The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of July 2025 in four core areas of digital policy.

• Content moderation, including the European Commission’s guidelines on protecting minors, the UK’s mandatory age verification requirements, Australia’s regulations on “age-restricted” social media platforms, and China’s technical specifications for implementing minors’ mode.
• AI regulation, including the EU’s General-Purpose AI Code of Practice, Australia’s standards for government use of AI, China’s six draft guidelines on managing and identifying AI-generated content, and Italy’s investigation into Meta.
• Competition policy, including the UK’s implementation of the Digital Markets, Competition and Consumers Act, Japan’s enforcement regulations for the Smartphone Software Competition Promotion Act, and cases against Google in Turkey and TikTok in Indonesia.
• Data governance, including the UK’s commencement regulations for the Data (Use and Access) Act, Australia’s Children’s Online Privacy Code, China’s draft cybersecurity standards, and South Korea’s updated standards and guidelines following amendments to the Personal Information Protection Act.

Content moderation

Europe

The European Commission advanced the implementation of the Digital Services Act (DSA) through several regulatory measures. The Commission adopted the delegated regulation on data access under the DSA for very large online platforms (VLOPs) and very large online search engines (VLOSEs). In addition, the regulation establishing templates for transparency reporting under the DSA and the Voluntary Code of Practice on Disinformation, incorporated into the DSA, took effect. The Commission also adopted guidelines under the DSA on protecting minors online, establishing a framework for age assurance measures. As an interim measure, the Commission issued the EU age verification blueprint designed to offer a standardized, privacy-preserving way for users to prove they are over 18 when accessing restricted content, compatible with future European Digital Identity Wallets. Finally, the Commission opened a consultation on draft guidance on the implementation of the regulation concerning political advertising transparency and targeting.

Regarding enforcement, the Commission issued preliminary findings that Temu is noncompliant with the DSA due to insufficient assessment and mitigation of risks related to illegal products on its platform. Additionally, the Commission published results from a coordinated enforcement action evaluating compliance with the General Product Safety Regulation.

The French Council of State upheld the order requiring certain EU-based pornographic content providers to implement age verification mechanisms in accordance with the Law on Securing and Regulating the Digital Space and its implementing rules. The Court noted that the order protects minors without infringing on freedom of expression or privacy, and found no immediate serious harm to the plaintiff’s economic situation. Without assessing the order’s constitutionality, the Court reaffirmed the authority of the Regulatory Authority for Audiovisual and Digital Communication to sanction violations. In a separate case, the French Directorate-General for Competition, Consumer Affairs, and Fraud Control fined Shein EUR 40 million for misleading consumers about price reductions.

The Italian Communications Regulatory Authority (AGCOM) amended rules to expand the scope of dynamic injunctions under the Piracy Shield platform to allow all rightsholders of live and audiovisual content to request rapid blocking of infringing material. The amended rules cover a wide range of service providers, including VPNs and search engines, and require reporters to act diligently to avoid overlocking. The resolution also allows for the unblocking of inactive or non-infringing resources and aligns national rules with the DSA. Additionally, AGCOM adopted a code of conduct for influencers, establishing obligations for content creators regarding transparency, advertising disclosure, and compliance with broadcasting standards. Finally, AGCOM issued an order setting the fair compensation Meta must pay to the GEDI publishing group for the use of its journalistic content on Facebook. The amount was based on Meta’s ad revenues linked to GEDI content, adjusted for redirect traffic benefits, with a rate of up to 70%.

The Russian State Duma amended a bill to introduce fines for deliberately searching for extremist content online, including via VPNs. The bill also penalises advertising tools that bypass access restrictions. Additionally, the European Court of Human Rights ruled in Google v Russia that imposing over RUB 28 billion in fines for not removing and restoring YouTube content violated Google’s freedom of expression. The Court found the measures disproportionate, lacking a legitimate aim. It also held that Russia violated the Convention for the Protection of Human Rights and Fundamental Freedoms by enforcing penalties based on flawed procedures.

The age verification obligations under the United Kingdom’s Online Safety Act and its implementing rules entered into force. User-to-user and search services were required to assess whether children are likely to use their platforms. Where this was the case, providers had to conduct a children’s risk assessment and comply with the Office of Communications’ (Ofcom) Protection of Children Codes of Practice. From 25 July, platforms accessible to children are required to deploy “highly effective age assurance” measures such as biometric facial age estimation, government-issued ID with selfie matching, or credit card verification to restrict access to primary priority content, including pornography and material that promotes self-harm, suicide, or eating disorders. The Codes further require platforms to adjust their algorithms to block or suppress particularly harmful content, such as bullying, hate, misogyny, or violence, especially within personalised recommendation systems, even where such material already breaches the platform’s terms of service. Ofcom also launched a programme focused on children’s risk assessment duties and opened formal investigations into 8579 LLC, AVS Group, Trendio, and Kick Online Entertainment, which collectively operate 34 pornography sites, to assess compliance with the age verification obligations.

