Global Digital Policy Roundup: June 2024

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of June 2024 in four core areas of digital policy.

• Content moderation, including new rules on online violence in the EU and China, online safety standards in Australia, and legislative proposals in Russia and Turkey.
• AI regulation, including a comprehensive AI bill in Turkey, the African Union’s Continental AI Strategy, new AI standards in China, and enforcement cases in South Korea.
• Competition policy, including a new law in Japan, legislative proposals in India and Russia, and enforcement cases against large providers in the EU, Canada, and Turkey.
• Data governance, including new regulations in Australia, China, and the EU, as well as enforcement cases in Brazil, South Korea, and the United Kingdom.

Content moderation

Europe

The European Commission launched an investigation into Pornhub, XVideos, and Stripchat under the Digital Services Act (DSA) concerning measures to protect minors and prevent gender-based violence. Further, the Commission requested information from Temu and Shein on minor protection and transparency measures. Additionally, the EU’s Directive on combating violence against women and domestic violence entered into force with a grace period until June 2027. The directive criminalizes various forms of violence against women, including cyber violence, such as non-consensual sharing of intimate images, cyberstalking, and harassment.

Russia's president signed a bill expediting blocking mirror sites that copy pirate sites. The bill transfers blocking powers to Russia’s media regulator (Roskomnadzor) and obliges all search engine operators to remove mirror sites. Additionally, the government limited access to 81 EU media resources as a response to the Council of the European Union’s decision to ban broadcasting by several Russian media outlets. Moreover, Russia introduced a bill to ban advertising on information resources considered undesirable or previously banned, such as Facebook and Instagram.

Asia and Australia

The Australian government closed its public consultation on the statutory review of the Online Safety Act. The review aims to evaluate the Act's effectiveness and the necessity for increasing the eSafety Commissioner's enforcement powers. In addition, the eSafety Commissioner registered two Online Safety Industry Standards under the Online Safety Act. The standards regulate designated internet services (apps, websites, storage services, and generative AI platforms) and relevant electronic services (dating sites, online games, and messaging services), respectively. The standards will enter into force in December 2024 and include obligations to eliminate child sexual abuse and pro-terrorism material. Additionally, the eSafety Commissioner signed an administrative arrangement with the European Commission on the enforcement of social media regulations. Finally, the Australian Communications and Media Authority mandated an audit of streaming provider Hubbl regarding a potential breach of gambling advertising regulations during live sports events streaming.

China adopted regulations on violent online content. The regulations require network information service providers to monitor online violence and prevent malicious activities. Providers must further verify users’ identity and establish a user credit system. Furthermore, the Cyberspace Administration of China executed a special campaign to address false information, issuing several suspension orders and blacklisting responsible entities.

South Korea’s Communications Commission announced an initiative to strengthen international collaboration to combat false online information. In partnership with the Organisation for Economic Co-operation and Development (OECD), the KCC will develop recommendations on information integrity.

Turkey introduced a bill to regulate internet publications and combat online crimes. The bill mandates TikTok to prevent access to content that contradicts “general morals, public interest, and the traditions, customs, and practices of Turkish society” before publication. Failure to comply would result in bandwidth throttling and, after 30 days of non-compliance, a complete restriction. The bill also requires all other social network providers to link user accounts to mobile phone numbers, delete fake accounts, and limit users' time on platforms.

Americas

Brazil’s Supreme Court closed the investigation into the role of Google and Telegram managers in the alleged disinformation campaign against the fake news bill. The court specified that the gathered evidence could still be used in proceedings against the companies. Telegram is currently under investigation by the Consumer Protection Authority and the Public Prosecution Office. Google is facing investigations conducted by federal police and consumer protection and competition authorities.

Canada’s Radio-television and Telecommunications Commission (CRTC) opened a public consultation on Google's exemption request under the Online News Act. The Act requires online platforms to compensate Canadian news organizations for their content – through bargaining or agreements that exempt platforms from bargaining. Google proposes to distribute CAD 100 million (approx. USD 72.8 million) to Canadian news organizations annually to be exempt from bargaining. Additionally, the CRTC opened a public consultation on implementing regulations for the Online Streaming Act targeting e-commerce platforms and streaming services. Providers with annual revenues over CAD 25 million would be obliged to invest at least 5% of their national revenues in Canadian content.

Artificial Intelligence

Europe

The European Commission proposed a decision to authorize the EU’s signing of the Council of Europe’s Convention on AI, Human Rights, Democracy, and the Rule of Law. If adopted, the decision would render the convention binding for all EU Member States. Additionally, the Commission launched a consultation on AI in the financial sector. The consultation analyzes use cases and risks to inform sector-specific guidance for the implementation of the AI Act.

The Council of the European Union adopted an amendment to the regulation on the European High-Performance Computing (EuroHPC) joint undertaking to include the development and operation of “AI factories.” AI factories will provide AI supercomputing service infrastructure to improve the EU's supercomputing capacity for AI model training, especially for start-ups and small and medium-sized enterprises.

