Global Digital Policy Roundup: November 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of November 2025 in four core areas of digital policy.

• Content moderation, including the Council of the EU’s general approach on regulation to prevent and combat child sexual abuse, the UK’s amended Crime and Policing Bill, Australia’s list of applications subject to the social media ban for minors, as well as enforcement cases in France against Shein and TikTok, and in Indonesia and Japan against Cloudflare.
• AI regulation, including the European Commission’s Digital Omnibus on AI Regulation, Turkey’s bill establishing an AI legal framework, China’s standards and regulatory measures for generative AI, and South Korea's Enforcement Decree for the AI Framework Act.
• Competition policy, including the European Commission's enforcement of the Digital Markets Act, the UK’s guidance under the Digital Markets, Competition and Consumer Act, and enforcement cases from Italy and Brazil against Meta over the integration of its AI service in WhatsApp.
• Data governance, including the European Commission’s Digital Omnibus Regulation proposal, the UK’s Cyber Security and Resilience Bill, China’s new cybersecurity and data protection measures, India’s Digital Personal Data Protection Rules, Canada’s Budget Implementation Act amending PIPEDA, and South Africa’s Information Regulator settlement with WhatsApp.

Content moderation

Europe

The Council of the European Union agreed on its general approach to the Regulation on preventing and combating child sexual abuse. It requires online service providers to assess misuse risks, introduce mitigation measures, and classify their services by risk level. Authorities would be able to order the removal, blocking, or delisting of content, and high-risk providers could be required to support the development of safety technologies. The Council also proposes to make permanent the ePrivacy derogation that allows the voluntary detection of child sexual abuse material. Alongside this, the Council adopted the revised Alternative Dispute Resolution Directive, updating and simplifying procedures for resolving consumer–trader disputes outside the court.

The European Parliament adopted the Regulation on the safety of toys, which applies to online and offline sales and requires all toys to include a Digital Product Passport to prevent unsafe products from entering the market. It also adopted a resolution on protecting minors online, calling for a harmonized EU digital minimum age of 16 for social media and AI companions without parental consent, and 13 as the minimum age for any social media use.

The EU institutions and member states advanced the implementation of the Digital Services Act (DSA). The European Commission requested information from Shein under the DSA over the alleged sale of illegal goods and age-inappropriate content, including child-like sex dolls and weapons. Shein has to provide information on its age-assurance measures, methods to prevent illegal product circulation, and the effectiveness of its risk mitigation. At the member-state level, the Irish Media Commission opened an investigation into X for possible non-compliance with DSA transparency rules.

The Commission additionally published a report on the designation of very large online platforms and search engines under the DSA and its interaction with other laws. Together with the European Board for Digital Services, it also released a report on commonly used mitigation measures for systemic risks.

At the judicial level, the General Court rejected Amazon's challenge to its designation as a very large online platform under the DSA. In a separate opinion, the Advocate General found that Google is likely not liable for gambling advertisements on YouTube, as the e-Commerce Directive’s hosting exemption applies if Google had no actual knowledge of the illegal content.

The French Directorate General for Competition, Consumer Affairs, and Fraud Control announced the removal of illicit products from Shein and permitted operations to resume following corrective measures. The Paris Public Prosecutor's Office opened an investigation into TikTok over allegations of illicit transactions, data processing impairment, and promotion of content on suicide.

The Italian Communications Regulatory Authority (AGCOM)’s resolution establishing technical and procedural requirements for age verification systems to prevent minors from accessing pornographic content online came into force. The AGCOM identified 48 pornographic platforms that must implement age assurance systems in line with the resolution’s principles, such as privacy protection through a “double anonymity” model, and independent third-party involvement. Separately, AGCOM and the Institute for Advertising Self-Regulation adopted an agreement to align regulatory and self‑regulatory rules for digital advertising.

