June 2026 Global Digital Policy Highlights

0
4

Key Takeaways

  • Content‑moderation strides: The EU provisionally agreed on a Directive tightening criminal liability for AI‑generated child sexual abuse material; the UK plans to bar under‑16s from social media livestreaming and romantic‑AI chatbots; Australia raised penalties for systematic breaches of its social‑media‑minimum‑ AI regulation momentum: The EU adopted the Digital Omnibus on AI Regulation, expanded the AI Office’s powers and sandbox access, while the Commission proposed a Cloud and AI Development Act; Russia tabled a bill to steer sovereign AI models, and 35 countries signed a Joint Statement on AI Opportunity. Competition‑policy shifts: The EU preliminarily labeled AWS and Azure as DMA gatekeepers, the General Court partially annulled Meta’s gatekeeper status, and the UK CMA imposed conduct requirements on Google search and consulted on Apple/Google mobile platforms. Data‑governance highlights: Canada’s Lawful Access and Protecting Privacy Acts expand state‑access and consumer‑rights regimes; South Korea fined Coupang KRW 624 billion for a massive data breach; the Irish High Court upheld a €530 m TikTok GDPR fine; Saudi Arabia launched a Data Monetisation Policy treating data as a national asset. International cooperation: Ten new jurisdictions joined the Pax Silica Declaration (now 24 signatories); the G7 issued privacy‑preserving age‑assurance principles; the Five Eyes warned of AI‑induced cyber‑risk; Asia‑Pacific data authorities formed a working group on illicit personal‑information trade.

Overview and Purpose of the Roundup
The roundup, produced by Digital Policy Alert, serves as a curated guide to June 2026’s digital‑policy developments across the G20, linking each finding to its official government source in the Alert’s searchable database. “The roundup serves as a guide for navigating global digital policy based on the work of the Digital Policy Alert,” the note explains, adding that users can “access, filter, and download” the full dataset and subscribe to a free, customizable notification service. The summary focuses on four core pillars: content moderation, AI regulation, competition policy, and data governance.


Europe: Content‑Moderation Advances
In Europe, the European Parliament and Council reached a provisional agreement on the Directive on combating the sexual abuse and sexual exploitation of children and child sexual abuse material. The Directive “introduces new criminal offenses relating to technological developments, including the design, adaptation, or distribution of AI systems intended to generate child sexual abuse material, paying to access livestreamed child sexual abuse, and the sexual extortion of children.” Parallel moves in the United Kingdom announced planned secondary legislation under the Children’s Wellbeing and Schools Act that would “prohibit user‑to‑user social media platforms from offering services to children under 16, prohibit under‑16s from livestreaming, and require AI romantic companion chatbots to enforce a minimum age of 18.” Australia’s Online Safety Amendment Bill sought to strengthen enforcement of its social‑media minimum age, while Canada introduced the Digital Safety Act, mandating rapid removal of child sexual abuse material and non‑consensual intimate images within 24 hours.


Europe: AI Regulation Milestones
The EU’s Digital Omnibus on AI Regulation was passed by Parliament and adopted by the Council, clarifying the AI Office’s competence to supervise general‑purpose AI models, extending enforcement to AI embedded in very large online platforms, expanding regulatory sandboxes (including an EU‑level sandbox), and extending SME exemptions to small mid‑cap enterprises. The Regulation also amends the AI Act’s design, quality‑of‑service, and cybersecurity requirements for high‑risk systems and adjusts the legal basis for processing special‑category data for bias detection. Complementarily, the European Commission submitted a proposal for the Cloud and AI Development Act, which creates four Union assurance levels for cloud services, coupled with cybersecurity and public‑procurement rules. In Russia, a bill to support AI technologies was introduced to the State Duma, establishing a governance framework for large foundation models, mandating sovereign‑model use in certain cases, and imposing data‑localization and risk‑prevention requirements.


Europe: Competition‑Policy Developments
The European Commission took a preliminary position that Amazon Web Services and Microsoft Azure should be designated as gatekeepers under the Digital Markets Act (DMA) based on their cloud‑computing services. At the judicial level, the General Court partially annulled Meta’s gatekeeper designation, upholding Facebook Messenger as a standalone core service but annulling Facebook Marketplace due to an incorrect legal time frame and insufficient justification after 2023 listing restrictions. In the United Kingdom, the Competition and Markets Authority (CMA) imposed conduct requirements on Google following its strategic market status in general search, obliging “fair ranking” of organic results, advance notice of ranking changes, and data‑portability measures. The CMA also opened consultations on steering conduct requirements for Apple’s and Google’s mobile platforms and examined near‑field‑communication access on Apple devices.


