Global Digital Policy Roundup: September 2025

The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of August 2025 in four core areas of digital policy.

• Content moderation, including Australia’s six new industry codes to protect minors online, Brazil’s bill on the protection of minors, China’s measures for platforms with significant impact on minors, the expansion and implementation of the UK Online Safety Act, and the European Commission’s enforcement of the Digital Services Act.
• AI regulation, including the European Commission’s guidelines under the AI Act, Italy’s law on the governance of AI, China’s methods for identifying AI-generated synthetic content, and South Korea’s draft enforcement decree for the AI Act.
• Competition policy, including the European Union's first review of the Digital Markets Act and enforcement actions against Google and Microsoft, the UK’s rules on the strategic market status levy, China’s consultations on platform pricing, Brazil’s proposed digital markets regulation, and Canada’s penalty against KuCoin.
• Data governance, including the EU Data Act’s entry into force, Russia’s data access and protection law for communications and information providers, China’s cybersecurity reporting and data standards consultations, and Canada’s report against TikTok over inappropriate collection of children’s data.

Content moderation

Europe

The European Commission welcomed the endorsement of the code of conduct on online reviews for tourism accommodation in line with the Digital Services Act (DSA) and the Unfair Commercial Practices Directive. The voluntary framework establishes standards for authenticity verification, transparency in review collection, and fair treatment of user-generated feedback on accommodation platforms. Additionally, the Commission closed the consultations on draft guidance to support the implementation of the regulation on transparency and targeting of political advertising and its forthcoming action plan against cyberbullying.

At the judicial level, the General Court upheld the European Commission’s designation of Zalando as a very large online platform under the DSA for its Partner Programme. The Court agreed that Zalando’s own retail activities are not an online platform but ruled that all users could be counted for the Partner Programme as exposure to third-party content cannot be separated. Conversely, the Court annulled the Commission’s supervisory fee decisions following challenges from Meta and TikTok. The Court temporarily maintained the effects of the annulled decisions for up to 12 months to ensure continuity in fee collection and ordered the Commission to cover the costs.

Regarding enforcement, the European Commission requested information from Booking, Google, and Microsoft on the detection and mitigation of financial scam risks under the Digital Services Act. The requests focus on the platforms’ methods for identifying fraudulent content, conducting risk assessments, and protecting users from financial scams.

The Italian Communications Regulatory Authority’s amended rules expanding the scope of dynamic injunctions under the Piracy Shield platform come into force. The rules enable all rights holders of live and audiovisual content to request rapid blocking of infringing material, covering a broad range of service providers, including VPNs and search engines.

Russia implemented a law banning advertising on platforms deemed “undesirable,” including Facebook and Instagram, and restricting the use of VPNs to bypass access blocks. The amended code of administrative offences now prohibits distributing VPNs, creating or searching for extremist content, and advertising bypass tools. Separately, the Ministry of Digital Development concluded the consultation on a draft law to combat information communication technologies-related offences, which proposes out-of-court blocking of phishing sites.

The United Kingdom’s Department for Science, Innovation, and Technology announced that the Online Safety Act (OSA) will be amended to designate content encouraging or assisting serious self-harm as a priority offence. As part of OSA implementation, the Office of Communications (Ofcom) opened several consultations and enforcement actions. It opened a consultation on super-complaints, outlining procedures for designated organisations to raise systemic user safety concerns. The guidance covers eligibility criteria, investigation timelines, and potential regulatory responses. Ofcom also consulted on its notification guidance for online safety fees, which will fund its regulatory and enforcement activities. The guidance clarifies fee structures, calculation methods, payment procedures, and reporting requirements. In addition, Ofcom issued recommendations on designing for media literacy. These offer platforms' best practices for features that improve user understanding of online content, combat misinformation, and support critical evaluation of information sources.

Regarding enforcement, Ofcom expanded its formal investigation into 8579 LLC over compliance with age assurance obligations, examining whether the platform has robust age verification mechanisms to prevent minors from accessing adult content. Similar investigations were opened into Cyberitic, Youngtek Solutions, ZD Media, and the provider of XGroovy, focusing on platforms displaying adult content without adequate age verification measures. These actions target potential violations of mandatory age-restriction requirements.

Asia and Australia

Australia’s eSafety Commissioner registered six new industry codes under the Online Safety Act, set to take effect on 9 March 2026. These codes apply to social media, messaging services, designated internet platforms, relevant electronic services, app distribution services, and equipment providers, and include measures to protect children from age-restricted content such as online pornography, extreme violence, and self-harm material. Messaging services must block illegal sharing of child-related pornography and offer safety features like blocking and group-exit options.

