G7 Data Protection and Privacy Authorities’ Action Plan
We, the G7 Data Protection and Privacy Authorities (DPAs),Footnote 1 endorse the following Action Plan for 2024/2025 on the three pillars set out in the 2024 Communiqué, namely (I) Data Free Flow with Trust (DFFT), (II) Emerging technologies, and (III) Enforcement cooperation. In doing so, we commit to:
Pillar I - DFFT
i. Developing DFFT
- Remain attentive and supportive to the ongoing efforts to develop and operationalise the concept of DFFT, as progressed within several international fora, such as the Organization for Economic Co-operation and Development (OECD) and the Global Privacy Assembly (GPA).
- Invite further collaboration and seek opportunities to discuss and promote the notion of DFFT with such international fora, also considering the ongoing work of the DFFT Expert Community at the OECD and of the Global Frameworks and Standards Working Group at the GPA.
- Continue to work towards developing the notion and key components of DFFT amongst G7 DPAs, in particular in influencing regulatory policies aiming to achieve elements of convergence in data transfers within the G7.
- Identify opportunities for longer-term initiatives of the DFFT Working Group, including progressing strategic discussions on how DPAs can best contribute to further develop the concept of DFFT.
ii. Transfer tools
- Continue working towards elements of convergence to foster future interoperability of transfer tools, where possible, and to achieve a high level of data protection and facilitate DFFT.
- Share the G7 DFFT Working Group’s comparative analysis of the core elements of the EU GDPR certification as a tool for transfers and the Global Cross Border Privacy Rules (CBPR) System in a controller-to-controller scenario with relevant international fora such as the GPA, OECD or Global CBPR Forum; build on this exercise to identify further collaborative work on transfer tools, in particular considering possible opportunities and challenges to contribute to the global dialogue on their convergence and possible interoperability.
- Contribute to and seek further opportunities to support the past and future work of the Global Frameworks and Standards Working Group of the GPA, in particular the update of the factual comparison of model contractual clauses across a range of different data protection frameworks (“Comparative tables – Contractual Clauses for transfers from Controllers to Controllers” adopted in 2023). Remain attentive to developments within G7 jurisdictions to further enhance the working group’s focus on model contractual clauses and their potential to build elements of convergence and interoperability of this transfer tool globally.
iii. Government access to data
- Continue to support the 2021 GPA resolution on “Government Access to Data, Privacy and the Rule of Law”.
- Encourage the OECD to further promote its “Declaration on Government Access to Personal Data held by Private Sector Entities” adopted at the OECD Ministerial meeting in December 2022.
- Continue to encourage non-OECD members to refer to the OECD Declaration in the light of its global nature, and reflect it in their policy making, having in mind the seven common principles on government access to personal data held by private sector entities identified by the Declaration in existing legal frameworks.
Pillar II - Emerging Technologies
i. Knowledge exchange and capacity-building
- Continue to promote the development and usage of emerging technologies in ways that reinforce trust and respect privacy and data protection.
- Facilitate strategic and technical discussion between G7 DPAs, with a view to understanding individual DPA priorities and challenges and help inform one another’s approach on key issues.
- Ensure the exchange of knowledge, experience, and expertise in assessing the impact of key technologies, including in particular areas such as AI technologies and online tracking, on privacy and data protection rights.
- Promote internal capacity-building and the exchange of expertise among G7 DPAs, for instance by means of workshops and presentations on key issues.
ii. Collaboration on personal data protection
- Identify and assess opportunities for collaborative action on the issue of personal data protection and privacy in key technological domains, considering in particular the field of AI and related and overlapping technologies, such as biometrics and online tracking.
- Explore how best to protect privacy with respect to these technologies through collaborative action within the G7, while promoting convergence on key values, principle and notions.
- Continue to explore the possible implications of AI and emerging issues related to the use of AI-enabled systems by children and young people, building on the G7 DPAs “Statement on AI and Children”.
