Global Privacy Watchdogs to Focus on Enforcement Cooperation, AI and Data Flows

The conference produced several communiques and statements stressing the importance of "robust cross-border data transfer mechanisms that protect personal data," the EDPS said. Other documents detailed the critical role of data protection authorities (DPAs) in ensuring that AI technology is trustworthy and is used responsibly, and issues around AI and children.

Strong cross-border data transfer mechanisms to safeguard personal data are seen as "a cornerstone for secure and free data flow across international boundaries," the EDPS said. The G7 remains committed to boosting cooperation and regulatory collaboration to reinforce trust and privacy in the face of rapid technological change, it said.

Greater cooperation among policymakers and regulators "will bring greater international consistency and, as a result, greater certainty for businesses," emailed Hogan Lovells privacy attorney Eduardo Ustaran.

The G7 meeting is unlikely to lead to anything concrete with regard to increased data protection enforcement or compliance obligations for companies, Ustaran said. "But the fact that enforcement cooperation is identified as one of the priorities suggests that certain issues that are already under regulatory scrutiny, like the collection of personal data for AI development, the use of AI for decision-making of significance, or the processing of children's personal data, will continue to receive attention in a coordinated fashion."

2025 could see major policy changes in data protection in the EU or other G7 nations, experts said. The European Commission has new commissioners, and European Parliament elections took place last summer. The EC has proposed modifications to the general data protection regulation (GDPR) to toughen cross-border enforcement rules (see 2411040001).The proposals need approval from the European Council (made up of government ministers) and European Parliament.

President-elect Donald Trump's incoming administration is likely to bring increased attention to the "advancement of US supremacy in technology, especially in AI and the space industry," emailed Linklaters data protection attorney Tanguy Van Overstraeten. It's also expected that the U.S. will want to shield its tech industry from strict EU laws such as the Digital Services Act and Digital Market Act. This should give the EU a chance for increased autonomy in the tech sector and to reclaim market share through its leading companies, Van Overstraeten said. But achieving those goals may require legislative changes.

Michael McGrath, European commissioner for democracy, justice, rule of law and consumer protection, has stressed the need for the GDPR "to remain aligned with digital transformation and responsive to commercial needs, among others," said Van Overstraeten. It's hard to predict, however, what that means in practice, and the GDPR "could be revisited to adapt it to new realities, including the AI boost," he added.

The U.K. is modernizing its data protection rules. In comments on the proposed Data (Use and Access) Bill, introduced in October, the Information Commissioner's Office (ICO) said that besides offering strong safeguards, data protection rules "should be as easy to navigate and use for organisations as possible."

In addition, the ICO said, changes in the legislation include allowing companies to use automated decision-making regardless of their lawful basis as long as suitable safeguards are in place, and to rely on legitimate interests for this kind of data processing.

Other revisions include changes to the U.K.'s international data transfer policy to allow personal information to flow more easily from Britain to other countries with the same level of protection, the ICO wrote. The bill also includes changes to consent requirements for placement of cookies under electronic communications rules, meaning companies will need consent for fewer low-risk cookies.