Social media platforms are required to verify users’ ages for restricted content and remove it if it is prohibited on the platform. Designated internet services, including adult websites and high-risk generative AI platforms, must implement effective age verification, while app stores are expected to enforce checks for 18+ apps. Device manufacturers and operating system providers must offer child accounts with integrated safety tools and continuously enhance protections. In addition, the eSafety Commissioner adopted social media minimum age regulatory guidance and released a self-assessment tool for platforms to determine whether their services qualify as age-restricted and require implementation of mandatory age verification measures.

Complementing these measures, the Attorney General released the national identity proofing guidelines. The framework establishes standardized procedures for verifying user identities across digital services and supports the implementation of age verification requirements. Previously, the Department of Infrastructure issued a report on age assurance technology. The report evaluates available age verification methods, including biometric systems, identity document verification, and third-party age estimation technologies.

Concerning enforcement, the eSafety Commissioner opened an investigation into a technology company providing AI-generated “nudify” services, examining whether the platform violates content moderation obligations by enabling the creation and distribution of non-consensual intimate images. Separately, Roblox committed to implementing safety measures to comply with the Online Safety Act's codes.

The Cyberspace Administration of China opened consultation on measures for identifying internet platform service providers with large numbers of minor users and a significant impact on minors. The framework establishes criteria for designating platforms subject to additional minor protection requirements, including mandatory age verification, content filtering, and usage time limitations. Separately, the Ministry of Industry and Information Technology closed its consultation on the draft national standard technical safety requirements for children's smartwatches. The standard establishes design requirements for wearable devices marketed to children, including content filtering capabilities, location privacy protections, and communication restrictions to enhance child safety.

Regarding enforcement, the CAC launched enforcement measures targeting irregularities in internet news and information services and initiated a two-month nationwide campaign against the malicious instigation of negative emotions online. It also released a second batch of typical cases under its campaign to optimize the online business environment. The CAC also issued an interim ruling against Xiaohongshu for insufficient content moderation and inadequate responses to illegal content reports, as well as orders against the UC platform and Toutiao for failing to prevent harmful material distribution. Both platforms are required to remove prohibited content, improve systems, and enhance monitoring.

The Republic of Korea’s National Assembly received a bill amending the Network Act to establish procedures for handling online content removal requests related to privacy violations or defamation. It requires internet service providers to notify users of actions taken and inform them of options to obtain uploader information or pursue dispute resolution. The bill also sets rules for mediation, including application, referral, decision timelines, grounds for refusal or suspension, and confidentiality obligations for participants. Additionally, the Fair Trade Commission closed its consultation on draft amended consumer protection guidelines in e-commerce, establishing specific interpretation standards and recommendations for dark pattern regulation.

Americas

The President of Brazil signed into law the bill on the protection of minors in digital environments. The law requires providers of services deemed inadequate or legally restricted for children to implement age verification mechanisms to restrict access. In addition, the law requires preventive and protective measures, including restrictions on the profiling of minors and the establishment of accessible content reporting mechanisms. Providers with over one million users under 18 must further publish semi-annual transparency reports on content moderation, data protection, parental consent, and risk assessments. The law also sets specific obligationsfor electronic games and requires providers to appoint a representative in Brazil. The President also signed a measure setting the law’s implementation date for March 2026, six months after publication, shortening the original twelve-month deferral period. Additionally, the National Data Protection Agency was designated as the independent authority responsible for enforcing the law.

Artificial intelligence

International

Twenty data protection authorities issued a joint statement promoting trustworthy data governance frameworks to support innovative, privacy-respecting artificial intelligence (AI). Separately, the G7 Cyber Expert Group released a statement on AI and cybersecurity, addressing emerging risks such as adversarial attacks, model manipulation, and AI-enabled cyber threats.

Europe

The European Commission advanced the implementation of the EU AI Act. It opened a public consultation on draft guidance and a reporting template for serious AI incidents. These incidents, defined as events causing significant harm to people, infrastructure, rights, or the environment, require clear reporting timelines, investigation duties, and coordination with market authorities and existing EU reporting frameworks. The Commission also launched a consultation on transparency guidelines for AI systems under Article 50, clarifying obligations for systems that interact with users, generate content, or make automated decisions. In parallel, the European AI Office also invited expressions of interest to contribute to the development of a voluntary Code of Practice on Transparent Generative AI Systems, addressing model documentation, training data disclosure, and user notification requirements.

Additionally, the Commission concluded consultations on selecting experts for the Scientific Panel supporting AI Act implementation, as well as on proposals for a directive establishing harmonized rules for innovative companies under the European Innovation Act. Finally, the Commission approved a joint venture between Meta Platforms and Reliance Industries.