- Follow legislative developments related to AI, including on the role of DPAs in this context, building on the G7 2024 DPAs “Statement on the Role of Data Protection Authorities in Fostering Trustworthy AI”, and sharing strategies for ensuring effective supervision and enforcement in this space.
iii. Strategic support
- Contribute to discussions occurring in other international fora in support of G7 Emerging Technologies Working Group (ETWG) action items, while emphasising the need to pay close attention to data protection and privacy rights.
- Promote external awareness and engagement with G7 DPAs outputs, including the ETWG use case study on synthetic data and the terminology reference document on de-identification, pseudonymisation, and anonymisation.
Pillar III- Enforcement cooperation
i. Increasing Enforcement Dialogue amongst G7 DPAs and the broader data protection and privacy enforcement community
- Continue to foster greater dialogue, through the G7 Enforcement Cooperation Working Group (ECWG) and with the broader privacy enforcement community, on enforcement cooperation matters, including enforcement of laws and regulations, to ensure a high level of data protection and privacy.
- In particular, continue the dialogue to identify and overcome legal and practical challenges for cross border enforcement cooperation.
- Seek opportunities to actively participate in discussions on these topics at existing fora and organisations, such as the GPA’s International Enforcement Cooperation Working Group (IEWG), the Global Privacy Enforcement Network (GPEN), the Global Cooperation Arrangement for Privacy Enforcement (CAPE), the OECD and the Council of Europe (CoE).
- Consider establishing new bilateral Memoranda of Understanding (MoUs) or Memoranda of Cooperation (MoCs) amongst G7 DPAs and incorporating the 2023 G7 Request for Information (RFI) form and the existing and future MOUs and MoCs into the GPA’s Enforcement Cooperation Handbook, to serve as examples for other DPAs.
- Continue sharing enforcement best practices and priorities, building on the G7 “Promoting Enforcement Cooperation” narrative on national and cross-border enforcement cases.
ii. Interventions by the G7 Enforcement Cooperation Working Group to Support Enforcement Cooperation Activities
- Leverage the G7 “Promoting Enforcement Cooperation” narrative to identify opportunities to engage in concrete bilateral or multi-lateral enforcement cooperation amongst G7 DPAs, and share information and/or undertake joint or coordinated enforcement actions in relation to data protection and privacy issues of global significance.
- Seek out opportunities to endorse enforcement cooperation initiatives led by other networks, such as Privacy Sweeps and joint statements, to amplify their impact.
- Share knowledge and experiences regarding the procedures required for the exchange of information among DPAs in joint or coordinated enforcement actions.
iii. General Support and Amplification of Existing Enforcement Cooperation Activities
- Encourage the broader data protection and privacy community to engage with global and regional fora. Aim to expand our collective enforcement capacity and create the foundation for successful cooperation, by leveraging the various tools and mechanisms of those networks. To this end, the G7 ECWG undertakes the following:
- Further encourage participation in the GPA, including:
- the Global Cross-Border Enforcement Cooperation Arrangement of the GPA (“Mauritius Arrangement”),
- the GPA’s IEWG, in respect of which we encourage the use of the Enforcement Cooperation Handbook and Repository; and participation in “closed enforcement sessions” and capacity building workshops,
- the GPA’s Digital Citizen and Consumer Working Group which promotes cross-regulatory dialogues and practical cooperation where privacy intersects with other regulatory spheres (e.g. Competition).
- Encourage participation in GPEN and its various tools and initiatives, such as Privacy Sweeps, capacity building webinars and online discussion forum, and continued support for the implementation of its updated Action Plan.
Working groups and evaluation
- Continue dialogue of mutual importance amongst G7 DPAs at the Data Free Flow with Trust, Emerging Technologies and Enforcement Cooperation Working Groups.
- Evaluate the progress and achievements of this Action Plan throughout 2025, including at the 2025 G7 DPA Canada Roundtable.
Footnote
- Date modified: