The 47^th Global Privacy Assembly (GPA) took place in Seoul, South Korea, in September 2025. Data protection authorities from around the world issued two milestone resolutions related to artificial intelligence (AI), co-sponsored by the Office of the Privacy Commissioner for Bermuda (PrivCom):

• Resolution on the collection, use and disclosure of personal data to pre-train, train, and fine-tune AI models

• Resolution on meaningful human oversight of decisions involving AI systems

Submitted by the Office of the Australian Information Commissioner, the GPA resolution on AI training is a powerful call to ensure that personal data used to pre-train, train, and fine-tune AI models is handled in a lawful, fair, transparent, explainable and accountable manner. The resolution:

• affirms that AI training must comply with existing privacy and data protection laws;

• warns against the indiscriminate scraping of publicly available personal information without a lawful condition for using it;

• calls for stronger cross-border enforcement cooperation among DPAs to oversee global AI systems; and

• promotes global engagement with OECD, the Council of Europe, and UN bodies to advance trustworthy AI governance.

The GPA underscored that privacy is a fundamental human right and trustworthy, ethical AI is essential to its exercise by individuals.

Submitted by the Office of the Privacy Commissioner of Canada on behalf of the Working Group on Ethics and Data Protection in Artificial Intelligence (AIWG), the GPA human oversight resolution emphasised that human oversight is essential to ensuring automated decision-making (ADM) systems respect fundamental human rights, including privacy, lawfulness and fairness. The resolution:

• reaffirms that individuals must not be subject to fully automated decisions without meaningful human review and safeguards;

• stresses that oversight must be effective, informed, and empowered — not symbolic or procedural;

• warns that automation can undermine transparency, explainability and accountability if humans cannot understand or challenge system outputs;

• calls for clear governance frameworks so humans can intervene, override, or audit algorithmic decisions; and

• highlights the need for strong protections where decisions impact employment, access to services, vulnerable persons, or other fundamental rights.

  
  

The GPA urged governments, regulators, and developers to ensure that human judgment remains central in high-impact automated systems — promoting trust, accountability, and rights-respecting innovation. The Office of the Privacy Commissioner of Bermuda encourages and advises all organisations to follow the practices noted in these resolutions.

What is the GPA?

The GPA is a global forum that brings together more than 130 data protection and privacy watchdogs worldwide. It seeks to provide leadership in data protection and privacy.

The Assembly has been in existence for more than four decades. It first met in 1979 and was known until 2019 as the International Conference of Data Protection and Privacy Commissioners. In September 2020, PrivCom joined the GPA as an accredited member. PrivCom hosted the 45^th GPA in Bermuda in October 2023. To find out more, read Bermuda 2023 GPA Annual Meeting: Ripples, Waves & Currents or visit 45th Annual Global Privacy Assembly Open Sessions - YouTube.