The roundup is produced by Digital Policy Alert, an independent repository of policy changes affecting the digital economy. If you have feedback or questions, please contact Maria Buza.

Overview. The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert. To ensure trust, every finding links to the Digital Policy Alert entry with the official government source. The full Digital Policy Alert dataset is available for you to access, filter, and download. To stay updated, Digital Policy Alert also offers a customizable notification service that provides free updates on your areas of interest. Digital Policy Alert’s tools further allow you to navigate, compare, and chat with the legal text of AI rules across the globe.

Drawing from the Digital Policy Alert’s daily monitoring of developments in the G20 countries, it summarizes the highlights of February in four core areas of digital policy.

• Content moderation, UK's measures under the Data (Use and Access) Act, which make it an offense to create or request sexual deepfakes of adults without their consent, India's IT Amendment Rules introducing mandatory labeling for synthetic content, Brazil's bills on protection of minors, the European Commission's formal proceedings against Shein and preliminary findings against TikTok under the Digital Services Act, and Indonesia's temporary restriction of Wikimedia's login functionality.
• AI regulation, including the endorsement of the New Delhi AI Impact Summit Declaration by 91 countries and international organizations, the European AI Office's establishment of a Taskforce to oversee the General-Purpose AI Code of Practice, and enforcement actions against X in Brazil over Grok's generation of non-consensual sexual synthetic content.
• Competition policy, including the European Commission's decision not to designate Apple Ads and Apple Maps under the Digital Markets Act, the German Federal Cartel Office's prohibition of Amazon's price parity requirements, the UK Competition and Markets Authority's consultations on proposed commitments from Apple and Google, and South Africa's Competition Commission final guidance note for online intermediation platforms.
• Data governance, including the European Data Protection Board and European Data Protection Supervisor's joint opinion on the proposed Digital Omnibus Regulation, China's implementation of new national cybersecurity standards, Canada's passage of the data mobility framework under the Budget Implementation Act, and the UK Information Commissioner's Office's GBP 14.47 million fine against Reddit.

Content moderation

Europe

The European Commission adopted guidelines under the European Media Freedom Act clarifying very large online platforms’ obligation to provide a declaration functionality for media service providers. The mechanism must allow providers to declare their legal identity, editorial independence, and that they do not provide AI-generated content without human review. From August 2025, very large online platforms must notify media service providers before removing their content and provide 24 hours for a response.

As part of a broader security agenda, the Commission announced that it would assess whether the Terrorist Content Online Regulation needs revision and established the EU Online Crisis Response Framework. The Commission also submitted a proposal for a Directive on the trafficking of illicit firearms, addressing the online sale of illicit firearms.

Regarding enforcement, the Commission opened formal proceedings against Shein under the Digital Services Act (DSA) over alleged addictive design practices, recommender system transparency failures, and the sale of illegal products on the platform. The Commission also issued its preliminary findings against TikTok, concluding that the platform failed to meet its DSA obligations on risk assessments related to addictive design features.

At the member-state level, the Spanish Council of Ministers voted to request the Public Prosecutor's Office to investigate X, Meta, and TikTok over alleged AI-enabled creation and dissemination of child sexual abuse material. Poland's Office of Competition and Consumer Protection announced an investigation into Meta over alleged failure to provide effective contact channels for users across its platforms.

In France, the decree on the experimentation of games with monetizable digital objects came into force, prohibiting the opening of player accounts for minors. Operators must document their verification arrangements and must refuse to open accounts where identity cannot be verified.

A bill to establish terms for the disclosure of risks and consequences of participation in gambling was introduced to the Russian State Duma. The bill would set rules for advertising online gambling services and for platforms distributing gambling-related content.

In the Grand National Assembly of Turkey, a bill was introduced to require large digital platforms to negotiate with and compensate online news content providers. The bill would ban retaliation against publishers during negotiations, such as algorithmic downgrading or reduced visibility, and require platforms to appoint a local representative.

In the United Kingdom, the intimate image-related offenses under the Data (Use and Access) Act came into force. The Act amended the Sexual Offenses Act to criminalize creating or requesting the creation of a purported intimate image of an adult. Additionally, an amendment to the Crime and Policing Bill was introduced to require online platforms to remove non-consensual intimate images within 48 hours of notification. The Office of Communications (Ofcom) also announced it would accelerate the timeline for its proposed proactive technology requirement for illegal intimate images in the Illegal Harms Code.

