In a world where data crosses borders in milliseconds and AI systems are trained on the personal information of billions of people, the question of who sets the rules for global privacy has never mattered more. The answer — at least as close to one as the international community currently has — lies largely with a body that many privacy professionals have heard of but fewer have engaged with deeply: the Global Privacy Assembly.
For practitioners navigating the intersection of international data flows, AI governance, and cross-border enforcement, understanding what the GPA is, how it works, and what it has been doing over the past two years is not academic background reading. It is practical professional intelligence.
What the Global Privacy Assembly Is
The Global Privacy Assembly is a leading international forum that brings together data protection and privacy authorities from around the world. Originally convened in 1979 as the International Conference of Data Protection and Privacy Commissioners, the GPA has since evolved into a global voice for privacy protection, with its membership expanding to more than 140 authorities from over 90 countries. It adopted its current name at its 41st annual conference in Tirana, Albania in 2019 — a rebranding that signaled a deliberate shift in ambition, from a collegial discussion forum to a genuine policy-setting body.
The GPA’s mission is to provide leadership at an international level in data protection and privacy by connecting the efforts of authorities globally. It serves as a platform for authorities to share knowledge, develop policy positions, and influence the development of global privacy standards. The forum encourages the adoption of high data protection standards through its resolutions and declarations on key privacy topics.
The GPA’s membership is remarkably broad. Its accredited members include the European Data Protection Supervisor and the European Data Protection Board, national data protection authorities from across Europe, the UK’s Information Commissioner’s Office, the Office of the Privacy Commissioner of Canada, regulators from across the Asia-Pacific, Latin America, Africa, and the Middle East. The United States Federal Trade Commission participates as an observer — a designation that carries significance, as we will see.
How It Works
The GPA program consists of a closed session and an open session. The closed session is attended by accredited members and observers; the public session is attended by these members and observers in addition to a wider audience from the data protection and privacy community, business, industry, civil society, academia and other government representatives.
The closed session is where the substantive governance work happens. Accredited members deliberate on proposed resolutions, review working group reports, and vote on formal outputs. In the extended part of the annual conference, the GPA deals with current social, legal and technical developments that have a global impact on the right to privacy. Representatives of international organizations and non-governmental organizations as well as from science and industry also participate in this event.
The GPA’s outputs take several forms:
- Resolutions — formal position statements adopted by the membership on specific topics, such as AI governance, facial recognition, or cross-border data flows. These are not legally binding, but they carry substantial persuasive weight with national legislators, technology companies, and international standards bodies.
- Joint Statements — coordinated public communications issued by multiple member authorities outside the annual conference cycle, typically in response to urgent or emerging issues.
- Working Group Reports — detailed technical and policy analyses produced by specialist subgroups across topic areas including AI, digital education, enforcement cooperation, and emerging technologies.
- Declarations and Communiqués — broader thematic statements that situate privacy within wider human rights and technology governance conversations.
The GPA also maintains several standing working groups that operate year-round, most importantly the International Enforcement Cooperation Working Group (IEWG), which coordinates cross-border enforcement activity and investigates issues requiring joint regulatory action. As one privacy commissioner noted: “In an age in which data flows transcend borders, cross-jurisdictional and cross-regulatory collaboration has never been more important. By working together, we can streamline our investigative processes, promote greater harmony in the application of laws, expand our capacity to take enforcement action and amplify the compliance impact of those actions.”
The 2026 Global Privacy Assembly conference has been announced for Dubai in December 2026. Below is a background on the past 2024 and 2025 conferences are below to help give some insight into how the conference is structured.
The 46th Annual Conference: Jersey, 2024
The 46th edition of the Global Privacy Assembly took place from 28 October to 1 November 2024, under the central theme “The Power of i,” focused on eight interconnected themes: individual, innovation, information, integrity, independence, international, intercultural and indigenous. Organized by the Jersey Data Protection Authority, this conference brought together representatives of over 160 GPA member and observer authorities, from academia, civil society, business and interest groups, liberal professions, the media, and more.
During the closed session, the following documents were adopted: a Resolution on the encouragement and use of certification mechanisms in data protection; a Resolution on surveillance technologies by law enforcement bodies and the protection of individuals’ rights to privacy; a Resolution on the free and trustful exchange of data and on the effective regulation of global data flows; a Resolution on the principles of personal information processing in neuroscience and neurotechnology; and a Resolution on the Rules and Procedures of the GPA.
Two of these are particularly relevant for compliance professionals operating in a cross-border data environment.
The Data Free Flow with Trust (DFFT) resolution addressed one of the most commercially consequential tensions in modern privacy law: the need to enable legitimate international data flows while maintaining meaningful protections for individuals. The GPA’s position is that these goals are not mutually exclusive but must be pursued together — and that regulatory interoperability mechanisms, including certification frameworks and recognized transfer tools, are the path forward. For organizations managing complex international data transfer architectures, the GPA’s active engagement on DFFT signals that cross-border transfer standards are likely to continue evolving, and that certification-based approaches have growing multilateral endorsement.
The surveillance and law enforcement resolution reflects the GPA’s ongoing concern about the creeping normalization of intrusive surveillance technologies in public and semi-public spaces. This connects directly to one of the GPA’s most significant recent outputs on biometric data.
Facial Recognition: A Standing GPA Priority
The GPA’s engagement with facial recognition technology has been sustained and explicit. At its 44th annual conference in Istanbul in 2022, the GPA members adopted a resolution on the use of personal information in facial recognition technology, which outlined a series of principles and expectations that authorities would promote to external stakeholders, assess real-world application, and report back on.
The resolution addressed the recognition of human features in publicly accessible spaces, noting that this had led multiple national, regional and local data protection authorities, including all EEA data protection authorities, to propose bans on certain uses. Organizations were required to establish the necessity and proportionality of facial recognition use, consider demographic differentials and bias in both system functioning and deployment impact, and ensure transparency to all potentially affected individuals.
The core message of the GPA’s facial recognition framework is clear and has not softened since its adoption: the threshold for justifying facial recognition use is high, proportionality must be assessed in advance rather than rationalized after deployment, and bias testing is not optional. For organizations using or procuring facial recognition systems — in retail, workplace access control, identity verification, or security applications — the GPA’s principles represent the closest thing the global regulatory community has to a shared standard, and individual member authorities have made clear they will apply these principles in their own enforcement contexts.
The 47th Annual Conference: Seoul, 2025
The 47th Global Privacy Assembly took place between September 15 and 19, 2025, hosted by South Korea’s Personal Information Protection Commission in Seoul, with over 140 authorities from more than 90 countries participating. The Seoul conference was notable for its concentration of AI-focused deliberation — the event had a strong focus on agentic AI, and much of the dialogue focused on the need for data protection authorities to align on smart implementation and oversight.
The conference produced three resolutions, two of which were substantive AI governance outputs of direct relevance to compliance professionals.
Resolution 1: Personal Data in AI Training
Submitted by the Office of the Australian Information Commissioner, the resolution on AI training is a powerful call to ensure that personal data used to pre-train, train, and fine-tune AI models is handled in a lawful, fair, transparent, explainable and accountable manner. The resolution affirms that AI training must comply with existing privacy and data protection laws, warns against the indiscriminate scraping of publicly available personal information without a lawful condition for using it, and calls for stronger data protection across the entire lifecycle of AI models.
The resolution stresses that economic or political imperatives to accelerate AI technologies’ development and adoption must maintain full respect for data protection and privacy principles and laws. It highlights that personal data should only be used to pre-train, train or fine-tune AI models where it has been lawfully obtained and where collection, use and disclosure is consistent with core data protection principles. On transparency, the resolution requires that AI developers and deployers implement adequate notice mechanisms, including clear, accessible, and meaningful information about the categories of data processed, data sources, and retention periods.
Notably, the resolution passed quasi-unanimously, with only one abstention among GPA members noted in the public documents: the United States Federal Trade Commission. That abstention is a telling data point about the current divergence between U.S. federal regulatory posture on AI and the direction of the global DPA community.
