponsored content without adequate user control. The Fair Trade Commission fined Yanadu KRW 5 million for misleading advertising of scholarship programmes, MyRealTrip KRW 500,000 for unfair terms and inadequate consumer protections, and imposed a corrective order and administrative fine on KT Corporation for deceptive pre-order advertisements that misrepresented product availability and delivery terms.

Americas

The Competition Bureau of Canada closed its consultation on updated guidelines outlining the Bureau’s enforcement approach to anti-competitive conduct and agreements in light of recent amendments to the Competition Act.

Data governance

International

The G7 Cyber Expert Group published a statement on advancing a coordinated roadmap for transition to post-quantum cryptography in the financial sector, establishing a framework to manage cryptographic risks introduced by quantum computing.

Europe

The European Commission introduced a cybersecurity package, including a proposal for the Cybersecurity Act 2, which updates the cybersecurity certification framework and introduces a Union-level supply chain security mechanism. Under the proposal, the suppliers identified as high-risk by the Commission would be excluded from public procurement procedures. The Commission would also be empowered to prohibit entities in sectors of high criticality and critical sectors from using, installing, or integrating ICT components from high-risk suppliers in key assets. Further, the proposed Act would update the mandate of the European Union Agency for Cybersecurity, making it the single entry point for cybersecurity reporting and responsible for issuing early cyber threat alerts. As part of the cybersecurity package,the Commission also proposed an amendment to the NIS2 Directive to align with the Cybersecurity Act 2, including updated criteria for essential entities and requirements for national member states authorities to integrate post-quantum cryptography transitions into their national security strategies. The European Commission also issued a proposal for the Digital Networks Act which consolidates and updates the regulatory framework for electronic communications infrastructure. The proposal includes authorization requirements for network and cloud infrastructure providers,user rights provisions ensuring access to services and transparency, and quality of service requirements for AI-related cloud computing and data center services.

The Regulation laying down additional procedural rules relating to the enforcement of the General Data Protection Regulation (GDPR) entered into force with a grace period. It establishes uniform admissibility standards for complaints, binding deadlines for lead supervisory authority decisions, and enhanced cooperation mechanisms between data protection authorities. Separately, the Commission’s decision recognizing Brazil as providing an adequate level of personal data protection entered into force. The decision allows transfers of personal data from the European Economic Area to Brazil without requiring additional safeguards.

The European Data Protection Board (EDPB) took a number of actions on cross-border data transfers. The EDPB adopted an informal cooperation procedure for data protection authorities to jointly approve ad hoc contractual clauses for international data transfers. Further, the EDPB opened a consultation on draft recommendations on processor binding corporate rules for EU businesses engaging in joint economic activities. Regarding the EU-US Data Privacy Framework, the EDPB updated the rules of procedure for the informal panel of EU Data Protection Authorities and published updated guidance for European businesses regarding the self-certification mechanism for US organizations.

The French National Commission for Information Technology and Civil Liberties imposed a total of EUR 42 million in fines against telecommunications providers FREE MOBILE and FREE for violations of cybersecurity obligations, finding that they failed to implement adequate security measures to protect subscriber data from a significant data breach affecting millions of customers.

In Germany, the Hamburg Commissioner for Data Protection and Freedom of Information published a questionnaire to guide data controllers in determining legitimate interest as a legal basis for data processing under the GDPR.

In Turkey, a bill that was introduced would prohibit game companies from processing personal or location data of children under 16 for commercial purposes. The Personal Data Protection Authority published a public announcement clarifying that consent for push notifications sent via mobile applications must be specific and that service-related notifications may not be conditioned on accepting marketing notifications.

