Discussion at the Initial Japan Privacy Symposium: G7 Data Protection Authorities outlined strategies to control AI, and listed key regulatory focus areas

Discussion at the Initial Japan Privacy Symposium: G7 Data Protection Authorities outlined strategies to control AI, and listed key regulatory focus areas

The G7 nations are actively shaping data protection and privacy regulations for generative AI, with a strong emphasis on transparency, risk mitigation, and privacy. The EU is leading the charge with detailed, risk-based regulatory frameworks, while other member states contribute harmonised principles that emphasise transparency, data minimisation, protection of minors, and international cooperation for privacy in AI deployments.

The EU's approach is outlined in the EU AI Act, which is nearing phased implementation. Standard generative AI models must comply with transparency requirements, including technical documentation, training data summaries, and copyright compliance. Higher-risk models face stricter obligations, such as rigorous evaluations, systemic risk mitigation, incident reporting, and cybersecurity mandates. The second phase, set for August 2, 2025, will introduce these rule sets specifically for generative AI models. Enforcement will involve the new European AI Office alongside national regulators.

Within the G7 context, data protection authorities from member nations have collaborated to address privacy challenges posed by AI. The G7 Commissioners' Communique expressed overall support for the Data Free Flow with Trust political initiative. The G7 emphasises responsible innovation balanced with privacy protection, especially emphasising protections for children online, age-appropriate design, and data minimisation principles. The G7 supports international frameworks facilitating trusted cross-border data flows such as the Global CBPR and Privacy Recognition system.

National regulators like France’s CNIL and Germany’s Data Protection Supervisory Authorities have issued detailed guidance on lawful AI data processing, endorsing principles like data minimisation, transparency, legitimate interest legal bases, clear role designation of data controllers/processors, and privacy by design in AI system development. Enforcement guidance under GDPR has also been clarified to ensure consistent action on data protection violations related to AI systems.

Switzerland’s AI regulatory strategy remains in development, aiming for finalisation in 2025, which will likely align with broader G7 and EU principles but is not yet fully enacted. The United States approach focuses on broad AI management and innovation promotion, as reflected in the White House’s AI Action Plan, which includes steps toward regulatory frameworks balancing innovation with risk management, though it is less prescriptive than the EU AI Act in data privacy detail.

Canada is in the process of legislating AI, with the regulatory activity assigned to the relevant ministry in the Canadian government. The UK already has an official "Digital Regulators Cooperation Forum" to provide a coherent regulatory framework. The UK's Information Commissioner, John Edwards, stated that commissioners are "keen to ensure" they do not miss the development of generative AI in the way they missed the moment of building business models underpinning social media and online advertising.

The G7 DPA Commissioners will meet in Rome next year, and the G7 DPA Agenda was built on three pillars: Data Free Flow with Trust, emerging technologies, and enforcement cooperation. The program started with a keynote address from Commissioner Shuhei Ohshima of Japan's Personal Information Protection Commission. The Action Plan adopted in Tokyo by the G7 DPAs includes clues as to how they see the operationalization of Data Free Flow with Trust playing out.

The Japan Privacy Symposium, hosted by our website and S&K Brussels LPC in Tokyo on June 22, 2023, featured global thought leadership on the interaction of data protection and privacy law with AI. The Garante (Italian data protection authority) has a long track record of enforcing data protection law on algorithmic systems and decision-making that impacted the rights of individuals. The IAP seems to provide a key role for governments themselves, alongside stakeholders and data governance experts.

Notably, the US FTC initiated an investigation against OpenAI. The UK is also taking a proactive approach, with the Garante (Italian data protection authority) having a long track record of enforcing data protection law on algorithmic systems and decision-making that impacted the rights of individuals.

In summary, the G7 nations are actively shaping data protection and privacy regulations for generative AI, with the EU currently leading in detailed, risk-based regulatory frameworks. Other member states contribute harmonised privacy authorities’ principles, emphasising transparency, data minimisation, protection of minors, and international cooperation for privacy in AI deployments. Enforcement and regulatory specifics continue developing through 2025 with phased implementation ongoing.

1. The G7 Commissioners' Communique supports the Data Free Flow with Trust political initiative, which promotes trusted cross-border data flows such as the Global CBPR and Privacy Recognition system.
2. Standard generative AI models must comply with transparency requirements under the EU AI Act, which includes technical documentation, training data summaries, and copyright compliance.
3. Enforcement of the EU AI Act's rules sets for generative AI models will be carried out by the new European AI Office alongside national regulators.
4. National regulators like France’s CNIL and Germany’s Data Protection Supervisory Authorities have issued guidance on lawful AI data processing, emphasizing principles such as data minimisation and transparency.
5. Switzerland’s AI regulatory strategy, which will likely align with broader G7 and EU principles, is still in development, aiming for finalisation in 2025.
6. The US FTC initiated an investigation against OpenAI, indicating a proactive approach towards ensuring privacy and compliance with regulations in the use of generative AI.
7. The UK has an official "Digital Regulators Cooperation Forum" to provide a coherent regulatory framework, and the Information Commissioner, John Edwards, is keen to ensure they do not miss the development of generative AI like they missed the moment of building business models underpinning social media and online advertising.
8. The Japan Privacy Symposium will feature global thought leadership on the interaction of data protection and privacy law with AI, with the Garante (Italian data protection authority) having a long track record of enforcing data protection law on algorithmic systems and decision-making that impacted the rights of individuals.

Read also: