G7 Data Protection And Privacy Authorities Release Joint Statement On Generative AI And Communiqué For Relevant Global Issues

On June 21, 2023, the Privacy Commissioner of Canada met with fellow members of the G7 data protection and privacy authorities (collectively, the DPAs) to discuss global privacy issues and enforcement cooperation.  Based on these discussions, the DPAs released a joint statement (the Statement) on generative artificial intelligence (AI) technologies and a communiqué (the Communiqué) that addresses key issues currently occupying the group’s focus.

The Statement acknowledges that generative AI holds potential risks to privacy, data protection, and other fundamental human rights if left unchecked by legal regulation.  Accordingly, the DPAs call for AI related laws to be focused on protecting “…human rights and fundamental freedoms and the protection of privacy and personal data".  The DPAs also called for developers and providers of generative AI technologies to take on a “Privacy by Design” approach to the design, conception, operation, and management of AI technologies.  This includes maintaining compliance with existing laws and globally observed principles, such as data minimization, data quality, purpose specification, use limitation, security safeguards, transparency, rights for data subjects, and accountability.

In addition to the Statement, the DPAs released the Communiqué that sets out three pillars to be addressed in dedicated working groups: (i) Data Free Flow with Trust (DFFT); (ii) emerging technologies; and (iii) enforcement cooperation among the DPAs.  The Communiqué also mentions an action plan (the Action Plan) that will be used by the DPAs to deal with challenges that are identified for each pillar.  Notably, the Action Plan includes the following action items:

• In an effort to further develop the concept of DFFT, the DPAs will share knowledge on data transfer tools that are considered secure and trustworthy.
• To promote emerging technologies and increase collaboration among the DPAs, a terminology reference document will be developed that outlines key terms and characteristics for de-identification, anonymization, pseudonymization, and Privacy-Enhancing Technologies used across G7 jurisdictions. The document will define the terms and highlight differences between jurisdictions.
• To further assist in enforcement cooperation, the DPAs will work to increase dialogues among the data protection community for enforcement cooperation matters, such as the enforcement of laws and regulations, and the identification of challenges for cross-border enforcement cooperation.

For more information, the Action Plan can be found here.

Summary By: Imtiaz Karamat