The Department for Culture, Media and Sport drafted regulations under the Media Act to designate video-on-demand services with over 500,000 UK users as “tier 1” services, which will bring around 20 services under Ofcom’s regulatory oversight. The designated services will be required to comply with new standards and accessibility codes, covering harmful or offensive content, privacy, fairness, impartiality, and accuracy in news.

Regarding enforcement, Ofcom fined 8579 LLC GBP 1.4 million for failing to implement age assurance measures to prevent children from accessing pornographic content and fined Kick GBP 830,000 for non-compliance with age assurance obligations and failure to respond to statutory information requests. Ofcom issued provisional notices of contravention to 4chan and Im.ge over alleged failures to comply with illegal content duties. Ofcom also issued a provisional decision that the provider of an online suicide discussion forum breached the Online Safety Act by failing to conduct adequate risk assessments for illegal content.

Asia and Australia

Australia's eSafety Commissioner published the second of four transparency reports assessing how Apple, Discord, Google, Meta, Microsoft, Skype, Snap, and WhatsApp are addressing child sexual exploitation and abuse (CSEA) on their platforms. The report highlighted safety gaps, such as inadequate detection of live or newly created CSEA content, while noting improvements such as faster handling of reports and expanded detection of known material. The eSafety Commissioner also commenced an evaluation of the social media minimum age to assess whether the measures are achieving their intended objectives. Finally, the eSafety Commissioner notified Roblox of its intention to directly test the platform's implementation and effectiveness of the safety commitments it had made.

The Cyberspace Administration of China (CAC) issued the measures to identify platform service providers with a significant impact on minors. Platforms with more than 10 million registered users or over 1 million monthly active minor users may be designated, as well as platforms identified based on high minor engagement, substantial minor-related content, or repeated violations involving minors. Designated platforms will be subject to enhanced regulatory oversight and periodic reviews. Additionally, the supervision and management measures for online trading platforms and live streaming e-commerce came into force. Online trading platforms must prohibit the creation and dissemination of illegal content, among other obligations. Live-streaming e-commerce operators are required to implement graduated responses to illegal activities, ranging from warnings and function restrictions to account suspension and blacklisting.

Regarding enforcement, the CAC concluded several investigations into online platforms for failure to label AI-generated content. Additionally, the State Administration for Market Regulation announced enforcement actions against companies for deceptive marketing practices involving AI products or services. The Shanghai Qiaopin Network Information Technology was fined CNY 200,000, Shanghai Entropy Cloud Network Technology CNY 62,692, and Hangzhou Boheng Culture Media CNY 30,000.

In India, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules came into force, expanding the definition of information to cover artificially created or modified content. Public-facing synthetic content must include visible labels, embedded metadata, and a permanent unique identifier. Significant social media intermediaries are required to obtain user declarations on whether uploaded content is synthetic, implement technical measures to verify these declarations, and ensure proper labeling of synthetic content on their platforms. Further, the compliance window for takedown directions was shortened from 36 hours to 3 hours. The Ministry of Electronics and Information Technology published guidance clarifying implementation obligations for intermediaries handling AI-generated and AI-manipulated content.

Separately, the Ministry of Information and Broadcasting adopted guidelines for accessibility of content on platforms of publishers of online curated content for persons with hearing and visual impairment. Finally, a bill was introduced in Parliament to ban casual dating platforms and require matrimonial service providers to register. Registered platforms would be required to verify user profiles and implement anti-harassment measures, age-appropriate matching, and grievance redressal mechanisms.

Indonesia’s Ministry of Communication and Digital Affairs temporarily restricted Wikimedia’s login functionality due to non-compliance with registration requirements. Users can still access the homepage and content, but editing or creating articles is suspended. Full access may be restored once Wikimedia completes the required registration.

In South Korea, the Enforcement Decrees of the Content Industry Promotion Act and the Telecommunications Business Act came into force, establishing consumer protection governance frameworks and content moderation obligations for streaming service providers and telecommunications infrastructure operators. Additionally, two bills were introduced to the National Assembly. The first bill would introduce content moderation and design requirements for platforms to detect and counter foreign influence operations. The second bill would establish an expedited mechanism for platforms to respond to illegal online content.

Regarding enforcement, the Communications Commission launched a fact-finding investigation into Instagram over alleged unjustifiable account suspensions and failure to provide adequate support services for affected users. The Commission also opened investigations into 17 value-added communications service providers over deletion-restricted floating advertisements.

