G7 Data Protection and Privacy Authorities’ 2026 Action Plan

December 10, 2025

We, the G7 Data Protection and Privacy Authorities (DPAs), guided by the 2025 Action Plan, collaborated throughout 2025 under the theme of “Championing privacy in a digital age: Collective action today for a trusted tomorrow.” Together, we adopted a statement titled Promoting Responsible Innovation and Protecting Children by Prioritizing Privacy. Throughout 2026, we will continue to promote the principles set out in this statement.

We endorse the following Action Plan for 2026 to continue to advance our priorities. In doing so, we commit to:

1. Engage in continued dialogue of mutual importance amongst G7 DPAs and engage with experts and partner networks to foster a trusted digital environment for all.
2. Foster trust and support innovation that protects privacy, and particularly children’s privacy, as the collective actions that we take today will contribute to shaping a safer digital environment for future generations.
3. Support the G7 Industry, Digital and Technology Ministers in achieving their commitment to “promote a human-centric approach and create an enabling environment for the widespread adoption of secure, responsible and trustworthy AI.” As stated in the G7 2025 Industry, Digital and Technology Ministerial Declaration of December 9, 2025, this includes “to promote AI that drives innovation and growth and benefits people, mitigates negative externalities, promotes our economic and national security, respects applicable legal frameworks, including human rights, and is enabled through Data Free Flow with Trust (DFFT)”^{Footnote 1}.
4. Continue to collaborate and engage on the three ongoing pillars, namely:
1. Data Free Flow with Trust (DFFT), to help foster secure, transparent and responsible exchange of personal information across borders.
2. Emerging technologies, to promote the development and usage of emerging technologies in ways that reinforce trust and respect privacy; and
3. Enforcement cooperation, to expand collective enforcement capacity by identifying and overcoming legal and practical challenges and sharing knowledge and experiences.

Pillar I – Data Free Flow with Trust (DFFT)

5. Build upon the work carried on in 2025 by the DFFT Working Group, led by the Federal Commissioner for Data Protection and Freedom of Germany (BfDI), specifically on developing practical approaches to operationalize DFFT alongside other global efforts, working towards elements of convergence to foster future interoperability of transfer tools that achieve a high level of data protection and facilitate data flows.

Developing DFFT

6. Continue to work towards developing the notion and key components of DFFT among G7 DPAs, in particular to promote and influence the development of legal frameworks, regulatory policies and transfer tools that support efficient and effective data flows while maintaining high standards of data protection and privacy.
7. Develop resources to support safe and secure cross-border data flows, including understanding the requirements for data transfers within G7 jurisdictions. This work will gather the legal requirements and existing guidance by G7 DPAs regarding cross-border transfers, including, for example, on government access or Transfer Impact Assessments / Transfer Risk Assessments, to identify further opportunities for collaboration.
8. Identify opportunities for longer-term initiatives of the DFFT Working Group that make use of the G7 DPAs’ strategic position to contribute to the development of DFFT.

Support the work of international fora

9. Remain attentive of and support the work of several international fora progressing the development and operationalisation of the concept of DFFT, such as the Organization for Economic Co-Operation and Development (OECD) and the Global Privacy Assembly (GPA) and actively encourage and facilitate dialogue between the relevant groups.
10. Continue to support the 2021 GPA resolution on Government Access to Data, Privacy and the Rule of Law.
11. Support OECD members to identify further opportunities to promote the 2022 Declaration on Government Access to Personal Data Held by Private Sector Entities and its principles, and given their global nature, continue to encourage non-OECD members to refer to these principles in their policymaking.

Pillar II – Emerging technologies

12. Expand on the work completed in 2025, including the joint paper on connected home devices and children’s privacy, exploring privacy in the context of third-party service providers, and knowledge sharing on AI, to continue to promote the development and usage of emerging technologies in ways that reinforce trust and prioritize privacy. Through the work of the Emerging Technologies Working Group, under the leadership of the Information Commissioner’s Office (ICO), we commit to:

Children’s Privacy

13. Remain attentive to the impact that emerging technologies can have on privacy, particularly on children’s privacy.
14. Explore emerging trends that build upon the work undertaken in 2025 on connected home devices and children.

Industry Developments

15. Continue to reinforce the importance that data protection and privacy play in the successful deployment of emerging technologies and react accordingly to fast paced industry developments.
16. Apply a horizon-scanning approach to understand new and emerging technologies, such as Smart Glasses, Agentic AI and cybersecurity, that may warrant further collaboration.
17. Facilitate strategic and policy-level discussions to share early understanding of each other’s priority areas in emerging technologies.
18. Continue to promote internal capacity building and the exchange of expertise amongst the G7 DPAs in emerging technologies.

Collaboration and Capacity-building

19. Remain attentive to the work conducted by other international fora on these new and emerging technologies and seek opportunities for collaboration, capacity building and knowledge sharing.

Pillar III – Enforcement cooperation

20. Continue to explore ways to facilitate effective enforcement cooperation in practice within the G7 Enforcement Cooperation Working Group (ECWG), co-chaired by the U.S. Federal Trade Commission (FTC), and the Personal Information Protection Commission (PPC), Japan, by leveraging the enforcement cooperation mechanisms developed through 2025 as well as existing practical methods for cooperation identified through the past year and provided by other fora.

Enforcement Case Sharing Format

21. Progress the discussion on the establishment of a repository of completed enforcement cases, including:
1. How to leverage the enforcement case sharing format adopted by ECWG in 2025 to populate the repository.
2. Technical requirements for the repository for each G7 DPA.
3. Legal or practical challenges that should be addressed.
4. Identify relevant enforcement case examples to share amongst the G7 DPAs to maintain momentum whilst the repository is being developed.

22. Invite further collaboration and seek opportunities to discuss and promote the enforcement case sharing format with existing fora and organisations, such as the GPA’s International Enforcement Cooperation Working Group (IEWG), the Global Privacy Enforcement Network (GPEN), the Global Cooperation Arrangement for Privacy Enforcement (CAPE), the OECD and the Council of Europe (CoE).
23. Before establishing the repository, share valuable enforcement cases which each DPA finds appropriate to be shared amongst G7 DPAs at ECWG via the enforcement case sharing format.
24. Collaborate with DFFT Working Group and Emerging Technology Working Group when ECWG analyzes enforcement cases in the repository that relate to elements that hinder DFFT or trends in emerging technologies.

Enforcement Dialogue amongst G7 DPAs

25. Continue sharing enforcement best practices related to standard safeguards and security measures that enable DPAs to share confidential information in the context of enforcement cooperation.
26. Seek opportunities for collaborative enforcement actions by G7 DPAs and the broader DPA community, such as:
1. Expand our collective capacity and create the foundation for successful cooperation by using and encouraging the broader DPA community to leverage existing enforcement cooperation tools and mechanisms provided by global and regional fora.
2. Promote and build on the results of the 2025 Global Privacy Enforcement Network Sweep focused on the protection of children’s privacy.
3. Model best practice by using the GPA’s Enforcement Cooperation Handbook in cross-border collaboration cases involving G7 DPAs and promoting use of the Handbook by the broader DPA community.

Maximizing our impact

27. Evaluating the progress and achievements of this Action Plan throughout 2026, including at the 2026 G7 DPA Roundtable to be hosted by the Commission Nationale de l’Informatique et des Libertés of France (CNIL).
28. Continue our collaboration with other networks of data protection authorities and with regulators in other spaces, sharing our findings and learning from theirs in an ongoing effort to foster better protection and promotion of privacy around the globe.