Papers
Legitimate Interests for Data in AI Training – The DPO Perspective
ai artificial intelligence
Since 2019, CIPL has been spearheading work to interpret the legal bases for processing personal data under data protection laws and to apply data protection laws and principles to AI technologies. Building on this, CIPL has spent the last year convening a select group of Data Protection Officers from leading companies in an initiative […]
Reconciling AI with the Data Minimization Principle: Bridging the Innovation and Privacy Gap
ai artificial intelligence
While AI technologies are not new, the advent and uptake of generative AI have prompted regulators and policymakers to renew their focus on its governance. In the context of privacy and data protection, this has led to debate on how data protection principles apply to AI, what new risks these systems may present, and how […]
CIPL’s Big Ideas for Simplification of Europe’s Digital Rulebook
EU europe
Europe’s digital laws are ambitious. But as GDPR, ePrivacy, DSA, DMA, AI Act and NIS2 converge, organisations and regulators face duplicated reporting, parallel risk assessments and contradictory expectations. CIPL’s Big Ideas for Simplification of Europe’s Digital Rulebook provide twenty-seven targeted proposals to join up Europe’s digital frameworks while maintaining the highest standards of protection. Our […]
Proposal for a Wallet/Credential Manager Framework for Age Assurance Solutions
childrens privacy
Following our series of Multistakeholder Dialogue workshops on Age Assurance, CIPL and WeProtect produced this paper to explore what a broader, interoperable framework for age assurance could look like, while ensuring privacy, user autonomy, and transparency.
Comparison of US State Privacy Laws: Defining Covered and Sensitive Data
us privacy framework us privacy
This paper examines how different state laws define personal information and “sensitive data” – foundational concepts that determine the scope of compliance obligations, regulatory triggers, and individual rights – as the landscape of U.S. privacy regulations continues to evolve in the absence of a federal privacy framework. The paper specifically analyzes common approaches and key […]
Agentic AI: Fostering Responsible and Beneficial Development and Adoption
ai
Agentic AI has the potential to transform business processes and customer experience across a range of industries. Companies are working to rapidly scale their investment, development, and adoption of agentic AI to help better serve customers and reap benefits, such as greater productivity and efficiency, optimization of organizational resources, and personalization of products and services. […]
Learning from Practice: Designing Effective Regulatory Sandboxes
regulatory engagement
This paper examines sandbox initiatives across multiple jurisdictions, including in AI, data protection and financial services, to identify the core success factors that make these models effective. It distils these insights into practical recommendations for regulators designing and operating sandboxes and for participating organisations. Building on this analysis, the paper considers the specific context of […]
Global CBPR & Global PRP Systems Playbook: An Actionable Guide for Participation in the Global Cross-Border Privacy Rules and the Global Privacy Recognition for Processors
data sharing cross-border data transfers cbpr
What are the Global Cross-Border Privacy Rules (Global CBPR)? What is the Global Privacy Recognition for Processors (Global PRP)? How do these systems work? What benefits do they provide to businesses and individuals alike? These questions and more are addressed in CIPL’s Global CBPR & Global PRP Systems Playbook, which explains how these programs provide […]
Rethinking Sensitive Data in the Age of AI
ai
Building on CIPL’s ongoing work at the intersection of data protection, AI, and organizational accountability, our latest paper takes a deep dive into the evolving role of sensitive data in AI systems. As AI technologies become more advanced and widely adopted, existing legal frameworks often restrict the use of sensitive data, even when it is […]
AI Act Article 4: AI Literacy Best Practices and Recommendations for Practitioners
ai EU ai act
As a first part of CIPL’s EU AI Act Implementation Project and in conjunction with ongoing research on the responsible and accountable development and deployment of artificial intelligence systems, CIPL has identified Article 4 AI literacy best practices and recommendations for practitioners. AI Literacy Best Practices for Whom? These best practices can be adapted and […]
Ten Principles for a U.S. Privacy Law
us privacy
Earlier this year, the U.S. Congress signaled its intent to take a fresh look at the potential elements of a U.S. federal privacy law. CIPL submitted a detailed comment to the House Committee on Energy and Commerce Data Privacy Working Group on April 7th in response. Following this, we created this summary of our views […]
Privacy-Enhancing and Privacy-Preserving Technologies in AI: Enabling Data Use and Operationalizing Privacy by Design and Default
PETs digital economy
As part of CIPL’s research on PETs, this paper provides an in-depth exploration of how PETs can be and are being deployed to address privacy concerns specifically within AI systems. The paper describes how these technologies can help operationalize privacy by design and by default when developing AI systems, and also serve as key business enablers, […]
The Impact of Digital Advertising on Europe’s Competitiveness: A Study on the Role of Digital Advertising in Europe