Americas

Two bills were introduced to the Chamber of Deputies of Argentina to address digital platform design. The first bill on the protection of cognitive autonomy would require platforms to adopt “safe by design” defaults for verified minor users, including session limits, reduced notifications, deactivated auto-play, and subdued social validation metrics. The bill would require platforms to conduct an impact assessment before launching new functionalities or making substantial changes to recommendation systems, and would prohibit the behavioral profiling of minors. The second bill on the preventive mental health regime in digital environments would establish design and age verification obligations.

In Brazil, the Chamber of Deputies received several proposals on the regulation of digital platforms and online content. The bills that would set the minimum age of 16 to access social media include bill 29, bill 309, and bill 330. Additionally, bill 381 proposes technical standards and certification requirements for age verification systems, and bill 98 would extend age verification and content moderation obligations to electronic games.

The proposals to protect minors online include bill 224, which would introduce content moderation and design obligations to combat child sexual exploitation, and bill 730, which would set protection duties for children on social media platforms and e-commerce. The bill 687 proposes limits on persuasive design and parental alert systems in messaging apps, while bill 94 establishes age verification and content moderation obligations for platforms and streaming services. Other proposals, including bill 339, bill 457, and bill 349, address the monetization of children's content and clarify enforcement powers.

The bills addressing content labeling and platform accountability include bill 450, which introduces labeling rules for political content and seeks to limit algorithmic amplification, and bill 453, which mandates the identification of AI-generated content. The bill 322 establishes accountability for false or fraudulent user accounts, while bill 83 proposes strict liability for platforms that fail to identify AI-generated or manipulated content.

Other proposals focus on harmful content and consumer protection. The bill 519 and bill 180 would require the removal of content depicting animal abuse, and bill 627 would require the takedown of content promoting violence against women. The bill 535 would allow users to terminate subscriptions by email, and bill 446 aims to protect older users online by setting quality standards for payment and e-commerce services.

Artificial Intelligence

International

Ninety-one countries and international organizations endorsed the New Delhi AI Impact Summit Declaration, setting out a voluntary framework for the development of artificial intelligence (AI). The United Nations Children's Fund issued a statement on the dangers of deepfake child sexual abuse material and called for coordinated regulatory and platform responses. Sixty-one data protection authorities also issued a joint statement on AI-generated imagery, warning of defamatory content and risks to vulnerable groups, and urging developers and platforms to implement safeguards. Meanwhile, the Council of Europe’s Committee of Ministers approved the HUDERIA Model, a methodology for assessing the human rights, democracy, and rule-of-law impacts of AI systems used by public and private actors.

Europe

The European Union AI Office announced the establishment of the Taskforce to oversee the drafting process of the General-Purpose AI Code of Practice and ensure signatories meet the AI Act’s transparency requirements for general-purpose AI models. The European Insurance and Occupational Pensions Authority published a report on generative AI use in the insurance sector, detailing adoption rates, use cases, and risk management practices.

The Network and Information Systems Cooperation Group, together with the European Commission, released a risk assessment for connected and automated vehicles, establishing a cybersecurity framework for AI-enabled vehicle systems and identifying vulnerabilities in automotive supply chains. The European Commission also announced a new EU Internet Forum workstream focused on platform-based prevention of online radicalisation, covering risks from AI-driven content recommendation and dissemination.

Separately, the European Ombudswoman opened an inquiry into potential inconsistencies between the Commission’s AI Act guidelines and the General-Purpose AI Code of Practice. The Commission issued a statement of objections to Meta over its WhatsApp Business terms, which may exclude third-party AI providers while favouring Meta’s own services, potentially violating EU competition law. At the member-state level, the Irish Data Protection Commission launched an investigation into X regarding non-consensual sexualised images generated by the platform’s AI tools.

The United Kingdom’s Office of Communications published a transparency notice announcing a behavioral audit of X and Grok as part of its ongoing Online Safety Act investigation into X, examining whether the platform's AI tools have been used in ways that fail to protect users and children from illegal and harmful content. Additionally, the Information Commissioner's Office opened formal investigations into X and X.AI over alleged unlawful processing of personal data to train the Grok AI model. The investigation will also assess whether data was collected and used without adequate transparency or a lawful basis under data protection law.

Asia and Australia

The Australian Communications and Media Authority registered the Commercial Radio Code of Practice, which includes an AI transparency requirement for radio broadcasters. The code comes into force in July 2026.