Resolution 2: Meaningful Human Oversight of AI Decisions
The second resolution, submitted by the Office of the Privacy Commissioner of Canada and joined by thirteen co-sponsors, focused on addressing how member authorities could synchronize their approaches to “meaningful human oversight” of AI decision-making. The Assembly resolved that GPA members should promote a common understanding of meaningful human oversight, encourage the designation of overseers with necessary competence, training, resources, and awareness of contextual information and specific information regarding AI systems, and use the GPA Ethics and Data Protection in Artificial Intelligence Working Group to share knowledge and best practices.
The resolution’s emphasis on evaluating overseers based on whether oversight was actually performed — rather than on the outcome of any particular decision — is a significant design principle with direct operational implications. It means organizations cannot satisfy oversight requirements by pointing to a nominal human reviewer who rubber-stamps AI outputs; the oversight mechanism itself must be substantive, documented, and resourced.
The February 2026 Joint Statement on AI-Generated Imagery
The GPA’s most recent major output came not from an annual conference but from its IEWG, which coordinated a joint statement published on February 23, 2026. The Joint Statement on AI-Generated Imagery was published by 61 data protection authorities and addresses concerns regarding AI systems capable of generating realistic images and videos depicting identifiable individuals without their knowledge or consent. The statement notes particular concern about the potential risks to children and other vulnerable groups, including the possibility of cyber-bullying and exploitation.
The Joint Statement identifies several principles that should inform the development and use of AI content generation systems: implementing enhanced protections for children; establishing accessible removal processes with a commitment to prompt response; strengthening safeguards against misuse; and promoting system transparency by providing clear and accessible information about how AI systems function, what protections are in place, and the intended and permissible uses.
The statement’s enforcement implications are broader than its deepfake framing might suggest. AI-powered recruitment tools analyzing candidate photos, marketing platforms using generative AI to create personalized content from customer images, security systems running facial recognition on employees, healthcare AI processing patient imaging data — in each scenario, the core question is the same: did the individual whose data is being processed consent to this specific AI use, and was the processing limited to what is necessary for the stated purpose? The GPA’s joint statement confirms that 61 regulatory authorities, coordinated through the world’s preeminent privacy governance body, are aligned on the answer.
Global Privacy Assembly — List of Accredited Members
Abu Dhabi Global Market Office of Data Protection (2021)
Albania Commissioner for Personal Data Protection / Information and Data Protection Commissioner of Albania (2010)
Andorra Data Protection Agency / Agència Andorrana de Protecció de Dades (2006)
Argentina Agencia de Acceso a la Información Pública (2018) Ombudsman’s Office of the City of Buenos Aires (2013)
Armenia Personal Data Protection Agency (2016)
Astana International Financial Centre (AIFC) Commissioner of Data Protection (2018)
Australia Office of the Australian Information Commissioner (2002) New South Wales: Privacy Commissioner (2002) Northern Territory: Information Commissioner (2003) Victoria: Office of the Victorian Information Commissioner (2017) Queensland: Office of the Information Commissioner (2017)
Austria Austrian Data Protection Authority / Datenschutzkommission (2002)
Belgium Data Protection Authority / Autorité de protection des données – Gegevensbeschermingsautoriteit Supervisory Body for Police Information Management
Benin National Commission for Informatics and Liberties / Commission Nationale de l’Informatique et des Libertés (2015)
Bermuda Office of the Privacy Commissioner of Bermuda (2020)
Bosnia and Herzegovina Personal Data Protection Agency / Agencija za zaštitu ličnih podataka u Bosni i Hercegovini (2011)
Brazil Autoridade Nacional de Proteção de Dados (ANPD) (2023)
