Communiqué: G7 Data Protection and Privacy Authorities

Roundtable of G7 Data Protection and Privacy Authorities

Working toward operationalizing Data Free Flow with Trust and intensifying regulatory cooperation

June 21, 2023

---

Introduction

1. We, the G7 Data Protection and Privacy Authorities (DPAs), met on 20 and 21 June 2023 in a meeting chaired by Tanno Mieko, Chairperson of the Personal Information Protection Commission (PPC) Japan, to discuss key privacy and data protection topics, including the development of the concept of Data Free Flow with Trust (DFFT) and its future operationalization, emerging technologies and enhancing enforcement cooperation.
2. We confirm our commitment to protecting the rights and interests of individuals through ensuring a high level of data protection and privacy, while recognizing the increasing economic and societal benefits and impacts of personal data within the developing information and communication-driven society. Affirming our shared fundamental values and principles such as freedom, democracy, human rights, and the rule of law, we will continue to further deepen and strengthen our cooperative relationship to ensure a high level of protection of personal data as an enabler of economic and social development for G7 members.
3. We welcome the G7 Digital and Tech Ministerial Declaration on 30 April 2023, in which they reaffirmed their commitment to operationalize work on DFFT and build upon commonalities, complementarities and elements of convergence between existing regulatory approaches and instruments enabling data to flow with trust in order to foster future interoperability. The declaration shows strong support by Ministers for the G7 DPAs to intensify regulatory cooperation and further cooperate on knowledge sharing through the Roundtable of G7 DPAs, and with other relevant international multistakeholder fora. We acknowledge that Annex I of the Ministerial Declaration, which was endorsed by the G7 Leaders in the Hiroshima Leaders’ Communiqué on 20 May 2023, draws particular attention to DPAs’ regulatory cooperation including identifying commonalities in regulatory approaches to cross-border data transfers and data protection requirements, as well as facilitating cooperation on Privacy-Enhancing Technologies (PETs), model contractual clauses, certification, access to regulatory information and good regulatory practices, such as enhancing transparency.
4. We take note that the Ministers endeavor to launch the Institutional Arrangement for Partnership (IAP) and call on the IAP to bring together data protection and privacy stakeholders including the relevant DPAs to consider issues on the regulatory approaches mentioned above. In this context, we believe that DPAs must have a key role in contributing on topics that are within their competence in this Arrangement to ensure that high standards of data protection and privacy continue to be upheld.
5. Determined to address global issues and formulate concrete measures for regulatory cooperation in the area of data protection and privacy, we have reflected on three important pillars proposed by the PPC Japan at the 2022 Roundtable, and have established dedicated working groups to facilitate discussions in the following areas:
   • Pillar 1 - DFFT;
   • Pillar 2 - Emerging Technologies; and
   • Pillar 3 - Enforcement Cooperation

