Data protection authorities issue joint statement on AI-generated imagery and privacy concerns
OIC has signed a joint statement with 60 other domestic and global privacy authorities, highlighting concerns about artificial intelligence (AI) systems that generate realistic images and videos depicting identifiable individuals, without their knowledge or consent.
Queensland’s Information Commissioner, Joanne Kummrow, and Privacy Commissioner, Alexander White, signed the statement which was coordinated by the International Enforcement Cooperation Working Group (part of the Global Privacy Assembly).
Mr White said the united position highlights the seriousness of the issue, as well as the need for organisations developing and using AI systems to comply with applicable legal frameworks, including data protection and privacy rules.
“We are especially concerned about potential harm to vulnerable groups in the community, including children. This misuse of personal information can result in serious harms, such as reputational and emotional harm from cyber-bullying and exploitation,” Mr White said.
“While technological advancements can bring positives to our world, we must ensure AI content generation systems do not encroach on people’s privacy rights, dignity, safety and other fundamental rights.”
The joint statement is provided below.
Joint Statement on AI-Generated Imagery and the Protection of Privacy
23 February 2026
The co-signatories below are issuing this Joint Statement in response to serious concerns about artificial intelligence (AI) systems that generate realistic images and videos depicting identifiable individuals without their knowledge and consent.
While AI can bring meaningful benefits for individuals and society, recent developments - particularly AI image and video generation integrated into widely accessible social media platforms - have enabled the creation of non-consensual intimate imagery, defamatory depictions, and other harmful content featuring real individuals. We are especially concerned about potential harms to children and other vulnerable groups, such as cyber-bullying and/or exploitation.
Expectations for Organisations
The co-signatories remind all organisations developing and using AI content generation
systems that such systems must be developed and used in accordance with applicable legal frameworks, including data protection and privacy rules.
We also highlight that the creation of non-consensual intimate imagery can constitute a criminal offence in many jurisdictions.
Whilst specific legal requirements vary by jurisdiction, fundamental principles should guide all organisations developing and using AI content generation systems, including:
- Implement robust safeguards to prevent the misuse of personal information and generation of non-consensual intimate imagery and other harmful materials, particularly where children are depicted.
- Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse.
- Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests.
- Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators.
Coordinated Response
The harms arising from non-consensual generation of intimate, defamatory, or otherwise harmful content depicting real individuals are significant and call for urgent regulatory attention.
To encourage the development of innovative and privacy-protective AI, the co-signatories of this statement are united in expressing their concern about the potential harms from the misuse of AI content generation systems. The co-signatories aim to share information on their approaches to addressing these concerns that can include enforcement, policy and education, as appropriate and to the extent that such sharing is consistent with applicable laws. This reflects our shared commitment and joint effort in addressing a global risk.
Conclusion
We call on organisations to engage proactively with regulators, implement robust safeguards from the outset, and ensure that technological advancement does not come at the expense of privacy, dignity, safety, and other fundamental rights - particularly for the most vulnerable of our global society.
Signatories
OIC has signed a joint statement with 60 other domestic and global privacy authorities, highlighting concerns about artificial intelligence (AI) systems that generate realistic images and videos depicting identifiable individuals, without their knowledge or consent.
