Language selection

Search

G7 Data Protection and Privacy Authorities’ Communiqué

Roundtable of G7 Data Protection and Privacy Authorities

“Privacy in the age of data”

11 October 2024


Introduction

  1. We, the G7 Data Protection and Privacy Authorities (DPAs)Footnote 1, met on 10 and 11 October 2024 in a Roundtable meeting hosted by the Garante per la protezione dei dati personali (Garante) in Rome, Italy, to discuss some of the most challenging issues for privacy and data protection in the age of data. Building on the work done in previous years by our Roundtable, we continued working on the three pillars of Data Free Flow with Trust (DFFT), emerging technologies and enforcement cooperation, and have also focused our attention on the challenges that artificial intelligence (AI) poses to privacy, data protection and other fundamental rights and freedoms.
  2. We welcome the attention paid by the G7 Industry, Technology and Digital Ministerial Meeting Declaration on 15 March 2024 to the “evolving and complex challenges that digital technologies, including AI, pose with respect to protecting human rights, including privacy, and […] the risks to personal data protection”.
  3. Building on our shared fundamental values and principles such as freedom, democracy, human rights, and the rule of law, we confirm our commitment to protecting the rights and interests of individuals through ensuring a high level of data protection and privacy within the developing information and communication-driven society.
  4. We also recognise the increasing economic and societal benefits and impacts of personal data sharing and use of AI systems while being mindful of the risks which may occur with such use. Considering that many AI technologies, including generative AI, are based on the processing of personal data, the need to protect the right to privacy and data protection is more critical than ever. We will continue to cooperate to ensure a high level of protection of these rights, while helping to foster innovation and promoting safe, secure, and trustworthy AI.
  5. DPAs emerge as key figures in the AI governance landscape, leveraging their expertise in data protection to uphold privacy to the highest standards. Their role is crucial in fostering trustworthy AI technologies and helping to ensure that they are developed and used responsibly, in line with data protection rules and principles which also apply to these technologies. By drawing on their extensive experience and working collaboratively, DPAs can help navigate the complexities of AI governance and promote the lawful development and deployment of these technologies whilst respecting human rights. In this regard, DPAs’ full independence plays a crucial role in helping to ensure a responsible and efficient governance of the development of AI technologies. DPAs may play a key role in helping to promote public awareness and understanding of AI technologies related to privacy and data protection, contribute to a more knowledgeable and prepared society, and enforcing the law where appropriate.
  6. Further to our G7 DPAs’ “Statement on Generative AI” (June 21, 2023), we have adopted the G7 Roundtable “Statement on the Role of Data Protection Authorities in Fostering Trustworthy AI”. The statement calls on policymakers and regulators for approaches that recognise the critical role of the DPAs in ensuring that AI technologies are developed and deployed responsibly and in identifying and addressing AI issues at their source. We emphasise that DPAs apply a human-centred lens to their mandate and have vast experience with data-driven processing and in operationalising many data protection overarching principles that can be transposed into broader AI governance frameworks, in particular fairness, accountability, transparency, and security.
  7. We welcome the contribution to our discussions provided by the Council of Europe (CoE), the Organisation for Economic Co-operation and Development (OECD), the Asia Pacific Privacy Authorities (APPA), the Global Privacy Enforcement Network (GPEN) and the Global Privacy Assembly (GPA). We are grateful for the experience and knowledge they shared with us during the session on “Trustworthy AI: challenges and ongoing discussions within global fora”. We reaffirm that cooperation and knowledge sharing between the G7 DPAs Roundtable and other international fora are of great importance in order to align efforts to protect the rights and interests of individuals, through ensuring a high level of data protection and privacy.
  8. We welcome the G7 Industry, Technology and Digital Ministers’ reaffirmed commitment to operationalise the concept of DFFT and “to build upon commonalities, complementarities and elements of convergence between existing regulatory approaches and instruments enabling data to flow with trust in order to foster future interoperability”Footnote 2.
  9. We also note the Ministers’ commitment “to further work to promote DFFT, recognising the importance of strengthening global data governance” and their welcoming of “knowledge sharing in the context of G7 data protection authorities’ roundtables”, as well as their call on the Institutional Arrangement for Partnership (IAP), currently in the form of the DFFT Expert Community at the OECD, to regularly update and exchange information on its progress, next steps, and priorities, and to collaborate with the G7 in subsequent meetings. We appreciate this continued support by the Ministers for the G7 DPAs to intensify their cooperation and knowledge sharing through the Roundtable of G7 DPAs and with other relevant international multi-stakeholder fora. We acknowledge that the DFFT Expert Community at the OECD brings together data protection and privacy stakeholders, and we reiterate the importance of also including the DPAs. We firmly believe that DPAs have a key role in contributing on topics that are within their competence to ensure that high standards of data protection and privacy continue to be upheld.
  10. With a view to addressing these global challenges and providing a concrete contribution, we have continued our work on the three pillars through dedicated working groups:
    • Pillar 1 - DFFT
    • Pillar 2 - Emerging Technologies
    • Pillar 3 - Enforcement Cooperation