The French Data Protection Authority (CNIL) opened a consultation on recommendations for the development of AI systems. The guidelines outline CNIL's efforts to address legal, ethical, and privacy concerns related to AI, highlighting that the General Data Protection Regulation supports the creation of innovative and responsible AI. CNIL also adopted guidelines on personal data and AI development.

Asia and Australia

China’s Ministry of Industry and Information Technology issued 12 industry standards for public consultation, including data processing for large AI model training. In addition, the Cyberspace Administration of China published the sixth batch of domestic deep synthesis services that have entered its algorithm filing regime. The batch includes 492 newly filed algorithms detailing algorithm names, uses, record numbers, and remarks. Moreover, China’s National Information Security Standardisation Technical Committee closed its consultation on data security specifications for AI training and optimization. The specifications include design requirements for data classification and cybersecurity measures, such as identity verification.

India’s competition commission concluded its call for proposals for a market study on AI and competition. The study explores the implications of AI for competition, aiming to understand the implications of AI applications on market efficiency and innovation.

South Korea’s Personal Information Protection Committee (PIPC) concluded several investigations into AI providers. SKT must implement corrective measures to store and monitor access logs, minimize data retention periods, and strengthen anonymization. Snow must improve user communication and safety mechanisms. DeepL received recommendations to improve transparency, specifically to disclose the use of user-entered text in AI learning. Vuno’s AI for medical diagnosis was considered compliant with all data protection regulations. Furthermore, the South Korean Ministry of Science and ICT launched an inquiry into the development of safe and trustworthy AI.

Turkey introduced a bill establishing a regulatory framework for AI. The bill aims to ensure the safe, ethical, and fair use of AI technology with a risk-based approach. The bill covers providers, distributors, users, importers, and distributors of AI systems and enshrines the principles of safety, transparency, fairness, accountability, and privacy. High-risk AI system providers must conduct risk and conformity assessments and register with regulatory authorities.

Americas

Brazil established a working group to draft a national AI plan to promote sustainable and ethical AI development. At the sub-national level, the Consumer Protection Authority of São Paulo launched an inquiry into the use of AI in online shopping. The inquiry focuses on AI applications in e-commerce, including data collection, consumer behavior analysis, and personalized advertising.

Africa

The African Union, including South Africa, adopted the Continental AI Strategy. The strategy aims to harness AI's potential while addressing challenges across education, health, agriculture, and governance. The strategy further emphasizes developing human capital, fostering innovation ecosystems, and creating a conducive regulatory environment. Additionally, the strategy outlines a unified approach to leveraging digital technologies for sustainable development and economic growth throughout the continent.

Competition

Europe

The European Commission pursued the enforcement of longstanding antitrust rules against Microsoft and the novel Digital Markets Act (DMA) against Apple.Regarding Microsoft, the Commission issued a statement of objections in its investigation into the bundling of Teams with Microsoft 365, emphasizing that the bundling could restrict competition in the communication and collaboration market. Regarding Apple, the Commission opened a new investigation into the contractual terms for application developers, scrutinizing whether they restrict access to new features enabled by the DMA, including alternative application distribution channels. In another ongoing case against Apple, the Commission issued preliminary findings regarding the app store steering rules. The Commission found that Apple’s terms did not permit developers to steer their customers freely, in a breach of the DMA. Specifically, developers should be able to inform customers about cheaper purchasing options and direct them to the alternatives. Based on the preliminary findings, the Commission closed an older investigation into the same conduct to avoid duplicative investigations.

In addition, the European Union’s Market in Crypto Assets Regulation entered into force. The regulation imposes additional obligations on crypto-asset issuers classified as "significant" to promote effective competition in the sector. Obligations include ensuring fair remuneration, implementing effective risk and liquidity management strategies, and maintaining a minimum reserve of 3% of their own capital as reserve assets.

The Italian Competition Authority fined Meta EUR 3.5 million for unfair commercial practices related to Facebook and Instagram. Meta failed to inform Instagram users about the commercial use of their data and failed to adequately inform users regarding account suspensions. Additionally, the Italian Communications Authority closed its consultation on the identification of individual markets within the integrated communications system.

Russia introduced a bill to prevent providers of app stores and operating systems from imposing discriminatory conditions. The goal is to ensure that Russia’s unified app store (RuStore) is accessible on all devices, aiming to counter foreign manufacturers' access restrictions on Russian applications. The bill mentions impeding functionalities and limiting payment options as discriminatory practices. Additionally, Russia signed memorandums of understanding with Nigeria and Brazil on improving legislation and enforcement in digital markets.

Asia and Australia

India’s competition commission opened a consultation on proposed amendments to its powers. The amendments aim to strengthen regulatory oversight and give the commission the power to appoint agencies to assist in implementing and monitoring the commission’s orders. India is also deliberating the Digital Competition Bill, an ex-ante regulatory framework targeting large digital enterprises. The bill proposes the designation of certain enterprises as “systemically significant digital enterprises,” triggering a range of prohibitions, including prohibitions on self-preferencing and bundling services.

