This roundtable was convened around the core idea that a more coherent digital rulebook need not come at the expense of strong protections. Instead, simplification can be understood as an effort to address areas where the EU digital acquis has grown increasingly complex in practice, including at the intersection of data protection, AI, online safety, […]

In this Draft Mapping Report, CIPL examines the European Union’s General Data Protection Regulation (GDPR) to assess whether—and to what extent—the GDPR aligns with the Global CBPR Program Requirements (as updated in 2026) and the existing Global PRP Program Requirements. The analysis shows that more than 70% of Global CBPR Program Requirements, as revised, align […]

This report is based on our first technical workshop for CIPL’s Simplification Project. The workshop was focused on the proposed AI Act Omnibus and explored targeted amendments that could simplify implementation while preserving the AI Act’s objectives: enabling trustworthy, human-centric AI and innovation, while protecting health, safety, fundamental rights, and the environment. The report highlights […]

CIPL welcomes the opportunity to comment on the joint draft Guidelines of the European Commission and the European Data Protection Board (EDPB) on the Interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). CIPL appreciates the cooperative nature of these draft Guidelines and the collaboration of the European Commission and […]

Europe’s digital laws are ambitious. But as GDPR, ePrivacy, DSA, DMA, AI Act and NIS2 converge, organisations and regulators face duplicated reporting, parallel risk assessments and contradictory expectations. CIPL’s Big Ideas for Simplification of Europe’s Digital Rulebook provide twenty-seven targeted proposals to join up Europe’s digital frameworks while maintaining the highest standards of protection. Our […]

Clear, concise, and practical regulatory guidance is essential for organisations, as it provides the legal certainty needed to navigate an increasingly complex and overlapping regulatory landscape. This is particularly important in cases of legislative overlap, where the jurisdictions and competencies of multiple regulators may intersect. CIPL supports the clarification the draft guidelines make, that the […]

In this submission, CIPL supports the Commission’s commitment to strengthening the high level of consumer protection in the digital environment. As the Fitness Check of EU Consumer Law on Digital Fairness concluded, it is imperative that: “existing consumer protection rules remain relevant and necessary to ensure a high level of consumer protection and effective functioning […]

Enabling responsible innovation to advance economic growth has become central to the global discussions on privacy and digital policy. As the digital landscape rapidly evolves, policymakers worldwide are exploring pro-innovation approaches to regulate emerging technologies effectively without stifling innovation. On 1 April 2025, CIPL held a roundtable on ‘Smart Regulation in a Changing World’ to […]

As a first part of CIPL’s EU AI Act Implementation Project and in conjunction with ongoing research on the responsible and accountable development and deployment of artificial intelligence systems, CIPL has identified Article 4 AI literacy best practices and recommendations for practitioners. AI Literacy Best Practices for Whom? These best practices can be adapted and […]

As trilogue negotiations on the GDPR Procedural Regulation approach the end, CIPL is sharing key takeaways from our recent roundtable in Brussels which brought together leading regulators and organizations for a constructive dialogue on the state of play of GDPR enforcement. CIPL has consistently highlighted potential challenges and benefits concerning this file from the very […]

This CIPL report, based on research by Public First, commissioned by Google, highlights how digital advertising plays a significant role in supporting European competitiveness, particularly for small and medium-sized businesses (SMBs). This survey of 4,287 EU SMBs across 13 countries found that 86% attributed revenue growth directly to digital advertising, in particular personalised advertising. The […]

The European Union’s Digital Markets Act (DMA) represents one of the most ambitious regulatory interventions in the digital economy to date. It was intended to empower consumers and to level the market playing field to foster innovation, growth, and competitiveness in the EU. To achieve this, the DMA introduced a number of strict obligations on […]

In this discussion paper, CIPL considers the following key privacy and data protection concepts and explores how they can be effectively applied to the development and deployment of genAI models and systems: Fairness; Collection limitation; Purpose specification; Use limitation; Individual rights; Transparency; Organizational accountability; and Cross-border data transfers. The analysis in this paper builds on […]

