Skip to content

Global Privacy Assembly adopts new resolutions

On 21 October 2021, the Global Privacy Assembly (GPA) concluded its 43rd Closed Session, hosted virtually by the Mexican National Institute of Access to Information and Data Protection. During the course of the four-day event, the GPA adopted a number of resolutions.

Having set the scene and outlined progress against the 2019-2021 strategic plan, the GPA acknowledged the impact of the Covid-19 pandemic on accelerated digitalisation. As such, the GPA has, amongst other things, resolved during the period 2021-2023 to prioritise global regulatory environment for privacy with clear and consistently high standards of data protection as digitalisation continues. In order to implement the priorities the GPA will adopt an Implementation Plan setting out clear, practical actions, rather than focusing solely on policy.  Three pillars support the strategic priorities: (i) evolving global frameworks and standards; (ii) enforcement cooperation; and (iii) policy focus areas (which continue to include data sharing for public good; AI biometrics and surveillance technologies; protecting children online; data protection and other rights and freedoms).

Under the Resolution on Data Sharing for the Public Good, the GPA established a Working Group on Data Sharing for the Public Good, a group intended to expand on the work of the Covid-19 Working Group and focus on data protection and privacy issues as the response to the Covid-19 pandemic shifts towards economic recovery.

In its Resolution on Children’s Digital Rights, the GPA makes a number of recommendations directed towards those concerned in the field of protection of children’s rights in the digital environment. It specifically recommends, amongst others that:

  • the capacity of children to exercise their own digital rights directly be expressly affirmed and that consent given by the child (or guardian) is free and informed;
  • age assurance mechanisms must be based on risk assessment, data protection principles and respect privacy;
  • privacy policies, terms of use, details of the child’s rights in a digital environment and commitments to child data protection are presented in a child-friendly manner;
  • controllers and data protection authorities should consider implementing child-friendly complaints processes;
  • online service providers should not incorporate manipulation or deceptive techniques in their design interfaces that would influence a child’s decisions and unduly affect their privacy or cause them to provide more personal data than in necessary;
  • tracking must be off by default and where necessary should only be carried out with knowledge of the child (or carer) with the right to object
  • States should consider introducing regulations prohibiting practices which manipulate children or which aim to unduly influence their behaviour;
  • data controllers and processors implement accountability measures imposing greater responsibility including, for example, increased measures of security;
  • States should consider promoting regulations that prohibit the use or transmission to third parties of children’s data for commercial purposes;
  • electronic communication service providers should only processes a child’s basic information and technical data strictly necessary-states to consider legislation in this area accounting for age/maturity;
  • data controllers and online service providers should not profile a child based on their digital record (or presumed characteristics) for commercial purposes nor should they disseminate/disclose personal data of an informative/newsworthy nature if it would be detrimental to the child’s honour, image or reputation;
  • online service providers should integrate promotion of best interests of the child into their service design, for example, through use of approaches referenced above, children’s rights impact assessments and consultation with children/carers during development; and
  • States, online service providers and data protection authorities should encourage amongst others the introduction of contractual provisions regarding limitation of personal data use beyond basic information strictly necessary for use of services.
The GPA is further advocating a set of principles be applied for government access to personal data held by the private sector for national security and public safety purposes. In its Resolution on Government Access to Data, the GPA called on governments and international organisations to observe a set of principles covering matters such as legal basis, the need for clear and precise rules, for necessity, proportionality and transparency, and to work towards the development of multilateral instruments to ensure compliance with these principles in relation to governmental access to personal data. The GPA also called for discussions on regulating the sale, export and use of technologies that allow for intrusive and disproportionate access to, in particular, electronically held personal data.

Related expertise