Pillar I - DFFT

6. We recognise the increase in cross-border transfers of data through the globalization of economic and social activities, due to the ubiquitous opportunities offered by digital technologies. While recognizing the benefits that may arise from cross border transfers of data, we also highlight that these transfers may raise serious challenges to the protection of personal data and privacy. In this context, the G7 DPAs discussed the concept of DFFT, which was originally proposed by the Japanese Government in 2019. DFFT has now become a common objective for like-minded countries and in various international fora. We emphasize that ensuring “trust”, including a high standard of protection of personal data is a fundamental requirement and prerequisite to facilitate the free flow of data.
7. We reaffirm our commitment to discuss current approaches that have been implemented in different legal systems and international frameworks, and continue to work towards identifying commonalities, and elements of convergence between existing regulatory approaches and instruments enabling data to flow with trust, in order to foster future interoperability, where possible, and to facilitate cross-border transfers of personal information at a high level of data protection and privacy. We acknowledge the diversity of different personal information protection laws, which are based on different domestic principles, and that discussions on these approaches should be inclusive and not exclusive. Taking into account personal data protection requirements and the needs of entities and organizations, including business operators, we believe it is necessary to create options for businesses so that they can choose cross-border transfer tools suitable to the nature of their interests and scope of their activities. We therefore aim to further advocate, promote and advise on the development of global-scale data transfer tools which help businesses to comply with data protection and privacy requirements worldwide.
8. Valuable efforts have been made by the G7 DPA DFFT Working Group, co-chaired by the Information Commissioner’s Office (ICO), UK, and the Commission Nationale de l’Informatique et des Libertés (CNIL), France, in discussing the concept of DFFT and how our common goals as DPAs could collectively add value to this important concept. The Working Group reflected on the objectives and commitments made during the Roundtable meeting hosted by the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) in Bonn in 2022 and committed to continue working towards elements of convergence to foster future interoperability of these transfer tools, where possible, to achieve a high level of data protection and facilitate DFFT. Consideration has also been given to exploring future objectives for the Working Group. In this context, the Working Group will continue current efforts through the comparative analysis of existing data transfer tools such as certification mechanisms and model contractual clauses.
9. In addition, we support the various efforts in relevant international fora concerning DFFT, encourage their further development, and will continue to work together to deliver concerted solutions. Notably, we acknowledge the ongoing work undertaken by the Global Frameworks and Standards Working Group of the Global Privacy Assembly (GPA) on the comparison of model contractual clauses and by the Working Party on Data Governance and Privacy in the Digital Economy of the Organization for Economic Cooperation and Development (OECD). We welcome the OECD Ministerial Declaration on Government Access to Personal Data held by Private Sector Entities adopted in December 2022 in Gran Canaria. In light of its global nature, we encourage Governments from non-OECD countries to reflect on these principles in their own policy making. Finally, we also note, among others, the ongoing discussions and progress being made on transfer tools such as model clauses (Council of Europe, Association of Southeast Asian Nations (ASEAN), the Ibero-American Data Protection Network (RIPD) and certification (Global Cross-Border Privacy Rules (CBPR) Forum and EDPB). We encourage dialogue between these organisations and networks to develop convergent transfer mechanisms in order to foster interoperability whilst having in mind the transfer tools developed within the respective frameworks.

Pillar II - Emerging technologies

10. We acknowledge the emergence of various digital technologies that have brought substantial benefits to our economies, societies, and our personal lives. These technologies, such as Artificial Intelligence (AI), Internet of Things (IoT) and cloud services, have made it easier to collect, process and analyze vast amounts of data in ways not previously possible, opening new possibilities for services, industries, communications, and more. At the same time, we also recognize that these technologies, if left unchecked, can cause serious harm and undermine the rights and interests of individuals including their privacy.
11. We note growing concerns at the global level about increased risks to privacy and other human rights posed by the development, application, and use of AI technologies, including Generative AI. These emerging technologies can involve the automated collection and processing of large quantities of personal information in ways that, in the absence of appropriate safeguards, may undermine compliance with key international principles of data protection and privacy. In that context, we stress the need for developers and users of these technologies to demonstrate compliance with legal obligations, and ensure the implementation of risk mitigating measures, in consultation with relevant DPAs where necessary or appropriate. We reiterate that ensuring the “trust” of individuals, regulatory authorities, and our society is fundamental to the expansion and continued use of such technologies.
12. We also note that among AI technologies, facial recognition technology (FRT) has become a technology of particular concern in G7 member states and around the world. Its use can involve the collection and analysis of highly sensitive personal information through processes that can be automated, scaled, and deployed across a wide range of environments. The use of FRT by both public and private organizations can have serious and lasting consequences for individuals and for society as a whole. In that context, we welcome the recent GPA Resolution on Principles and Expectations for the Appropriate Use of Personal Information in FRT and the GPA’s subsequent efforts to promote the principles in the resolution throughout the world.
13. The G7 DPAs understand the importance and benefits of Privacy Enhancing Technologies (PETs). With the development of these new methods, we recognise that guidance from DPAs is needed to support understanding of the data protection implications of using PETs.
14. We highlight that PETs may help entities/organizations to implement data protection principles effectively and to integrate necessary data protection safeguards into various data processing activities. We emphasize that PETs are not a “silver bullet” for data protection compliance and that in deploying them consideration must be given to the interactions with other regulatory spheres to ensure compliance with such spheres. For example, competition authorities may be concerned with the anticompetitive use of PETs. Case-by-case risk assessments are still required to determine how, and to what extent, individual PETs can enhance compliance with data protection principles and requirements.
15. We value the working-level discussions held within the Emerging Technologies Working Group, chaired by the Office of the Privacy Commissioner of Canada (OPC). The Working Group has committed to developing a PETs use case to demonstrate how one type of PET (synthetic data) can be used for a specific purpose to achieve a safe and private method for obtaining insights from sensitive data. The development of a case study will aim to inform this emerging market and in doing so, encourage the responsible use of such technologies. The Working Group also plans to develop a terminology document for anonymization, pseudonymisation and de-identification, to ensure a common understanding of key terms across jurisdictions. Further, the Working Group intends to collaborate on the issue of personal data protection in the context of generative AI, and to explore how best to protect privacy in relation to this technology.