Drawing largely from the experience under the GDPR and several EU digital laws, CIPL partnered with Bae, Kim & Lee LLC on this paper to make the case for shifting away from over-reliance on consent and exploring, instead, other legal bases such as contractual necessity and legitimate interest. The paper argues that to ensure the […]

The paper, written in partnership with Richard Thomas CBE, raises two fundamental questions for data protection authorities: What should DPAs be doing and prioritizing? How should they be doing it? While these questions are not easy to answer, they are essential to explore. Building on our previous work, including the Regulating for Results Paper (2017) […]

On December 7th, 2023, the Court of Justice of the European Union (CJEU) ruled that SCHUFA, a credit rating agency, played a “determining role” in a lender’s decision to deny a loan application. The CJEU found that SCHUFA’s role, i.e. providing credit scores, qualified as a “decision” under Article 22 of the GDPR. The court […]

This CIPL Response is not publicly available.

The GDPR has been an important tool for protecting individuals’ privacy and has substantially elevated data protection awareness globally. Its impact can be seen in many data protection laws around the world, as well as in the global privacy compliance and data management programs of many multinational organizations that use the GDPR as their baseline […]

This third paper in our series analyzing the Digital Markets Act assess the operational consequences of the DMA obligations for gatekeepers and organizations receiving or getting access to personal data, specifically in the context of Art. 6(9) of the DMA. The article mandates the portability of data provided or generated by a user from a […]

In this white paper, CIPL proposes a roadmap for building a holistic data strategy that seeks to align the Board and C-suite on data-driven initiatives and provide a framework for promoting innovative and responsible uses of data, including the development and deployment of powerful AI technologies.

This report showcases how 20 leading organizations are developing accountable AI programs and best practices on the ground. Our research shows that organizational accountability is fundamental to the responsible development and deployment of AI. Organizations recognize the need to demonstrate AI accountability as a business imperative, especially as the expectations of consumers, business partners, shareholders, […]

Since the CJEU Schrems II Judgment in July 2020, European data protection authorities (DPAs) in the EU have developed a “zero risk” theory in relation to Chapter V of the General Data Protection Regulation (GDPR). They have been asking data controllers and processors that transfer personal data outside the EU to “eliminate” all risks of […]

Drawing on CIPL’s years of experience as a thought leader and our extensive engagement with private sector leaders developing and deploying AI technologies, policymakers, and regulators, CIPL offers in this paper ten recommendations to guide AI policymaking and regulation to enable accountable, responsible, and trustworthy AI. These ten recommendations encapsulate CIPL’s view on a layered […]

This paper takes an in-depth look at open questions regarding the seeming limitation by the DMA of legal bases available for certain processing of personal data and whether the DMA should consequently be considered as a lex specialis to the GDPR. The paper examines ambiguities related to the scope of DMA in terms of personal […]

This study by the Centre for Information Policy Leadership (CIPL) and the Privacy Center of Excellence at Cisco explores the business benefits and return on investment (ROI) of DPMPs. In particular, the study demonstrates that organizations are experiencing a wide range of benefits from investing in DPMPs. These include risk management and compliance benefits, as […]

This document presents a comparison of the APEC Cross-Border Privacy Rules (CBPR) Requirements and the EU-U.S. Privacy Shield Requirements to the requirements of the UK General Data Protection Regulation (GDPR). For purposes of this analysis, we analyzed relevant documents pertaining to participation in both the CBPR and Privacy Shield certification system. We present recommendations, as […]

The EU digital strategy intends to establish a safe and trusted digital space for individuals and a level playing field for businesses that fosters innovation, growth, and competitiveness in the EU. Specifically, the draft Digital Markets Act (DMA) aims to enable open and fair digital and data markets by fostering competition. In particular, it seeks […]

Promoting organizational accountability among all organizations that process personal data has been one of the Centre for Information Policy Leadership’s (CIPL) main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper […]

Promoting organizational accountability among all organizations that process personal data has been one of CIPL’s main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper elaborates specifically on […]