Pillar I - DFFT

  1. We take note of the increasing attention of the international community and stakeholders to the benefits that may arise from cross-border transfers of data linked to the globalisation of economic and social activities. We highlight that the growth in these cross-border transfers may raise serious challenges to the protection of personal data and privacy and that “trust” is a vital component where transfers of personal data occur across borders. We highlight the need to rely on transfer mechanisms that ensure the protection of personal data when shared across borders, as this is an essential condition for data to be transferred safely and freely.
  2. We recognise that the concept of DFFT has become a common objective for like-minded countries and international fora. We highlight that the core concept of DFFT is to enable the international transfer of personal data in a responsible, trustworthy manner whilst at all times adhering to high standards of protection of personal data and privacy.
  3. Building on the decision taken at the Roundtable hosted by the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) in Bonn in 2022 and the commitments contained in the G7 DPAs’ Communiqué of the Roundtable hosted by the Personal Information Protection Commission (PPC) in Tokyo in 2023, we have continued our discussions on DFFT within the context of the G7 DFFT Working Group, co-chaired by the Information Commissioner’s Office (ICO), UK, and the Commission Nationale de l’Informatique et des Libertés (CNIL), France.
  4. Further to our commitment to working towards elements of convergence to foster future interoperability of transfer tools to achieve a high level of data protection and facilitate DFFT, the Working Group has developed, under the lead of the BfDI and the CNIL, a comparative analysis of core elements of the EU GDPR certification as a tool for transfers and of the Global Cross-Border Privacy Rules (CBPR) System in a controller-to-controller scenario. This comparative analysis highlights both the commonalities and differences between the systems. We observe that both schemes subscribe to various similar key principles, such as lawfulness, purpose limitation, security of data processing and transparency. At the same time, there are notable differences in their legal foundations, structure and purpose as well as in the specific provisions, including enforceability and legal redress, and rules regarding independent oversight and government access. The Working Group will build on the comparative analysis to identify further collaborative work on transfer tools and contribute to the global dialogue on working towards elements of convergence to foster future interoperability.
  5. Further to the work undertaken by the G7 DFFT Working Group, we recognise and support the valuable efforts by other international fora, and highlight the work of the GPA’s Global Frameworks and Standards Working Group (GFSWG) and its resolution adopted in 2023 on “Achieving global data protection standards: Principles to ensure high level of data protection and privacy worldwide”. We further welcome the factual comparison of standard contractual clauses across a range of different data protection frameworks carried out in 2023 and which is currently being updated, as a helpful resource for organisations that transfer personal data across borders. Recognising that model contractual clauses are one of the most used tools for data transfers globally, we will foster further dialogue for cooperation and convergence of these instruments as decided in the G7 Action Plan adopted in Tokyo.
  6. We also highlight and support the work that the GFSWG is undertaking in relation to DFFT and on essential elements to achieve secure and trustworthy cross-border data flows and we will seek new opportunities to align our efforts in this area. We further recognise the work to operationalise DFFT within the DFFT Expert Community at the OECD and will seek opportunities to support these endeavours.
  7. We also take note of the ongoing discussions and developments regarding data flows and transfer tools in various regional and international groups and fora, such as the Council of Europe (CoE), the European Data Protection Board (EDPB), the Global CBPR Forum, the Association of Southeast Asian Nations (ASEAN), the Ibero-American Data Protection Network (RIPD) and encourage dialogue between these organisations.
  8. In addition, we reaffirm our support to the 2022 OECD Declaration on Government Access to Personal Data held by Private Sector Entities and continue to encourage governments to reflect and build on its content and on the 2021 GPA resolution on “Government Access to Data, Privacy and the Rule of Law” in their own policy making.