Asia and Australia

The Australian Minister for Communications issued regulations clarifying which services are exempt from classification as age-restricted under the Online Safety Act. From December 2025, platforms designated as “age-restricted,” such as Facebook, Instagram, Snapchat, TikTok, X, and YouTube, must prevent users under 16 from creating accounts. Additionally, the Federal Court upheld the eSafety Commissioner’s infringement notice against X, confirming it was bound by Twitter’s obligations under the Online Safety Act. In a separate case, the Administrative Review Tribunal overturned the eSafety Commissioner’s removal notice sent to X regarding a social media post, for not meeting the Online Safety Act’s threshold for cyber-abuse targeting an Australian adult.

The Cyberspace Administration of China (CAC) implemented the measures on national network identity authentication for public services. The measures encourage online platforms to integrate with public services to facilitate online identity verification. The CAC also issued enforcement guidelines on the application of the Advertising Law, providing standards for commercial content moderation. The National Cybersecurity Standardisation Technical Committee (TC260) opened consultations on two draft national standards on technical requirements for implementing “minors’ mode” and on graded personal information protection requirements for products and services aimed at minors. Regarding enforcement, the CAC concluded actions against fraudulent accounts and launched investigations into those spreading false, unlawful, or defamatory content online. The Internet Information Office detailed measures taken under the campaign targeting harmful content and malicious marketing on short video platforms such as Douyin, Kuaishou, and Weibo.

The Ministry of Information and Broadcasting of India announced the blocking of 43 over-the-top (OTT) platforms for the dissemination of prohibited content, including fake news, misinformation, and other harmful material.

The obligations under Japan’s order designating Google, LINE, Yahoo, Meta, TikTok, and X as “large specified providers” under the Information Distribution Platform Regulation Act entered into force. The designated platforms must implement enhanced content moderation procedures, establish transparent takedown systems, and publicly disclose their content moderation standards.

South Korea's Fair Trade Commission closed the consultation on draft amended guidelines for review of deceptive labeling and advertising. The guidelines strengthen standards for commercial content moderation across platforms and advertising providers. Additionally, the Communications Commission adopted a transparency report on handling illegal filming materials by online platforms, including Google.

Artificial Intelligence

International

BRICS leaders adopted the Declaration on Strengthening Global South Cooperation, which includes measures on artificial intelligence (AI). It notes AI’s potential to drive global development and calls for governance frameworks that manage risks, respect national sovereignty, and address the needs of all countries.

Europe

The European Commission and AI Board released the General-Purpose AI Code of Practice and determined it as an adequate voluntary tool to demonstrate compliance with the AI Act’s obligations in force from 2 August 2025. The code includes three chapters: transparency, copyright, and safety and security. The Code requires providers to maintain documentation of training processes, bias mitigation measures, and intellectual property compliance protocols. Additionally, the Commission adopted guidelines on the scope of obligations for general-purpose AI models under the AI Act, clarifying regulatory expectations for foundation model providers regarding model classification, provider identification, and market placement requirements. Additionally, the Commission adopted the template for the public summary of training data for general-purpose AI models. The Commission also closed consultations on the classification of AI systems as high-risk and the development of the Digital Networks Act, which will establish authorization requirements for cloud computing and telecommunications infrastructure supporting AI development.

The French National Commission on Informatics and Liberty (CNIL) adopted recommendations on the application of the General Data Protection Regulation to the development of AI systems. It notes that models trained on personal data may trigger data protection obligations due to memorisation risks. The CNIL also issued a clarification on the use of augmented camera technology for selling products prohibited to minors, addressing AI-powered age verification and content filtering systems. Additionally, the General Directorate of National Gendarmerie opened an investigation into X over the suspected use of algorithms for foreign interference, examining potential manipulation of content distribution and user engagement through AI systems.

The German Federal Office for Information Security published a white paper on bias in AI, including guidance on identifying, measuring, and mitigating algorithmic bias across various AI applications, particularly in high-risk sectors. The Federal Commissioner for Data Protection and Freedom of Information opened a consultation on the compliant handling of personal data in large language models, providing regulatory clarity for AI developers processing personal information.

