GPA Resolution on Achieving Global Data Protection Standards: Principles to Ensure High Levels of Data Protection and Privacy Worldwide

By Policy Development Division

In October 2023, the 45th Global Privacy Assembly (GPA) adopted the GPA Resolution on Achieving Global Data Protection Standards. The Resolution aims to positively influence data protection laws, policies, and practices by establishing key principles and rights essential for high data protection standards in today's digital economy.

Here, we delve into the Resolution’s objectives, significance, content, and implications for privacy and data protection worldwide.

Objectives of the Resolution

Recognizing that high global data protection standards are vital to providing increased protections for people and certainty for organizations, the Resolution seeks to foster a common understanding of the standards of, and approach to, data protection principles among the data protection and privacy authorities of the world. By outlining essential principles and rights, the GPA aims to create a framework that member authorities can adopt, ensuring robust data protection practices are universally implemented.

Importance of the Resolution

The Resolution's adoption emphasizes a shared commitment to high data protection standards among GPA’s 130+ member authorities. This consensus on data protection standards is crucial for several reasons.

First, high data protection standards ensure that an individual’s personal data is safeguarded wherever personal data flows. This is increasingly vital in an era where data transcends borders. The Resolution also supports regulatory cooperation in tackling common challenges, particularly those arising from new technologies like artificial intelligence. Lastly, a greater coherence in underpinning high standards is a prerequisite for managing risks associated with cross-border data transfers. It also contributes to the long-term goal of achieving interoperability of global data flows.

Key Principles of the Resolution

Building on the GPA's 2009 Madrid Resolution, the 2023 Resolution updates and emphasizes high-level principles crucial for data protection in the digital age. These principles are:

  1. Lawfulness and Fairness - The processing of personal data must be lawful, in accordance with applicable national legislation and international agreements. It must also be fair, ensuring the processing does not result in unfair, discriminatory, or biased outcomes.
  2. Purpose Specification - Processing should be limited to the fulfillment of specific, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Necessity and Proportionality - Personal data should be limited to that which is adequate, relevant, and not excessive in relation to the purposes of the processing.
  4. Data Quality - All reasonable steps should be taken to ensure that the personal data processed is accurate and kept up to date as necessary to fulfill the purposes.
  5. Transparency - Organizations should provide clear, accessible, and easy-to-understand information about their data processing activities so that people are properly informed about how their data is processed and can exercise their rights.
  6. Privacy by Design and Default - Data protection measures should be integrated into the development and operation of technologies and processes.
  7. Accountability - Organizations should be accountable for adhering to these principles and capable of demonstrating compliance.

Updates to the 2009 Madrid Resolution

In addition to updating the general privacy principles adopted in the original Madrid Resolution, the Resolution refers to other resources that provide insights into current approaches to data protection law, regulation, and best practices, and support high standards globally. These include:

Likewise, while many principles in the resolution are familiar, the Resolution also includes important updates that reflect both regulatory and legislative developments as well as the application of case law and best practices, for example:

  • Ability of individuals to exercise their rights and seek redress, ensuring effective protection regardless of location.
  • Effective and independent supervisory authorities not only in monitoring compliance but also in outreach and training.
  • Application of principles to new technologies, cybersecurity risks, and the digital economy, ensuring relevance in a rapidly changing environment.

Implementation and Advocacy

The Resolution calls on GPA members to advocate for and promote these principles. This means ensuring the principles, rights, and elements set out in the Resolution are effectively implemented and applied, particularly in the context of new and emerging technologies. Through the Resolution, GPA members are also encouraged to call on law and policymakers to consult data protection and privacy authorities as trusted expert advisers when enacting and amending data protection, privacy, and related laws.

For more information, the Resolution can be accessed at the GPA website here and the FAQs here.