digital economy digital advertising
This CIPL report, based on research by Public First, commissioned by Google, highlights how digital advertising plays a significant role in supporting European competitiveness, particularly for small and medium-sized businesses (SMBs). This survey of 4,287 EU SMBs across 13 countries found that 86% attributed revenue growth directly to digital advertising, in particular personalised advertising. The […]
Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators
ai #aikeywork
In this discussion paper, CIPL considers the following key privacy and data protection concepts and explores how they can be effectively applied to the development and deployment of genAI models and systems: Fairness; Collection limitation; Purpose specification; Use limitation; Individual rights; Transparency; Organizational accountability; and Cross-border data transfers. The analysis in this paper builds on […]
The Limitations of Consent as a Legal Basis for Data Processing in the Digital Society
digital economy
Drawing largely from the experience under the GDPR and several EU digital laws, CIPL partnered with Bae, Kim & Lee LLC on this paper to make the case for shifting away from over-reliance on consent and exploring, instead, other legal bases such as contractual necessity and legitimate interest. The paper argues that to ensure the […]
Getting the Best Outcomes: Pathways for Data Protection and Privacy Authorities
regulatory engagement
The paper, written in partnership with Richard Thomas CBE, raises two fundamental questions for data protection authorities: What should DPAs be doing and prioritizing? How should they be doing it? While these questions are not easy to answer, they are essential to explore. Building on our previous work, including the Regulating for Results Paper (2017) […]
Decoding Responsibility in the Era of Automated Decisions: Understanding the Implications of the CJEU’s SCHUFA Judgment
digital economy financial services
On December 7th, 2023, the Court of Justice of the European Union (CJEU) ruled that SCHUFA, a credit rating agency, played a “determining role” in a lender’s decision to deny a loan application. The CJEU found that SCHUFA’s role, i.e. providing credit scores, qualified as a “decision” under Article 22 of the GDPR. The court […]
Age Assurance & Age Verification Laws in the United States
us privacy
Legislation requiring the use of age assurance or age verification measures to promote safe online experiences for children and young people is gaining traction in the United States. At the time of publishing, 21 states have enacted laws with age assurance provisions, but there remains little agreement among states regarding the methods or tools to […]
From Barriers to Bridges: Cloud Computing in Support of Privacy and Security
digital economy cloud computing
In the modern economy, cloud computing continues to be a transformative technology for digital societies, enabling digital transformation while at the same time driving privacy, security and economic efficiencies. Nevertheless, the use of cloud services increasingly faces significant scrutiny in the European Union. Some of the concerns related to geopolitical tensions and supply chain control […]
Data Minimization in the United States’ Emerging Privacy Landscape: Comparative Analysis and Exploration of Potential Effects
us privacy
We published this discussion paper as part of a series on emerging privacy laws in the United States to offer analysis and recommendations to policymakers for safeguarding consumer data privacy and enhancing responsible data practices. First, this paper analyzes the data minimization requirements in US state privacy laws and the proposed American Privacy Rights Act […]
Suggested Enhancements to “Commission-Approved Compliance Guidelines” in the American Privacy Rights Act
us privacy
On April 7, 2024, Senate Commerce Committee Chair Maria Cantwell and House Energy and Commerce Committee Chair Cathy McMorris Rodgers released a discussion draft of the American Privacy Rights Act (APRA), a comprehensive federal consumer privacy framework built on prior congressional efforts including the American Data Privacy and Protection Act (ADPPA). On May 21, 2024, […]
Automated Decisionmaking and Profiling (ADM) Requirements in U.S. State Privacy Laws, and Current State of Play in State AI Regulations
us privacy
In this paper, we examine requirements regarding automated decisionmaking and profiling included in comprehensive state privacy laws. This report also explores notable state-level AI regulations. Our goal is to help state lawmakers and policymakers in the US advance the principles of privacy and data protection in a more consistent and manageable way. Key recommendations include: […]
Data Sharing Obligations Under the DMA: Challenges and Opportunities
digital economy DMA
This third paper in our series analyzing the Digital Markets Act assesses the operational consequences of the DMA obligations for gatekeepers and for organizations receiving or getting access to personal data, specifically in the context of Art. 6(9) of the DMA. The article mandates the portability of data provided or generated by a user from a […]
Leveraging Data Responsibly: Why Boards and the C-Suite Need to Embrace a Holistic Data Strategy
accountability digital responsibility
In this white paper, CIPL proposes a roadmap for building a holistic data strategy that seeks to align the Board and C-suite on data-driven initiatives and provide a framework for promoting innovative and responsible uses of data, including the development and deployment of powerful AI technologies.
