Welcome to March’s Algorithm Governance Roundup. This month, AWO and the NSPCC published a report on Generative AI and Child Safety: What are the risks and how can we solve them. Check it out alongside this accompanying blog from AWO’s Nick Botton.

In this month's Community Spotlight, I spoke to Rejo Zenger at Bits of Freedom about their landmark lawsuit against Meta for violations of the Digital Services Act. We discuss the case, which centres on dark patterns, and the viability of civil society using private litigation to enforce regulation.

As a reminder, we take submissions: we are a small team who select content from public sources. If you would like to share content please reply or send a new email to algorithm.newsletter@awo.agency. Our only criterion for submission is that the update relates to algorithm governance, with emphasis on the second word: governance.

I would love to hear from you!

Many thanks and happy reading!

Esme Harrington

In Canada, the Government reconvened its expert advisory group on online safety to consult on emerging issues, including AI chatbots and companions. The group previously led a series of nine workshops on online safety in 2022.

In the EU, the European Commission (EC) has opened formal proceedings against Snapchat to investigate compliance with child protection rules under the Digital Services Act (DSA). The investigation covers Snapchat’s age assurance measures; failures to protect minors from grooming and criminal recruitment; inadequate default privacy and safety account settings; dissemination of information on prohibited products such as drugs, vapes and alcohol; and its illegal content reporting mechanisms.

The EC has preliminarily found against Pornhub, Stripchat, XNXX and XVideos under the DSA for failing to protect minors from exposure to pornographic content. The companies may now review and respond to the EC’s investigation files and findings.

The EC hosted the first meeting of the Special Panel on child safety online. The panel comprises 20 experts, including psychologists and members of national authorities. The meeting examined current evidence on children’s use of online services, age appropriate safety-by-design and digital literacy. The panel will provide expert recommendations and explore the case for harmonised social media age restrictions. Since the panel was announced in 2025, numerous Member States have discussed, proposed or implemented age restrictions for social media (see the Tech Policy Press Tracker).

The European Council has agreed its position on the Digital Omnibus on AI. It proposes to prohibit the generation of non-consensual intimate images (NCII) and child sexual abuse material (CSAM) and extend the compliance timeline for high-risk AI systems. The position also reinstates the requirement for providers to centrally register AI systems they self-assess as non-high-risk, and a strict necessity standard for processing special category personal data for bias detection.

The European Parliament’s Committee on the Internal Market and Consumer Protection and the Committee on Civil Liberties have also agreed their joint negotiating position on the Digital Omnibus on AI. In line with the Council’s position, the MEPs propose to ban NCII tools and reject the EC’s proposals to lower the threshold for processing special category data and remove the registration requirements for providers that self-assess as non-high risk.

The European Network of National Human Rights Institutions (NHRIs) and the European Network of Equality Bodies (Equinet) have published a joint statement on the Digital Omnibus, raising concerns about the implications for fundamental rights.

The EC is consulting on a draft implementing act for general-purpose AI (GPAI) enforcement under the AI Act. The draft lays out arrangements for the AI Office to evaluate GPAI models, including the involvement of independent experts. Consultation deadline is 09 April.

The European Parliament has adopted recommendations on copyrighted works and AI, following a report published by the Committee on Legal Affairs. MEPs called for the EC to ensure fair remuneration of rights holders, including for past use; greater transparency, requiring developers to provide an itemised list of all copyrighted works used in training and detailed records of crawling activities for inference and retrieval-augmented generation; and the creation of a new licensing market, including voluntary collective licensing agreements by sector.

The Global Privacy Assembly’s International Enforcement Cooperation Working Group has published a joint statement on AI-generated images and privacy, representing 61 Data Protection Authorities. The statement recommends that companies implement robust safeguards, transparency and redress mechanisms, and address specific risks to children.

The Council of Europe’s Committee of Ministers has adopted two recommendations on AI and gender equality. The recommendation on equality and AI provides guidance on preventing discrimination across the AI lifecycle. The recommendation on accountability for technology-facilitated violence against women and girls sets the first international standard on this topic and provides guidance on legal, institutional and regulatory measures to prevent and address technology-facilitated abuse.

In the Netherlands, a Dutch Court has ordered Grok and X to cease generating and distributing NCII and CSAM. The interim order applies to images of persons living in the Netherlands and to the production and distribution of such images within the country. The case was brought by Offlimits, a Dutch foundation on child safety and online abuse.

In the UK, the Department of Science, Innovation and Technology (DSIT) has opened a consultation on children growing up online. It examines a range of online services including social media, gaming sites and AI chatbots, and a range of interventions such as age restrictions, bans on addictive design and risky functionalities, and better support for carers. Consultation deadline is 26 May.