Bulgaria Commission for Personal Data Protection / Комисия за защита на личните данни (2010)
Burkina Faso National Commission for Informatics and Liberties / Commission Nationale de l’Informatique et des Libertés (2008)
Canada Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada (2002) Alberta: Information and Privacy Commissioner (2003) British Columbia: Information and Privacy Commissioner (2002) Manitoba: Ombudsman / L’Ombudsman du Manitoba (2002) New Brunswick: Ombudsman / L’Ombud (2006) Newfoundland and Labrador: Office of the Information and Privacy Commissioner (2007) Northwest Territories: Information and Privacy Commissioner (2006) Nova Scotia: Office of the Information and Privacy Commissioner (2010) Nunavut: Information and Privacy Commissioner (2006) Ontario: Information and Privacy Commissioner / Commissionaire à l’information et à la protection de la vie privée (2002) Quebec: Information Access Commission / Commission d’accès à l’information (2002) Saskatchewan: Information and Privacy Commissioner (2005)
Cape Verde National Commission of Data Protection / Comissão Nacional de Protecção de Dados (2016)
Cayman Islands Cayman Islands Ombudsman (2020)
Chile Chilean Transparency Council / Consejo para la Transparencia (2019)
Colombia Superintendence of Industry and Commerce / Superintendencia de Industria y Comercio (2012)
Costa Rica Agency for the Protection of Personal Data of Inhabitants (2012)
Côte d’Ivoire Telecommunications/ICT Regulatory Body / Autorité de Régulation des Télécommunications de Côte d’Ivoire (ARTCI) (2016)
Council of Europe Data Protection Commissioner (2003)
Croatia Data Protection Agency / Agencija za zaštitu osobnih Podataka (2008)
Cyprus Personal Data Protection Commissioner / Επίτρoπoς Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (2003)
Czech Republic Office for Personal Data Protection / Urad Pro Ochranu Osobnich Udaju (2002)
Denmark Data Protection Agency / Datatilsynet (2002)
Dubai International Financial Centre Data Protection Commissioner (2020)
Ecuador Superintendence of Personal Data Protection (2025)
Estonia Data Protection Inspectorate / Andmekaitse Inspektsioon (2006)
European Union Customs Information System Joint Supervisory Authority (2003) European Data Protection Supervisor / Contrôleur européen de la protection des données (2004)
Finland Data Protection Ombudsman / Tietosuojavaltuutetun Toimisto (2002)
France National Commission for Informatics and Liberties / Commission Nationale de l’Informatique et des Libertés (CNIL) (2002)
FYROM / Republic of North Macedonia Personal Data Protection Agency / Агенција за заштита на личните податоци (2007)
Gabon Autorité pour la Protection des Données Personnelles et de la Vie Privée (APDPVP) (2019)
Georgia Personal Data Protection Service of Georgia
Germany Federal Data Protection Commissioner / Bundesbeauftragten für den Datenschutz (2002) Bavaria: Privacy Commissioner / Bayerische Landesbeauftragte für den Datenschutz (2002) Bavarian Data Protection Authority / Bayerisches Landesamt für Datenschutzaufsicht (2018) Berlin: Data Protection and Freedom of Information Commissioner (2002) Brandenburg: Data Protection and Access to Information Commissioner (2002) Bremen: State Commissioner for Data Protection and Freedom of Information / Die Landesbeauftragte für Datenschutz und Informationsfreiheit (2014) Hamburg: Data Protection Commissioner / Hamburgischer Datenschutzbeauftragter (2002) Hesse: Data Protection Commissioner / Hessische Datenschutzbeauftrage (2002) Mecklenburg–West Pomerania: Data Protection Commissioner (2002) North Rhine-Westphalia: Data Protection and Information Commissioner (2008) Rhineland Palatinate: Data Protection Commissioner (2002) Saxony-Anhalt: Data Protection Commissioner (2002) Schleswig-Holstein: Privacy Commissioner / Unabhängiges Landeszentrum für Datenschutz (2002) Thuringia: Data Protection Commissioner / Thüringer Landesbeauftragte für den Datenschutz (2002)
Ghana Data Protection Commission (GDPC) (2014)
Gibraltar Data Protection Commissioner (2006)
Greece Hellenic Data Protection Authority / ΑΡΧΗ ΠΡΟΣΤΑΣΙΑΣ ΔΕΔΟΜΕΝΩΝ ΠΡΟΣΩΠΙΚΟΥ ΧΑΡΑΚΤΗΡΑ (2002)
Guernsey Office of the Data Protection Authority, Bailiwick of Guernsey (2019)
Hong Kong Privacy Commissioner for Personal Data (2002)
Hungary National Authority for Data Protection and Freedom of Information / Nemzeti Adatvédelmi és Információszabadság Hatóság (2002)