Europe: Data‑Governance and Privacy Actions
Canada’s House of Commons passed the Lawful Access Act (Bill C‑22), expanding police and national‑security powers to compel telecommunications and electronic‑service providers to hand over digital evidence, user identifiers, and metadata. Simultaneously, the Protecting Privacy and Consumer Data Act (Bill C‑36) was introduced, establishing rules on consent, data minimisation, legitimate interests, privacy‑management programs, breach notification, and granting individuals rights to access, automated decision‑making, and data mobility. Across the Atlantic, Saudi Arabia’s Data and Artificial Intelligence Authority issued a Data Monetisation Policy treating government‑generated data as a national asset, emphasizing privacy‑by‑design and anti‑monopolistic practices. South Korea’s Personal Information Protection Commission levied a historic KRW 624.7 billion fine on Coupang for a data breach affecting ~37.5 million individuals and for unauthorized third‑party activity records. In Ireland, the High Court upheld the Data Protection Commission’s €530 million fine against TikTok for GDPR data‑transfer violations, referring methodological questions to the Court of Justice of the EU.


Asia and Australia: Content‑Moderation and Enforcement
Australia’s Online Safety Amendment (Strengthening Enforcement for the Social Media Minimum Age) Bill expanded the eSafety Commissioner’s powers to cover age‑assurance and app‑store providers, raising the maximum penalty for systematic breaches from AUD 49.5 million to AUD 99 million. The eSafety Commissioner also ordered three AI‑powered nudifying services to withdraw from the market after finding deficient age‑assurance measures. In China, the National Cybersecurity Standardization Technical Committee opened consultations on security guidelines for applications involving minors and on a national standard for critical‑information‑infrastructure testing. India’s Ministry of Electronics and Information Technology issued an order restricting access to Telegram during a national examination period to curb alleged fraud and misinformation; the Delhi High Court dismissed Telegram’s challenge. Indonesia’s Ministerial Regulation on Child Protection in Electronic Systems came into force, prompting platforms such as TikTok (4.1 million child accounts deactivated) and YouTube (600 000 child accounts removed) to comply with age‑verification obligations. Japan’s Ministry of Internal Affairs and Communications recommended default protection for young users, strengthened age verification beyond self‑declaration, and mandatory OS‑vendor requirements. South Korea introduced several Network Act bills addressing decriminalization of true‑fact defamation, user speech rights, hate‑information moderation, and preservation of AI‑generated labels, alongside provisions on platform liability for hazardous e‑commerce products and age verification.


Asia and Australia: AI Regulation and Governance
China’s Ministry of Industry and Information Technology (MIIT) issued implementation opinions on AI development in the ICT sector, outlining measures for telecommunications, AI infrastructure, sectoral applications, and governance, and opened a consultation on selected typical AI cases such as Huawei Cloud’s ModelArts, Baidu’s PaddlePaddle, and humanoid‑robot applications from UBTECH and Leju Intelligent. India’s Ministry of Communications established a national working group on AI to coordinate standardization and support international participation; the Prime Minister advocated “safe‑by‑design AI systems, common standards, testing frameworks, regulatory sandboxes, and strengthened global cooperation against deepfakes, misinformation, and cyber fraud.” Japan’s Digital Agency adopted procurement guidelines for generative AI in government, demanding incident‑response procedures, data‑handling controls, and safeguards against prompt‑injection and denial‑of‑service attacks. South Korea’s National Assembly saw three bills amending the Framework Act on AI Development: one on non‑personal training data, another expanding AI‑vulnerable groups to include children and adolescents, and a third creating a dedicated governance framework for physical AI.


Asia and Australia: Competition, Antitrust, and Data‑Governance
Australia’s ACCC granted interim authorization to the Google‑Epic Games store settlement, deeming it unlikely to reduce competition, while denying collective‑bargaining authorization for Screen Producers Australia. China’s State Administration for Market Regulation issued rectification measures against Lalamove, requiring cessation of algorithmic freight‑price suppression, refund of RMB 120 million to drivers, commission‑rate reduction from ~11 % to ~9 %, and a RMB 50 million driver‑assistance fund. South Korea’s FTC published a report showing algorithm‑based self‑preferencing increased a platform’s own‑product purchases by ~34 % and cut top‑ranked competitor purchases by ~32 %. The FTC also rejected consent‑decree proposals from Coupang and Baemin regarding most‑favoured‑nation clauses. In data‑governance, South Korea’s PIPC fined Coupang KRW 624.7 billion (see above) and Bithumb KRW 210 million for cross‑border data‑transfer violations, while launching an investigation into Tving over an alleged breach.


