Global Digital Policy Roundup: May 2024

Overview. The roundup serves as a guide for navigating global digital policy based on the work of Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI regulations and rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, the roundup summarizes the highlights of May 2024 in four core areas of digital policy.

• Content moderation, including the implementation of the EU Digital Services Act, the United Kingdom’s Online Safety Act, as well as proposed online content laws in Argentina, Australia, France, Russia, and Turkey.
• AI regulation, including the EU AI Act, the Council of Europe’s Convention on AI, the update to the OECD AI Principles, and the results of the AI Seoul Summit.
• Competition policy, including an outline of digital competition laws in the United Kingdom and Japan, China’s new antitrust regulation, the enforcement of the EU Digital Markets Act, and investigations in South Korea and Indonesia.
• Data governance, including proposals on data security, user rights, and data transfers, as well as cases against Worldcoin, TikTok, and Kakao.

Content moderation

Europe

The EU and its member states are continuing the implementation and enforcement of the Digital Services Act (DSA). At the EU level, the European Commission designated Whaleco/Temu as a very large online platform following its report of having more than 45 million monthly users in the EU. Within four months of the designation, Temu must comply with additional obligations under the DSA, including the surveillance of illegal products and the detection of systemic risks related to the dissemination of illegal content. At the national level, Germany’s designation of the Federal Network Agency as the “digital services coordinator” under the DSA entered into force.

In May, the European Commission opened a formal investigation into Meta regarding compliance with DSA obligations to ensure a high level of privacy, safety, and security for minors, with a focus on addiction. Previously, the Commission launched DSA proceedings against Meta over its handling of deceptive advertising and political content and requested information on its "subscription for no ads" model.

Moreover, the European Commission issued a request for information as part of the ongoing investigation into the content moderation practices of X. The platform has to provide information on its content moderation policies, as well as risk assessment and mitigation measures regarding generative AI and elections. Finally, the Commission opened investigations into AliExpress regarding risk assessment and consumer protection, as well as TikTok concerning the launch of TikTok Lite in France and Spain. The Commission also requested information from LinkedIn, Snap, Amazon, Apple, Google, and 17 other very large online platforms and search engines.

The EU’s European Media Freedom Act entered into force with a grace period until August 2025. The Act introduces safeguards against the "unjustified removal" of content produced by media providers that meet editorial standards. Before deleting such content, very large online platforms (as defined by the DSA) must notify media providers, specifying the violations of the terms of service, and wait 24 hours for responses.

France signed the bill to secure and regulate the digital space into law. The law tasks the Regulatory Authority for Audiovisual and Digital Communication with setting technical standards for age verification on pornographic sites and empowers it to order blockings and delistings of non-compliant sites. Online platforms must remove content including “child pornography,” the promotion of terrorism, and Holocaust denial within 24 hours.

Italy’s communications regulatory authority requested information from Meta on the alteration of the visibility of political and social content on Facebook, Instagram, and Threads. The authority further noted, in an intellectual property case against Meta, that an account deactivation following allegations of trademark infringement violated the DSA. Specifically, Meta did not provide clear reasons for the account deactivation and lacked an accessible complaint mechanism. The authority notified Meta's conduct to the European Commission for further action.

Russia’s president signed a decree establishing state control over computer games. The stated objective of the decree is to prevent the distribution of distorted historical events. The decree also aims to replace foreign educational platforms with Russian alternatives. A Russian court also fined streaming provider Ivi RUB 1.2 million (approx. USD 13,477) for displaying content depicting same-sex relationships without correct age labeling. Since 2022, Russia has prohibited online platforms from displaying “propaganda and promotion“ of “non-traditional sexual relations” but allows content demonstrating “non-traditional attitudes or preferences” on paid audiovisual services if users confirm they are adults.