Iceland Data Protection Authority / Persónuvernd (2002)
Interpol Commission for the Control of Interpol’s Files / Commission de Contrôle des Fichiers de l’O.I.P.C. Interpol (2003)
Ireland Data Protection Commission / An Coimisinéir Cosanta Sonraí (2002)
Isle of Man Isle of Man Information Commissioner (2002)
Israel Israeli Privacy Protection Authority / הרשות להגנת הפרטיות (2009)
Italy Data Protection Commission / Garante per la protezione dei dati personali (2002)
Jamaica Office of the Information Commissioner, Jamaica (2025)
Japan Personal Information Protection Commission / 個人情報保護委員会 (2017)
Jersey Jersey Office of the Information Commissioner (2002)
Kenya Office of the Data Protection Commissioner (2022)
Kosovo Information and Privacy Agency / Agjencia për Informim dhe Privatësi (2013)
Latvia State Data Inspectorate / Datu Valsts Inspekcija (2002)
Liechtenstein Data Protection Authority (2006)
Lithuania State Data Inspectorate / Valstybine Duomenu Apsaugos Inspekcija (2002)
Luxembourg National Data Protection Commission / Commission nationale pour la protection des données (2005)
Mali Personal Data Protection Authority / Autorité de Protection de Données à Caractère Personnel (2016)
Malta Data Protection Commissioner (2003)
Mauritania The Mauritanian Personal Data Protection Authority (2024)
Mauritius Data Protection Office of Mauritius (2013)
Mexico National Institute for Transparency, Access to Information and Personal Data Protection (INAI) (2010) Institute for Access to Public Information of the Federal District (2010) State of Mexico Transparency, Public Information Access and Personal Data Protection Institute (INFOEM) (2015) Institute for Transparency, Access to Information and Data Protection of Michoacán (2022) State Institute for Transparency, Access to Information and Personal Data Protection (INFO NL) (2022) Institute of Transparency and Access to Information of the State of Quintana Roo (2024) Institute of Transparency and Access to Information of the State of Tamaulipas (2024)
Moldova National Center for Personal Data Protection / Centrului Naţional pentru Protecţia Datelor cu Caracter Personal (2010)
Monaco Supervisory Commission for Personal Information / Commission de Contrôle des Informations Nominatives (2009)
Montenegro Agency for Personal Data Protection and Free Access to Information (2017)
Morocco National Commission for the Control and Protection of Personal Data / Commission nationale de contrôle et de protection des données personnelles (2011)
Netherlands Autoriteit Persoonsgegevens (2002)
New Zealand Privacy Commissioner / Te Mana Matapono Matatapu (2002)
Niger Haute Autorité de Protection des Données à Caractère Personnel (HAPDP) (2023)
Nigeria Nigeria Data Protection Commission (NDPC) (2023)
Norway Data Inspectorate / Datatilsynet (2002)
Organisation for Economic Co-operation and Development (OECD) Data Protection Commissioner (2019)
Peru National Authority for Data Protection / Autoridad Nacional de Protección de Datos Personales (2012)
Philippines National Privacy Commission (2016)
Poland Personal Data Protection Office / Urząd Ochrony Danych Osobowych (2002)
Portugal National Data Protection Commission / Comissão Nacional de Protecção de Dados (2002)
Qatar Qatar National Cybersecurity Agency (2024) Data Protection Office of the Qatar Financial Centre (2024)
Republic of Korea Korea Internet & Security Agency / 한국인터넷진흥원 (2004) Korea Communications Commission (2018) Personal Information Protection Commission / 개인정보보호위원회 (2012)
Romania National Supervisory Authority for Personal Data Protection / Autorităţii Naţionale de Supraveghere a Prelucrării Datelor cu Caracter Personal (2006)
San Marino Autorità Garante per la protezione dei dati personali (2019)
São Tomé and Príncipe National Agency for the Protection of Personal Data / Agência Nacional de Protecção de Dados Pessoais (2019)
Senegal Commission of Personal Data Protection (CDP) / La Commission de Protection de Données Personnelles (2014)
Serbia Commissioner for Information of Public Importance and Personal Data Protection / Повереник за информације од јавног значаја и заштиту података о личности (2012)
Singapore Personal Data Protection Commission (2025)
Slovakia Office for Personal Data Protection of the Slovak Republic / Úrad na ochranu osobných údajov Slovenskej republiky (2002)