Americas: Platform Liability and Safety Legislation
Brazil’s Supreme Federal Court completed its review of platform liability under Article 19 of the Internet Civil Framework, ruling the provision partially unconstitutional. The Court held that user‑generated‑content platforms may be held jointly liable for unlawful third‑party content in cases of paid advertisements, algorithmically amplified content, and specified serious criminal content if they fail to meet removal obligations. The decision also mandates self‑regulation, complaint mechanisms, annual transparency reports, and a Brazilian legal representative, effective prospectively from 5 August 2025 with a 60‑day compliance window. In Canada, the Digital Safety Act was introduced, requiring social‑media operators to render child sexual abuse material and non‑consensual intimate images inaccessible within 24 hours, submit digital‑safety plans, and, for AI chatbot operators, publish user guidelines on mitigating harmful content and addressing suicidal ideation. The accompanying Digital Safety Commission of Canada Act would create the enforcement authority.


Americas: Data‑Access and Privacy Bills
Canada’s Lawful Access Act (Bill C‑22) passed its third reading, expanding police and national‑security powers to compel telecoms and electronic‑service providers to disclose digital evidence, user identifiers, and metadata. The Protecting Privacy and Consumer Data Act (Bill C‑36) was introduced, establishing consent‑based collection, data minimisation, legitimate‑interest processing, privacy‑management programs, breach notification, and granting individuals rights to access, automated decision‑making, and data mobility. Additionally, the Critical Cyber Systems Protection Act received royal assent, obliging designated operators in critical sectors to implement cybersecurity programs, manage supply‑chain risks, report incidents, and follow government cybersecurity directions, while amending the Telecommunications Act to let the state direct telcos to secure their networks.


International Cooperation and Global Statements
At the Second Pax Silica Summit, ten additional jurisdictions—including the EU, Germany, and Argentina—signed the Pax Silica Declaration, bringing total signatories to 24. The Declaration envisages cooperation across the AI supply chain and coordination on sensitive technologies. Simultaneously, 35 jurisdictions signed the Joint Statement on AI Opportunity, outlining shared principles on AI governance, supply‑chain collaboration, and access to AI computing resources. The G7 Data Protection and Privacy Authorities adopted a statement on privacy‑preserving age assurance, articulating seven data‑protection principles for design and deployment. The Five Eyes cybersecurity agencies warned that AI may introduce new vulnerabilities, including zero‑day exploits, while urging secure‑by‑design and secure‑by‑default practices. Finally, the Asia‑Pacific data protection authorities (including Japan and South Korea) launched a working group focused on the illegal distribution of personal information.


Cybersecurity, Privacy Enforcement, and Emerging Trends
The EU’s Regulation on horizontal cybersecurity requirements for products with digital elements entered into force, setting rules for hardware and software with digital components and overseeing conformity‑assessment bodies. The European Data Protection Board opened a consultation on a common template for data‑breach notifications, and the Commission signed a Digital Partnership with Brazil covering cross‑border data flows, AI, and e‑commerce. At the CJEU, national courts may use unlawfully collected personal data as evidence subject to minimisation requirements, and supervisory authorities cannot reject GDPR complaints solely because judicial proceedings are pending. In the UK, the Data (Use and Access) Act’s commencement provisions created a statutory right for individuals to lodge complaints directly with data controllers, mandating acknowledgment within 30 days and timely investigation. Australia’s Cyber Security Centre consulted on evolving the Essential Eight framework and issued quantum‑technology guidance, while the Information Commissioner ordered Monash and Medmate to cease harvesting sensitive data via tracking pixels and sanctioned Optus for failing to protect personal information in a breach. Japan’s Personal Information Protection Commission issued guidance on unpatched vulnerabilities, exposed databases, unlawful pre‑order data collection, and unauthorized third‑party sharing. Saudi Arabia’s Data Monetisation Policy reinforced the principle of treating data as a national asset, urging privacy‑by‑design and anti‑monopoly safeguards.


This synthesis distills the June 2026 digital‑policy roundup into thematic paragraphs, each led by a bolded sub‑heading, and integrates direct quotations to preserve the original source’s voice while remaining within the requested 700‑1200‑word window.

https://techpolicy.press/global-digital-policy-roundup-june-2026

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here