The Council of Europe also published draft guidelines on privacy and data protection for large language model systems, focusing on data minimization and user rights.

The Italian Senate adopted the law on the governance of AI, establishing a national framework to complement the EU AI Act. The law will come into force in October 2025 and governs AI deployment across healthcare, public administration, judicial activity, national security, defense, and employment. The law introduces specific safeguards for minors and a framework for healthcare AI research, allowing secondary use of anonymized or pseudonymized data under oversight. It also introduces copyright protection for AI-assisted works with meaningful human authorship and permits text and data extraction for AI model training, provided there is legitimate access. The law also requires public procurement platforms to prioritize AI suppliers that process and store strategic data within national data centers to ensure disaster recovery, business continuity, and high security standards.

The United Kingdom Department of Science, Innovation, and Technology published a policy paper following its review of the third-party AI assurance market. The findings note gaps in current offerings and suggest government support to strengthen assurance capabilities. Separately, the House of Commons Treasury Committee launched an inquiry into the use of AI in financial services by companies including Amazon Web Services, Anthropic, Google Cloud, Meta, Microsoft, and OpenAI. It will examine AI deployment and risks related to algorithmic decision-making, model transparency, and consumer protection, to inform potential regulatory measures. Meanwhile, the United States and the United Kingdom signed a memorandum of understanding under the Technology Prosperity Deal, establishing frameworks for cooperation on AI development and digital infrastructure.

Asia and Australia

The National Cybersecurity Standardisation Technical Committee of China (TC260) issued the updated AI Safety Governance Framework. It establishes risk management requirements for AI systems, including safety testing procedures, ongoing monitoring obligations, and incident response protocols.

The Cyberspace Administration (CAC) implemented rules on methods for identifying AI-generated synthetic content. The methods set standardized practices for marking text, images, audio, video, and virtual scenes. AI service providers and businesses using synthetic media must implement both explicit and implicit content identifiers. To support the implementation, the National Information Security Standardisation Technical Committee’s standard establishes uniform marking requirements. The CAC also released the thirteenth batch of domestic deep synthesis service algorithm filing list. In addition, TC260 adopted the guide on generative AI service security emergency response. The guidance establishes procedures for responding to security incidents involving generative AI systems, including data breaches, model manipulation, and harmful content generation.

The National Institution for Transforming India adopted a report on leveraging AI for accelerated economic growth. The report outlines steps for India to achieve 8% GDP growth by 2035 through AI adoption, supported by the India AI Mission with a five-year INR 10,000 crore budget. It recommends creating an AI supervisory body for financial institutions, setting obligations on consumer protection, cybersecurity, and system resilience.

Japan's Prime Minister’s Office convened the first meeting of the AI Strategy Headquarters to commence deliberations on the draft AI Basic Plan. The plan will address four areas: applying AI in sectors such as elderly care, advancing domestic AI research and infrastructure, ensuring AI reliability through rights protections and international engagement, and supporting AI integration in employment and industry through systemic and social measures.

The Ministry of Science and Information and Communication Technology of South Korea released thedraft Enforcement Decree of the Framework Act on the Development of AI and Establishment of Trust Foundation. The draft decree establishes design requirements, AI governance structures, and user rights in AI interactions. The Ministry noted that briefing sessions would be held with stakeholders before the subordinate statutes are finalised and published. Additionally, the Presidential decree establishing the National AI Strategy Committee entered into force.

Americas

The Ministry of Human Rights and Citizenship of Brazil adopted an ordinance establishing guidance for ethical, safe, and transparent use of AI. The framework applies to government procurement of AI systems, establishing evaluation criteria for ethical compliance, safety standards, and transparency requirements.

The Government of Canada issued an order establishing the AI Strategy Task Force to coordinate AI policy across federal agencies, advise on regulatory approaches, and monitor international AI governance developments, supporting the implementation of Canada’s AI strategy. Separately, the Digital Regulators Forum published a report on synthetic media, examining deepfakes, AI-generated content, and manipulated audiovisual material. The paper highlights regulatory challenges such as detection, attribution, and potential harms, and proposes coordinated approaches to manage synthetic media risks.

Competition

Europe

The European Commission opened a consultation on the revised Technology Transfer Block Exemption Regulation and its guidelines. The regulation defines market share thresholds that automatically exempt certain technology licensing agreements from antitrust prohibitions. The Commission also concluded consultations on the first review of the Digital Markets Act, which examined its effectiveness in promoting fair digital markets, and the review of EU merger guidelines.