Slovenia Human Rights Ombudsman / Varuh Človekovih Pravic (2002) Information Commissioner of the Republic of Slovenia / Informacijski pooblaščenec (2007)
South Africa Information Regulator (2017)
Spain Data Protection Agency / Agencia de Protección de Datos (2002) Basque Country: Data Protection Commissioner / Agencia Vasca de Protección de Datos (2005) Catalonia: Catalan Data Protection Agency / Agència Catalana de Protecció de Dades (2004) Transparency and Data Protection Council of Andalusia / Consejo de Transparencia y Protección de Datos Personales de Andalucía (2022)
Sweden Swedish Authority for Privacy Protection / Integritetsskyddsmyndigheten (2002)
Switzerland Federal Data Protection and Information Commissioner / Préposé fédéral à la protection des données et à la transparence (2002) Canton of Basel-Landschaft: Data Protection Commissioner (2005) Canton of Basel-Stadt: Data Protection Commissioner (2015) Canton of Bern: Data Protection Commissioner (2020) Canton of Zug: Data Protection Commissioner (2002) Canton of Zurich: Data Protection Commissioner (2002)
Tunisia National Personal Data Authority / Instance Nationale de Protection des Données Personnelles (2012)
Turkiye Personal Data Protection Authority / Kişisel Verileri Koruma Kurumu (2017)
Uganda The Uganda Personal Data Protection Office (2024)
Ukraine Ukrainian Parliament Commissioner for Human Rights / Уповноваженого Верховної Ради України з прав людини (2015)
United Kingdom Information Commissioner’s Office (2002)
United States of America Federal Trade Commission (2010) California Privacy Protection Agency (2022)
Uruguay Regulatory and Control Unit of Personal Data / Unidad Reguladora y de Control de Datos Personales (2009)
Zimbabwe Zimbabwe Postal and Telecommunications Regulatory Authority (2024)
Former Members of the Global Privacy Assembly
Joint Supervisory Body of Europol, European Union — Accredited 2003, abolished 2017 Data Protection Agency of the Region of Madrid, Spain — Accredited 2003, abolished 2012 Board of the National Institute for Transparency, Access to Information, and Personal Data Protection of Mexico (INAI Board) — abolished March 2025.
What This Means for Privacy Professionals
The GPA does not have enforcement authority. Its resolutions are not regulations. But to treat it as merely aspirational would be a significant strategic mistake. Here is why it matters in practice:
- Regulatory foreshadowing: GPA resolutions consistently precede the hardening of national regulations. The 2020 resolution on children’s digital rights foreshadowed the wave of children’s privacy legislation enacted globally since then. The 2022 facial recognition resolution established the principles that individual DPAs are now applying in enforcement actions. The 2025 AI training resolution is likely to shape national regulatory requirements for AI data governance in the near term.
- Enforcement coordination: The IEWG actively coordinates cross-border enforcement investigations. When 61 DPAs sign a joint statement on AI-generated imagery, that is not a press release — it is a coordinated enforcement signal. Organizations that dismiss joint statements as symbolic do so at their peril.
- International transfer planning: The GPA’s sustained engagement on DFFT and certification mechanisms informs the trajectory of cross-border transfer frameworks globally. Organizations designing international data architecture need to track GPA positions alongside the specific legal requirements of individual jurisdictions.
- The U.S. gap: The FTC’s abstention from the 2025 AI training resolution is a meaningful divergence signal. Privacy professionals at U.S. organizations with international operations need to navigate the gap between the direction of global DPA consensus and the current posture of U.S. federal privacy regulators — a gap that is likely to create compliance complexity rather than simplification in the near term.
The 48th Global Privacy Assembly will be held in Dubai in December 2026. Given the trajectory of the last two conferences, AI governance — including agentic AI, training data standards, synthetic media, and human oversight requirements — will almost certainly dominate the agenda. For privacy professionals, following the GPA’s outputs is no longer optional background reading. It is an essential part of staying ahead of where global regulatory expectations are heading before they arrive on your compliance desk.
