Joint Statement on AI-Generated Imagery and the Protection of Privacy
By JOIC
23 February 2026
The co-signatories below are issuing this Joint Statement in response to serious concerns about artificial intelligence (AI) systems that generate realistic images and videos depicting identifiable individuals without their knowledge and consent.
While AI can bring meaningful benefits for individuals and society, recent developments - particularly AI image and video generation integrated into widely accessible social media platforms - have enabled the creation of non-consensual intimate imagery, defamatory depictions, and other harmful content featuring real individuals. We are especially concerned about potential harms to children and other vulnerable groups, such as cyber-bullying and/or exploitation.
Expectations for Organisations.
The co-signatories remind all organisations developing and using AI content generation systems that such systems must be developed and used in accordance with applicable legal frameworks, including data protection and privacy rules. We also highlight that the creation of non-consensual intimate imagery can constitute a criminal offence in many jurisdictions.
Whilst specific legal requirements vary by jurisdiction, fundamental principles should guide all organisations developing and using AI content generation systems, including:
Implement robust safeguards to prevent the misuse of personal information and generation of non-consensual intimate imagery and other harmful materials, particularly where children are depicted.
Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse.
Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests.
Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators.
Coordinated Response.
The harms arising from non-consensual generation of intimate, defamatory, or otherwise harmful content depicting real individuals are significant and call for urgent regulatory attention.
To encourage the development of innovative and privacy-protective AI, the co-signatories of this statement are united in expressing their concern about the potential harms from the misuse of AI content generation systems. The co-signatories aim to share information on their approaches to addressing these concerns that can include enforcement, policy and education, as appropriate and to the extent that such sharing is consistent with applicable laws. This reflects our shared commitment and joint effort in addressing a global risk.
Conclusion.
We call on organisations to engage proactively with regulators, implement robust safeguards from the outset, and ensure that technological advancement does not come at the expense of privacy, dignity, safety, and other fundamental rights - particularly for the most vulnerable of our global society.
Signatories.
This Joint Statement has been coordinated by the Global Privacy Assembly's (GPA) International Enforcement Cooperation Working Group (IEWG) and is signed by the following co-signatories.
Albania Information and Data Protection Office of the Republic of Albania Besnik Dervishi, Information and Data Protection Commissioner
Andorra Andorran Data Protection Agency Agència Andorrana de Protecció de Dades Jèssica Obiols, Head of the Andorran Data Protection Agency
Argentina Agency of Access to Public Information – DPA Argentina Agencia de Acceso a la Información Pública Mg. Beatriz de Anchorena, Commissioner of the Agency to Access to Public Information
Autonomous City of Buenos Aires (Argentina) Ombudsman’s Office of the Autonomous City of Buenos Aires Defensoría del Pueblo de la Ciudad Autónoma de Buenos Aires María Rosa Muiños, Defensora del Pueblo / Ombudsman
State of Queensland (Australia) Office of the Information Commissioner, Queensland Joanne Kummrow, Information Commissioner Alexander White, Privacy Commissioner
Basque (Spain) Basque Data Protection Authority Autoridad Vasca de Protección de Datos Unai Aberasturi Gorriño, President
Belgium Data Protection Authority Autorité de la protection des données – Gegevensbeschermingsautoriteit Koen Gorissen, Chairman of the Board Alexandra Jaspar, Member of the Board Peter Van den Eynde, Member of the Board