The United Kingdom’s Department for Science, Innovation, and Technology tabled amendments to the Crime and Policing Bill to prevent the misuse of AI models for creating child sexual abuse material. The bill was previously also amended to extend the prosecution window for non-consensual intimate-image offenses and to criminalize the possession and publication of pornographic content depicting strangulation or suffocation. Depictions of strangulation would additionally be designated a priority offense under the Online Safety Act. Separately, provisions that would have required online platforms to detect and report child sexual exploitation and abuse content to the National Crime Agency were repealed.

The Office of Communications (Ofcom) adopted guidelines to support the Online Safety Act implementation. Ofcom published guidance on women and girls' online safety for user-to-user services,notification guidance for online safety fees, and guidance on qualifying worldwide revenue. The regulator opened consultations on statutory reports examining the use and effectiveness of age assurance technologies and the role of app stores in children's online safety. In enforcement, the Office of Communications fined the nudification site operator Itai Tech GBP 50,000 for failing to implement effective age verification mechanisms under the Online Safety Act. Ofcom also prioritized its investigation into a provider of an online suicide discussion forum over potential breaches of the Act, including failure to assess illegal content risks. Additionally, Ofcom opened investigations into 20 more pornographic websites.

Asia and Australia

The Australian Minister for Communications published the list of applications that will be subject to the Social Media Minimum Age Act, confirming that Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, and Reddit will be required, from December 10, 2025, to take reasonable steps to prevent users under 16 from holding accounts. Separately, a bill to repeal the social media minimum-age requirement was introduced in the Senate. Another bill was introduced in the Senate to establish a complaints mechanism for non-consensual deepfakes, granting the eSafety Commissioner powers to investigate and require platforms to remove such content within prescribed timeframes.

The eSafety Commissioner also issued an enforcement action against a technology company providing AI-generated nudify services used to create deepfake pornography, concluding the investigation with corrective measures. In addition, Telegram withdrew its case against the eSafety Commissioner regarding the validity of a reporting notice issued during an investigation into the platform’s measures to address terrorism and violent extremist content.

The State Administration for Market Regulation of China (SAMR) closed consultations on the draft regulations on supervision of third-party platform providers' implementation of safety responsibilities, and the revised measures on management of the list of entities with serious illegal and dishonest conduct. The SAMR also published a second batch of enforcement actions as part of its investigation into online consumer protection, addressing deceptive marketing practices across e-commerce platforms. The Cyberspace Administration of China (CAC) directed platforms to suspend accounts involved in vulgar content, fabricated stories, or improper commercial activities such as unauthorized sales of military uniforms and paid misinformation. The CAC also issued enforcement decisions against group-broadcast accounts that used vulgar or inducive tactics to boost live-streaming tips, as part of a broader campaign to regulate tipping practices.

The Ministry of Communication and Digital Affairs of Indonesia announced that 25 global platforms had been asked to register as private electronic system providers. Cloudflare was among those notified and informed that failure to register could result in administrative sanctions or access termination.

In Japan, the Tokyo District Court found Cloudflare liable for aiding copyright infringement by two overseas manga piracy sites that relied on its CDN services, awarding roughly JPY 2.48 billion to four major publishers. The Court found that Cloudflare became liable after continuing its services despite repeated notices and ruled that its caching functions did not fall under the copyright exception.

The Fair Trade Commission (FTC) of South Korea opened investigations into eight online advertising agencies over alleged deceptive advertising practices. The FTC will investigate practices such as alleged impersonation of public institutions to secure contracts, refusal to issue refunds for undelivered services, and bulk charging of advertising fees.

Americas

The Brazilian Chamber of Deputies passed a bill regulating on-demand audiovisual content, requiring streaming providers, free or paid, to contribute 0.1–4% of annual gross revenue to the development of the national film industry. The bill also sets public-communication obligations for large providers, equal-access rules for smart TVs, and allocates 30% of funds to support independent producers. Separately, the Ministry of Justice’s content classification ordinance came into force for physical and broadcast media, requiring rating symbols and parental controls, with internet-app provisions starting in March 2026. The Ministry also concluded a consultation on digital age-verification standards. Meanwhile, the National Telecommunications Agency issued a report on illegal sales of unauthorized telecom products on e-commerce platforms.