Building Accountable AI Programs: Mapping Emerging Best Practices to the CIPL Accountability Framework
ai accountability #aikeywork
This report showcases how 20 leading organizations are developing accountable AI programs and best practices on the ground. Our research shows that organizational accountability is fundamental to the responsible development and deployment of AI. Organizations recognize the need to demonstrate AI accountability as a business imperative, especially as the expectations of consumers, business partners, shareholders, […]
The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach
data sharing cross-border data transfers
Since the CJEU Schrems II Judgment in July 2020, European data protection authorities (DPAs) in the EU have developed a “zero risk” theory in relation to Chapter V of the General Data Protection Regulation (GDPR). They have been asking data controllers and processors that transfer personal data outside the EU to “eliminate” all risks of […]
CIPL Comparison of US State Privacy Laws Data Protection Assessments
us privacy
With the proliferation of privacy laws across various states in the US, companies with limited budgets and resources are seeking ways to synthesize requirements and harmonize compliance obligations across jurisdictions. To address this challenge, CIPL has launched a project aimed at identifying areas of alignment and divergence between state laws, and examining the compliance challenges […]
Privacy-Enhancing and Privacy-Preserving Technologies: Understanding the Role of PETs and PPTs in the Digital Age
PETs digital economy
Privacy-enhancing technologies (PETs) and privacy-preserving technologies (PPTs) generally refer to innovations that facilitate the processing and use of data in a way that preserves the privacy of individuals whose data is being used. These technologies not only enhance privacy protections, but also maintain the informational value of data to varying degrees. This White Paper: Provides […]
Ten Recommendations for Global AI Regulation
ai regulatory engagement #aikeywork
Drawing on CIPL’s years of experience as a thought leader and our extensive engagement with private sector leaders developing and deploying AI technologies, policymakers, and regulators, CIPL offers in this paper ten recommendations to guide AI policymaking and regulation to enable accountable, responsible, and trustworthy AI. These ten recommendations encapsulate CIPL’s view on a layered […]
Limiting Legal Basis for Data Processing Under the DMA: Considerations on Scope and Practical Consequences
digital economy DMA
This paper takes an in-depth look at open questions regarding the seeming limitation by the DMA of legal bases available for certain processing of personal data and whether the DMA should consequently be considered as a lex specialis to the GDPR. The paper examines ambiguities related to the scope of DMA in terms of personal […]
CIPL-TLS Discussion Paper I: The Real Life Harms of Data Localization Policies
data sharing cross-border data transfers
Data underpins the digital transformation of our economies and society. It can be considered one of the most valuable economic assets – responsible use of data enables economic growth and brings benefits and progress to people, governments, and societies at large. Data is also central to governmental and societal interests, such as national security, cyber […]
CIPL-TLS Discussion Paper II: Data Localization and Government Access to Data Stored Abroad
data sharing cross-border data transfers
In this paper, TLS explores one rationale that some proponents of localization have advanced: that localization will insulate companies from foreign governments’ ability to legally compel access to their data. We examine not only the legal framework in the United States (U.S.), but also those of other countries, and conclude that legal systems, in general, […]
Digital Assets and Privacy
digital economy financial services digital assets
This CIPL paper argues that effective regulation of blockchain technologies requires cooperation and collaboration between authorities dealing with data, particularly financial conduct, competition and data protection authorities. On this basis, the paper makes the case that better regulation of digital assets requires the setting of realistic and achievable goals which stem from dialogue […]