| Albania Information and Data Protection Office of the Republic of Albania Besnik Dervishi, Information and Data Protection Commissioner |
| Andorra Andorran Data Protection Agency Agència Andorrana de Protecció de Dades Jèssica Obiols, Head of the Andorran Data Protection Agency |
| Argentina Agency of Access to Public Information – DPA Argentina Agencia de Acceso a la Información Pública Mg. Beatriz de Anchorena, Commissioner of the Agency to Access to Public Information |
| Autonomous City of Buenos Aires (Argentina) Ombudsman’s Office of the Autonomous City of Buenos Aires Defensoría del Pueblo de la Ciudad Autónoma de Buenos Aires María Rosa Muiños, Defensora del Pueblo / Ombudsman |
| State of Queensland (Australia) Office of the Information Commissioner, Queensland Joanne Kummrow, Information Commissioner Alexander White, Privacy Commissioner |
| Basque (Spain) Basque Data Protection Authority Autoridad Vasca de Protección de Datos Unai Aberasturi Gorriño, President |
| Belgium Data Protection Authority Autorité de la protection des données – Gegevensbeschermingsautoriteit Koen Gorissen, Chairman of the Board Alexandra Jaspar, Member of the Board Peter Van den Eynde, Member of the Board |
| Bermuda Office of the Privacy Commissioner of Bermuda E. Angie Farquharson, Acting Privacy Commissioner |
| Brazil National Data Protection Agency Agência Nacional de Proteção de Dados Waldemar Gonçalves Ortunho Junior, Director-President |
| Bulgaria Commission for Personal Data Protection of the Republic of Bulgaria Комисия за защита на личните данни Borislav Bozhinov, Chairman |
| Burkina Faso Commission for Information Technology and Freedoms Commission de l’Informatique et des Libertés Kouliga Désiré Yameogo, Director of Legal Affairs and Litigation |
| Canada Office of the Privacy Commissioner of Canada Philippe Dufresne, Commissioner |
| Province of Alberta (Canada) Office of the Information and Privacy Commissioner of Alberta Diane McLeod, Information and Privacy Commissioner |
| Province of British Columbia (Canada) Office of the Information and Privacy Commissioner for British Columbia Michael Harvey, Information and Privacy Commissioner for British Columbia |
| Province of Newfoundland and Labrador (Canada) Office of the Information and Privacy Commissioner for Newfoundland and Labrador Kerry Hatfield, Commissioner |
| Province of Quebec (Canada) Commission on Access to Information of Quebec Commission d’accès à l’information du Québec Me Lise Girard, President and Member Me Naomi Ayotte, Vice-President, Supervision Section and Administrative Judge Me Steeven Plante, Member, Supervision Section and Administrative Judge |
| Republic of Cabo Verde National Commission of Data Protection Comissão Nacional de Proteção de Dados Faustino Varela Monteiro, President |
| Catalonia (Spain) Catalan Data Protection Authority Autoritat Catalana de Protecció de Dades Meritxell Borràs i Solé, Director |
| Colombia Superintendence of Industry and Commerce of Colombia Superintendencia de Industria y Comercio Juan Carlos Upegui, Deputy Superintendent for the Protection of Personal Data |
| Croatia Croatian Personal Data Protection Agency Agencija za zaštitu osobnih podataka Zdravko Vukić, Director |
| Cyprus Commissioner for Personal Data Protection, Cyprus Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα Maria Christofides, Commissioner for Personal Data Protection |
| Ecuador Superintendence of Personal Data Protection of Ecuador Superintendencia de Protección de Datos Personales del Ecuador Fabrizio Roberto Peralta Díaz, Superintendent of Data Protection |
| European Data Protection Board European Data Protection Board Anu Talus, Chair of the European Data Protection Board |
| European Data Protection Supervisor European Data Protection Supervisor Wojciech Wiewiórowski, European Data Protection Supervisor |
| France National Commission for Information Technology and Civil Liberties Commission Nationale de l’Informatique et des Libertés Marie-Laure Denis, President |
| Germany Federal Commissioner for Data Protection and Freedom of Information Bundesbeauftragte für den Datenschutz und die Informationsfreiheit Andreas Hartl, Deputy Commissioner |
| Ghana Data Protection Commission Ghana Dr Arnold Kavaarpuo, Executive Director / Commissioner Quintin Akrobotu, Director, Regulatory & Compliance Abigail Tibuah Yeboah, Head of Administration |
| Gibraltar Gibraltar Regulatory Authority John Paul Rodriguez, Chief Executive Officer |
| Bailiwick of Guernsey Office of the Data Protection Authority Brent Homan, Data Protection Commissioner |
| Hong Kong (SAR), China Office of the Privacy Commissioner for Personal Data 個人資料私隱專員公署 Ada Chung Lai-Ling, Privacy Commissioner |