The Italian Competition Authority (AGCM) opened an investigation into Meta over alleged abuse of dominant position following its decision to pre-install its AI service on WhatsApp. The AGCM noted that bundling the AI service with a dominant messaging app could distort competition and create exclusionary effects. Concerns include rapid user acquisition and the use of user interactions for training AI models.

The United Kingdom’s Office of Communications published a discussion paper on attribution tools to address harmful deepfakes. It explores watermarking, metadata, AI labels, and context annotations to improve content traceability and support moderation. The paper also notes implementation challenges and stresses the need for complementary measures such as AI classifiers and red teaming. The Department for Science, Innovation and Technology adopted the compute roadmap focusing on AI infrastructure development, establishing governance frameworks for high-performance computing resources supporting AI research and deployment.

Asia and Australia

Australia’s Department of Industry, Science, and Resources issued a report on assessing risks in multi-agent AI systems, highlighting six common failure patterns. These include cascading reliability failures, communication breakdowns, monoculture vulnerabilities, conformity bias, poor modelling of other agents, and conflicting objectives. The report aims to support organisations in identifying and mitigating systemic risks in such AI networks. Additionally, the Digital Transformation Agency adopted a technical standard for government use of AI, establishing public procurement requirements and governance protocols for AI implementation.

The Cyberspace Administration of China published the twelfth batch of registered Deep Synthesis Service Algorithms, listing 389 newly filed algorithms under regulations requiring providers with public opinion or mobilisation capabilities to complete filing procedures. The National Cybersecurity Standardisation Technical Committee of China (TC260) closed consultations on six draft guidelines for managing and identifying AI-generated content. The guidelines set out technical specifications for securing such content using metadata and detection technologies. They include a general guide on metadata-based identification and specific standards for embedding metadata in image, text, audio, and video files, as well as tools for detecting synthetic content across formats. Finally, the Government issued the Action Plan on Global AI Governance. The Plan outlines 13 voluntary commitments covering AI infrastructure, cross-border open-source ecosystems, and sustainability. It also calls for international cooperation on standards, risk assessments, and capacity building.

The Securities and Exchange Board of India closed the consultation on guidelines for responsible use of AI in securities markets, establishing performance monitoring requirements and design standards for applications in financial trading and market analysis.

The Indonesian Ministry of Communication and Digital announced plans to draft a Presidential Regulation to govern AI utilization. The regulation will set standards for acquiring, deploying, and overseeing AI systems across public agencies.

The Saudi Data and Artificial Intelligence Authority launched the National AI Index, establishing metrics for tracking AI development. The index creates standardized measurements for AI capabilities, research progress, and regulatory compliance.

South Korea’s Ministry of Science and ICT approved an AI-based early response system to combat online child and youth sexual exploitation. The system uses self-learning AI to monitor platforms, automatically detect harmful content, and enable real-time reporting and removal via APIs, replacing manual processes. The Personal Information Protection Commission also approved a feasibility review for an AI-based voice phishing detection service proposed by LG Uplus Corporation and KT Corporation. Finally, the Intellectual Property Office opened an inquiry into strengthening the patent competitiveness of AI innovation companies.

Americas

The Brazilian Parliament is deliberating on a bill to amend electoral rules, including measures to restrict the use of AI. The bill requires clear warnings on synthetic or manipulated content. It bans the use of AI to simulate the image or voice of real or fictional individuals, living or dead, in electoral ads, regardless of consent or intent to deceive. The ban covers uses such as promotion, defamation, fabricated political messages, presenting achievements through synthetic characters, and using AI-generated hosts in political broadcasts.

Competition

Europe

The European Commission launched a consultation to assess the effectiveness of the Digital Markets Act (DMA), including its impact on users and businesses and the possible need to revise obligations or expand its scope. The information gathered will inform a report on whether the DMA’s goals are being met and if additional policies are required. The Commission also opened a consultation on the revision of EU antitrust procedural rules, aiming to modernize enforcement tools, improve efficiency, and address fragmentation risks. Proposed changes include enhanced investigative powers, faster decision-making, and streamlined access for third parties and complainants. The European Commission also approved Zalando's acquisition of About You and adopted a cooperation arrangement with the Japan Fair Trade Commission on competition enforcement.

The Competition Authority of Turkey resumed imposing a daily administrative fine on Google for failing to comply with previous obligations to address anti-competitive practices in local search and hotel price comparison services. Although Google initially made changes and the fine was suspended in June 2024, the Authority found that new "Business Ads" introduced in June 2025 replicated the same features, leading to a renewed penalty of around TRY 355 million.