Cisco-CIPL Report on Business Benefits of Investing in Data Privacy Management Programs
accountability digital responsibility
This study by the Centre for Information Policy Leadership (CIPL) and the Privacy Center of Excellence at Cisco explores the business benefits and return on investment (ROI) of data privacy management programs (DPMPs). In particular, the study demonstrates that organizations are experiencing a wide range of benefits from investing in DPMPs. These include risk management and compliance benefits, as […]
Protecting Children’s Data Privacy Policy Paper I: International Issues and Compliance Challenges
digital economy childrens privacy
Complying with the growing number of laws on children’s privacy in the global marketplace is an increasingly complex undertaking. It involves reconciling measures to protect children from online harm and intrusions into their privacy with the equally important necessity for children to participate and engage online and to access beneficial or even essential online resources. […]
CIPL Study Mapping the APEC CBPR System and EU-US Privacy Shield Requirements to the Provisions of the UK GDPR
data sharing cross-border data transfers cbpr
This document presents a comparison of the APEC Cross-Border Privacy Rules (CBPR) Requirements and the EU-U.S. Privacy Shield Requirements to the requirements of the UK General Data Protection Regulation (GDPR). For purposes of this analysis, we analyzed relevant documents pertaining to participation in both the CBPR and Privacy Shield certification system. We present recommendations, as […]
Local Law Assessments and Online Services – Refining the Approach to Beneficial and Protective Cross-Border Data Flows: A Case Study from British Columbia
data sharing cross-border data transfers
Cross-border data flows foster innovation and growth, support cybersecurity, and enable access to essential services. They are important for delivering public services and empowering individuals to access them, including healthcare and education. Cross-border data flows make access to transformational technologies like AI equally available to individuals and public and private sector organizations who might otherwise […]
Bridging the DMA and the GDPR – CIPL Comments on the Data Protection Implications of the Draft Digital Markets Act
DMA gdpr
The EU digital strategy intends to establish a safe and trusted digital space for individuals and a level playing field for businesses that fosters innovation, growth, and competitiveness in the EU. Specifically, the draft Digital Markets Act (DMA) aims to enable open and fair digital and data markets by fostering competition. In particular, it seeks […]
Organizational Accountability in Data Protection Enforcement – How Regulators Consider Accountability in their Enforcement Decisions
regulatory engagement accountability
Promoting organizational accountability among all organizations that process personal data has been one of the Centre for Information Policy Leadership’s (CIPL) main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper elaborates specifically on […]
The role of the Data Protection Officer (“Encarregado”) under the Brazilian General Data Protection Law (LGPD)
brazil lgpd
This is the second paper of the special Joint-Project “Effective Implementation and Regulation Under the New Brazilian Data Protection Law (LGPD)”, by CIPL and CEDIS/IDP. This project aims to: facilitate information-sharing about the LGPD; inform and advance constructive, forward-thinking and consistent LGPD implementation; enable the sharing of industry experience and best practices; promote effective regulatory […]
GDPR Enforcement Cooperation and the One-Stop-Shop – Learning from the First Three Years
gdpr
The One-Stop-Shop mechanism (OSS) is essential to support the consistent implementation of the GDPR and to achieve the EU single market. The OSS brings important benefits to individuals, organizations and Supervisory Authorities (SAs). However, the OSS is facing a growing amount of criticism and risks being undermined. Its challenges should now be discussed and […]
How the “Legitimate Interests” Ground for Processing Enables Responsible Data Use and Innovation
gdpr
Following the European Data Protection Board’s (EDPB) Stakeholder Workshop on Legitimate Interests on 27 November 2020, CIPL published this white paper as input for the EDPB’s future update of the guidelines on the legitimate interests legal basis. This Paper is also relevant for any jurisdiction where data protection law includes legitimate interests as a legal […]