The United Kingdom’s Office of Communications (Ofcom) continued implementing the Online Safety Act, which was adopted in 2023. Ofcom closed the public consultation on additional duties for certain platforms to protect users from online harms, including through user empowerment tools and fraudulent advertising prevention. The government is expected to issue thresholds for platforms’ categorization in the Autumn of 2024. Ofcom further announced that it will not open an investigation into Twitch in view of steps taken to implement recommendations. Specifically, Twitch prevented users who are not logged in or are under 18 from accessing harmful content, including sexual themes and gambling and removed harmful content from the homepage.

Asia and Australia

Australia introduced a bill banning the creation and non-consensual distribution of deep fake pornography. The bill classifies such content as a form of abuse and criminalizes the use of technologies, including AI, to create and disseminate it. Furthermore, the government consulted on a review of the Online Safety Act to address the evolving landscape of online threats and harms. Australia’s federal court also ruled not to extend an injunction requiring X to hide content related to a terrorist incident in Sydney. Previously, the court had granted and then extended the injunction requested by the eSafety Commissioner. Subsequently, the eSafety Commissioner discontinued legal action against X.

Indonesia issued a warning to internet service providers, calling for active measures to combat online gambling. The government cautioned that non-compliance with content moderation requirements would lead to license revocations and fines of IDR 500 million (approx. USD 30,700) for each piece of non-compliant content.

South Korea’s Personal Information Protection Commission announced a new phase of its eraser service. Launched in April 2023, the service assists individuals in removing online content that includes personal information from when they were a minor. Initially available to individuals under 24, the service has since been expanded to those under 30.

Turkey introduced a bill to establish a new procedure for removing and blocking access to online content. The bill follows a ruling by the Constitutional Court that annulled the Advertising Council’s power to block access to content. Specifically, the Advertising Board would need to request content removal by online platforms and wait 24 hours before demanding internet service providers to block access.

Americas

Argentina introduced two online content bills. The Preventing Gambling Addiction Bill would require websites to restrict online advertising for games of chance and publish warning messages about the negative consequences of gambling. The Bill on Audiovisual Communication on Digital Platforms would require broadcasting and on-demand audiovisual services to ensure that at least 20% of the content in their catalogs is of national origin, with at least half of this content being independent productions.

Brazil’s consumer protection authority ordered Amazon and Mercado Livre to remove listings for cell phones that do not meet regulatory standards within 48 hours. The order is part of an investigation into the sale of illegal phones on e-commerce platforms, which found irregularities, including a lack of governmental certification, the absence of standard chargers, and non-compliant warranty periods.

Artificial Intelligence

International cooperation

The Council of Europe adopted the Convention on AI, Human Rights, Democracy, and the Rule of Law, which will be available for signature in September 2024. The convention’s scope, which changed throughout the negotiations, now covers public authorities and enables signatories to submit declarations outlining how they intend to apply the convention to private actors. Specifically, the convention establishes principles and obligations for the design, development, use, and decommissioning of AI systems, including privacy. In addition, the convention demands AI testing as well as the assessment and mitigation of risks arising from AI systems.

At the AI Seoul Summit, the continuation of the UK AI Safety Summit, countries signed several documents regarding international collaboration on AI. 27 countries signed the Declaration on Commitments to Address Severe AI Risks, while China engaged in the discussions but did not sign the declaration. In addition, a group of countries, including Australia, Canada, the European Union, France, Germany, Italy, Japan, South Korea, Singapore, the United States, and the United Kingdom, signed the Seoul Declaration for safe, innovative, and inclusive AI and the Statement of Intent toward international cooperation on AI safety science.

The OECD updated its Principles on Artificial Intelligence. The Principles aim to provide AI actors with guidelines for achieving trustworthy AI, including by promoting values such as transparency, explainability, security, and accountability. The revisions focused on combating disinformation, promoting responsible business conduct throughout the AI system lifecycle, enhancing transparency and disclosure, and risk management.

The G7 Hiroshima AI Process was complemented by the Hiroshima AI Process Friends Group, which includes over 40 countries. The Friends Group expands the countries committed to implementing the Hiroshima AI Process, which includes the International Code of Conduct and the International Guiding Principles for Organisations Developing Advanced AI Systems.