| Iceland The Icelandic Data Protection Authority Persónuvernd Helga Þórisdóttir, Data Protection Commissioner Helga Sigríður Þórhallsdóttir, Head of International Affairs & Guidance |
| Ireland Data Protection Commission Coimisiún um Chosaint Sonaí Dr. Des Hogan, Commissioner for Data Protection and Chairperson Dale Sunderland, Commissioner for Data Protection Niamh Sweeney, Commissioner for Data Protection |
| Isle of Man Isle of Man Information Commissioner Alexandra Delaney-Bhattacharya, Information Commissioner |
| Israel Israeli Privacy Protection Authority הרשות להגנת הפרטיות Gilad Semama, Commissioner |
| Italy Italian Data Protection Authority Garante per la Protezione dei dati Personali Pasquale Stanzione, President Ginevra Cerrina Feroni, Vice-President Agostino Ghiglia, Board Member |
| Bailiwick of Jersey Jersey Office of the Information Commissioner Paul Vane, Information Commissioner |
| Kenya Office of the Data Protection Commissioner Oscar Otieno, Deputy Data Commissioner |
| Kosovo Information and Privacy Agency Krenare Sogojeva Dërmaku, Commissioner for Information and Privacy |
| Malta Office of the Information and Data Protection Commissioner of Malta Ian Deguara, Information and Data Protection Commissioner |
| Mauritius Mauritius Data Protection Office Drudeisha Madhub, Data Protection Commissioner |
| State of Mexico and Municipalities (Mexico) Institute for Transparency, Access to Public Information and Personal Data Protection of the State of Mexico and Municipalities Instituto de Transparencia, Acceso a la Información Pública y Protección de Datos Personales del Estado de México y Municipios Dr. José Martínez Vilchis, President Commissioner Rosario Mejía Ayala, Commissioner Sharon Cristina Morales Martínez, Commissioner Luis Gustavo Parra Noriega, Commissioner Guadalupe Ramírez Peña, Commissioner |
| State of Nuevo León (Mexico) Institute for Transparency, Access to Public Information and Personal Data Protection of Nuevo León Instituto de Transparencia, Acceso a la Información Pública y Protección de Datos Personales del Estado de Nuevo León Brenda Lizeth González Lara, President Commissioner Félix Fernando Ramírez Bustillos, Commissioner María Teresa Treviño Fernández, Commissioner |
| Mexico Personal Data Protection Unit of the Anti-Corruption and Good Government Secretariat Unidad de Protección de Datos Personales de la Secretaría Anticorrupción y del Buen Gobierno |
| Monaco Personal Data Protection Authority Autorité de Protection des Données Personnelles Agnès Lepaulmier, Secretary General |
| Netherlands Dutch Data Protection Authority Autoriteit Persoonsgegevens Monique Verdier, Deputy Chair |
| New Zealand Office of the Privacy Commissioner, New Zealand Michael Webster, Privacy Commissioner |
| Nigeria Nigeria Data Protection Commission Dr. Vincent Olatunji, National Commissioner / Chief Executive Officer |
| Norway Norwegian Data Protection Authority Datatilsynet Tobias Judin, Head of International |
| Panama The National Authority for Transparency and Access to Information Autoridad Nacional de Transparencia y Acceso a la Información Licda. Sheyla Castillo de Arias, Director |
| Peru National Authority for the Protection of Personal Data Autoridad Nacional de Protección de Datos Personales Eduardo Luna Cervantes, Director |
| Philippines National Privacy Commission, Philippines Atty. Johann Carlos S. Barcena, CESO III, Privacy Commissioner Atty. Jose Amelito S. Belarmino, MSc, Deputy Privacy Commissioner Atty. Juan Paolo F. Fajardo, Deputy Privacy Commissioner |
| Poland Personal Data Protection Office Urząd Ochrony Danych Osobowych Mirosław Wróblewski, President of the Office |
| Portugal Portuguese Data Protection Supervisory Authority Comissão Nacional de Proteção de Dados Prof. Dra. Paula Meira Lourenço, President |
| Singapore Personal Data Protection Commission of the Republic of Singapore Denise Wong, Deputy Commissioner |
| Slovenia Information Commissioner of the Republic of Slovenia Informacijski pooblaščenec dr. Jelena Virant Burnik, Information Commissioner |
| Republic of Korea Personal Information Protection Commission 개인정보 보호위원회 Kyung Hee Song, Chairperson |
| Switzerland Federal Data Protection and Information Commissioner Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter Adrian Lobsiger, Federal Data Protection and Information Commissioner |
| Emirate of Abu Dhabi (United Arab Emirates) ADGM Office of Data Protection Sami Mohammed, Commissioner of Data Protection |
| Emirate of Dubai (United Arab Emirates) Dubai International Financial Centre Authority Lori Baker, Vice President – Data Protection & Regulatory Compliance |
| United Kingdom UK Information Commissioner’s Office William Malcolm, Executive Director Regulatory Risk & Innovation |
| Uruguay Regulatory and Control Unit for Personal Data Unidad Reguladora y de Control de Datos Personales Executive Council |