Data Protection in the Time of the Pandemic
digital economy
This Roundtable Series Report provides a summary of key takeaways from each of the roundtables and highlights the latest thinking on these topics as COVID-19 continues to drive digital transformation and organizations continue to leverage data to fight the pandemic, think about other pressing humanitarian issues and find responsible data solutions to today’s unprecedented data […]
CIPL Recommendations on Adopting a Risk-Based Approach to Regulating AI in the EU
ai EU
Building on its prior work, CIPL has been working with experts in the EU and multinational companies who are leaders in AI to collect best practices and emerging trends in AI accountability. CIPL’s objective is to inform the current EU discussions on the development of rules to regulate AI. This paper summarizes CIPL’s vision on […]
A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision
gdpr data sharing cross-border data transfers
On July 16th 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as “Schrems II”, that Standard Contractual Clauses (SCCs) are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. The Judgment substantially impacts […]
Top Priorities for Public and Private Organizations to Effectively Implement the New Brazilian General Data Protection Law (LGPD)
brazil lgpd
This is the second paper of the special Joint-Project “Effective Implementation and Regulation Under the New Brazilian Data Protection Law (LGPD)”, by CIPL and CEDIS/IDP. This project aims to: facilitate information-sharing about the LGPD; inform and advance constructive, forward-thinking and consistent LGPD implementation; enable the sharing of industry experience and best practices; promote effective regulatory […]
Data Subject Rights under the GDPR in a Global Data Driven and Connected World
gdpr
Following the European Data Protection Board’s (EDPB) stakeholders’ event on Data Subject Rights in Brussels on November 4th 2019, CIPL submitted this White Paper as input for the EDPB’s future guidelines on Data Subject Rights. The EDPB’s stakeholder event on DSR addressed the following GDPR provisions: the right of access (Article 15); the right to […]
Looking Beyond COVID-19: Future Impacts on Data Protection and the Role of the Data Protection Authorities
regulatory engagement
The COVID-19 crisis imposed a wide range of immediate and likely long-term impacts on organizations, governments, regulators, people and society at large. Many of them are likely to stay with us beyond the immediate crisis and change the way we all live, work and interact. These impacts will likely also be felt in data privacy – […]
What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework
ai accountability
CIPL has a long history of exploring accountability-based information management and privacy governance. As part of our work on enabling innovation while also protecting privacy, we are currently exploring how to further develop and improve the existing concept of accountability to maximize both goals. This report consolidates the findings of CIPL’s Accountability Mapping Project launched […]
The Role of the Brazilian Data Protection Authority (ANPD) under Brazil’s New Data Protection Law (LGPD)
brazil lgpd
This is the second paper of the special Joint-Project “Effective Implementation and Regulation Under the New Brazilian Data Protection Law (LGPD)”, by CIPL and CEDIS/IDP. This project aims to: facilitate information-sharing about the LGPD; inform and advance constructive, forward-thinking and consistent LGPD implementation; enable the sharing of industry experience and best practices; promote effective regulatory […]
Artificial Intelligence and Data Protection: How the GDPR Regulates AI
ai EU
Hard Issues and Practical Solutions
ai #aikeywork
The rise and rapid expansion of Artificial Intelligence technology is one of the main features of the Fourth Industrial Revolution. Its transformational potential for our digital society and ability to drive benefits for citizens, governments and organizations is unparalleled. To realize this potential and ensure its sustainability, we must build AI on a foundation of […]
What Does the USMCA Mean for a US Federal Privacy Law?