The United Kingdom’s Competition and Markets Authority (CMA) opened a consultation on draft guidance on price transparency requirements for digital markets. The draft guidance clarifies legal obligations under the Digital Markets, Competition and Consumers Act (DMCCA) concerning misleading pricing, including when pricing rules apply and what constitutes an “invitation to purchase.” It requires traders to show the total price where possible or explain how to calculate it, and addresses practices such as drip and partitioned pricing. The CMA also closed a consultation on draft rules on the strategic market status levy under the DMCCA.

Regarding enforcement, the CMA issued its final decision in the cloud services market investigation and closed consultations on proposed decisions to designate Google and Apple as having under the DMCCA. If designated as such, CMA may impose conduct requirements or pro-competition measures. Additionally, the CMA closed the consultation on its notice of intention to release commitments previously accepted regarding Google's "Privacy Sandbox" investigation, addressing concerns about the company's proposed changes to third-party cookie policies and their impact on digital advertising competition.

Asia and Australia

The Australian Competition and Consumer Commission (ACCC) issued public warnings against four online retailers for misleading consumers by posing as local businesses while drop-shipping low-quality goods from overseas. At least 360 reports since January 2025 raised concerns about similar deceptive 'ghost stores' using AI-generated content and false local identities. The ACCC urged consumers to verify online retailers and called on Meta and Shopify to take appropriate action against the operators of ghost stores.

The State Administration for Market Regulation of China (SAMR) issued enforcement cases highlighting violations in live e-commerce platforms and released a second batch of typical cases addressing fair marketing and advertising practice requirements in live streaming commerce. Additionally, SAMR approved Synopsys' acquisition of equity in Ansigma Technologies, subject to commitments. These include divestitures, non-discriminatory pricing, ensuring interoperability with third-party tools, and a ban on bundling products. The obligations apply for ten years, with penalties for non-compliance.

The Competition Commission of Indonesia announced an investigation into TikTok's alleged delay in notifying Tokopedia's share acquisition, examining potential merger control violations and market concentration concerns in the e-commerce platform sector. The investigation addresses whether TikTok failed to properly notify authorities of the acquisition and assesses the competitive impact of increased market concentration in digital commerce.

The Japan Fair Trade Commission and the Ministry of Economy, Trade, and Industry adopted amendments to enforcement regulations and guidelines for the Act on Promoting Competition Regarding Specific Software Used in Smartphones. The measures establish specific obligations for smartphone operating system providers and application stores to ensure fair competition, including requirements for alternative application distribution and payment processing options.

The South Korea Fair Trade Commission (FTC) opened consultation on a provisional consent resolution addressing Google’s alleged anti-competitive bundling of YouTube Premium and Music Premium. Google committed to offering a lower-cost, ad-free video-only subscription (YouTube Premium Lite) for at least four years and freezing prices on existing services. It also pledged KRW 30 billion in consumer and industry support, including free trials, discounts, and music sector funding. The FTC also fined Tium Communication KRW 110 million for violations of the Electronic Commerce Act, addressing quality of service failures and consumer protection breaches. Finally, the FTC opened an investigation into e-commerce platforms' compliance with the amended Consumer Protection Act, examining fair marketing and advertising practices across multiple online commerce providers.

Americas

Brazil’s Administrative Council for Economic Defence (CADE) opened an investigation into Microsoft following Opera Software’s complaint alleging anti-competitive practices favouring Microsoft Edge. Opera claims Microsoft uses its dominance in Windows and Microsoft 365 to pressure PC manufacturers and steer users toward Edge through interface design and default settings. CADE will examine contracts, technical settings, and stakeholder input to determine whether competition laws were breached.

The Competition Bureau of Canada obtained a court order to advance its investigation into Amazon over alleged abuse of dominance relating to the Amazon Marketplace Fair Pricing Policy, addressing concerns about the platform's impact on seller pricing and market competition. The Competition Bureau also closed its inquiry into algorithmic pricing and its potential for market manipulation or coordination.

Data governance

Europe

The European Commission published a draft decision renewing and amending the adequacy decision for the United Kingdom. This follows a previous decision that temporarily extended the adequacy decision for six months, to allow the assessment of the UK Data (Use and Access) Act. The draft confirms the UK continues to provide adequate protection for EU personal data. The European Union and China also issued a declaration establishing a working group on cross-border data flows in the automotive sector.

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued an opinion on the Commission's proposal amending the General Data Protection Regulation (GDPR) as part of the Simplification Omnibus Bill IV. The EDPB and EDPS emphasized that records of processing remain an essential instrument for demonstrating compliance, recommending clearer references in the GDPR and stressing that simplifications must be necessary, proportionate, and respect fundamental data protection rights. The EDPS also released a statement on the Commission's recommendation regarding draft non-binding model contractual terms on data sharing under the Data Act.