Europe

The Council of the European Union adopted the AI Act. Once the Act is signed by the presidents of the European Parliament and Council and is published in the official journal, its multi-step implementation process begins. The Act establishes a risk-based approach, prohibiting certain AI practices and establishing a range of compliance obligations for "high-risk" AI systems. The prohibition applies to emotion recognition in the workplace and educational institutions, social scoring, biometric categorization to infer sensitive data, and some forms of predictive policing, among others.

Obligations for high-risk AI cover testing, data governance, cybersecurity, post-marketing monitoring, and conformity assessment, among others. Fines are calculated as a percentage of global annual turnover and comprise EUR 35 million or 7% for violating prohibitions, EUR 15 million or 3% for violations of obligations, and EUR 7.5 million or 1.5% for supplying incorrect information. Finally, the Act establishes the AI Office to oversee compliance.

The European Commission also requested information from Microsoft regarding the generative AI features of Bing. The request refers to potential breaches of the Digital Services Act due to a lack of measures addressing risks such as the spread of deepfakes and the automated manipulation of services that could mislead voters.

The United Kingdom’s Information Commissioner's Office (ICO) closed its investigation into Snap's "My AI" chatbot. The investigation analyzed whether Snap's pre-launch risk assessment for "My AI" adequately considered data protection risks, especially concerning minors. Snap’s measures to conduct a comprehensive risk review of "My AI" and demonstrate suitable mitigation mechanisms were subsequently deemed sufficient. In addition, the ICO opened a series of public consultations on generative AI, specifically on individual rights, purpose limitation, the accuracy principle, and the lawful basis for web scraping. Finally, the UK Department for Science, Innovation, and Technology issued the AI Cyber Security Code of Practice and the Code of Practice for Software Vendors for consultation.

Asia and Australia

China continued to develop its AI regulatory regime, which builds on three technology-specific regulations covering recommendation algorithms, deep synthesis services, and generative AI, respectively. China’s standardization committee released a draft standard on cybersecurity for generative AI for consultation. Specifically, the draft requires providers to implement security measures regarding training data, conduct security assessments regarding data sources, and ensure that harmful content does not exceed 5%. The draft further includes measures on copyright and data protection.

South Korea’s Personal Information Protection Committee announced guidelines on the use of public personal information for AI development and services. The guidelines aim to establish procedures for safely processing openly available personal data.

Americas

Brazil introduced a bill on artificial intelligence that establishes objectives for AI development and implementation, including respect for intellectual property rights, human rights, democratic values, and freedom of expression. The bill would require providers of AI systems to establish independent audits and comprehensive governance structures, enhance transparency, and pursue data management to prevent discrimination. The bill further outlines individual rights, namely to information, explanation, contestation, human determination and participation, and non-discrimination.

Canada announced that eight companies signed on to the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. The Code of Conduct is part of the ongoing development to create a safe environment for AI in Canada and identifies applicable measures regarding operations involving generative AI systems.

Competition

Europe

The European Union continues to enforce the Digital Markets Act (DMA). The DMA imposes rules for “gatekeepers” based on their “core platform services.” Initially, gatekeepers included Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. In May, the European Commission designated Booking as a gatekeeper based on its Booking.com platform. Since the designation, Booking must inform the Commission of any intended mergers or acquisitions. After 6 months, Booking must allow business users to promote their offers and conclude contracts with customers outside of the Booking platform and give business users access to data they have generated.

In another decision, the European Commission decided not to designate X as a gatekeeper based on its online advertising service (X Ads) but opened a market investigation to assess X’s appeal against the designation as gatekeeper based on its social network. Finally, the Commission decided not to designate ByteDance as a gatekeeper based on its online advertising service (TikTok Ads), although ByteDance is already a gatekeeper based on the classification of the TikTok social network as a core platform service.

The Court of Justice of the European Union ruled against an Italian regulation regarding fairness and transparency in online intermediation services in cases filed by Airbnb, Expedia, Google, Amazon, and Vacation Rentals. The ruling held that EU law precludes Italy's regulation and that Italy can thus not impose additional obligations. Finally, Apple filed an appeal against the European Commission’s EUR 1.8 billion (approx. USD 2 billion) fine over alleged abuse of its dominant position based on its App Store rules. The Commission found that Apple imposed restrictions on app developers, preventing them from informing users about alternative music subscription services.