us privacy
Organizational Accountability in Light of FTC Consent Orders
us privacy
Organisational Accountability – Past, Present and Future
accountability
Organisational accountability is a powerful tool in the hands of the political and business leaders that are shaping 21st century Europe. It places the responsibility for ethical behavior and the protection of individuals on the organizations that are best placed to achieve it. This report argues that accountability is a scalable and transferable concept that can be implemented by […]
Key Issues Relating to Standard Contractual Clauses for International Transfers and the Way Forward for New Standard Contractual Clauses under the GDPR
gdpr
The European Commission is currently working on updated standard data protection clauses for international transfers (SCC) to serve as “appropriate safeguards” that are necessary to legitimize the transfer of personal data to a third country in the absence of an adequacy decision. The Commission is currently receiving input from organizations. CIPL welcomes the opportunity to […]
Q&A on Organisational Accountability in Data Protection
accountability
Promoting organizational accountability among all organizations that process personal data has been one of the Centre for Information Policy Leadership’s (CIPL) main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper […]
Organizational Accountability – Existence in US Regulatory Compliance and its Relevance for a US Federal Privacy Law
us privacy
Ten Principles for a Revised US Privacy Framework
us privacy
Our economies and societies are in the midst of the 4th industrial revolution, with digitalization and datafication transforming the way we live, work and interact. This transformation has brought into sharp focus the question of how we should regulate data use, governance and privacy to enable us to reap the benefits of data-driven innovation […]
Regulatory Sandboxes in Data Protection – Constructive Engagement and Innovative Regulation in Practice
regulatory engagement
What is a “Regulatory Sandbox”? How could it contribute to high standards of data protection and privacy and promote innovation? What are the challenges and problems? What safeguards are needed? Why would regulators and organizations want to participate in a Sandbox? In this white paper, we set out the key features of the concept. Essentially, […]
Learning from the GDPR: What Elements Should the US Adopt?
us privacy
Legal Note on the ePrivacy Regulation and the EU Charter of Fundamental Rights
gdpr
An important focus in the legislative discussions on the proposed ePrivacy Regulation is the fact that the proposal (mainly the articles 5 and 6 thereof) aims to protect the confidentiality of communications of individuals and legal persons, and in particular addresses the confidentiality of content data and metadata, implementing Article 7 of the EU Fundamental […]
Artificial Intelligence and Data Protection in Tension
ai
This report introduces artificial intelligence and some of the technologies enabled by it, as well as some of the challenges and tensions between artificial intelligence and existing data protection laws and principles. The challenges to data protection presented by AI are frequently remarked on but are often addressed only at a surface level. There is […]
Introducing Two New CIPL Papers on The Central Role of Organisational Accountability in Data Protection
accountability
This short paper introduces two CIPL papers on the topic of organisational accountability – The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society and Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability. It outlines the goals of these other papers, […]
The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society
accountability
It is essential that there is consensus and clarity on the precise meaning and application of organisational accountability among all stakeholders, including organisations implementing accountability and data protection authorities (DPAs) overseeing accountability. Without such consensus, organisations will not know what DPAs expect of them and DPAs will not know how to assess organisations’ accountability-based privacy […]
Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability
accountability
The objectives of this second paper in our Accountability series are, first, to make the case for specifically incentivising organisational accountability and, second, to provide specific suggestions for what such incentives might be. Importantly, the objective in promoting an approach of incentivising accountability is not to weaken or hinder the powers of data protection authorities […]
EPR vis-à-vis GDPR – A comparative analysis of the ePrivacy Regulation and the General Data Protection Regulation
gdpr
This study was prepared by Brinkhof for CIPL. On 10 January 2017, the Commission adopted its proposal for a new ePrivacy Regulation to replace the existing Directive 2002/58/EC. This proposal is currently being discussed in the Council. One of the questions being considered is the link between the ePR and the General Data Protection Regulation. […]
Design for Privacy: How Will the ePrivacy Regulation affect the design of digital services and their user experiences?
gdpr
This report was prepared by Normally Ltd for the Centre for Information Policy Leadership in April 2018. In the discourse on regulation of digital services and the proposed ePR, design has been missing from the discussion. This study makes the case for why we all need design to take a seat at the table. It […]
Factsheet on the Key Issues Relating to the Relationship Between the Proposed ePrivacy Regulation (ePR) and the General Data Protection Regulation (GDPR)
gdpr
This Factsheet addresses the following in the context of the proposed ePrivacy Regulation and GDPR: Controllers and Processors; Data Protection Principles; Transparency; Territorial Scope; The Lawfulness of Processing; Rights of the Data Subject; Privacy by Design and by Default; Security; Risk-based Approach; Data Protection Impact Assessment; Supervisory Authorities; Remedies; Sanctions.