The One-Stop-Shop mechanism (OSS), is essential to support the consistent implementation of the GDPR in order to achieve the EU single market. The OSS brings important benefits to individuals, organizations and Supervisory Authorities (SAs). However, the OSS is facing a growing amount of criticism and risks being undermined. Its challenges should now be discussed and […]

Following the European Data Protection Board’s (EDPB) Stakeholder Workshop on Legitimate Interests on 27 November 2020, CIPL published this white paper as input for the EDPB’s future update of the guidelines on the legitimate interests legal basis. This Paper is also relevant for any jurisdiction where data protection law includes legitimate interests as a legal […]

Building on its prior work, CIPL has been working with experts in the EU and multinational companies who are leaders in AI to collect best practices and emerging trends in AI accountability. CIPL’s objective is to inform the current EU discussions on the development of rules to regulate AI. This paper summarizes CIPL’s vision on […]

On July 16 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as Schrems II, that Standard Contractual Clauses are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. This substantially impacts organizations […]

On July 16th 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as “Schrems II”, that Standard Contractual Clauses (SCCs) are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. The Judgment substantially impacts […]

Following the European Data Protection Board’s (EBPB) stakeholders’ event in Brussels on November 4th 2019, on Data Subject Rights CIPL submitted this White Paper as input for the EDPB’s future guidelines on Data Subject Rights. The EDPB’s stakeholder event on DSR addressed the following GDPR provisions: The right of access (Article 15) The right to […]

The COVID-19 crisis imposed a wide range of immediate and likely long-term impacts on organizations, governments, regulators, people and society at large. Many of them could to stay with us beyond the immediate crisis and change the way we all live, work and interact. These impacts likely will also be felt in data privacy – […]

CIPL has a long history of exploring accountability-based information management and privacy governance. As part of our work on enabling innovation while also protecting privacy, we are currently exploring how to further develop and improve the existing concept of accountability to maximize both goals. This report consolidates the findings of CIPL’s Accountability Mapping Project launched […]

The COVID-19 crisis is imposing a wide range of immediate and likely long-term impacts on organizations, governments, regulators, people and society at large. Many of them are likely to stay with us beyond the immediate crisis and change the way we all live, work and interact going forward. These impacts likely will also be felt […]

The rise and rapid expansion of Artificial Intelligence technology is one of the main features of the Fourth Industrial Revolution. Its transformational potential for our digital society and ability to drive benefits for citizens, governments and organizations is unparalleled. To realize this potential and ensure its sustainability, we must build AI on a foundation of […]

Organisational accountability is a powerful tool in the hands of the political and business leaders that are shaping 21st century Europe. It places the responsibility for ethical behavior and the protection of individuals on the organizations that are best placed to achieve it. This report argues that accountability is a scalable and transferrable concept that can be implemented by […]

The European Commission is currently working on updated standard data protection clauses for international transfers (SCC) to serve as “appropriate safeguards” that are necessary to legitimize the transfer of personal data to a third country in the absence of an adequacy decision. The Commission is currently receiving input from organizations. CIPL welcomes the opportunity to […]

Promoting organizational accountability among all organizations that process personal data has been one of the Centre for Information Policy Leadership’s (CIPL) main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper […]

In this report, we seek to outline the positive impacts and benefits organizations have experienced as a result of their GDPR compliance efforts. We also describe the challenges and unfulfilled promises of the GDPR, where organizations feel the Regulation has not lived up to its objectives and has presented practical difficulties, despite their dedication to […]

What is a “Regulatory Sandbox”? How could it contribute to high standards of data protection and privacy and promote innovation? What are the challenges and problems? What safeguards are needed? Why would regulators and organizations want to participate in a Sandbox? In this white paper, we set out the key features of the concept. Essentially, […]

An important focus in the legislative discussions on the proposed ePrivacy Regulation is the fact that the proposal (mainly the articles 5 and 6 thereof) aims to protect the confidentiality of communications of individuals and legal persons, and in particular addresses the confidentiality of content data and metadata, implementing Article 7 of the EU Fundamental […]

This report introduces artificial intelligence and some of the technologies enabled by it, as well as some of the challenges and tensions between artificial intelligence and existing data protection laws and principles. The challenges to data protection presented by AI are frequently remarked on but are often addressed only at a surface level. There is […]

This short paper introduces two CIPL papers on the topic of organisational accountability – The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society and The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society. It outlines the goals of these other papers, […]

It is essential that there is consensus and clarity on the precise meaning and application of organisational accountability among all stakeholders, including organisations implementing accountability and data protection authorities (DPAs) overseeing accountability. Without such consensus, organisations will not know what DPAs expect of them and DPAs will not know how to assess organisations’ accountability-based privacy […]

The objectives of this second paper in our Accountability series are, first, to make the case for specifically incentivising organisational accountability and, second, to provide specific suggestions for what such incentives might be. Importantly, the objective in promoting an approach of incentivising accountability is not to weaken or hinder the powers of data protection authorities […]

This study was prepared by Brinkhof for CIPL On 10 January 2017, the Commission adopted its proposal for a new ePrivacy Regulation to replace the existing Directive 2002/58/EC. This proposal is currently being discussed in the Council. One of the questions being considered, is the link between the ePR and the General Data Protection Regulation. […]

This report was prepared by Normally Ltd for the Centre for Information Policy Leadership in April 2018. In the discourse on regulation of digital services and the proposed ePR, design has been missing from the discussion. This study makes the case for why we all need design to take a seat at the table. It […]

This Factsheet addresses the following in the context of the proposed ePrivacy Regulation and GDPR: Controllers and Processors Data Protection Principles Transparency Territorial Scope The Lawfulness of Processing Rights of the Data Subject Privacy by Design and by Default Security Risk-based Approach Data Protection Impact Assessment Supervisory Authorities Remedies Sanctions

Personal data relating to children are processed for many purposes by private and public sector organizations, including the provision of online and offline services, education, social care, healthcare and personal welfare, and as part of information on family circumstances. In some cases, the processing will include special categories of personal data. CIPL recognizes that the […]

The ecosystem for regulating data protection and privacy is changing rapidly, and not just within the EU. For many years CIPL has championed the role of accountable organizations and the merits of a risk-based approach. We now turn to the “plumbing” of the system as a whole and consider how its component parts can best […]

This paper highlights and explores CIPL’s ten key messages on the principles of transparency, consent and legitimate interest: Transparency is intended to be user-centric and should not primarily envisage legal compliance. Transparency should be context-specific, benefit from the possibilities of new technologies and avoid information overload. Transparency should be provided contextually by different methods and […]

On 6 and 7 March 2017, CIPL held its 3rd major workshop of the GDPR Implementation Project focusing on the issues of transparency, consent and legitimate interest. The workshop was held in the historic premises of Telefónica with more than 140 participants from industry, DPAs, national governments, the European Commission, the EDPS, and academia. The […]

The purpose of this paper is to: Inform the EU DPAs and the Article 29 Working Party as they consider the provisions of the GDPR on criteria to define the lead DPA and the co-operation among DPAs in the context of the OSS and the lead DPA. Signal any practical challenges in implementing these provisions […]

The function of the data protection officer or chief privacy officer is an essential component of data privacy accountability, playing a crucial role in enabling organisations to ensure and demonstrate both data privacy compliance and effective privacy protection of individuals. In recognition of its crucial status within organisations, this function is formally recognised and described […]

In September, we held our second GDPR Workshop in Paris as part of our two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster […]

On 16 March 2016, CIPL and the Dutch Ministry of Security and Justice co-hosted a workshop in Amsterdam entitled “Towards a Successful and Consistent Implementation of the GDPR”. The workshop kick-started the special CIPL project on the consistent interpretation and implementation of the EU GDPR. The main objective of the workshop was to initiate an […]

The role and function of a data protection officer (DPO) are evolving and will underpin data protection compliance under the proposed European General Data Protection Regulation. Recognizing the critical importance of the DPO function and oversight as a prerequisite for data privacy corporate accountability, many organizations have invested strategically in developing a DPO function, but […]