Introduction
Global Privacy Assembly (GPA) is a global forum for data protection and privacy authorities. First convened in 1979 and formerly known as the International Conference of Data Protection and Privacy Commissioners, it brings together regulators and privacy authorities to cooperate on data protection issues. GPA influences global privacy policy through resolutions, working groups, declarations, reports and annual meetings involving authorities from more than 130 member bodies.
What is GPA and what does it do
GPA provides a cooperation platform for data protection and privacy authorities from different jurisdictions. Its members use the forum to exchange regulatory experience, adopt common positions, coordinate on emerging privacy risks and strengthen international cooperation.
The Assembly does not regulate companies directly. Its influence comes from the way member authorities use GPA outputs in domestic policy, enforcement priorities, guidance, international cooperation and privacy frameworks affecting organisations that process personal data.
Mission and remit
GPA’s mission is to provide international leadership in data protection and privacy. It supports member authorities by promoting cooperation, sharing practical experience and helping regulators respond to technological, legal and social changes affecting privacy rights.
Its remit covers issues such as artificial intelligence, cross-border data transfers, children’s privacy, digital identity, biometrics, certification, data free flow with trust, privacy enforcement cooperation, online tracking, automated decision-making and responsible data governance.
Core work domains
- International privacy cooperation — Support for cooperation and information exchange between data protection and privacy authorities.
- Resolutions and declarations — Adoption of common positions on emerging privacy, data protection and technology issues.
- Working groups and reports — Specialist work on topics such as AI, enforcement cooperation, digital citizen rights, data transfers and regulatory capacity.
- Cross-border data governance — Discussion of international data flows, data free flow with trust, adequacy, interoperability and safeguards.
- Technology and emerging risks — Focus on privacy implications of AI, biometrics, neurotechnology, automated decisions and digital platforms.
- Capacity building and regulatory practice — Sharing tools, approaches and experience between authorities with different levels of institutional maturity.
- Public and closed-session engagement — Annual meetings that include public-facing sessions and closed sessions for accredited authorities.
Geographic scope and cross-border reach
GPA is global in scope. Its accredited members include data protection and privacy authorities from many regions, including Europe, the Americas, Africa, Asia-Pacific and the Middle East.
The annual GPA meeting is hosted by different member authorities in different locations. The Assembly’s influence reaches beyond the host country because its resolutions and working group outputs are used by privacy regulators and policymakers across jurisdictions.
Why GPA matters for payments operators
GPA matters for PSPs, acquirers, payment gateways, wallets, fintech platforms, fraud vendors, identity providers and payment orchestration companies because payment services rely heavily on personal data. Even though GPA does not supervise payment firms directly, its work can influence privacy guidance, regulatory cooperation and enforcement themes that later affect payment operators.
For payments companies, GPA is especially relevant where payment data intersects with cross-border transfers, fraud monitoring, biometric authentication, digital identity, AI-driven risk scoring, transaction analytics, customer profiling, children’s data, consent, data minimisation and data retention. These themes can affect product design, compliance controls, vendor management and data governance.
The teams most likely to follow GPA include privacy, legal, compliance, data protection, product, risk, fraud, data science, information security, vendor management, policy and senior leadership teams.
Who runs GPA and how is it organised
GPA is composed of accredited member authorities and observers. Its work is organised through an Executive Committee, working groups, annual meetings, closed sessions, public sessions and secretariat arrangements governed by GPA rules and procedures.
The Assembly is not an open industry association. Decision-making is reserved for eligible privacy and data protection authorities, while companies and civil society may participate only through specific public sessions, consultations, events or engagement with their national regulators.
Membership composition
GPA membership is made up of data protection and privacy authorities rather than private companies.
| Category | Typical participants |
|---|---|
| National privacy authorities | Independent data protection regulators and privacy commissioners at national level |
| Sub-national authorities | Regional or state-level data protection authorities where eligible under GPA rules |
| Regional and international observers | Organisations involved in privacy, data protection, human rights or regulatory cooperation |
| Working group participants | Member authority representatives contributing to specialist policy, enforcement or technology work |
| Annual meeting participants | Accredited members, observers, invited experts and public-session attendees depending on the programme |
Working groups and decision rights
GPA working groups examine priority issues and prepare reports, resolutions or practical resources for members. Topics can include AI, data transfers, enforcement cooperation, digital rights, emerging technologies and regulatory capacity.