Ofcom has fined 4chan £480,000 for failing to implement age assurance measures, not conducting an illegal content risk assessment or maintain adequate terms of service, as required by the Online Safety Act. 4chan has previously indicated it will not pay the fine. In addition, Ofcom launched an investigation into two online image boards for non-compliance with illegal content duties in relation to NCII and CSAM.

DSIT and the Department for Culture, Media and Sport have published a report on copyright and AI. The report does not propose any immediate reforms. It indicates the government has withdrawn its previously preferred option of a text and data mining copyright exception with rightsholder opt-outs, and instead will conduct further evidence-gathering and stakeholder engagement.

Apple has implemented age assurance for all iOS users based in the UK. Users identified as under 18, or who do not verify their age, will have web content filters and on-device communications scanning enabled. These features restrict access to adult websites and apps, and generate alerts when communications involve nude images including on iMessage, FaceTime and certain third-party apps.

In parallel, Ofcom and the Information Commissioner’s Office published a joint statement on age assurance, explaining the interaction between online safety and data protection frameworks and providing practical compliance guidance.

In the US, the White House has published a national policy framework for AI. The framework calls on Congress to pass laws to protect children, including proposals for age-assurance, tools to manage children’s privacy settings and screen time, and requirements on AI platforms to reduce sexual exploitation and self-harm risks. It also calls on Congress to prevent censorship and pre-empt state-level AI regulation.

A New Mexico jury has found against Meta and ordered it to pay $375 million for violating the Unfair Practices Act, making false or misleading statements, and engaging in unconscionable trade practices that exploited children’s vulnerabilities. The jury found that Meta knowingly harmed children’s mental health and failed to protect children from trafficking and sexual abuse. The case was brought by the Attorney General of New Mexico and Meta has said it will appeal.

In addition, a Los Angeles jury has found against Meta and Google for failure to warn and negligence in designing and operating Instagram and YouTube to be addictive. The jury found that the platforms conduct was a substantial factor in causing the depression, body dysmorphia and suicidal ideation of a young woman. The companies have been ordered to pay $6 million in compensatory and punitive damages, with Meta liable for $4.2 million. Meta and Google have said they will appeal the landmark verdict.

A Californian Court has granted Anthropic’s request for a temporary injunction against the Department of Defence (DoD). Anthropic sued the DoD, alleging that the government violated its First Amendment rights by designating the company as a supply chain risk. This followed Anthropic’s refusal to allow its AI systems to be used for mass surveillance of US citizens or for lethal autonomous weapons. The judge stated that the Pentagon’s decision was likely both contrary to law, and arbitrary and capricious.

The US Department of Labor has launched a voluntary AI Literacy Framework to support federal bodies in designing AI literacy programs and to encourage training across the public workforce and education systems.

In Vietnam, the government has passed a comprehensive Law on Artificial Intelligence. The law adopts a risk-based approach similar to the EU AI Act, requiring providers to conduct a self-assessment for conformity and submit high-risk AI systems for audit. It also requires providers and deployers to label AI-generated content and prohibits political deepfakes. Implementing documents on risk classification criteria, AI labelling, and reporting and conformity procedures are forthcoming.

A Digital Omnibus: Identifying Interlinks and Possible Overlaps Between Different Legal Acts in the Field of Digital Legislation to Streamline Tech Rules, Goda Skiotytė and Audronė Sadauskaitė, Study Requested by IMCO Committee of European Parliament

Agentic Artificial Intelligence from the Perspective of Data Protection, Agencia Española de Protección de Datos

AI, Copyright and the Creative Industries, United Kingdom House of Lords Communications and Digital Committee

AI in the Early Years: Examining the implications of GenAI toys for young children, Emily J. Goodacre and Jenny L. Gibson

Are AI Systems Incompatible with Data Privacy?, Paul Bouchaud and Pedro Ramaciotti, Tech Policy Press

Building a Centralised National AI Authority: Poland’s AI Act Implementation Model in a European Context, Jan Króliński, interface

Building Sustainable Data Ecosystems for Generative AI: Policy Considerations Beyond Copyright-Only Frameworks, Tanya Aplin, Marta Arisi and Sylvie Delacroix

Characterizing Delusional Spirals through Human-LLM Chat Logs, Jared Moore, Ashish Mehta, William Agnew, Jacy Reese Anthis, Ryan Louie, Yifan Mai, Peggy Yin, Myra Cheng, Samuel J Paech, Kevin Klyman, Stevie Chancellor, Eric Lin, Nick Haber and Desmond Ong

Could Agents be the Next Stumbling Block for Europe’s AI Rules? Claudie Moreau and Maximilian Henning, Euractiv

