diff --git a/data/deprecations/16-10-protected-vars-downstream.yml b/data/deprecations/16-10-protected-vars-downstream.yml new file mode 100644 index 0000000000000000000000000000000000000000..9156a8791ccdd2679e1377fbeb7cecdff24cbfe8 --- /dev/null +++ b/data/deprecations/16-10-protected-vars-downstream.yml 
@@ -0,0 +1,43 @@ +# ----- DELETE EVERYTHING ABOVE THIS LINE ----- + +- title: "Behavior change for protected variables and multi-project pipelines" + # The milestones for the deprecation announcement, and the removal. + removal_milestone: "17.0" + announcement_milestone: "16.10" + # Change breaking_change to false if needed. + breaking_change: true + # The stage and GitLab username of the person reporting the change, + # and a link to the deprecation issue + reporter: jocelynjane + stage: verify + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/432328 + body: | # (required) Don't change this line. + In some cases, users with sufficient permissions in a project could forward protected variables to an unsecure project, so this change is a security enhancement that minimizes the risk of protected variable values being exposed. + + While [forwarding CI/CD variables](https://docs.gitlab.com/ee/ci/pipelines/downstream_pipelines.html#pass-cicd-variables-to-a-downstream-pipeline) through downstream pipelines is useful for some workflows, [protected variables](https://docs.gitlab.com/ee/ci/variables/#protect-a-cicd-variable) require additional care. They are intended for use only with specific protected branches or tags. + + In GitLab 17.0, variable forwarding will be updated to ensure protected variables are only passed in specific situations: + + - Project-level protected variables can only be forwarded to downstream pipelines in the same project (child pipelines). + - Group-level protected variables can only be forwarded to downstream pipelines of projects that belong to the same group as the source project. + + If your pipeline relies on forwarding protected variables, update your configuration to either conform to the two options above, or avoid forwarding protected variables. 
+ +# ============================== +# OPTIONAL END-OF-SUPPORT FIELDS +# ============================== +# +# If an End of Support period applies: +# 1) Share this announcement in the `#spt_managers` Support channel in Slack +# 2) Mention `@gitlab-com/support` in this merge request. +# + # When support for this feature ends, in XX.YY milestone format. + end_of_support_milestone: + # Array of tiers the feature is currently available to, + # like [Free, Silver, Gold, Core, Premium, Ultimate] + tiers: + # Links to documentation and thumbnail image + documentation_url: + image_url: + # Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg + video_url: diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 2a849a583979b51be4696a3fb90bd11e0339953c..fe14686b46ef8e337ce076cb4b706757fc590a55 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md 
@@ -379,6 +379,29 @@ can change `## Step - 1` to `## Step 1` to ensure in-page links continue to work <div class="deprecation breaking-change" data-milestone="17.0"> +### Behavior change for protected variables and multi-project pipelines + +<div class="deprecation-notes"> +- Announced in GitLab <span class="milestone">16.10</span> +- Removal in GitLab <span class="milestone">17.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change)) +- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/432328). +</div> + +In some cases, users with sufficient permissions in a project could forward protected variables to an unsecure project, so this change is a security enhancement that minimizes the risk of protected variable values being exposed. + +While [forwarding CI/CD variables](https://docs.gitlab.com/ee/ci/pipelines/downstream_pipelines.html#pass-cicd-variables-to-a-downstream-pipeline) through downstream pipelines is useful for some workflows, [protected variables](https://docs.gitlab.com/ee/ci/variables/#protect-a-cicd-variable) require additional care. They are intended for use only with specific protected branches or tags. + +In GitLab 17.0, variable forwarding will be updated to ensure protected variables are only passed in specific situations: + +- Project-level protected variables can only be forwarded to downstream pipelines in the same project (child pipelines). +- Group-level protected variables can only be forwarded to downstream pipelines of projects that belong to the same group as the source project. + +If your pipeline relies on forwarding protected variables, update your configuration to either conform to the two options above, or avoid forwarding protected variables. + +</div> + +<div class="deprecation breaking-change" data-milestone="17.0"> + ### Block usage of ref and sha together in `GET /projects/:id/ci/lint` <div class="deprecation-notes">
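Review bot: In `data/deprecations/16-10-protected-vars-downstream.yml`, the `body` never states what happens in 17.0 when a pipeline forwards a protected variable outside the two allowed cases. It should say whether the variable is silently omitted from the downstream pipeline or the trigger job fails, because a silently missing variable is much harder to diagnose than a failed job. Two wording points in the same field: "an unsecure project" is undefined (presumably a project where the variable's protection rules do not apply), and "projects that belong to the same group as the source project" leaves open whether subgroups of that group count. Separately, `documentation_url:` is left empty even though the body already links the downstream pipelines page, which would be a reasonable value for it.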
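Review bot: In the `doc/update/deprecations.md` hunk, the closing sentence "conform to the two options above" points at two bullets that are restrictions, not options, and gives the reader no concrete step to take. Suggest something like "forward protected variables only in the two cases above, or stop forwarding them", plus a pointer to how to check which variables a trigger job forwards. The heading also says "multi-project pipelines" while the first bullet is about child pipelines in the same project, so either the title or the bullet should make clear that child pipelines keep working. This text duplicates the YAML `body` in the first file, so any wording change has to land in both places.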