GDPR Implementation in Respect of Children’s Data and Consent
digital economy childrens privacy gdpr
Personal data relating to children are processed for many purposes by private and public sector organizations, including the provision of online and offline services, education, social care, healthcare and personal welfare, and as part of information on family circumstances. In some cases, the processing will include special categories of personal data. CIPL recognizes that the […]
Essential Legislative Approaches for Enabling Cross-Border Data Transfers in a Global Economy
data sharing cross-border data transfers cbpr
Global data flows are the product of the increasing globalization and digitalization of business processes and society. They are foundational to the modern digital economy. The ability to use, share and access information across borders stimulates innovation, enables data-driven products and services, fuels economic growth and ideas, and is often the lifeline for remote communities. […]
Regulating for Results: Strategies and Priorities for Leadership and Engagement
regulatory engagement
The ecosystem for regulating data protection and privacy is changing rapidly, and not just within the EU. For many years CIPL has championed the role of accountable organizations and the merits of a risk-based approach. We now turn to the “plumbing” of the system as a whole and consider how its component parts can best […]
Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR
gdpr
This paper highlights and explores CIPL’s ten key messages on the principles of transparency, consent and legitimate interest: Transparency is intended to be user-centric and should not primarily envisage legal compliance. Transparency should be context-specific, benefit from the possibilities of new technologies and avoid information overload. Transparency should be provided contextually by different methods and […]
The One-Stop-Shop and the Lead DPA as Co-operation Mechanisms in the GDPR
gdpr
The purpose of this paper is to: Inform the EU DPAs and the Article 29 Working Party as they consider the provisions of the GDPR on criteria to define the lead DPA and the co-operation among DPAs in the context of the OSS and the lead DPA. Signal any practical challenges in implementing these provisions […]
Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation
gdpr
The function of the data protection officer or chief privacy officer is an essential component of data privacy accountability, playing a crucial role in enabling organisations to ensure and demonstrate both data privacy compliance and effective privacy protection of individuals. In recognition of its crucial status within organisations, this function is formally recognised and described […]
Reframing Data Transparency
reframing data transparency
On 30 June 2016, CIPL and Telefónica held a joint Roundtable in London, with senior business leaders, data privacy officers and lawyers, data privacy regulators and academic experts, entitled ‘Reframing Data Transparency’. The objective of the Roundtable was to build on recent projects, initiatives and legal changes related to data transparency, such as the EU-US […]
Protecting Privacy in a World of Big Data: The Role of Risk Management
big data
Risk management has long played an important role in data protection. Over the past three years, CIPL has hosted a series of multinational workshops and published two white papers on risk management and its role in effective modern data protection. In this paper we focus on the interaction of risk management with other data protection […]
The Role of Enhanced Accountability in Creating a Sustainable Data-driven Economy and Information Society
big data
In the modern information age of big data, the Internet of Things and cloud computing, new data-driven products and services are enabling scientific and societal developments at a rapid pace and are the key drivers of economic growth. Our digital information society depends and thrives on the ability to generate, collect, aggregate, link and use […]
Cross-Border Data Transfer Mechanisms
data sharing cross-border data transfers
Legislatures in many countries currently are drafting or amending data protection laws. Often, these drafts and amendments attempt to regulate cross-border data transfers by imposing restrictions on transfers of personal data to other countries that do not have similar data privacy laws. Sometimes they also include so-called data localization provisions that require data or copies […]
The Role of Risk Management in Data Protection
risk framework
Data protection has long relied on risk management as a critical tool for complying with data protection laws and ensuring that data are processed appropriately and the fundamental rights and interests of individuals are protected effectively. Yet these risk management processes, whether undertaken by businesses or regulators, have often been informal, unstructured and failed to […]
A Risk-Based Approach to Privacy: Improving Effectiveness in Practice
risk framework
On March 20, 2014, the Centre held a workshop in Paris during which more than 50 privacy experts, industry representatives and regulators discussed their experiences and views with respect to the risk-based approach to privacy, the privacy risk framework and methodology, as well as goals and next steps in this project. This paper, titled “A […]