The United Kingdom‘s Digital Markets, Competition, and Consumers Act received Royal Assent. The Act, expected to enter into force in late 2024, introduces an ex-ante regulatory regime for companies with "strategic market status" in digital markets. The Competition and Markets Authority (CMA) can designate companies with a global turnover of over GBP 25 billion or a UK turnover of over GBP 1 billion as having "strategic market status" when they hold substantial market power or have strategic influence. Designated firms are subject to unilateral conduct requirements, must uphold dedicated codes of conduct, and can be subject to behavioral and structural remedies. In addition, the Act introduced new merger control thresholds, imposing mandatory notification for mergers in which the acquirer has a 33% supply share in the UK and turnover exceeding GBP 350 million (approx. USD 445,16 million) in the UK. Moreover, the CMA opened consultations on draft guidance regarding digital markets competition and merger reporting requirements.

The Competition and Markets Authority also opened a public consultation on Meta’s revised commitments to address competition concerns regarding Facebook Marketplace. The original commitments, accepted in November 2023, required Meta to implement technical systems preventing the use of certain advertiser data in Facebook Marketplace operations and product development. The proposed changes aim to broaden data use restrictions in Facebook Marketplace to include all advertisers, not just competitors. Moreover, the CMA closed its merger investigation into the partnership between Microsoft and Mistral AI but will continue investigations into Amazon and Anthropic, as well as Microsoft and Inflection AI.

Asia and Australia

China’s State Administration for Market Regulation adopted the Interim Provisions on Internet Anti-Unfair Competition, to be implemented in September 2024. The provisions ban the use of algorithms and data to influence users, including fabricated user reviews and misleading displays that hide negative reviews. Furthermore, the regulation prohibits exclusivity agreements that force online merchants to use a specific platform or impose unreasonable prices or sales targets.

Indonesia’s Competition Commission announced investigations into e-commerce platforms Shopee and Lazada. The investigations focus on discriminatory algorithm settings and self-preferencing practices.

Japan passed a bill, to promote competition regarding specific software used in smartphones. The bill contains competition measures for providers of operating software, app stores, browsers, and search engines that meet specific thresholds that have yet to be established by decree. Obligations cover data use, unfair treatment of app providers, discriminatory practices, and data disclosure.

Turkey’s Competition Board advanced three cases against large technology companies. First, the Board accepted Meta’s proposed measures following an investigation into data combination across core services, imposing a fine of approx. TRY 552 million (approx. USD 17,076 million). The investigation determined that Meta's merging of data from Facebook, Instagram, and WhatsApp negatively affected competition. Subsequently, Meta implemented measures to allow users to prevent data merging unless they choose to combine their accounts.

Second, the Board issued its final ruling regarding Meta’s linking of Threads and Instagram without user consent. The Board considered Meta’s proposals for "profile-less usage" insufficient and imposed a penalty of approx. TRY 336 million (approx. USD 10,39 million), after Meta disabled Threads for Turkish users.

Third, Google filed an appeal against the Board’s fine for failing to implement design requirements for hotel search services. The Board determined that Google was favoring its own local search and accommodation price comparison services and fined Google approx. TRY 296 million (approx. USD 9,15 million).

South Korea’s Fair Trade Commission announced investigations into AliExpress and Temu, regarding transparency. Specifically, the investigation scrutinizes whether the e-commerce platforms displayed the necessary seller information, including identity and contact details. Additionally, the Communications Commission launched an inquiry into digital media’s impact on competition in the broadcasting market.

Americas

Canada’s Competition Bureau closed its consultation on the competition impact of AI. The Bureau issued a discussion paper on competition in AI markets and gathered feedback regarding monopolistic practices, cartels, deceptive marketing practices and measures that regulators could implement to promote competition.