Voting and formal decision-making belong to accredited members according to GPA rules. Private companies do not have direct voting rights, but they may follow GPA outputs and engage with member authorities in their own jurisdictions.
What does GPA publish and how are its outputs used
GPA publishes resolutions, declarations, reports, working group materials, communiqués and annual meeting outputs. These documents are not laws, but they can shape regulatory thinking and policy development across jurisdictions.
| Output type | Scope | Used by |
|---|---|---|
| Resolutions | Common positions adopted by member authorities on privacy and data protection issues | Privacy authorities, policymakers, companies and advisers |
| Declarations | High-level statements on data protection principles and global privacy priorities | Regulators, public bodies and international organisations |
| Working group reports | Detailed analysis of emerging topics or regulatory practice | Data protection authorities, legal teams, policy teams and researchers |
| Annual meeting materials | Public-session and closed-session outputs from GPA meetings | Regulators, companies, civil society and privacy professionals |
| Rules and procedures | Governance documents for GPA membership, decision-making and secretariat arrangements | Member authorities and observers |
Adoption and downstream influence
GPA outputs are not legally binding on companies. Their influence is indirect: privacy authorities may use GPA positions when developing national guidance, enforcement priorities, cooperation mechanisms or public policy views.
For payment operators, GPA materials can be useful early signals of where privacy regulators are paying attention. Topics such as AI, biometrics, data transfers, certification, children’s privacy and automated decision-making may later appear in local regulator guidance or enforcement activity.
Events and convenings
GPA holds an annual meeting hosted by a member authority, usually with both closed sessions for accredited authorities and public-facing sessions involving wider stakeholders. The annual meeting is a key forum for adopting resolutions, discussing emerging issues and coordinating international privacy cooperation.
GPA also supports working group activity and engagement between member authorities throughout the year.
How to engage with GPA
Private companies cannot join GPA as members. Engagement is usually indirect and happens through national data protection authorities, public sessions, consultations, observer organisations, privacy conferences or responses to policy initiatives influenced by GPA work.
For payment operators, the practical route is to monitor GPA resolutions and reports, compare them with local regulator guidance, and assess whether emerging privacy themes affect product design, data governance, cross-border transfers or vendor relationships.
Access routes for private-sector input
Companies may engage with GPA-related issues by attending public sessions where available, following published outputs, contributing to consultations run by national privacy authorities, and participating in industry associations that discuss privacy policy.
The most direct relationship for a company remains with its relevant national or regional privacy regulator, not GPA itself.
What companies gain from following GPA
Companies that follow GPA can identify early international privacy trends and prepare for regulatory convergence. This is useful for payment operators with cross-border operations, data-intensive products, AI-driven fraud tools, biometric authentication, digital identity services or complex vendor networks.
FAQ
Is GPA the same as a data protection authority?
No. GPA is not a national or regional data protection authority. It is a forum where data protection and privacy authorities cooperate, exchange experience and adopt shared positions. Individual regulators remain responsible for supervision, enforcement and guidance in their own jurisdictions.
What was GPA called before?
GPA was formerly known as the International Conference of Data Protection and Privacy Commissioners. The name Global Privacy Assembly was adopted in 2019 to better reflect its global role and broader privacy-policy cooperation between member authorities.
Can a company become a GPA member?
Private companies cannot become GPA members. Membership is reserved for eligible data protection and privacy authorities. Companies can still follow GPA publications, attend public sessions where available and engage with privacy regulators or trade associations in their own markets.
Why should PSPs follow GPA?
PSPs should follow GPA because payment services process sensitive personal and transactional data. GPA outputs can signal future privacy regulatory attention around AI, biometrics, digital identity, cross-border transfers, transaction monitoring, customer profiling and data minimisation.
Does GPA create binding privacy law?
GPA does not create binding privacy law. Its resolutions and reports are influential but non-binding. They may still matter because member authorities can use GPA outputs when developing domestic guidance, enforcement priorities, cooperation mechanisms or privacy-policy positions.
What topics does GPA cover besides GDPR-style privacy?
GPA covers many global privacy issues beyond GDPR implementation, including AI governance, children’s privacy, digital education, neurotechnology, biometrics, automated decisions, certification mechanisms, cross-border data flows and data protection capacity building.
How often does GPA meet?
GPA holds an annual meeting hosted by a member authority in a different location. The annual meeting includes closed sessions for accredited authorities and often public sessions where wider stakeholders can follow or participate in discussions on global privacy issues.
Comments