The Role and Function of a Data Protection Officer in Practice and in the European Commission’s Proposed General Data Protection Regulation
DPO CPO
The role and function of a data protection officer (DPO) are evolving and will underpin data protection compliance under the proposed European General Data Protection Regulation. Recognizing the critical importance of the DPO function and oversight as a prerequisite for data privacy corporate accountability, many organizations have invested strategically in developing a DPO function, but […]
Big Data and Analytics: Seeking Foundation for Effective Privacy Guidance
Analytics promises to revolutionize business, science, research and education. Powerful algorithms help identify individuals in need of social services, detect fraud, predict the effects of natural disasters, recognize patterns in scientific research and discover trends in consumer demand. Analytics play a role in addressing concerns across all aspects of society – from understanding biology at […]
Implementing Accountability in the Marketplace
accountability
Accountability builds on traditional notions of fair information practices, but incorporates new elements that require organizations to implement comprehensive privacy programs and base their decisions about data on credible assessment of the risks they raise for individuals and how best to mitigate them. This year, CIPL has responded to suggestions in public policy discussions […]
Accountability: Data Governance for the Evolving Digital Marketplace
accountability
In the current data environment, organizations must employ effective and explicit data governance programs to protect individuals against the risks that these uses of information may raise. While individuals must continue to play an appropriate role in making choices about sharing their data, they cannot be held responsible for detailed decisions about vastly complex technologies […]
Demonstrating and Measuring Accountability
accountability
When the participants in the Accountability Project released their discussion paper on accountability’s essential elements in October 2009, they did so recognizing that, within the framework described in that document, it would be necessary to address questions about its real-world implementation. CIPL was excited to facilitate further work on accountability, assembling experts to consider […]
Data Protection Law and The Ethical Use of Analytics
analytics
Written for CIPL by Paul M. Schwartz, Professor of Law, Berkeley Law School, University of California, Berkeley; Director, Berkeley Center for Law & Technology. This paper offers a contextual examination of analytics. The term “contextual” is used here in reference to an organization’s need to consider the risks that a specific application of analytics poses […]
Accountability: A Compendium for Stakeholders
accountability
This document serves as a compendium of our work conducted throughout our Accountability Project as of 2010, along with other notable contributions on this vital topic, including: Data Protection Accountability: The Essential Elements (October 2009); Demonstrating and Measuring Accountability – The Paris Project (October 2010); Privacy by Design: Essential for Organizational Accountability and Strong Business […]
Data Protection Accountability: The Essential Elements
accountability
Innovations in technology; rapid increases in data collection, analysis and use; and the global flow and access to data have made an unprecedented array of products, resources and services available to consumers. These developments, however, in no way diminish an individual’s right to the secure, protected and appropriate collection and use of their information. The […]
Dos and Don’ts of Data Breach and Information Security Policy
data breach
This white paper provides ten recommendations for data breach and information security policy, drawn from published research and extensive experience with data breaches, breach notices, and information security more broadly. The Dos and Don’ts of Data Breach and Information Security Policy: Don’t equate data breaches with identity fraud or other consumer harms. Don’t become so […]
Trusted Information Management: Data Privacy & Security Accountability in Outsourcing
india Outsourcing
This paper recognizes a growing global belief that, to promote competitiveness and innovation, businesses and service providers must address issues related to trust and accountability for information privacy and security in connection with outsourcing transactions. NASSCOM has been working on similar objectives in its exploration of how to develop a credible self-regulatory organization in India […]
Outsourcing in India: Designing A Privacy Accountability Self-Regulatory Organization
india Outsourcing
Ten Steps to Develop a Multilayered Privacy Notice
This paper provides a 10-step guide to creating a multilayered privacy notice. It argues that creating a privacy notice should not be viewed as an intimidating process. Developing a multilayered notice is no more difficult than developing a full, legally compliant notice. If an organization has already created a full, legally compliant notice, it can […]