Pillar II - Emerging technologies

  1. Building on the work of the G7 Emerging Technologies Working Group, chaired by the Office of the Privacy Commissioner (OPC), Canada, we aim to promote the development and usage of emerging technologies in ways that reinforce trust and privacy.
  2. Considering the increased importance of technological solutions that could promote the development and usage of emerging technologies in ways that reinforce trust and privacy, and as outlined in our Action Plan adopted in 2023, the Working Group developed and published, under the leadership of the UK Information Commissioner’s Office (ICO), a hypothetical Use Case on Privacy Enhancing Technologies (PETs) to demonstrate how one type of PET (synthetic data) could be used to achieve a safe and privacy-preserving method for obtaining insights from sensitive data. We believe that the development of a case study will help inform this emerging market and encourage the responsible use of such technologies.
  3. We also believe that a common understanding of key terms and concepts in use across G7 jurisdictions in the area of emerging technologies can facilitate collaborative work and discussions. To this end, we are issuing a terminology paper related to the notions of anonymisation, pseudonymisation and de-identification (“Reducing identifiability in cross-national perspective: Statutory and policy definitions for anonymisation, pseudonymisation, and de-identification in G7 jurisdictions”). The work, led by the OPC, describes how terms are defined, explains common features across jurisdictions, and underlines important differences among G7 jurisdictions.
  4. Considering the significant opportunities that digital technologies, such as AI, create for children and young people, while taking into account their potential impacts on data protection and privacy rights, we initiated collaborative discussions on the issue of personal data protection in the context of AI and how best to protect children’s privacy, in particular, given the vulnerability of children in relation to this technology.
  5. Led by the Garante and the OPC, the Working Group has developed the “Statement on AI and Children”. The document identifies examples of privacy and data protection risks arising from the development and use of AI technology in relation to children, and calls on stakeholders to take action to protect children’s privacy in this context. The statement emphasises the need to “promote the development and usage of emerging technologies in ways that reinforce trust and respect privacy”, in line with our G7 DPAs Action Plan and in continuation of the work started and the commitments made in the G7 DPAs “Statement on Generative AI” adopted in Tokyo in 2023.

Pillar III- Enforcement cooperation

  1. In today’s digital economy, which is increasingly characterised by globally impactful new and emerging technologies and significant data flows, cooperation amongst DPAs applying their different powers is crucial. We therefore continue our efforts in fostering international cooperation among DPAs to effectively exercise our regulatory powers. We firmly believe that enforcement cooperation helps better protect the rights and interests of individuals while ensuring more clarity and consistency for organisations.
  2. To this end, we have increased our dialogue and information sharing and seek, where appropriate, to engage in concrete bilateral or multilateral coordinated enforcement actions both amongst the G7 and with other DPAs.
  3. To facilitate effective enforcement cooperation in practice within the G7 Enforcement Cooperation Working Group, co-chaired by the Federal Trade Commission (FTC), United States of America, and the Personal Information Protection Commission (PPC), Japan, we shared enforcement best practices and identified overlapping enforcement priorities. We reported these cases in the “Promoting Enforcement Cooperation” narrative which describes and links to several representative enforcement cases, in order to foster further collaboration on common priorities.
  4. Recognising the importance of promoting efficient cooperation between G7 DPAs, we continued our work to foster use of the Request for Information (RFI) form adopted in 2023 in Tokyo, including by encouraging its incorporation into existing cooperation instruments such as Memoranda of Understanding (MoUs) and Memoranda of Cooperation (MoCs). Within this framework, a MoC was established between ICO and PPC (17 October 2023) and MOUs were established between ICO and EDPS (9 November 2023) and between ICO and BfDI (10 June 2024), respectively.
  5. We take note of the ongoing initiatives to further enhance enforcement cooperation within the EDPB, as well as the work of the Global Cooperation Arrangement for Privacy Enforcement (which underpins the Global CBPR system), and will continue to support and leverage enforcement collaboration activities in international fora, including the GPA’s International Enforcement Cooperation Working Group, and GPEN.

Next steps

  1. As we, the G7 DPAs, enter our fifth year of collaboration as a roundtable, we intend to assess, evaluate, and where appropriate re-calibrate internal governance processes and procedures, to ensure efficiencies in the work carried out and ensure maximum impact.
  2. Based on the above shared views, we have endorsed a high level 2024/25 Action Plan (in Annex) to continue strengthening our cooperation, by addressing the challenges identified in the three pillars, in order to protect privacy, individual fundamental rights and societal democratic values shared among the G7 countries.
  3. Building on the results of the Roundtable and the meetings of our three Working Groups in 2024, we will continue to engage in discussions at expert level with the aim of developing the topics identified in the Action Plan under the chairpersonship of the OPC in 2025.

Footnotes

Date modified: