diff --git a/app/services/projects/fork_service.rb b/app/services/projects/fork_service.rb
index 03be7039b2a..348eb0bf8d8 100644
--- a/app/services/projects/fork_service.rb
+++ b/app/services/projects/fork_service.rb
@@ -26,7 +26,7 @@ module Projects
         name:                   @project.name,
         path:                   @project.path,
         shared_runners_enabled: @project.shared_runners_enabled,
-        namespace_id:           @params[:namespace].try(:id) || current_user.namespace.id
+        namespace_id:           target_namespace.id
       }
 
       if @project.avatar.present? && @project.avatar.image?
@@ -74,14 +74,14 @@ module Projects
       Projects::ForksCountService.new(@project).refresh_cache
     end
 
-    def allowed_visibility_level
-      project_level = @project.visibility_level
+    def target_namespace
+      @target_namespace ||= @params[:namespace] || current_user.namespace
+    end
 
-      if Gitlab::VisibilityLevel.non_restricted_level?(project_level)
-        project_level
-      else
-        Gitlab::VisibilityLevel.highest_allowed_level
-      end
+    def allowed_visibility_level
+      target_level = [@project.visibility_level, target_namespace.visibility_level].min
+
+      Gitlab::VisibilityLevel.closest_allowed_level(target_level)
     end
   end
 end
diff --git a/changelogs/unreleased/bvl-fork-public-project-to-private-namespace.yml b/changelogs/unreleased/bvl-fork-public-project-to-private-namespace.yml
new file mode 100644
index 00000000000..b802625943d
--- /dev/null
+++ b/changelogs/unreleased/bvl-fork-public-project-to-private-namespace.yml
@@ -0,0 +1,5 @@
+---
+title: Allow forking a public project to a private group
+merge_request: 16050
+author:
+type: changed
diff --git a/lib/gitlab/visibility_level.rb b/lib/gitlab/visibility_level.rb
index 11472ce6cce..6ced06a863d 100644
--- a/lib/gitlab/visibility_level.rb
+++ b/lib/gitlab/visibility_level.rb
@@ -57,11 +57,17 @@ module Gitlab
         }
       end
 
-      def highest_allowed_level
+      def allowed_levels
         restricted_levels = current_application_settings.restricted_visibility_levels
 
-        allowed_levels = self.values - restricted_levels
-        allowed_levels.max || PRIVATE
+        self.values - restricted_levels
+      end
+
+      def closest_allowed_level(target_level)
+        highest_allowed_level = allowed_levels.select { |level| level <= target_level }.max
+
+        # If all levels are restricted, fall back to PRIVATE
+        highest_allowed_level || PRIVATE
       end
 
       def allowed_for?(user, level)
diff --git a/spec/lib/gitlab/visibility_level_spec.rb b/spec/lib/gitlab/visibility_level_spec.rb
index 48a67773de9..d85dac630b4 100644
--- a/spec/lib/gitlab/visibility_level_spec.rb
+++ b/spec/lib/gitlab/visibility_level_spec.rb
@@ -49,4 +49,31 @@ describe Gitlab::VisibilityLevel do
         .to eq([Gitlab::VisibilityLevel::PUBLIC])
     end
   end
+
+  describe '.allowed_levels' do
+    it 'only includes the levels that arent restricted' do
+      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::INTERNAL])
+
+      expect(described_class.allowed_levels)
+        .to contain_exactly(described_class::PRIVATE, described_class::PUBLIC)
+    end
+  end
+
+  describe '.closest_allowed_level' do
+    it 'picks INTERNAL instead of PUBLIC if public is restricted' do
+      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+
+      expect(described_class.closest_allowed_level(described_class::PUBLIC))
+        .to eq(described_class::INTERNAL)
+    end
+
+    it 'picks PRIVATE if nothing is available' do
+      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC,
+                                                              Gitlab::VisibilityLevel::INTERNAL,
+                                                              Gitlab::VisibilityLevel::PRIVATE])
+
+      expect(described_class.closest_allowed_level(described_class::PUBLIC))
+        .to eq(described_class::PRIVATE)
+    end
+  end
 end
diff --git a/spec/services/projects/fork_service_spec.rb b/spec/services/projects/fork_service_spec.rb
index 4057caca2ac..409d5de8d43 100644
--- a/spec/services/projects/fork_service_spec.rb
+++ b/spec/services/projects/fork_service_spec.rb
@@ -139,10 +139,10 @@ describe Projects::ForkService do
             stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::INTERNAL])
           end
 
-          it "creates fork with highest allowed level" do
+          it "creates fork with lowest level" do
             forked_project = fork_project(@from_project, @to_user)
 
-            expect(forked_project.visibility_level).to eq(Gitlab::VisibilityLevel::PUBLIC)
+            expect(forked_project.visibility_level).to eq(Gitlab::VisibilityLevel::PRIVATE)
           end
         end
 
@@ -209,6 +209,19 @@ describe Projects::ForkService do
           expect(to_project.errors[:path]).to eq(['has already been taken'])
         end
       end
+
+      context 'when the namespace has a lower visibility level than the project' do
+        it 'creates the project with the lower visibility level' do
+          public_project = create(:project, :public)
+          private_group = create(:group, :private)
+          group_owner = create(:user)
+          private_group.add_owner(group_owner)
+
+          forked_project = fork_project(public_project, group_owner, namespace: private_group)
+
+          expect(forked_project.visibility_level).to eq(Gitlab::VisibilityLevel::PRIVATE)
+        end
+      end
     end
   end