Facebook’s EU market exit threat following the CJEU’s invalidation of the EU-US Privacy Shield revealed two truths about the digital economy. Firstly, cross-border data transfers are one of its bloodlines. Secondly, regulatory heterogeneity in data transfer policy has the potential to fragment it. However, data transfers are not the only concern for actors of the digital economy. Policymakers are currently moving on many issues simultaneously. Just in the last ten weeks, members of the Asia-Pacific Economic Cooperation (APEC) and the G20 have advanced significant changes in content moderation and competition on top of data governance. This activity, as captured in the data of the Digital Policy Alert, shows that the need for international coordination on digital policy matters keeps growing.

The APEC and G20 members by themselves account for over 277 regulatory changes issued or proposed since 1 September 2022. Companies of all sizes as well as policymakers and regulators have to navigate considerable international policy uncertainty since half of these changes are still pending final formulation and implementation. The bulk of activity came from the policy areas of content moderation (20), competition (40) and data governance (115). Across policy areas, the European Union often lead the way with wide-ranging regulations, but substantial policies were adopted across the globe.

In content moderation, the EU Digital Services Act, including a flagging mechanism for online content, among many other instruments, received the final approval and will enter into force on 16 November 2022 (with a fifteen-month grace period). India implemented the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, tightening intermediary platforms’ content moderation obligations to include preventive measures. Turkey adopted the Anti-Disinformation Law including strict rules for online content such as a criminal offence for certain social media misinformation. Similarly, Brazil raised its regulatory power to counter election disinformation through a Resolution that enabled direct content removal orders to digital platforms regarding defamatory news on candidates and even banned paid political advertising on internet blogs, websites, and social media.

In competition, another EU Act was recently adopted. The Digital Markets Act, including rules on both mergers and unilateral conduct for “gatekeepers”, entered into force on 1 November 2022 albeit with a six-month grace period. Worldwide, the enforcement of competition policy continues to proliferate. Recent investigations concluded with fines include the Indian Competition Commission’s investigation into Google Play Store payment policies and the Turkish Competition Authority’s investigation into Meta’s data combination between its core services.

The most active policy area remains data governance. Recently, the Indonesian Bill on the Protection of Personal Data was implemented and the draft Argentinian Personal Data Protection Law was opened for consultation, while India rejected its Personal Data Protection Bill. The centre of attention continues to be the topic of cross-border data transfers. Since our last update in August 2022, 32 domestic data transfer regulations were implemented or newly proposed across the globe. Recently, China implemented the Measures for the Security Assessment of Data Exports. Data transfers are regulated in the abovementioned laws of Indonesia and Argentina, which both only allow data transfers to third countries conditional on an equivalent level of data protection. In addition, Thailand opened a consultation on its Rules and Principles of Appropriate Personal Data Protection for International Transfer that would amend the Personal Data Protection Act to regulate binding corporate rules and standard contractual clauses and introduce a code of conduct for transferors and recipients of data.

Not least because of market access risks, the data transfer negotiation between the United States and the European Union advanced in recent weeks. Having found an agreement in principle on a Trans-Atlantic Data Privacy Framework earlier this year, in October, the US adopted the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities. The Executive Order formulates principles for the authorising and conducting signals intelligence activities that were at the core of the seminal ruling. Soon, the data protection authorities of Italy and Baden-Wuerttemberg (Germany) published opinions providing both praise for this first step and a critical assessment thereof. The main points of critique are the legal nature of the Executive Order, due to the unclear interaction with existing laws (e.g. the Clarifying Lawful Overseas Use of Data (CLOUD) Act), and the complaint mechanism, due to unclear standards for complaints and limited information sharing with complainants. Described by the Italian data protection authority as a “new page in a long book still to be written”, the saga will be closely monitored by the Digital Policy Alert.