Pillar III - Enforcement cooperation

16. One of the most important functions of DPAs is to exercise the full range of their regulatory powers to prevent non-compliance, sanction violations of individual privacy and deter possible contraventions. Enforcement powers are a fundamental element of DPAs’ overall approach to achieving compliance.
17. We reaffirm the need for international cooperation among DPAs to effectively exercise our regulatory powers in today’s digital economy, especially in the face of the global adoption of new and emerging technologies and increasing data flows. International enforcement cooperation helps better protect the rights and interests of individuals and provides clarity and consistency for organisations, wherever they are in the world. Cooperation expands our collective enforcement capacity to take action, especially with cross-border and global issues, which are challenging for DPAs to tackle alone.
18. We therefore reaffirm our commitment to enhance cooperation towards finding and implementing appropriate solutions to such challenges, generally and in specific cases. This will occur through regulatory dialogues and information sharing, and by seeking out opportunities to engage in concrete bilateral or multilateral coordinated enforcement actions amongst G7 DPAs.
19. To facilitate effective enforcement in practice, we are fostering dialogues to reach a better understanding of each other’s laws and powers and to share national and international best practices both within the G7 group and with other regulatory authorities, bilaterally and through enforcement cooperation networks. Such dialogues include discussions on the effective implementation of the data minimization principle.
20. We highly value and will continue to support and leverage enforcement collaboration activities in international fora. These include the GPA’s International Enforcement Cooperation Working Group, which recently updated the Enforcement Cooperation Handbook and Repository, and the Global Privacy Enforcement Network (GPEN), which provides pragmatic opportunities and tools for participating DPAs to strengthen their cooperation on enforcement.
21. We welcome the progress made by the G7 Enforcement Cooperation Working Group under the co-chairs of the Federal Trade Commission, United States of America and the PPC, Japan. The development at the 2023 DPAs Roundtable meeting of a G7 DPA Request for Information form and a G7 Contact List is a tangible step towards strengthening enforcement cooperation among the G7 members, and with other DPAs.

Next steps

22. Based on the above shared views, we have endorsed the 2023/24 Action Plan (in Annex) to continue deepening our regulatory cooperation. With the adoption of the Action Plan, we express our strong commitment to strengthen cooperation, address the challenges identified in those three priority areas, fulfill our responsibilities, and shape our path towards a high level of data protection and privacy.
23. Building on the results of the Roundtable meeting and the meetings of the DFFT, Emerging Technologies and Enforcement Cooperation Working Groups in 2023, we will continue to engage in discussions at expert level with the aim of developing the topics identified in the Action Plan and preparing the Roundtable meeting under the chairpersonship of the Garante, Italy, in 2024.