Office of the Privacy Commissioner of Bermuda Angie Farquharson, Acting Privacy Commissioner
Brazil National Data Protection Agency Agência Nacional de Proteção de Dados Waldemar Gonçalves Ortunho Junior, Director-President
Bulgaria Commission for Personal Data Protection of the Republic of Bulgaria Комисия за защита на личните данни Borislav Bozhinov, Chairman
Burkina Faso Commission for Information Technology and Freedoms Commission de l’Informatique et des Libertés Kouliga Désiré Yameogo, Director of Legal Affairs and Litigation
Canada Office of the Privacy Commissioner of Canada Philippe Dufresne, Commissioner
Province of Alberta (Canada) Office of the Information and Privacy Commissioner of Alberta Diane McLeod, Information and Privacy Commissioner
Province of British Columbia (Canada) Office of the Information and Privacy Commissioner for British Columbia Michael Harvey, Information and Privacy Commissioner for British Columbia
Province of Newfoundland and Labrador (Canada) Office of the Information and Privacy Commissioner for Newfoundland and Labrador Kerry Hatfield, Commissioner
Province of Quebec (Canada) Commission on Access to Information of Quebec Commission d’accès à l’information du Québec Me Lise Girard, President and Member Me Naomi Ayotte, Vice-President, Supervision Section and Administrative Judge Me Steeven Plante, Member, Supervision Section and Administrative Judge
Republic of Cabo Verde National Commission of Data Protection Comissão Nacional de Proteção de Dados Faustino Varela Monteiro, President
Catalonia (Spain) Catalan Data Protection Authority Autoritat Catalana de Protecció de Dades Meritxell Borràs i Solé, Director
Colombia Superintendence of Industry and Commerce of Colombia Superintendencia de Industria y Comercio Juan Carlos Upegui, Deputy Superintendent for the Protection of Personal Data
Croatia Croatian Personal Data Protection Agency Agencija za zaštitu osobnih podataka Zdravko Vukić, Director
Cyprus Commissioner for Personal Data Protection, Cyprus Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα Maria Christofides, Commissioner for Personal Data Protection
Ecuador Superintendence of Personal Data Protection of Ecuador Superintendencia de Protección de Datos Personales del Ecuador Fabrizio Roberto Peralta Díaz, Superintendent of Data Protection
European Data Protection Board European Data Protection Board Anu Talus, Chair of the European Data Protection Board
European Data Protection Supervisor European Data Protection Supervisor Wojciech Wiewiórowski, European Data Protection Supervisor
France National Commission for Information Technology and Civil Liberties Commission Nationale de l’Informatique et des Libertés Marie-Laure Denis, President
Germany Federal Commissioner for Data Protection and Freedom of Information Bundesbeauftragte für den Datenschutz und die Informationsfreiheit Andreas Hartl, Deputy Commissioner
Ghana Data Protection Commission Ghana Dr Arnold Kavaarpuo, Executive Director / Commissioner Quintin Akrobotu, Director, Regulatory & Compliance Abigail Tibuah Yeboah, Head of Administration
Gibraltar Gibraltar Regulatory Authority John Paul Rodriguez, Chief Executive Officer
Bailiwick of Guernsey Office of the Data Protection Authority Brent Homan, Data Protection Commissioner
Hong Kong (SAR), China Office of the Privacy Commissioner for Personal Data 個人資料私隱專員公署 Ada Chung Lai-Ling, Privacy Commissioner
Iceland The Icelandic Data Protection Authority Persónuvernd Helga Þórisdóttir, Data Protection Commissioner Helga Sigríður Þórhallsdóttir, Head of International Affairs & Guidance
Ireland Data Protection Commission Coimisiún um Chosaint Sonaí Dr. Des Hogan, Commissioner for Data Protection and Chairperson Dale Sunderland, Commissioner for Data Protection Niamh Sweeney, Commissioner for Data Protection
Isle of Man Isle of Man Information Commissioner Alexandra Delaney-Bhattacharya, Information Commissioner
Israel Israeli Privacy Protection Authority הרשות להגנת הפרטיות Gilad Semama, Commissioner