Data governance

Europe

The EU member states continued the national implementation of the “NIS 2” Directive on cybersecurity. Germany published a draft of the NIS 2 Implementation and Cybersecurity Strengthening Act, aiming to expand the scope of cybersecurity requirements and incident reporting obligations. The Act requires data breach reporting to the Federal Office for Information Security within 24 hours.

The European Data Protection Board published a report on the work of the ChatGPT Taskforce, formed by data protection authorities from Member States to coordinate their investigations into OpenAI. The report touches upon the lawfulness of web scraping, as well as the transparency and data accuracy of OpenAI's data processing practices. Specifically, the report notes that OpenAI should inform users that ChatGPT's responses are probabilistic and may contain biases or inaccuracies.

Germany’s Conference of Data Protection Supervisors (Datenschutzkonferenz - DSK) published guidelines on using AI in compliance with data protection rules. The guidance includes considerations regarding AI training, transparency, and the deployers’ responsibility.

Italy’s data protection authority issued guidance on safeguarding personal data against web scraping. The guidance explains measures to prevent the indiscriminate collection of data by third parties, including for the training of generative AI models.

Russia published the draft bill on the collection and storage of industrial data, aiming to establish a framework for the sharing of industrial data between companies. The draft would further require industrial data to be stored in Russia.

Asia and Australia

Australia’s Privacy Commissioner closed its preliminary privacy inquiry into TikTok. The Commissioner stated that tracking tools, including pixels and cookies, are "harmful, invasive and corrosive of online privacy" but noted that there is no clear and obvious breach of law, calling for an amendment of the privacy framework.The Australian government also announced its intention to amend the Privacy Act to criminalize doxing, defined as releasing private information online with malicious intent. The Bill will be submitted in August 2024 and aims to increase individuals’ control over personal data.

China adopted “interim measures” for the Data Security Management of Accounting Firms, which entered into force in October 2024. Among a range of cybersecurity requirements, accounting firms must store data in China, including audit documents and encryption keys. In 2023, government access to audit data caused tensions between China and the United States. Furthermore, China advanced efforts to facilitate international data transfers at the subnational level, specifically in Tianjin and Shanghai/Lin-Gang.

Indonesia published a draft regulation on Child Protection Governance in Electronic Systems. The draft includes provisions prohibiting the profiling and processing of children's personal data, unless necessary to provide digital services, and requiring age verification. The draft implements the amended Law on Electronic Information and Transactions and will be adopted after stakeholder feedback.

Saudi Arabia’s amended User Protection Regulations entered into force. Regarding cybersecurity, ICT providers must implement security measures against unauthorized access and breaches. Regarding data protection, providers must uphold data minimization and provide clear information on data collection practices. Regarding user rights, the regulations specify the rights to access, rectify, and delete information and be informed of data breaches.

South Korea’s Personal Information Protection Commission issued a fine of KRW 15.1 billion to Kakao for violating privacy law and corrective orders. The fine relates to a data breach in the KakaoTalk open chat rooms, which Kakao discovered in March 2023 but subsequently did not report and notify to users. In addition, the Commission opened consultations on a draft guide regarding data subject rights, implementing a recent decree, and draft standards for actions by personal information processors.

Turkey’s data protection board issued draft regulations on international data transfers. The regulations implement the recently amended data protection law, which introduces a new data transfer regime that enters into force on 1 September 2024. The regulations specify accepted data transfer mechanisms, including adequacy decisions, appropriate safeguards – such as binding corporate rules, standard contracts, and governmental authorization – and explicit consent.

Americas

Argentina issued a resolution regarding Worldcoin, covering data privacy, contractual rights, consent, and minor protection. Currently, the Argentinian data protection authority is investigating WorldCoin’s personal data processing and coordinating a working group on Worldcoin within the Ibero-American Data Protection Network.

Brazil’s data protection authority closed its public consultation on the processing of high-risk personal data. The authority, established in 2020, aims to clarify the concept of high-risk processing in the context of rapid technological advancements and their implications for privacy and data subject rights.