The security framework for AI computing platforms, issued by the National Information Security Standardisation Technical Committee of China, came into force. The framework establishes cybersecurity requirements for AI computing infrastructure and security standards for platforms supporting AI model development and deployment.

The Artificial Intelligence (Human Health and Medical Education) Regulation Act was introduced to the Parliament of India. The Act would establish a statutory framework for AI in healthcare, clinical research, and medical education, creating a National Authority to regulate, approve, and monitor AI systems while ensuring human oversight and maintaining medical accountability. It also introduces an AI Harm Compensation Fund and sets fines and penalties, including up to 7 years’ imprisonment, for serious violations causing harm or death.

The Ministry of Communication and Digital Affairs of Indonesia conditionally restored access to Grok following X's submission of a written commitment to address the concerns over AI-generated pornographic content, with continued compliance monitoring conditions attached to the restoration.

Americas

Two bills were introduced to the Chamber of Deputies of Brazil addressing AI governance. The first bill proposes public procurement safeguards for automated decision systems used by government agencies. The second bill would establish data protection requirements for AI-enabled wearable devices capable of capturing and processing individuals' personal data in public spaces. Regarding enforcement, the National Data Protection Authority, the Federal Public Prosecutor's Office, and the National Consumer Secretariat determined that measures reported by X in response to their investigation into Grok's alleged generation of non-consensual sexual synthetic content were insufficient. The platform must implement additional corrective actions and transparency measures before the investigation can be closed.

Competition

Europe

The European Commission decided not to designate Apple Ads and Apple Maps as core platform services under the Digital Markets Act, finding that neither service met the thresholds required to qualify Apple as a gatekeeper in online advertising or mapping. The Commission approved Google's acquisition of Wiz under the EU Merger Regulation, concluding that the transaction did not raise competition concerns in the cloud computing and cybersecurity markets. The Commission and the United Kingdom signed the Competition Cooperation Agreement, establishing a framework for information sharing, coordination of enforcement activities, and mutual assistance between the competition authorities of both jurisdictions

The Advocate General of the Court of Justice issued an opinion recommending dismissal of Meta's appeal against a previous ruling that upheld the European Commission's decision in the investigation into Meta's alleged anti-competitive behaviour. At the member-state level, the Belgian Competition Authority opened a formal investigation into Google over alleged abuse of a dominant position in the online advertising sector.

The French Competition Authority published an opinion on competition dynamics in the online video content creation sector. The Authority noted that the sector is concentrated around a limited number of platforms, notably YouTube, TikTok, Instagram, and, to a lesser extent, Twitch. The opinion calls on platforms to enhance transparency in revenue-sharing arrangements, algorithmic recommendation systems, and moderation processes, and to ensure appropriate resources are available to address creators’ queries.

The German Federal Cartel Office prohibited Amazon from applying price control mechanisms that restricted third-party sellers on its marketplace from offering lower prices on other platforms, and ordered the disgorgement of economic benefits derived from the practice. The Federal Cartel Office determined that Amazon's pricing parity requirements constituted an abuse of its dominant position under German competition law.

The United Kingdom Competition and Markets Authority (CMA) released updated guidance setting out its approach to market reviews, market studies, and market investigations. The CMA also issued guidance on the review of procedural decisions clarifying how they can be challenged. Regarding enforcement, the CMA opened consultations on proposed commitments from Apple and Google to improve fairness in their respective app store processes and, in Apple's case, to enhance iOS interoperability. The CMA also opened a consultation on the interim report in the Shutterstock acquisition of Getty Images investigation, which found that the transaction may result in a substantial lessening of competition in the stock photography and image licensing markets.

Asia and Australia

The State Administration for Market Regulation of China adopted guidelines on anti-monopoly compliance, establishing standards for platform conduct regarding self-preferencing, exclusive dealing, and the use of data. The Cyberspace Administration advanced the trial implementation of the negative list, which designates specific algorithmic practices that platforms offering food delivery, travel, and other lifestyle services are prohibited from deploying.

The Supreme Court of India admitted the appeal filed by Meta Platforms against the Competition Commission's penalty and data-sharing directions arising from its investigation into WhatsApp's 2021 privacy policy update. The Court allowed Meta's challenge to the Commission's findings and remedies to proceed to a full hearing.

The Japan Fair Trade Commission released compliance reports submitted by Apple, iTunes, and Google under the Act on Promoting Competition Regarding Specific Software Used in Smartphones. The report outlines the steps taken by each company to comply with the Act's requirements on app store access and interoperability.

