International Privacy Discussion at the First Japan Symposium: Collaboration among G7 Data Protection Authorities on controlling AI and other regulatory focal points

International Privacy Discussion at the First Japan Symposium: Collaboration among G7 Data Protection Authorities on controlling AI and other regulatory focal points

The G7 Data Protection Authorities (DPAs) will convene in Rome next year, with a focus on addressing the privacy and data protection challenges posed by generative AI. The DPAs are actively engaged in shaping regulatory and practical frameworks to mitigate the risks that AI, particularly generative AI, poses to privacy and data protection.

The GDPR, the European Union's data protection law, is a key concern for the DPAs. They emphasize that generative AI models trained on personal data fall under the scope of the GDPR, as these models can memorize personal information from training data. This means that developers and users of such models must comply with data protection rules. The DPAs urge careful legal analysis and documentation to confirm whether personal data processing occurs during model training and offer practical techniques to reduce such risks.

The French data protection authority (CNIL) has finalized recommendations aimed at ensuring AI system development respects GDPR principles. They have also published compliance checklists and fact sheets to support developers operationally.

The G7 nations have adopted a declaration on AI for prosperity, which recognizes AI’s economic benefits while stressing responsible development and trustworthy AI principles. The declaration calls for collaborative governance approaches to address privacy challenges, including cross-border data flows and children's protection online. This aligns with broader international efforts such as the Council of Europe’s HUDERIA methodology for AI risk assessment and the EU’s evolving AI regulatory framework.

The EU Commission is advancing regulations like the AI Act and supporting tools such as a Code of Practice for general-purpose AI models, which aims to help providers meet transparency, safety, and intellectual property obligations.

The DPAs focus on data security, confidentiality, accountability in AI systems, and ensuring that AI providers implement robust technical and organizational safeguards against data misuse or leakage from model training. The annotation phase of datasets is seen as both a compliance and data quality risk that requires stringent controls.

The G7 DPAs' efforts are not limited to generative AI. The UK's Age Appropriate Design Code has resulted in significant improvements for the online experience of children, such as privacy settings being automatically set to high and ads being blocked for children. The CNIL has created a dedicated department to monitor how AI systems comply with legal obligations stemming from data protection law.

The G7 DPAs' Agenda, built on three pillars: Data Free Flow with Trust, emerging technologies, and enforcement cooperation. The DPAs emphasize a commitment to move towards constant exchanges related to enforcement actions and to revitalize existing global enforcement cooperation networks like GPEN.

The first Japan Privacy Symposium, hosted by our website and S&K Brussels LPC in Tokyo on June 22, 2023, featured global thought leadership on the interaction of data protection and privacy law with AI. More than 250 in-house privacy leaders, lawyers, consultants, and journalists attended the Symposium. Commissioner Shuhei Ohshima of Japan's Personal Information Protection Commission gave a keynote address at the Symposium.

The Action Plan adopted in Tokyo, the G7 DPAs included clues as to how they see the operationalization of Data Free Flow with Trust playing out. The UK already has an official "Digital Regulators Cooperation Forum" to provide a coherent regulatory framework. The IAP seems to provide a key role for governments themselves, in addition to stakeholders and "the broader multidisciplinary community of data governance experts from different backgrounds."

The G7 DPAs' Action Plan also emphasizes a commitment to move towards constant exchanges related to enforcement actions and to revitalize existing global enforcement cooperation networks like GPEN. The US FTC initiated an investigation against OpenAI. Canada introduced a bill last year that is currently under debate, focusing on high impact AI systems and preventing harms and biased outputs.

The COPPA (Children's Online Privacy Protection Act) is one of the strongest federal privacy laws in the US, and the FTC is committed to enforcing it aggressively. The CNIL prioritizes attention to age verification tools, favoring principles like no direct collection of identity documents and no processing of biometric data to recognize an individual.

The G7 DPAs' overall support for the Data Free Flow with Trust political initiative was expressed in their Communique. The DPAs must have a key role in contributing on topics that are within their competence in this Arrangement.

1. The G7 Data Protection Authorities (DPAs) will focus on addressing the privacy and data protection challenges posed by generative AI next year.
2. The GDPR, the European Union's data protection law, is a key concern for the DPAs, who argue that generative AI models trained on personal data fall under the GDPR's scope.
3. The DPAs urge careful legal analysis and documentation to confirm whether personal data processing occurs during model training and offer practical techniques to reduce such risks.
4. The French data protection authority (CNIL) has finalized recommendations for AI system development that respect GDPR principles and published compliance checklists to support developers.
5. The G7 nations have adopted a declaration on AI for prosperity, which encourages collaborative governance approaches to address privacy challenges, including cross-border data flows and children's protection online.
6. The EU Commission is advancing regulations like the AI Act and providing tools such as a Code of Practice for general-purpose AI models to help providers meet transparency, safety, and intellectual property obligations.
7. The DPAs focus on data security, confidentiality, accountability in AI systems, and implementing robust technical and organizational safeguards against data misuse or leakage from model training.
8. The G7 DPAs' Agenda includes a commitment to move towards constant exchanges related to enforcement actions and revitalizing existing global enforcement cooperation networks like GPEN, as well as providing a key role for governments and stakeholders in operationalizing Data Free Flow with Trust.

Read also: