G7 Data Protection and Privacy Authorities
Data Free Flow with Trust position paper

December 10, 2025

In an increasingly digitalised world, the reliance on cross-border transfers of personal data is more prominent than ever. Deepening practical discussions between regulators and working in collaboration with global stakeholders on the future interoperability of transfer regimes is essential to support innovation and growth whilst preserving privacy and data protection.

The vision of the G7 Data Protection and Privacy Authorities (DPAs) of developing a strategic approach to Data Free Flow with Trust (DFFT) builds upon commitments made in the 2024 G7 Ministerial Declaration of Industry Tech and Digital Ministers ‘to operationalising Data Free Flow with Trust (DFFT) and to build upon commonalities, complementarities, and elements of convergence between existing regulatory approaches and instruments enabling data to flow with trust in order to foster future interoperability’ (Footnote 1).

Global efforts on personal data transfers

Achieving trusted, safe and secure cross-border flows of personal data is a truly global matter, and operationalising DFFT is not an issue that the G7 DPAs can resolve alone. It requires the cooperation of all relevant stakeholders in the field.

We note and welcome the efforts and actions that have already been taken to develop and operationalise DFFT, instigated by several international fora, including the work of the OECD’s Expert Community, the Global Privacy Assembly (GPA) and at the Council of Europe.

We acknowledge and affirm the high-level essential elements described in the GPA Resolution on Data Free Flow with Trust and an Effective Regulation of Global Data Flows (Footnote 2), adopted unanimously by the GPA members in 2024. These elements are noted as ‘essential to achieve secure and trustworthy cross-border data flows’:

  • Key data protection principles
  • Individual rights
  • Security
  • Onward transfers
  • Government access
  • Independent oversight
  • Legal remedies and redress.

We reiterate that trust is a vital component of data transfers, and agree that these essential elements, as noted within the GPA Resolution, provide important considerations for policymakers on the core components required to facilitate safe cross-border transfers of personal data.

We encourage OECD members to continue to promote the Declaration and further encourage non-OECD countries to refer to these principles in their policy making. We also highlight the 2021 GPA Resolution on Government Access to Data, Privacy and the Rule of Law (Footnote 3) and continue to encourage governments to reflect and build upon its contents.

Future work

We acknowledge that further work is needed to achieve DFFT. In this regard, through our efforts to continue working towards elements of convergence to foster the future interoperability of transfer tools, we resolve to continue to build upon our work to date, such as the comparative analysis of GDPR certification mechanisms as a tool for transfers and the Global CBPR Framework, undertaken in 2024.

We reaffirm our collective commitment to:

  • Support the work of other multilateral fora to align efforts and avoid duplication of work on DFFT.
  • Support other international fora in their endeavours to build upon existing comparison work on standard contractual clauses. 
  • Continue to identify opportunities to find commonalities between transfer tools.
  • Develop resources to support safe and secure cross-border data flows.
  • Collectively consider how best to support OECD members to promote the OECD’s trusted government access principles.

Practical steps to facilitate DFFT

In addition to our above commitment, we call on governments and policy makers to: 

  • Promote the development of legal frameworks that support efficient and effective data flows while maintaining high standards of data protection and privacy, embedding data protection by design and recognising different domestic legal and cultural traditions.
  • Consider how to support efforts to build upon existing networks devoted to data protection and privacy, where appropriate.
  • Invest in practical and accessible compliance tools such as standard and model contractual clauses and certifications that support entities, including small and medium-sized enterprises, in navigating international data transfers.
  • Develop online learning resources to empower organisations in their knowledge and understanding of international personal data transfers and to increase their confidence when selecting transfer tools. 

 