Deepfake Detection Technology, Department of Science, Innovation and Technology and PUBLIC

Enforcement of the AI Act, Tristan Marcelin, European Parliamentary Research Service

Generation AI: What Kids and Families Think About AI, Celinda Lake, Cate Gormley, Alysia Snell, Izzy Vinyard, Lina Tate, Matthew Gillett, Kristen Soltis Anderson, Eleanor O'Neil, Michael Robb and Supreet Mann, Common Sense Media, Lake Research Partners and Echelon Insights

Generative AI and Child Safety: What are the risks and how can we solve them, Nick Botton, Esme Harrington, Mathias Vermeulen, Toni Brunton-Douglas, Lewis Keller and Eleni Romanou, AWO and NSPCC

How Big AI Developers are Skirting a Mandate for Training Data Transparency, Dick Blankvoort, Harshvardhan Pandit and Maximilian Gahntz, Tech Policy Press

How to Update EU and US Copyright Regimes in the Age of AI, Roberta Carlini, Natalia Menéndez and Anya Schiffrin

Invisible No More: How AI Chatbots Are Reshaping Violence Against Women and Girls, Clare McGlynn, Yvonne McDermott, Stuart Macdonald, Rüya Tuna Toparlak, Fabienne Tarrant and Samantha Treacy

Private Power, Public Values: Anthropic and the Constitutional Dimension of Governance in the Digital Environment, Lucas Henrique Muniz da Conceição, Verfassungsblog

Scheming in the Wild: Detecting Real-World AI Scheming Incidents with Open-Source Intelligence, Tommy Shaffer Shane, Simon Mylius and Hamish Hobbs, Centre for Long-Term Resilience

Shareholder Control and the New Politics of Platform Regulation, Paddy Leerssen, Tech Policy Press

Smarter, not simpler, rules: five questions on the EU Digital Omnibus, Friederike Schuüür, Ada Lovelace Institute

The Agentic AI Landscape and its Conceptual Foundations, OECD AI Paper

Tracking Efforts to Restrict Or Ban Teens from Social Media Across the Globe, Ramsha Jahangir and Justin Hendrix, Tech Policy Press

Wikipedia Bans AI-Generated Content, Emanuel Maiberg, 404Media

Hosted by the Institute for the Future of Work, this conference will bring together senior decision-makers, expert academics and leading firms.

re:publica is one of Europe’s leading conferences on digital society, technology and internet policy. It brings together activists, academics, policymakers and industry leaders to discuss the social impact of digital technologies, the theme for this edition is “Never Gonna Give You Up”.

Rejo Zenger is a policy adviser at Bits of Freedom, the Netherlands’ leading digital rights organisation. We spoke about their lawsuit against Meta for violations of the Digital Services Act (DSA) related to dark patterns that prevent users from persistently switching to a non-profiling feed.

Rejo: Bits of Freedom is the leading digital rights organisation in the Netherlands. We work on digital freedom, human rights, and the digital infrastructure that shapes the everyday life of Dutch internet users. We began as a lobbying organisation working predominantly on technology legislation in the Hague and Brussels. We also conduct campaigns, bring legal action, and directly empower users by helping them to understand and exercise their rights.

I’ve been at Bits of Freedom for fifteen years, working on a range of issues from data retention and encryption to the dominance of major platforms and how that shapes the public debate. Recently, I’ve been working on the EU’s proposed Child Sexual Abuse Regulation and leading our lawsuit against Meta under the DSA.

Rejo: The EU’s Digital Services Act (DSA) requires Meta to allow users to choose a platform feed which is not based on profiling (i.e. the collection and analysis of personal data). To implement this, Facebook and Instagram allow users to switch to a “Following” feed instead of the profiling based “For You” feed. However, switching to the “Following” feed was not persistent. Instead, the platforms reverted to the “For You” feed every time the user closed and re-opened the app. This did not offer users a real choice. Instead, this design nudged users back to the profiling feed, amounting to a prohibited dark pattern which forced users to repeatedly state their preference (as per Article 25 DSA & Recital 67). In addition, on certain interfaces such as Instagram Reels, Meta did not provide any feed not based on profiling.

Whilst we do not have a view on whether profiling or non-profiling feeds are better, we believe it is important that each user is able to decide how they receive information on platforms. This is a core element of the right to freedom of expression. This is particularly the case because Meta’s profiling-based feed recommends content that serves its own business model rather than users’ interests.