Artificial Intelligence

Europe

The European Commission issued the proposal for the Digital Omnibus on Artificial Intelligence (AI) Regulation aimed at simplifying several provisions of the EU AI Act. It introduces new frameworks for testing high-risk AI systems, including an EU-level sandbox managed by the EU AI Office, giving priority access to small and medium-sized enterprises and start-ups. For certain AI-enabled products, a voluntary testing regime is proposed through agreements between Member States and the Commission. The proposal also establishes a legal basis for processing sensitive personal data to detect and mitigate bias in high-risk AI systems, subject to safeguards. Additionally, it removes the obligation for providers of AI systems who do not consider their systems high-risk to register them. The timeline for applying high-risk rules has been extended to a maximum of 16 months, allowing the rules to take effect once the Commission confirms that the necessary standards and support tools are in place, with final deadlines set for December 2027 and August 2028.

The AI Office has also begun drafting the Code of Practice on Transparent Generative AI Systems, which will guide providers on meeting transparency rules, including marking AI-generated or manipulated content so it can be detected automatically. In parallel, the Commission published a reporting template for serious incidents involving general-purpose AI models with systemic risk and launched an AI whistleblower tool to allow individuals to report potential breaches of the AI Act.

The European Parliament adopted a resolution on the impact of AI on the financial sector, calling on the Commission to provide guidance on how existing financial services legislation applies to AI. Separately, the European Data Protection Supervisor issued guidance for risk management of AI systems, offering recommendations on data protection safeguards in the deployment of AI.

The French Audiovisual and Digital Communication Regulatory Authority and the National Music Centre opened a consultation on how audiovisual media and digital platforms influence the discovery and promotion of music to examine AI's impact on content distribution.

In Germany, the Munich Regional Court ruled that OpenAI’s ChatGPT unlawfully reproduced copyrighted German song lyrics embedded during training, rejecting reliance on text- and data-mining exceptions and finding that memorization in model weights constitutes reproduction. The Court held OpenAI responsible for infringing outputs due to its control over training data and system architecture.

In Turkey, a bill establishing an AI legal framework was submitted to the Grand National Assembly. The bill sets requirements for anonymous and non-discriminatory datasets, cybersecurity testing, content verification mechanisms, and labeling of AI-generated content. It also introduces expedited removal obligations for certain AI content, grants the Information Technologies and Communication Authority emergency blocking powers, and amends the Penal Code to address liability for offenses committed through AI. Further, the Personal Data Protection Agency published a guide on generative AI specifying data protection obligations for AI developers.

In the United Kingdom, the High Court ruled that Stability AI partially infringed Getty Images’ iStock and Getty Images trademarks with certain images from Stable Diffusion versions. The Court rejected the other trademark and copyright claims and confirmed that Stability AI is not responsible for models shared on GitHub or Hugging Face. Additionally, the Digital Regulation Cooperation Forum closed its consultation as part of the inquiry into Agentic AI regulatory challenges.

Asia and Australia

The Australian Government established the AI Safety Institute to support regulation, advise on legislation, and provide technical capability for monitoring, testing, and analyzing emerging AI technologies to identify future risks and protect the public.

China implemented a series of standards and regulatory measures for generative AI. The standard on basic requirements for security of generative AI services sets obligations for AI providers throughout development and post-release, covering training data, model security, audits, monitoring, copyright, and data protection. Providers must ensure data diversity, limit harmful content, secure training environments, and implement measures for reliable outputs, emergency management, and service continuity. The standard on data security specifications for pre-training and optimization training also entered into force. It requires classification and management of pre-training and fine-tuning data with detailed metadata, authorized collection, multiple data sources, and comprehensive keyword databases to identify security and intellectual property risks. It further sets design requirements and cybersecurity requirements for AI training processes.

The Cyberspace Administration (CAC) released the fourteenth batch of domestic deep synthesis service algorithm filing list and issued the filing information for generative AI services. The CAC also required mobile apps and content platforms to add explicit and implicit identifiers to AI-generated content, include metadata and warning labels, implement verification, and allow users to declare synthetic content.