Japan signed a law to promote smartphone software competition. The law empowers the Fair Trade Commission to designate business operators providing essential software, such as operating systems, app stores, browsers, and search engines, subjecting them to a range of obligations. Obligations cover data use, the fair treatment of app providers, and interoperability. Additionally, the law requires operators to facilitate data transfer, allow changes to default settings, and obtain user consent for incorporating additional software. Subsequent government ordinances will specify the thresholds for designation and the implementation date of the law.

Turkey’s Competition Authority stopped imposing daily fines on Google in view of updates to local search and hotel price comparison services. Previously, the Competition Authority found that Google self-referenced its own services, imposed corrective measures, and issued daily fines for non-compliance totaling TRY 482 million (approx. USD 14.6 million). Additionally, the Competition Authority opened a new investigation into Apple’s contracts with application developers and the App Store payment system. The investigation scrutinizes Apple’s practice of requiring application developers to use its payment system, including a 30% commission on in-app purchases.

Americas

A Canadian court order required Amazon to provide information requested by the Competition Authority in its investigation of misleading claims. The investigation focuses on the alleged use of misleading claims in Amazon's marketing, particularly regarding reviews and ratings that affect product rankings and visibility.

Data governance

Europe

The European Commission released a draft act clarifying when a cyber incident is deemed significant under the revised Network and Information Security Directive (NIS2 Directive). The NIS2 Directive enhances cybersecurity risk management and standardizes incident reporting for operators across the EU. In view of the cross-border operations of many digital entities, this act aims to harmonize the national implementation of the rules in the NIS2 Directive. Furthermore, the Council of the European Union adopted its general approach to the regulation of procedural rules relating to the enforcement of cross-border cases concerning the General Data Protection Regulation. The regulation aims to expedite the handling of cross-border complaints and investigations by harmonizing procedural steps.

Ireland’s Data Protection Authority announced that Meta paused its plans to train large language models using Facebook and Instagram content. The announcement follows ongoing discussions between Meta and European data protection authorities to ensure compliance with data protection regulations. In Germany, data protection authorities in North Rhine-Westphalia and Hamburg issued statements raising concerns regarding Meta's plan to use personal data from Facebook, Instagram, and Threads for AI training.

France’s Data Protection Authority adopted recommendations on the reuse of data published on the Internet. The recommendations aim to help professionals balance their responsibilities with individuals' privacy rights and assist open data distributors in understanding their obligations.

The Italian Data Protection Authority issued guidelines regarding the processing of metadata in the workplace. The guidelines advise employers to review and adjust default settings to prevent unnecessary metadata collection and limit retention periods. Additionally, the authority issued a decision concluding that the use of biometric data for attendance tracking lacks a legal basis.

The United Kingdom's Information Commissioner's Office announced a joint investigation with Canada’s Privacy Commissioner into 23andMe regarding a data breach. The investigation aims to determine the extent of the data breach, assess the adequacy of the company's safeguards for sensitive data, and verify compliance with notification requirements.

Asia and Australia

Australia’s Prudential Regulation Authority issued a communication emphasizing expectations regarding cybersecurity, particularly regarding the restoration of data during a cyber incident.

China’s National Information Security Standardisation Technical Committee adopted guidelines for large internet platforms to prevent cybersecurity risks that could impact social stability and public interests. The Committee also opened consultations on three guidelines regarding sensitive personal information, data collection on vehicles, and best practices for data security and personal information protection. Finally, the Committee announced four national standards for network security and closed the consultation on the draft security standard for data transfers based on individual requests.

South Korea’s Communications Commission fined Google and Apple for failing to disclose location information handling policies under the Location Information Act. In addition, the South Korean Personal Information Protection Commission announced an expansion of cybersecurity measures to all personal information processors, effective September 2024.

Turkey implemented the amendments to the Personal Data Protection Law. Data controllers can now process special categories of data if it is necessary to establish, exercise, or protect a right or fulfill obligations in areas such as employment, health and safety, and social security.

Americas

The Consumer Protection Authority of the Brazilian state of São Paulo initiated an investigation against Ticketmaster regarding a data breach. The authority scrutinizes whether Ticketmaster failed to address inquiries about a data breach and to provide evidence of data security and mitigation strategies.

Canada’s Privacy Commissioner opened a consultation on privacy and age-assurance systems to inform the issuance of an upcoming guidance thereon. The consultation document outlines the privacy issues with current methods to determine users' age for online safety. The Commissioner notes that the use of age-assurance systems should be proportional to the risks and that alternatives such as parental controls should be considered. Additionally, the Commissioner and the Privacy Commissioner for British Columbia opened an investigation into Certn regarding compliance with privacy laws in tenant screening processes.