The United Kingdom’s Department for Science, Innovation, and Technology issued the commencement regulations no.5, which will bring several provisions of the Data (Use and Access) Act into force in February 2026. The provisions update UK GDPR criteria for legitimate interest and purpose limitation, alter the information and response period requirements for controllers towards data subjects, and amend data protection by design requirements to include higher protection standards for children. Further, the commencement regulations will update the UK GDPR’s data transfer framework, fully implementing ministerial powers to issue regulations approving data transfers based on a data protection test, as well as revising the criteria for appropriate safeguards for data transfers. Finally, the commencement regulations will implement changes to the Information Commissioner’s enforcement powers under the Data Protection Act 2018, including giving the Commissioner the power to require data controllers and processors to prepare reports and attend interviews.

A parliamentary committee opened a consultation on the Cyber Security and Resilience Bill, aiming to collect evidence on the proposed expansion of cybersecurity obligations to additional sectors and enhanced incident reporting requirements. The Information Commissioner's Office (ICO) updated its guidance on international data transfers, including a revised test to identify restricted transfers. The ICO also closed its consultation on the Data Protection Enforcement Procedural Guidance, detailing its own procedures for using its investigatory and enforcement powers. In enforcement, theICO fined Allay Claims and ZMLUK for sending unsolicited marketing messages without valid consent for receiving direct marketing communications. Finally, the memorandum of understanding between Singapore and the UK on mutual recognition of IoT cybersecurity standards entered into force, allowing certified products to be sold in both countries without repeat testing.

Asia

China’s Cybersecurity Law Amendment entered into force, introducing increased penalties for violations, including fines of up to RMB 10 million for critical information infrastructure operators who fail to meet security requirements. Measures for the authentication of personal information exported abroad also entered into force, setting out the certification mechanism for cross-border personal data transfers. Further, the annual deadline set by the Cyberspace Administration of China (CAC) for platforms with significant numbers of minor users to submit audit reports under the Regulations on the Protection of Minors on the Internet passed.

The CAC opened a consultation on new draft regulations for mobile applications. The regulations would establish a framework for the collection and use of personal information by applications, establish listing requirements for app stores,app cybersecurity requirements, and create an enforcement framework sharing responsibility among multiple levels of government. The CAC also consulted on guidelines setting out how the four-tier cybersecurity data classification framework applies to financial information services. Finally, the CAC closed a consultation on its draft measures for network data security risk assessments.

Three mandatory standards for intelligent connected vehicles entered into force, covering security for electronic control units, safety for software-upgradable vehicles, and requirements for autonomous driving data collection systems. The National Information Security Standardisation Technical Committee (TC260) closed consultations on two practice guides, namely the guide on cross-border processing requirements for personal information in the Guangdong-Hong Kong-Macao Greater Bay Area, and the guide on database network security requirements. TC260 ran a further consultation on a practice guide on the industrial enterprise data security capability maturity model. TC260 further announced the commencement of drafting work on the first batch of cybersecurity standards for the year 2026. In enforcement, the Shanghai Municipal Cyberspace Administration published a batch of typical enforcement cases, including investigations of cybersecurity violations,data protection violations, and unauthorized data transfers.

The Constitutional Court of Indonesia issued rulings in two cases on the Personal Data Protection Law. It affirmed the constitutionality of Article 56 on cross-border data transfers, rejecting arguments that adequacy decisions require parliamentary approval. It also rejected a petition challenging the prohibition on unlawful disclosure of personal data on legal certainty grounds. The Ministry of Communication and Digital Affairs also held a clarification meeting with Meta over an alleged Instagram user data leak.

Japan’s Information and Communications Council opened a consultation on its draft second report on basic telecommunications services.

The Personal Information Protection Commission of South Korea announced an investigation into Coupang over alleged unauthorised analysis of CCTV footage of workers.

Americas

Brazil's National Data Protection Agency (ANPD) implemented a resolution recognizing the European Union as providing an adequate level of personal data protection for international data transfers. The ANPD also postponed the deadline for 37 technology companies, including Amazon, Apple, and Google, to submit information regarding their implementation of measures under the Law for the Protection of Children and Adolescents in Digital Environments.

The Office of the Privacy Commissioner of Canada expanded an ongoing investigation into X to include consideration of the data protection implications of the use of the chatbot Grok to generate deepfake images.