45th Global Privacy Assembly

16 November 2023

The Global Privacy Assembly, which brings together the data protection authorities from more than 80 countries, has adopted seven resolutions, including two on artificial intelligence at its annual meeting in October 2023.

An annual discussion between 80 countries on the protection of privacy

Created in 1979, the Global Privacy Assembly (GPA) brings together data protection authorities from over 80 countries to discuss high-stakes issues relating to the protection of personal data and privacy.

The CNIL was represented at this event by Mr Bertrand du Marais, commissioner in charge of international issues.

The main resolutions adopted

At its 45th annual meeting, held from 15 to 20 October 2023 in Bermuda, the GPA adopted seven resolutions as well as a new action plan for 2023-2025. The CNIL participated in the drafting of several of these resolutions, notably on:

Generative artificial intelligence systems

This resolution, proposed by the European Data Protection Supervisor, recalls the need to respect essential data protection principles when developing, operating and deploying AI systems:

  • lawfulness of the data processing (i.e. the fact that the collection and use of the data complies with the law);
  • limitation of the objectives (or purposes) of the processing;
  • data minimisation;
  • data accuracy ;
  • data transparency;
  • data security ;
  • data protection by design and by default;
  • respecting the rights of data subjects;
  • the accountability of developers, suppliers and entities deploying generative AI systems.

A report on the work carried out by the members of the GPA working group on AI will shortly be presented to the members of the Assembly.

Artificial intelligence and employment

This resolution underlines the importance of data protection and privacy principles and safeguards in the development and use of artificial intelligence systems in the employment context (including recruitment).

In order to draft this resolution, a survey was carried out among GPA members. The risks identified included, among others:

  • a lack of transparency;
  • the presence of prejudice or discrimination;
  • a lack significant human intervention;
  • a lack of assessment of the necessity and proportionality of the use of AI in the workplace, or the absence of a legal basis for the processing and/or of specific laws for the use of AI in this context.

Global data protection principles

This resolution driven by the UK's data protection authority (Information Commissioner 's Office or ICO ), aims to update the principles adopted by the GPA in Madrid in 2009 in the light of recent technological developments.

The resolution includes new principles such as data protection by design and by default, the right to data portability, and a framework for profiling and automated decision-making.

Other resolutions adopted

At this annual meeting, the GPA also adopted the following four resolutions:

  • the creation of a 'library' of resources on the key principles of data protection to support GPA members in their decision-making;
  • the creation of a working group on an intersectional gender approach to data protection;
  • a resolution on health data and scientific research;
  • a proposal for a joint GPA/Access Now prize on data protection and human rights.

Digital education: remedies for exercising minors' rights

The CNIL is leading the GPA Working Group on Digital Education. It presented the results of a survey carried out among its counterparts on the pathways offered to young people faced with the issue of illegal or harmful online content.

The findings are as follows:

  • A limited number of data protection authorities have specific powers to investigate and block illegal content online in the context of cyber-bullying of minors.
  • The authorities do have the power to deal with requests from minors to have their data deleted if sites and social networks failed to respond.
  • A wide variety of institutions and associations supported by the public authorities are available to listen to young people. These contact points work actively with data protection authorities to take swift action against digital violence.
  • Data protection authorities have already made considerable efforts to guide minors and/or their parents in exercising their rights. They could further improve the pages on their websites aimed at young people or those accompanying them. The aim is to display practical information in clearer, and more entertaining language.