DPAs’ Action Plan approved at G7 Japan 2023

We, the G7 Data Protection and Privacy Authorities (DPAs), endorse the following Action Plan on the three pillars set out by the 2023 Communiqué, namely (I) Data Free Flow with Trust (DFFT), (II) Emerging technologies, and (III) Enforcement cooperation. In doing so, we commit to:

Pillar I – DFFT

Developing DFFT

1. Remain attentive and supportive to the ongoing efforts to develop the concept of DFFT, as progressed within several international fora such as our G7 working group, the Global Privacy Assembly (GPA), the Organization for Economic Co- operation and Development (OECD), including through the announcement of the creation of a new Institutional Arrangement for Partnership (IAP), and emphasize that trust is a vital component to the flow of data on a global scale.
   2. Reach a common understanding of the notion and key components of DFFT as far as personal data is concerned and assess common goals to ensure a high level of data protection and privacy.

Transfer tools

3. Build on the conclusions of the G7 DPA Roundtable in Bonn in 2022 which recognized data transfer tools as important means for DFFT.
4. Continue working towards elements of convergence to foster future interoperability of these transfer tools, where possible, and identify specific use- cases for their interoperable use, in order to achieve a high level of data protection and facilitate DFFT.
5.  Contribute to and support the work that is being undertaken by the Global Frameworks and Standards Working Group of the GPA, through the existing membership of the G7 DPAs.
6. Share knowledge on tools for secure and trustworthy transfers, notably through the comparison of Global Cross-Border Privacy Rules (CBPR) and EU certification requirements, and through the comparison of existing model contractual clauses. This work will assess the level of interoperability and convergence between different certification mechanisms and other tools for transfers, and map commonalities and possible differences as well as areas for further improvement.
7.  Identify opportunities for longer term initiatives for the DFFT Working Group, including progressing discussions on how DPAs can play an active role in the development of the IAP.

Government access to data

8. Commend the 2021 GPA resolution on Government Access to Data, Privacy and the Rule of Law.
9.  Encourage the OECD to continue its work on trusted government access including considering further steps to promote and develop approaches in support of its Declaration on Government Access to Personal Data held by Private Sector Entities adopted at the OECD Ministerial meeting in December 2022.
10. Considering its universal nature, encourage non-OECD members to refer to the OECD Declaration and reflect it in their policy making.

Pillar II – Emerging technologies

11. Seek to promote the development and usage of emerging technologies in ways that reinforce trust and respect privacy.

Terminology reference document

12. Facilitate collaborative work and discussions on de-identification, anonymization, pseudonymization, and Privacy-Enhancing Technologies (PETs) by fostering a common understanding of key terms and concepts in use across G7 jurisdictions.
13. Develop a terminology reference document outlining key terms and characteristics relating to de-identification, anonymization, pseudonymization, and PETs in use among G7 DPAs to facilitate collaborative work and discussions.The document will note how terms are defined, explain common features across jurisdictions, and note important differences between jurisdictions. It will also address relevant international definitions/uses of terms (e.g. International Organization for Standardization (ISO) standards), and will contain references to sources of information, guidance, and definitions for key terms in G7 jurisdictions.

PETs use case study

14. Encourage the adoption and development of PETs by developing a use case demonstrating how one specific PET (synthetic data) can be used to reduce privacy risks while contributing to the public benefit.
15. Bring regulatory insights to this emerging market and encourage the use of such technologies, by demonstrating, through this use case, how synthetic data can be used for the purpose of sharing health data to help achieve a safe and privacy-enhancing method for obtaining insights from sensitive data.The use case will seek to explain how generating local-level synthetic datasets of prescriptions can allow insights to be gained at a wider geographic level without the need to share sensitive information about individual prescriptions and provide information about how such a process can take place, what technical and organizational measures are required and what privacy considerations are relevant.
16. Share knowledge and existing work in this area and identify opportunities to engage with subject matter experts and other relevant stakeholders.
17. Discuss how to proceed with other PETs in this Working Group without limitation to use case studies once the analysis of one type of PET (synthetic data) is completed.

Support for GPA resolution on principles for the use of facial recognition technology

18. Welcome the GPA 2022 Resolution on Principles and Expectations for the Appropriate Use of Personal Information in Facial Recognition Technology (FRT), which seeks to establish a set of shared principles for FRT use by public and private organizations around the world.
19. Promote these principles and expectations to stakeholders worldwide, by:Citing and hyperlinking the text of the principles and expectations, where relevant and appropriate, in documentation on AI and FRT-related topics produced by Emerging Technologies Working Group members; Encouraging support for the principles and expectations, as and where appropriate, among external stakeholder groups. Advocating for safeguards that are consistent with the principles and expectations, as and where appropriate in members’ jurisdictions.

Collaboration on personal data protection in the context of generative AI

20. Collaborate on the issue of personal data protection within the context of generative AI from an ethical, legal, social, and technical perspective.
21. Contribute to discussions on generative AI in other international fora, while emphasizing the need to pay close attention to data protection and privacy issues.
22. Explore how best to protect privacy in relation to generative AI.