In April 2025, we filed a complaint about this practice with the Irish Digital Services Coordinator (DSC). We argued that Meta was violating three provisions of the DSA: (1) the obligation that Very Large Online Platforms (VLOPs) must provide users with an alternative to profiling-based feeds, (2) the obligation to enable users to set a preference between these feeds, and (3) the prohibition on dark patterns, which are platform interface designs that undermine the users’ autonomy. Unfortunately, we did not receive a substantive update on the complaint, merely receiving confirmation of receipt and that the complaint was partially forwarded to the European Commission.

In early June, the Dutch government unexpectedly collapsed and snap elections were called for October. This made an intervention urgent: Meta’s DSA violations could impact how Dutch users received information during the election period. Therefore, we decided to initiate summary proceedings before the Amsterdam District Court. This is a fast-track civil procedure which is designed for urgent situations, namely where waiting for full proceedings would undermine the purpose of the claim.

Rejo: The Amsterdam District Court agreed that Meta had violated all three DSA obligations. To remedy this, the Court ordered Meta to change its Facebook and Instagram interfaces to enable users to persistently select non-profiling feeds within two weeks. The implementation timeframe was extended to four months following Meta’s successful appeal on this specific aspect of the remedy.

As a result, Meta had to implement these changes by 1 January. In practice, we have seen that most users that created their accounts in the Netherlands can now persistently select non-profiling feeds. However, we are investigating several instances where users remain unable to persistently change their feed. Whilst this remedy is conceptually simple, verifying Meta’s compliance required significant resource and expertise. Meta runs constant A/B testing across users, with the change rolled out in phases across surfaces, e.g. web, iOS, Android, and interfaces, e.g. home feed, reels, comments, which made it difficult to verify.

Meta did file an appeal against the judgment as a whole. However, it withdrew its substantive grounds a day prior to the appeal hearing. Therefore, Meta no longer contests the court’s finding that it violated the DSA. Instead, Meta only appealed on procedural grounds, arguing that the summary proceedings were not appropriate. On 10 March, the Court of Appeal ruled against Meta, affirming that Bits of Freedom had an urgent interest in the claim because of Meta’s continuing unlawful conduct in violation of the DSA which impacts freedom of information. The Court of Appeal also increased the penalty for failure to comply with the Court Order to €10 million.

This judgment will have impact across the EU for several reasons, despite the fact that Meta only rolled out the interface changes for Dutch users.

First, the logic of the ruling is applicable across European Member States and could be replicated in similar cases. Since the courts would be interpreting the same harmonised regulation and platform behaviour, they could likely rely on the Dutch judgment as persuasive authority.

Second, the DSA includes a parallel enforcement mechanism to empower national DSCs and the European Commission (for VLOPs such as Instagram and Facebook) to enforce the law across the EU. We hope the European Commission will treat the Dutch Court’s judgment as a strong indication of non-compliance and seek a remedy that applies across the EU to avoid duplicative litigation.

Rejo: Regulatory enforcement moves slowly. We did not see meaningful progress on our complaint to the Irish DSC, beyond it being forwarded to the European Commission. This did not match the urgent action that was required given the upcoming Dutch elections and, more broadly, the impacts to freedom of expression and information autonomy. This urgency pushed us to use litigation to compel compliance with the DSA. Litigation is useful because it can move much more quickly, clarifying what compliance should look like and forcing platforms to implement concrete remedies.

However, private litigation is not a substitute for regulatory enforcement. Civil society faces several constraints: First, is the significant financial risk. Big Tech has extensive legal resources which makes the costs of litigation high. This poses a (possibly existential) financial risk for civil society organisations if they were to lose. Second, is the deep information asymmetry. In our case, Meta knew exactly how its systems work and how changes were rolled out, whilst we had to infer from observation and commission expert opinions. Even where we commissioned expert evidence regarding the remedies and implementation timeline, Meta easily disputed the feasibility. This also makes it difficult to properly verify Meta’s compliance with the Court Order. Third, are the jurisdictional limitations. A national case delivers a national fix, and platforms have incentives to do the minimum geographically required, e.g. only rolling out the mandated changes to Dutch users.

Finally, civil society organisations are reckoning with significant risks related to the current geopolitical environment. The U.S. House Judiciary Committee recently labelled Bits of Freedom as a “censorious NGO”, and several individuals leading CSOs on hate speech and disinformation were sanctioned for their work. It is crucial that the European Commission stands firm to enforce European law and support the civil society organisations doing this work.

Rejo: A core priority is to expand the impact of this case beyond the Netherlands and make it structural. We need to avoid a system where civil society must litigate the same pattern repeatedly across Member States, platforms, and app surfaces.

Bits of Freedom are also working across other technology legislation such as the Digital Fairness Act on manipulative design and how it translates obligations related to interface. We’re also working on issues related to bodily integrity and the use of AI by the Dutch government, particularly to profile citizens.