In enforcement, the European Commission fined Google EUR 2.95 billion for abusing its dominant position in the online advertising technology sector. The company has 60 days to propose remedies, and the Commission may impose structural measures, including divestment, if the commitments are insufficient. The Commission also accepted Microsoft's commitments to resolve competition concerns over bundling Teams with Office 365 and Microsoft 365. Microsoft will now offer unbundled versions at lower prices, ensure interoperability and data portability, and promote both options equally. Additionally, the Commission opened an investigation into SAP over alleged anticompetitive practices in the planning software maintenance market, and approved the joint acquisition of Frontier Global Investments and Evolution by ZeroTwo and WP.

Italy’s Regional Administrative Tribunal partially annulled the Competition Authority's EUR 1.13 billion fine against Amazon for abuse of dominant position in online marketplaces. The Tribunal found procedural irregularities in the authority's investigation while upholding the requirements for Prime eligibility and performance monitoring.

The United Kingdom’s Competition and Markets Authority (CMA) adopted rules on the strategic market status levy under the Digital Markets, Competition and Consumers Act (DMCC). The rules establish fee structures for firms designated with strategic market status, which will be used to fund regulatory oversight and enforcement activities. Moreover, the CMA closed its consultation on draft guidance on price transparency under the DMCC. In enforcement, the CMA approved commitments from Ticketmaster over Oasis concert sales after concerns about misleading information during high-demand sales.

Asia and Australia

China’s State Administration for Market Regulation (SAMR) opened a consultation on draft rules for national standard monitoring points. The framework establishes monitoring points’ responsibilities, data collection and reporting requirements, eligibility, and review procedures. The SAMR also closed its consultations on draft measures for handling market supervision and administration complaints and on the rules on internet platform pricing behavior, defining pricing conduct, prohibiting algorithmic discrimination and collusion, and setting obligations on subsidies, bundling, and automatic renewals.

In enforcement, SAMR announced preliminary findings that Nvidia violated the Anti-Monopoly Law and prior review conditions, as part of an investigation into the company's acquisition of Mellanox. Moreover, SAMR opened an investigation into Chengdu Kuaigou Technology's compliance with the E-Commerce Law, focusing on alleged livestreaming violations such as false marketing and counterfeit goods. In parallel, SAMR also released the third batch of typical cases on live e-commerce investigations. The enforcement actions address false advertising, fabricated reviews, misleading claims, and unqualified products across sectors.

India’s National Company Law Appellate Tribunal announced the continuation of proceedings following WhatsApp and Meta Platforms' appeal against a Competition Commission order that fined them INR 213.14 crore for abuse of dominance and banned data sharing for advertising for five years.

The Republic of Korea’s Fair Trade Commission finalized a consent resolution regarding Broadcom's alleged violation of the Monopoly Regulation and Fair Trade Act. The settlement requires Broadcom to stop requiring exclusive use of its System on a Chip components, avoid adverse actions against partners working with competitors, and refrain from contracts covering over 50% of system semiconductor needs. The Commission also approved the merger between Shinsegae and Alibaba with conditions to prevent domestic consumer data sharing, prohibit mutual use for overseas purchases, and ensure independent operation to protect data privacy.

Americas

Brazil introduced a bill to establish ex-ante regulation for systemically relevant digital platforms in Brazil, allowing the Competition Authority to designate large firms and impose tailored obligations on merger control regulations, unilateral conduct regulations, data access, interoperability requirements, and transparency. The Bill also includes provisions on competition authority governance and local operations requirements. It provides that designated companies face administrative review, mandatory compliance, and fines for violations.

Regarding enforcement, the Administrative Council for Economic Defence closed its consultation on an investigation into Google for alleged abuse of dominance in the advertising sector. The investigation examines whether Google leverages its dominance in search services to advantage its advertising business, restricting competition in digital advertising markets through preferential ad placement, discriminatory access to user data, and bundling of advertising products.

Data governance

Europe

The European Union’s Data Act entered into force, establishing rules on data access, protection, interoperability, and transfers. It ensures users of connected products can access their data, safeguards trade secrets and intellectual property, and sets standards for data sharing, compensation, and dispute resolution.

The European Commission opened a consultation on the Digital Omnibus, which aims to reduce compliance costs and simplify regulations. It proposes amendments to the Data Governance Act, e-Privacy Directive, and the AI Act, among others. The Commission also issued guidelines on the resilience of critical entities to support Member States in identifying entities and implementing measures against cyber threats. Additionally, the Commission launched the process for an adequacy decision to allow EU personal data transfers to Brazil without additional authorization.