The South Korea Fair Trade Commission imposed corrective orders and an administrative surcharge of KRW 2.185 billion on Coupang for violations of the Act on Fair Transactions in Large Retail Business. The Commission found that the e-commerce platform engaged in practices that unfairly disadvantaged partner sellers on its marketplace.

Americas

In Brazil, two bills were introduced to the Chamber of Deputies. The first bill seeks to regulate commercial relations between e-commerce platforms and third-party sellers to address unilateral conduct, including rules on contracting, delisting, and the imposition of conditions. The second bill aims to address dynamic pricing in transport applications and would require ride-hailing platforms to disclose the methodology and variables used to calculate fares in real time.

Africa

The Competition Commission of South Africa issued a final guidance note for online intermediation platforms following its 2023 market inquiry. The guidance does not create new legal obligations but clarifies how the Commission will assess platform conduct, market power, and dominance, including through a broader evaluation of market dynamics. It also outlines categories of conduct that may be examined, such as price parity clauses, self-preferencing, data use, and differentiated trading terms, including in relation to small business and market access.

Data governance

Europe

The European Commission consulted on a draft implementing regulation to align technical standards for electronic attestations with the updated European Digital Identity Wallet framework. The draft updates security, interoperability, revocation, and verification requirements, and confirms that personal data processing remains subject to the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

The NIS2 Cooperation Group adopted the ICT supply chain security toolbox, providing Member States with guidance on assessing and mitigating cybersecurity risks in procurement and supply chains. It also adopted a risk assessment of detection equipment at border crossing points. Meanwhile, the EU Agency for Cybersecurity adopted a cybersecurity exercise methodology, establishing a standardised framework for conducting cybersecurity exercises across critical sectors.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor jointly adopted an opinion on the proposed Digital Omnibus Regulation. The joint opinion raised concerns about proposed changes to the definition of personal data, measures on sensitive data processing, and the consolidation of the Data Governance Act and Data Act into a single instrument. The EDPB also published a report on international data protection enforcement cooperation, completing its inquiry into frameworks for coordinated cross-border enforcement between data protection authorities. The EDPB also adopted a report on the coordinated enforcement framework on the right to erasure, presenting findings from its coordinated inquiry into how data controllers across the EU implement erasure requests.

At the judicial level, the Court of Justice of the European Union set aside the General Court’s 7 December 2022 dismissal of WhatsApp’s action and referred the case back, ruling that the EDPB’s 28 July 2021 decision can be challenged and may be of direct concern to WhatsApp. The Court found that a decision can affect a party directly even if not final or enforceable, leaving no discretion to implementing authorities, making the General Court’s previous dismissal incorrect.

Regarding bilateral cooperation, the EU-Singapore Digital Trade Agreement came into force. The Agreement establishes a prohibition on data localisation requirements as a condition for market access, and principles for addressing cybersecurity risks, among others.

At the member-state level, the Spanish Data Protection Agency issued a warning to Tools for Humanity regarding its planned resumption of Worldcoin and World ID operations, advising the company that any data processing activities must comply with GDPR before operations recommence, as the Agency's investigation into alleged violations of data protection law remains ongoing.

The French Council of State dismissed appeals by GERS, Santestat, and Cegedim Sante, upholding sanctions from the National Commission on Informatics and Liberty (CNIL) and confirming that pseudonymised health data remains subject to data protection law due to potential re-identification risks. Additionally, the CNIL opened a consultation on a draft recommendation for session replay tools, clarifying data protection obligations for software that records and replays user interactions. The CNIL also published guidance on deepfakes, outlining the legal risks and providing practical steps for reporting or removing illegal content under data protection law.

In Germany, the 52nd Civil Chamber of the Berlin II Regional Court ordered WhatsApp to refrain from disclosing certain user data to third parties, while rejecting the claimant's request for deletion of data collected under the 2016 update to WhatsApp's terms of service and privacy policy.

The Italian Data Protection Authority, in a joint investigation with the National Labour Inspectorate, imposed a permanent restriction on Amazon's processing of personal data following findings of unlawful worker monitoring and data handling practices. The Authority found that Amazon collected and used worker performance data in ways that violated data protection and labour law protections.