The Ministry of Industry and Information Technology opened a consultation on the fourteenth batch of standards, addressing design requirements for AI development and consumer technology products. The Ministry of Commerce also concluded a consultation on an anti-dumping investigation into US analog chip imports, announcing export exemptions for Nexperia to stabilize the semiconductor supply chain.

The Ministry of Electronics and Information Technology of India released AI governance guidelines, establishing principles for responsible AI development and deployment. The Ministry closed its consultation on the draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, addressing synthetically generated information, and establishing content moderation requirements for AI-generated content on platforms.

The Ministry of Science and Information and Communication Technology of South Korea opened consultations on the Enforcement Decree of the Framework Act on the Development of AI, addressingdesign requirements,AI authority governance, anduser rights in AI systems. The Ministry of the Interior and Safety also releasedpublic sector AI ethics principles, establishing guidelines for government use of AI technologies.

Saudi Arabia and the United States signed a strategic AI partnership to support semiconductor supply, AI development, and cloud infrastructure. The agreement includes co-development of AI tools, large-scale infrastructure, skills expansion, and security cooperation.

Competition

Europe

The European Commission published a proposal for a Regulation on the establishment of European Business Wallets. It would create a harmonized digital framework across the EU, enabling businesses and public authorities to identify, authenticate, and exchange data with legal effect.

The Commission also launched three market investigations into cloud computing services under the Digital Markets Act (DMA). The first investigation will assess the DMA’s effectiveness in addressing practices that may limit competitiveness and fairness in the cloud sector. Two market investigations will examine whether Amazon and Microsoft should be designated as gatekeepers for their cloud services, Amazon Web Services and Microsoft Azure, even though they do not meet the DMA thresholds for size, user numbers, or market position. Additionally, the Commission initiated an investigation into Google for a potential DMA breach related to the demotion of publishers’ content in search results when these sites feature content from commercial partners.

The French Competition Authority fined Doctolib EUR 4.665 million for abusing its dominant position in the healthcare platform market. Additionally, the Authority rejected Qwant's complaint against Microsoft, dismissing allegations of abusive practices in the search syndication and online advertising sectors.

The Italian Competition Authority expanded its investigation into Meta to determine whether the integration of its AI service with WhatsApp amounts to an abuse of dominance. The investigation focuses on new WhatsApp terms that restrict access for third-party AI chatbot providers, potentially affecting services such as Copilot, ChatGPT, and Perplexity.

The United Kingdom Competition and Markets Authority (CMA) issued updated guidance on unfair commercial practices and price transparency under the Digital Markets, Competition and Consumer Act, setting standards for fair marketing. The CMA also opened several investigations into suspected non-compliance with the Act, including into Stubhub and viagogo over transparency of mandatory fees, and into Wayfair, Marks Electrical, and Appliances Direct regarding time-limited sales claims and alleged automated purchasing. Additionally, the CMA accepted commitments addressing competition concerns related to Getty Images’ planned acquisition of Shutterstock. Finally, the Competition Appeal Tribunal refused Apple’s request for permission to appeal the earlier ruling, which found it liable for exclusionary practices in the App Store. The ruling also set the competitive commission rate for distribution at 17.5% and for in‑app payments at 10%. The plaintiff was also awarded damages for previous overcharges.

Asia and Australia

China’s State Administration for Market Regulation closed consultations on draft measures for establishing demonstration zones for online market supervision and services. It also closed consultations on its guidelines on anti-monopoly compliance of internet platforms, which set out standards for platform conduct in relation to unilateral practices.

In India, the National Company Law Appellate Tribunal issued a ruling that partly upheld and partly modified the Competition Commission’s order against Meta and WhatsApp. It confirmed the INR 213.14 crore fine on Meta and removed the five-year restriction that would have prevented WhatsApp from sharing user data with other Meta companies for advertising. The Tribunal upheld the remaining directions, requiring WhatsApp to ensure transparency on data sharing with other Meta entities.

