Article

G7 data protection and privacy authorities discuss key data protection issues and emerging technologies

G7 data protection and privacy authorities discuss key data protection issues and emerging technologies

On June 26, 2026, the data protection and privacy authorities of the G7 (UK, U.S., Canada, Japan, Italy, Germany, France, and the EU) (the G7 DPAs) gathered at a roundtable (the Roundtable), with a view to increasing international cooperation and fostering high standards for privacy protection.  

The G7 DPAs were joined by representatives from the Global Privacy Assembly, the Global Privacy Enforcement Network, the Governance Committee of the Asia Pacific Privacy Authorities, the Association francophone des autorites de protection des donnees personnelle, the Personal Information Protection Commission of Korea, the Committee of Convention 108 of the Council of Europe and the OECD. 

The Roundtable discussed key data protection issues in relation to the following topics:

  • Children’s protection online and age assurance: The G7 DPAs welcomed the G7 Digital and Technology Ministers’ commitment (made in its May 2026 G7 Common set of principles defining a safer and more secure digital space for minors) to rely on “robust, reliable, risk-based, appropriate, rights-respecting, privacy-preserving and interoperable age assurance solutions” in relation to protecting children. In that context the G7 DPAs flagged the Age Assurance Statement (described below). The Roundtable also included a discussion on deepfakes, the risks to children of such technology, and the efforts of some regulators to take action against developers, deployers and users of AI systems on that basis.
  • Connected home devices and protecting children’s privacy: The G7 DPAs highlighted the Connected Home Devices Paper (described below) and the G7 DPAs’ intention to collaborate in relation to other new technologies that may pose data protection and privacy risks.
  • Smart glasses: by reference to the CNIL Smart Glasses Compendium (described below), the G7 DPAs noted the benefits of smart glasses but highlighted associated risks. For example, the volume of personal data that may be collected is substantial, there is a risk of general surveillance, the discreet nature of smart glasses makes it difficult for individuals to know when their data is being collected.
  • Agentic AI: The G7 DPAs recognized the opportunities afforded by agentic AI systems but discussed the unique risks and challenges they pose to data protection and privacy (including agentic AI autonomy, complexity of supply chains, automated decision making and lack of human oversight). No joint statement was produced on this topic but the G7 DPAs committed to sharing information to improve knowledge of the systems.
  • Enforcement cooperation: The G7 DPAs acknowledged their ongoing cooperation and information sharing and the creation of a G7 data protection and privacy authorities public enforcement repository for their use.
  • Data free flow with trust: The G7 DPAs welcomed the G7 Digital and Technology Ministers’ reiteration of the importance of trust-based data frameworks and the ministers’ commitment to data free flow with trust while respecting legislation such as that related to privacy and data protection. The G7 DPAs stated that they will continue to cooperate with a view to creating more “commonalities, complementarities and elements of convergence” between cross-border transfer regimes to enable interoperability and trusted cross-border data flows. They specifically highlighted discussions on the infrastructure for cross-border data transfers including with regards to government access to personal data.

In addition to the summary of topics addressed at the Roundtable, the G7 DPAs published a number of papers. 

A joint statement on privacy-preserving age assurance tools (the Age Assurance Statement) outlines the following (non-exhaustive list of) key data protection and privacy issues:

  • Age assurance as a restrictive measure should be balanced against individuals’ other rights and freedoms such as the right to freedom of expression and access to information.
  • Age assurance should not create further privacy risk and should not enable identification, tracking, profiling or monitoring of individuals. Age assurance results should only be used for the specific purpose that required age assurance.
  • Data collection, its subsequent use and retention to verify age, should be limited to what is necessary to achieve age assurance.
  • Accurate and proportionate approaches should be used to ensure effective age assurance.
  • Online service providers and those involved in the age assurance ecosystem should handle personal data in compliance with law and they should be transparent about their use of personal data in the context of age assurance.
  • In light of the sensitive nature of children’s data, reasonable and appropriate technical and organizational measures should be deployed to ensure the adequate security of personal data.
  • Privacy by design should lead approaches to age assurance throughout its development and its operational life-cycle (including by regularly evaluating effectiveness). 

The G7 DPAs also recognize that age assurance tools are evolving and are just one of the approaches that can contribute to online safety, alongside, for example, parental control systems and digital literacy initiatives.

A paper on connected home devices and children’s privacy (the Connected Home Devices Paper) notes that:

  • data is often collected by connected home devices through tracking technology
  • consumers are often not aware of this data collection
  • this data collection occurs in a context where individuals have the highest expectations of privacy
  • there are a range of associated data protection risks, particularly when connected home devices are used by children (who are less aware of the consequences of processing of their personal data). 

The Connected Home Devices Paper notes that special considerations are needed when connected home devices target children. It calls on manufacturers, software developers and others within the online tracking ecosystem to follow a set of principles. For example: 

  • Apply privacy by design and default. Turn off geolocation and online behavioral advertising by default. Turn off behavioral profiling by default or set to the highest level of privacy. Minimize data collection by default.
  • Ensure all communications (including privacy policies) are clear, use easily understandable language and reflect the maturity of the child. Provide further notices to parents.
  • Ensure that privacy and consent mechanisms are appropriate for the child (or the parent, where required). Do not use deceptively designed patterns.
  • Ensure the child and parent have meaningful choice over when and how data is collected and used. Display clear options on the device to accept or reject data processing/to manage choices.
  • Ensure that any data processing by the device or service is carried out in reliance on a valid lawful basis. Carry out an appropriate assessment to determine whether any data processing raises any harms or risks for the child.
  • Notify the child and parent (in a conspicuous manner) when a device is “listening” or recording data.
  • Comply with data retention requirements and ensure that data collected about the child is not retained for any longer than is permitted.
  • Apply strong security measures by default and update regularly. Provide control and knowledge of security settings for users and prevent data breaches.
  • Manufacturers and services providers should ensure accountability of the data ecosystem.
  • Manufacturers should account for the best interests of the child and ensure legal compliance.

The French supervisory authority, the CNIL, shared its compendium on G7 data protection and privacy authority approaches to smart glasses (the Smart Glasses Compendium). The Smart Glasses Compendium describes the smart glasses technology and use cases. It summarizes data protection risks and concerns as previously expressed by data protection authorities (in relation to smart glasses and internet of things devices more generally). It also notes privacy recommendations that have also been highlighted by those authorities. The Smart Glasses Compendium also calls out G7 court proceedings and supervisory activities relating to smart glasses. 

For further information, please find the following resources below: 

Related capabilities