The Turkish Personal Data Protection Authority (KVKK) opened an investigation into Google over alleged unauthorized processing of personal data by Google Assistant, as well as into X and X.AI Corporation regarding the Grok AI assistant, to determine whether personal data was processed without a valid legal basis and whether users were properly informed. Separately, KVKK launched investigations into TikTok, Instagram, Facebook, YouTube, X, and Discord over the alleged processing of children’s personal data, examining whether each platform’s data collection and profiling practices comply with legal obligations for handling minors’ data.

In the United Kingdom, several provisions of the Data (Use and Access) Act came into force. The commencement no. 6 and transitional and saving provisions regulations brought into effect measures on data protection, cross-border data transfer, and new investigatory powers. Additionally, the Department for Science, Innovation and Technology laid before the Parliament additional regulations that would transfer statutory functions to the Information Commission.

The Information Commissioner’s Office (ICO) updated its data protection by design and by default guidance to reflect the changes introduced by the Data (Use and Access) Act, and published guidance on addressing data protection complaints under the Act's new complaints framework. Regarding enforcement, the ICO fined Reddit GBP 14.47 million for unlawfully processing children’s personal data. The ICO found that Reddit had not conducted a data protection impact assessment before January 2025 or implemented effective age verification, making it unable to lawfully process data for users under 13. The ICO also noted that Reddit’s July 2025 self-declaration age measures remain easily bypassed, continuing to pose risks to children.

Asia and Australia

The Australian Cyber Security Centre adopted guidance on quantum technology about computing, advising organizations on preparing cryptographic infrastructure for the transition to post-quantum security standards. Additionally, the Federal Court ordered FIIG Securities to pay a penalty of AUD 2.5 million in proceedings brought by the Australian Securities and Investments Commission over the company's failure to meet cybersecurity obligations, following a breach that compromised client data.

In China, several national cybersecurity standards adopted by the National Information Security Standardization Technical Committee (TC260) entered into force. These include the standards on cloud computing service security capability assessment method, public key infrastructure security management protocols, minimum interoperability specifications, timestamp specification for public key infrastructure, guidelines for information security risk management in cybersecurity technologies, and the network security operation and maintenance implementation guide. Additionally, the TC260 issued a notice recommending seven national standards on cybersecurity, a practice guide on technical requirements for network data labelling, and a guide on requirements for prevention and handling of new types of corruption on internet platforms.

The Ministry of Industry and Information Technology, jointly with seven other government departments, issued a security guide on cross-border transfer of automobile data, setting governance requirements for vehicle-generated data, including geolocation, biometric, and operational information. In enforcement, the Beijing Cyberspace Administration issued a CNY 119.1 million fine against Kuaishou Technology for failure to fulfill cybersecurity obligations and for hosting illegal content.

In India, a bill to establish measures for critical infrastructure resilience, protection, and accountability was introduced to the Parliament. The bill would establish security standards for operators of internet and telecommunications infrastructure and network hardware, and incident reporting.

The Saudi Data and AI Authority adopted rules for the issuance of accreditation certificates for data controllers and processors, establishing a framework that requires entities operating in Saudi Arabia to obtain certificates demonstrating compliance with the Personal Data Protection Law.

The National Assembly of South Korea adopted a bill amending the Personal Information Protection Act, introducing cybersecurity obligations for personal information processing systems. A further bill amending the Information and Communications Network Act was introduced to the National Assembly, proposing mandatory security assessments for Internet of Things devices before market access. Regarding enforcement, the Personal Information Protection Commission imposed administrative fines totalling KRW 36 billion on Louis Vuitton, Christian Dior Couture, and Tiffany over personal information breaches, finding that each company failed to implement adequate security measures to protect customer data. Additionally, the Inter-Agency Consultative Body on Overseas Transfer of Survey Results approved Google's application to export national map data.

Americas

The Brazilian Senate adopted a bill converting the Presidential Measure No. 1317 into law, formally establishing the National Data Protection Authority as an autonomous public body and clarifying its legal basis and governance structure. In addition, a bill was introduced to the Chamber of Deputies to formalise the process by which Brazil recognises foreign jurisdictions as adequate for cross-border data transfers.

The House of Commons of Canada passed the Budget Implementation Act, including provisions establishing the data mobility framework, which would require organizations to share personal data held on behalf of an individual with another organization, subject to rules on disclosure, security, and interoperability set by the Governor in Council. Separately, the Connected Care for Canadians Act on interoperability of health information technology was introduced to the Senate to establish interoperability requirements and data protection regulations for health information technology software providers.