Americas

The Competition Bureau of Canada concluded that the use of algorithmic pricing tools by RealPage Canada and Yardi Canada in the rental housing sector was not sufficiently widespread to substantially affect competition, finding no evidence of abuse of dominance or anticompetitive collaboration. Although no violations were established, the Bureau noted ongoing concerns about the potential competitive effects of algorithmic pricing.

The Brazilian Administrative Council for Economic Defence opened an investigation into Meta following complaints that the new WhatsApp Business Solution terms unfairly blocked AI providers while favoring Meta AI. The investigation will examine potential exclusion of competitors, self-preferencing, and abuse of dominant position.

Africa

South Africa’s Department of Trade, Industry, and Competition closed its consultation on the draft online intermediation platforms guidance note. Additionally, the Competition Commission released the final report on the media and digital platforms market inquiry, finding that news media are under pressure due to declining advertising income, limited subscription growth, and the prominence of global platforms across search, social media, AdTech, and AI. The Commission outlined remedies such as additional monetization measures by major platforms, AdTech transparency requirements, limits on self-preferencing, AI content controls, and recommendations for collective bargaining.

Data governance

International

Leaders of the Asia-Pacific Economic Cooperation (APEC) released the Gyeongju Declaration, including commitments to enhance cooperation on cross-border data flows. The Group of Seven (G7) adopted a Communiqué outlining measures to address cybercrime, while the Group of Twenty (G20) issued a declaration following the South Africa Summit, addressing AI, data governance, and innovation for sustainable development. In addition, the Parties to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Association of Southeast Asian Nations (ASEAN) issued a Trade and Investment Dialogue Joint Ministerial Statement, establishing data transfer frameworks across the Asia-Pacific region. CPTPP parties and the European Union also released a Joint Ministerial Statement under the Trade and Investment Dialogue, including provisions on cross-border data transfers.

Europe

The Council of the European Union adopted the Regulation laying down additional procedural rules relating to the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. It sets uniform admissibility standards, binding deadlines, and mechanisms for cooperation and early resolution. The European Parliament and Council also reached agreements on the Third Payment Services Directive (PSD3) and the Payment Services Regulation for the internal market, establishing data protection frameworks for digital payment providers.

The European Commission issued its Proposal for a Digital Omnibus Regulation. The proposal would amend several existing EU regulations, including the GDPR, the Data Act, the AI Act, and the Directive on Security of Network and Information Systems, while repealing the EU Platform-to-Business Regulation (P2B Regulation). The Omnibus would also consolidate the Data Governance Act, the Regulation on the Free Flow of Non-Personal Data, and the Open Data Directive into a single, consolidated Data Act. Proposed GDPR changes amend the definition of personal data, adjust restrictions on sensitive data processing, and clarify processing under legitimate interests for AI development. Cookie consent rules would be updated, and the Data Act would strengthen trade secret protections and set rules for reusing public sector, research, and high-value data. The Commission also published the Data Union Strategy-Unlocking Data for AI, focusing on expanding access to data for AI, simplifying data regulations, and enhancing the EU’s position in international data flows. Additionally, the Commission adopted a recommendation on non-binding model contractual terms on data access and use and standard contractual clauses for cloud computing contracts.

Under the Digital Operational Resilience Act, European Supervisory Authorities identified critical ICT third-party providers, including cloud and database services, subject to enhanced oversight. The European Data Protection Board adopted its opinion on Brazil’s data protection framework for cross-border transfers and opened a consultation on GDPR compliance templates. The Court of Justice clarified the legal basis for newsletter marketing under the ePrivacy Directive and GDPR. Finally, at the member state level, the Irish High Court granted TikTok’s request to stay the data transfer suspension and corrective orders issued by the Data Protection Commission (DPC), pending appeal. The orders follow the DPC’s May 2025 decision to fine TikTok EUR 530 million and suspend its personal data transfers from the EEA to China.