The European Data Protection Board opened a consultation on guidelines clarifying the interplay between the Digital Services Act and the General Data Protection Regulation (GDPR). The guidelines cover personal data processing by intermediary service providers, limits on automated decision-making, profiling restrictions, recommender systems, protections for minors, and governance coordination. In parallel, the Advocate General issued an opinion clarifying that GDPR access requests are excessive only in exceptional, abusive cases, and that damages under Article 82 can cover non-material harm, including loss of control over personal data. Finally, the General Court dismissed the challenge to the EU-US data protection framework adequacy decision, upholding that it provides adequate protection for personal data transferred to the United States, safeguards against automated decision-making, and ensures data security.

France’s National Commission on Informatics and Liberty (CNIL) adopted guidelines on inactive user account data retention in digital content sectors, and closed the consultation on guidelines on the deployment of web filtering. In enforcement, the CNIL fined Google EUR 325 million for processing Gmail communications for advertising without user consent and for inadequate cookie practices, finding violations of GDPR requirements. Shein was also fined EUR 150 million after its Irish entity, Infinite Styles Services Limited, placed tracking cookies without consent, used misleading consent interfaces, and failed to respect users’ cookie preferences.

The United Kingdom’s Office of Communications opened a consultation on guidance for data preservation notices under the Data (Use and Access) Act, covering retention of children’s online activity after death, including content, metadata, search history, and friend lists. Meanwhile, the Information Commissioner’s Office (ICO) closed its consultation on updated guidance for storage and access technologies, clarifying how the United Kingdom GDPR applies to user-device data, including consent, online advertising, and mandatory versus recommended practices. The ICO also welcomed Meta’s changes to its advertising model, which now requires user consent for targeted ads or offers a paid ad-free option, following a privacy-focused regulatory sandbox review. In parallel, the Department for Science, Innovation and Technology closed its consultation on the Smart Data scheme, which would enable secure sharing of consumer and business data with authorized third parties to boost innovation and competition.

Asia

The Cyberspace Administration of China (CAC) adopted new cybersecurity incident reporting measures, requiring critical infrastructure operators to report major incidents within one hour, central and state operators within two hours, followed by summary reports within 30 days. The CAC also launched a consultation on draft rules to establish personal information protection supervisory committees for large online platforms.

Meanwhile, the National Information Security Standardisation Technical Committee (TC260) issued guidelines requiring platforms with over 10 million users to give 20 working days’ notice before shutdown, enable users to access or delete their data, and retain data only for legal or regulatory reasons. TC260 also adopted new standards for academic and scientific platforms covering cybersecurity, data localisation, and data transfer. In addition, several national cybersecurity standards entered into force, including real-time verification protocols for digital certificate revocation and unified definitions for detecting and responding to network attacks.

South Korea implemented amendments to the enforcement decree of the Personal Information Protection Act, expanding data portability rights and obligations for overseas businesses’ domestic agents. Updated guidelines on AI-related data impact assessments also took effect, introducing criteria on data legality, sensitive data handling, accountability, safeguards, and reporting.

The Personal Information Protection Commission (PIPC) announced new regulations on personal information, including fair use guidelines that expand access to public and pseudonymized data and support the regulation of autonomous driving and AI robots. In enforcement, PIPC opened investigations into KT Corporation and LG Uplus over suspected data breaches involving unauthorized payments and hacking. It also fined Moncler KRW 81.01 million, plus a KRW 7.2 million surcharge, for violations of the Personal Information Protection Act after a breach exposed 230,000 personal records and delayed notifications. The Ministry of Science and ICT separately opened an investigation into allegations of SK Telecom customer data being stolen and sold by an international hacking group. Additionally, the Korea Internet and Security Agency and Korea Consumer Agency reported cybersecurity vulnerabilities in robot vacuum cleaners, including risks of unauthorized camera activation and data leaks.

Indonesia concluded negotiations with the European Union on the Comprehensive Economic Partnership Agreement, including provisions on cross-border data transfers, data protection regulation, and cybersecurity regulation. The Agreement promotes free data transfers, recognises personal data rights, and establishes interoperable cybersecurity standards.

Americas

Brazil’s National Data Protection Authority signed agreements with the United Kingdom and Argentina to strengthen international cooperation on privacy, covering digital governance, cross-border data transfers, joint investigations, and training.

The Privacy Commissioner of Canada, alongside provincial privacy commissioners, found that TikTok violated privacy laws by improperly collecting children’s data and lacking valid consent mechanisms. TikTok is required to strengthen age verification, stop targeted advertising to minors, improve transparency on data transfers, and submit progress reports within six months.