Italy Italian Data Protection Authority Garante per la Protezione dei dati Personali Pasquale Stanzione, President Ginevra Cerrina Feroni, Vice-President Agostino Ghiglia, Board Member
Bailiwick of Jersey Jersey Office of the Information Commissioner Paul Vane, Information Commissioner
Kenya Office of the Data Protection Commissioner Oscar Otieno, Deputy Data Commissioner
Kosovo Information and Privacy Agency Krenare Sogojeva Dërmaku, Commissioner for Information and Privacy
Malta Office of the Information and Data Protection Commissioner of Malta Ian Deguara, Information and Data Protection Commissioner
Mauritius Mauritius Data Protection Office Drudeisha Madhub, Data Protection Commissioner
State of Mexico and Municipalities (Mexico) Institute for Transparency, Access to Public Information and Personal Data Protection of the State of Mexico and Municipalities Instituto de Transparencia, Acceso a la Información Pública y Protección de Datos Personales del Estado de México y Municipios Dr. José Martínez Vilchis, President Commissioner Rosario Mejía Ayala, Commissioner Sharon Cristina Morales Martínez, Commissioner Luis Gustavo Parra Noriega, Commissioner Guadalupe Ramírez Peña, Commissioner
State of Nuevo Leon (Mexico) Institute for Transparency, Access to Public Information and Personal Data Protection of Nuevo León Instituto de Transparencia, Acceso a la Información Pública y Protección de Datos Personales del Estado de Nuevo León Brenda Lizeth González Lara, President Commissioner Félix Fernando Ramírez Bustillos, Commissioner María Teresa Treviño Fernández, Commissioner
Mexico Personal Data Protection Unit of the Anti-Corruption and Good Government Secretariat Unidad de Protección de Datos Personales de la Secretaría Anticorrupción y del Buen Gobierno
Monaco Personal Data Protection Authority Autorité de Protection des Données Personnelles Agnès Lepaulmier, Secretary General
Netherlands Dutch Data Protection Authority Autoriteit Persoonsgegevens Monique Verdier, Deputy Chair
New Zealand Office of the Privacy Commissioner, New Zealand Michael Webster, Privacy Commissioner
Nigeria Nigeria Data Protection Commission Dr. Vincent Olatunji, National Commissioner / Chief Executive Officer
Norway Norwegian Data Protection Authority Datatilsynet Tobias Judin, Head of International
Panama The National Authority for Transparency and Access to Information Autoridad Nacional de Transparencia y Acceso a la Información Licda. Sheyla Castillo de Arias, Director
Peru National Authority for the Protection of Personal Data Autoridad Nacional de Protección de Datos Personales Eduardo Luna Cervantes, Director
Philippines National Privacy Commission, Philippines Atty. Johann Carlos S. Barcena, CESO III, Privacy Commissioner Atty. Jose Amelito S. Belarmino, MSc, Deputy Privacy Commissioner Atty. Juan Paolo F. Fajardo, Deputy Privacy Commissioner
Poland Personal Data Protection Office Urząd Ochrony Danych Osobowych Mirosław Wróblewski, President of the Office
Portugal Portuguese Data Protection Supervisory Authority Comissão Nacional de Proteção de Dados Prof. Dra. Paula Meira Lourenço, President
Singapore Personal Data Protection Commission of the Republic of Singapore Denise Wong, Deputy Commissioner
Slovenia Information Commissioner of the Republic of Slovenia Informacijski pooblaščenec Dr. Jelena Virant Burnik, Information Commissioner
Republic of Korea Personal Information Protection Commission 개인정보 보호위원회 Kyung Hee Song, Chairperson
Switzerland Federal Data Protection and Information Commissioner Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter Adrian Lobsiger, Federal Data Protection and Information Commissioner
Emirate of Abu Dhabi (United Arab Emirates) ADGM Office of Data Protection Sami Mohammed, Commissioner of Data Protection
Emirate of Dubai (United Arab Emirates) Dubai International Financial Centre Authority Lori Baker, Vice President – Data Protection & Regulatory Compliance
United Kingdom UK Information Commissioner’s Office William Malcolm, Executive Director Regulatory Risk & Innovation
Uruguay Regulatory and Control Unit for Personal Data Unidad Reguladora y de Control de Datos Personales Executive Council