The General Court annulled the European Data Protection Board’s (EDPB) decision refusing the plaintiff access to a file concerning her complaint against Meta Platforms, affirming her autonomous right to access under Article 41(2)(b) of the EU Charter, regardless of whether she was adversely affected by the final decision. The Court rejected the EDPB’s argument that such access is limited to specific cases. At the Member State level, the High Court of Ireland granted TikTok leave to proceed with a legal challenge against the EUR 530 million GDPR fine and data transfer suspension imposed by the Data Protection Commission.

The French National Commission on Informatics and Liberty (CNIL) released a self-assessment tool for implementing audience measurement solutions exempt from consent requirements. It provides practical guidance for website operators on privacy-compliant analytics deployment. The CNIL also opened a consultation on guidelines on the deployment of web filtering. Additionally, the CNIL closed consultations on draft recommendations on tracking pixels in emails and the economic impact assessment of these recommendations, addressing the privacy implications of email tracking technologies.

The Russian State Duma passed a bill amending the Criminal Code to clarify foreign agents' liability for failure to fulfill registration and reporting obligations, which will be applicable to non-compliance with data protection regulations.

The United Kingdom’s Minister of State at the Department for Science, Innovation and Technology adopted the first commencement regulations, bringing into force several provisions of the Data (Use and Access) Act. These include rules on data protection, data governance mechanisms, data transfer, and copyright protection. The government will phase in the remaining provisions over four stages, with most measures coming into force by early 2026.

The Information Commissioner's Office (ICO) has opened consultations on updated guidance for storage and access technologies, as well as its proposed approach to regulating online advertising under the Privacy and Electronic Communications Regulations. The ICO also opened a consultation on guidance on profiling tools for online safety, addressing the intersection of data protection and content moderation technologies. Finally, the First-tier Tribunal upheld the fine against TikTok for violations of children's data processing practices.

Asia and Australia

The Office of the Australian Information Commissioner closed its preliminary consultation on the Children's Online Privacy Code, which will set binding rules for services likely to be accessed by children under the Privacy Act. The consultation explored age-based obligations, privacy expectations, and safeguards for children’s data across digital platforms. A draft Code will be released in early 2026, with registration planned for December 2026

China's National Information Security Standardisation Technical Committee (TC260) opened consultations on draft standards on cybersecurity product interconnection and interoperability, personal information protection requirements for minors' products and services, technical requirements for minors' mode in mobile internet, and industrial control system cybersecurity protection capability maturity model. The Cyberspace Administration (CAC) opened a consultation on draft technical requirements for electronic product information erasure using data security technology and on personal information protection requirements for scan-to-order services. The CAC also announced a nationwide inquiry into personal information protection practices across digital platforms.

Indonesia’s Constitutional Court clarified that companies handling personal data must appoint a Data Protection Officer if any one of three risk-related conditions is met, rather than only when all three apply. The Court found that the original wording wrongly limited this obligation and weakened protections. Additionally, Indonesia and the United States advanced negotiations on a trade agreement framework, which is poised to cover digital trade and data.

Saudi Arabia’s National Cybersecurity Authority released the national cybersecurity risk management framework, establishing guidelines for cybersecurity governance across critical infrastructure and digital service providers. The framework creates standardized approaches to risk assessment, incident response, and security management.

The South Korea Personal Information Protection Commission opened consultation on pseudonymised data combination and external transfer notification amendments, the revised standards for measures to ensure the safety of personal information, and the regulation of uniform internet network blocking measures for personal information processing systems. The Commission also adopted an integrated guide on personal data processing following the amendments made to the Personal Information Protection Act. It clarifies when consent is not required, and outlines conditions for data use in emergencies and additional processing. The guide also sets out rules for data destruction, subcontracting, and legal grounds for processing. Additionally, the Commission issued improvement recommendations following its investigation into Kakao Talk, Naver, Coupang, Baemin, and Karrot over data processing practices and launched an inquiry into the protection of personal information of children and adolescents.

Americas

Argentina’s Chamber of Deputies is deliberating on a bill to amend the banking security law to establish obligations related to cybercrime, digital evidence, and chain of custody. The bill requires financial institutions and payment providers to implement both physical and digital safeguards against a wide range of cyber offences, including AI-driven impersonation and biometric data abuse.

The President of Mexico signed the Law of the National System of Investigation and Intelligence in Public Security Matters. The law empowers the Secretariat of Security and Citizen Protection to collect and centralise data from public and private sources. Such data includes vehicle, property, telecommunications, biometric, and commercial data to support criminal investigations.