In March 2026, at the Global Cross-Border Privacy Rules (CBPR) Forum in Lima, the Information Technology Industry Council (ITI) presented findings from its recent paper on how privacy frameworks can remain effective and relevant in the world of AI.
The growth of generative AI in recent years has added complexity to an already fragmented global data privacy landscape. At the same time, proportionate, risk-based data privacy frameworks have proven to be important enablers of AI innovation and growth.
Policymakers around the world now have an opportunity to streamline privacy rules and processes so that they remain fit for purpose in the AI era. Doing this in a coordinated way will help reduce fragmentation, facilitate trusted cross-border data flows, and provide greater certainty for organizations developing and deploying AI technologies.
(Image provided by Rob McGruer.)
Generative AI requires a distinct approach
ITI’s paper makes clear that generative AI requires a distinct approach when it comes to the application of longstanding privacy norms.
Generative AI systems involve different stages of data processing, from the development of models through to their deployment and use, and form part of a value chain with distinct roles and responsibilities often shared among different actors. Traditional privacy accountability roles, such as data controllers and processors, do not always easily map onto these value chains, and greater collaboration is needed between regulators and industry to apply these roles consistently and proportionately without stifling innovation.
Generative AI systems also interact with data differently. Unlike traditional data processing methods, models convert vast datasets into mathematical parameters capable of generating probabilistic outputs. This means that when generative AI intersects with personal data, it requires flexible and forward-looking interpretations of core privacy principles such as data minimization, transparency, and accuracy, and for regulators to support pragmatic approaches to privacy risk management.
These unique characteristics mean that generative AI and privacy considerations are context specific and vary depending on the stage of the AI value chain, the type of data involved and the actual corresponding privacy risks. This does not mean that AI requires a rewriting of data privacy laws, but it does mean that rules need to be applied based on a clear understanding of the technology.
The need for layered accountability
Effective AI and privacy governance depends on layered accountability. Organizations are increasingly combining traditional privacy compliance tools and AI-specific safeguards, with a particular emphasis on encryption, pseudonymization, and accelerating industry-wide deployment of privacy-enhancing technologies (PETs).
While different privacy regulators around the world have published initial positions on how privacy rules should apply to generative AI, more needs to be done to turn this into a developed and consistent body of knowledge that can provide greater certainty for responsible innovation, and to narrow the gaps when it comes to trusted cross-border data sharing.
Privacy regulators should establish clear and consistent approaches confirming how privacy laws are compatible with and promote responsible AI development and use. This could include promoting specific guidance (for example on a global pro-innovation approach to pseudonymized data), coordinating with other sectoral regulators to establish more coherent policy approaches across the data economy, or partnering with industry to set out how AI technology itself can be better harnessed to improve privacy outcomes.
Global CBPRs as a forum for solutions
The Global CBPR forum provides an opportunity for governments, regulators and industry to come together and practically define these layered accountability approaches and solutions. The Global CBPR’s emphasis on organizational accountability and privacy-by-design practices means it is well placed to help global privacy rules evolve and for this to happen within a flexible and scalable framework for cross-border data sharing.
Data privacy is also one layer of a much wider AI policy debate focused on economic growth, competitiveness and security, and this reinforces the need for interoperable and trusted data transfer frameworks such as the Global CBPR forum. Ultimately, effective global privacy governance will require ongoing collaboration between regulators, governments, and industry, taking account of the broader AI policy ecosystem and grounded in a strong understanding of the underlying technology.
About the Author
Rob McGruer is Senior Director of Policy at ITI, where he focuses on global privacy and data policy within the Trust, Data, and Technology team. He brings experience from the private sector, government, and regulatory bodies—including Ofcom and the U.S. Federal Trade Commission—and holds advanced academic credentials in EU law and languages, as well as CIPP/US certification.