The German Parliament passed the NIS 2 Implementation and Cybersecurity Strengthening Act, introducing security requirements and expanding the powers of the Federal Office for Information Security. The Federal Commissioner for Data Protection and Freedom of Information also approved the first service under the Consent Management Ordinance. In addition, the Hessian Commissioner for Data Protection and Freedom of Information published a report on the use of Microsoft 365, evaluating data protection compliance. Furthermore, the Conference of Independent Data Protection Supervisory Authorities adopted a resolution on proposed GDPR amendments aimed at child protection, recommending additional safeguards for minors’ data.

The Italian Competition Authority (AGCM) accepted Google’s commitments and closed its investigation into allegations that Google provided unclear or misleading information on the use of personal data in consent requests. Google must revise these requests to clearly explain the implications of consent, allow users to consent to specific services, and send the updated requests to new, passive, and active users with the required hyperlinks.

The Cyber Security and Resilience Bill was introduced to the United Kingdom Parliament. It expands the scope of the 2018 NIS Regulations to cover additional essential and digital service providers, including online marketplaces, cloud services, search engines, and managed service providers, and designates data centres as essential services. The Bill updates regulators’ powers, incident reporting, and information-sharing rules. Additionally, the United Kingdom and its partners United States, Canada, Australia, and New Zealand, adopted a joint statement on security, establishing cybersecurity standards for telecommunications infrastructure.

Asia and Australia

In China, several cybersecurity and data protection measures have come into effect. The Cyberspace Administration’s national cybersecurity incident reporting measures require critical information infrastructure operators to report security incidents within one hour, and major incidents within 30 minutes, while other network operators have to report to local cyberspace authorities within four hours. The standard on security requirements for processing sensitive data sets requirements for lawful collection, explicit notification, separate consent, encryption, access control, and de-identification.

The Ministry of Industry and Information Technology launched the second phase of a pilot programme for cybersecurity insurance coverage. Meanwhile, the Cyberspace Administration opened consultations on draft frameworks, including administrative measures for cybersecurity identification and regulations on personal information protection for large-scale online platforms, covering data localisation requirements, organisational requirements, data protection requirements, and cybersecurity requirements for platforms, e-commerce services, search providers, and cloud computing infrastructure.

India’s Ministry of Electronics and Information Technology adopted the Digital Personal Data Protection Rules, setting out measures for implementing the Digital Personal Data Protection Act (DPDPA). The Rules establish a phased implementation timeline, with immediate effect for definitions, the Data Protection Board, and government powers. After one year, the measures regarding registration and oversight of consent managers will take effect. After 18 months, the operational provisions covering consent, fiduciary obligations, and Board authorities will come into force.

South Korea’s Ministry of Science and Information and Communications Technology issued an order against Telecom Corporation for failing to report malware infections. Meanwhile, the Personal Information Protection Commission announced an investigation into Coupang following a data leak involving customer and account information.

Americas

Argentina and the United States reached a Reciprocal Trade and Investment Agreement. Under it, Argentina will recognize the US as adequate for personal data transfers, accept US electronic signatures, avoid trade restrictions on US digital services and products, and address intellectual property issues.

The National Data Protection Authority of Brazil (ANPD) assessed WhatsApp’s data sharing practices with Meta following the 2021 privacy policy update. While WhatsApp showed mechanisms keeping Meta as a processor under the General Personal Data Protection Law (LGPD), ANPD identified high risks due to data volume, corporate links, and Meta’s business model. WhatsApp was ordered to conduct an external audit, submit a compliance plan, and enhance transparency when Meta acts as a processor or controller.

Canada’s Budget Implementation Act passed its first reading. The Act amends the Personal Information Protection and Electronic Documents Act (PIPEDA) to create a data mobility framework. Organizations must share personal data with another organization chosen by the individual, following the framework’s rules. The Governor in Council can set requirements on disclosure, security, and interoperability. Additionally, the Office of the Privacy Commissioner launched an inquiry into websites and mobile applications commonly used by children.

Africa

South Africa’s Information Regulator reached a settlement with WhatsApp over its 2021 Privacy Policy, resolving allegations of noncompliance with the Protection of Personal Information Act (POPIA). WhatsApp withdrew its legal action and will implement additional measures to provide transparency regarding the information made available to South African users.