United States
DRAFT – Mapping Global CBPR (as Updated) and Global PRP Systems’ Program Requirements to the EU GDPR
data sharing gdpr cross-border data transfers cbpr
In this Draft Mapping Report, CIPL examines the European Union’s General Data Protection Regulation (GDPR) to assess whether—and to what extent—the GDPR aligns with the Global CBPR Program Requirements (as updated in 2026) and the existing Global PRP Program Requirements. The analysis shows that more than 70% of Global CBPR Program Requirements, as revised, align […]
CIPL Response to the Notice of Proposed Rulemaking from New York’s Office of the Attorney General Regarding the Stop Addictive Feeds for Kids Act
childrens privacy regulatory engagement
Comparison of US State Privacy Laws: Defining Covered and Sensitive Data
us privacy framework us privacy
This paper examines how different state laws define personal information and “sensitive data” – foundational concepts that determine the scope of compliance obligations, regulatory triggers, and individual rights – as the landscape of U.S. privacy regulations continues to evolve in the absence of a federal privacy framework. The paper specifically analyzes common approaches and key […]
CIPL Response to the Proposed Rules for the New Jersey Data Privacy Act
regulatory engagement us privacy
CIPL Response to the US House Financial Services Committee on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals
regulatory engagement financial services us privacy
CIPL Response to Colorado’s Pre-Rulemaking Considerations for the Children’s Privacy Amendment
regulatory engagement children colorado
CIPL Response to the NIST Privacy Framework 1.1 Initial Public Draft
regulatory engagement us privacy
CIPL Comments on the California Privacy Protection Agency’s Notice of Modifications to Text of Proposed Regulations and Additional Materials Relied Upon
regulatory engagement us privacy
Ten Principles for a U.S. Privacy Law
us privacy
Earlier this year, the U.S. Congress signaled its intent to take a fresh look at the potential elements of a U.S. federal privacy law. CIPL submitted a detailed comment to the House Committee on Energy and Commerce Data Privacy Working Group on April 7th in response. Following this, we created this summary of our views […]
CIPL Response to House Data Privacy Working Group RFI Concerning Potential US Federal Privacy Law
regulatory engagement us privacy
CIPL Response to the Office of Science and Technology Policy’s Request for Information on the Development of an Artificial Intelligence (AI) Action Plan
ai us privacy regulatory engagement
CIPL Response to FTC’s Notice of Proposed Rulemaking on the Children’s Online Privacy Protection Rule
regulatory engagement
CIPL Response to the California Privacy Protection Agency’s Draft CCPA Updates, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology (ADMT) Regulations
regulatory engagement us privacy
Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators
ai #aikeywork
In this discussion paper, CIPL considers the following key privacy and data protection concepts and explores how they can be effectively applied to the development and deployment of genAI models and systems: Fairness; Collection limitation; Purpose specification; Use limitation; Individual rights; Transparency; Organizational accountability; and Cross-border data transfers. The analysis in this paper builds on […]
The Limitations of Consent as a Legal Basis for Data Processing in the Digital Society
digital economy
Drawing largely from the experience under the GDPR and several EU digital laws, CIPL partnered with Bae, Kim & Lee LLC on this paper to make the case for shifting away from over-reliance on consent and exploring, instead, other legal bases such as contractual necessity and legitimate interest. The paper argues that to ensure the […]
CIPL Response to US Department of Justice Proposed Rule on Preventing Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern
regulatory engagement us privacy
CIPL Response to the California Civil Rights Council’s (CCRC) First Modifications to Initial Text of Proposed Modifications to Employment Regulations Regarding Automated-Decision Systems
regulatory engagement us privacy
Getting the Best Outcomes: Pathways for Data Protection and Privacy Authorities
regulatory engagement
The paper, written in partnership with Richard Thomas CBE, raises two fundamental questions for data protection authorities: What should DPAs be doing and prioritizing? How should they be doing it? While these questions are not easy to answer, they are essential to explore. Building on our previous work, including the Regulating for Results Paper (2017) […]
Age Assurance & Age Verification Laws in the United States
us privacy
Legislation requiring the use of age assurance or age verification measures to promote safe online experiences for children and young people is gaining traction in the United States. At the time of publishing, 21 states have enacted laws with age assurance provisions, but there remains little agreement among states regarding the methods or tools to […]
Data Minimization in the United States’ Emerging Privacy Landscape: Comparative Analysis and Exploration of Potential Effects
us privacy
We published this discussion paper as part of a series on emerging privacy laws in the United States to offer analysis and recommendations to policymakers for safeguarding consumer data privacy and enhancing responsible data practices. First, this paper analyzes the data minimization requirements in US state privacy laws and the proposed American Privacy Rights Act […]
CIPL Response to the CCRC’s Proposed Modifications to Employment Regulations Regarding Automated-Decision Systems
regulatory engagement
Suggested Enhancements to “Commission-Approved Compliance Guidelines” in the American Privacy Rights Act
us privacy
On April 7, 2024, Senate Commerce Committee Chair Maria Cantwell and House Energy and Commerce Committee Chair Cathy McMorris Rodgers released a discussion draft of the American Privacy Rights Act (APRA), a comprehensive federal consumer privacy framework built on prior congressional efforts including the American Data Privacy and Protection Act (ADPPA). On May 21, 2024, […]
Automated Decisionmaking and Profiling (ADM) Requirements in U.S. State Privacy Laws, and Current State of Play in State AI Regulations
us privacy
In this paper, we examine requirements regarding automated decisionmaking and profiling included in comprehensive state privacy laws. This report also explores notable state-level AI regulations. Our goal is to help state lawmakers and policymakers in the US advance the principles of privacy and data protection in a more consistent and manageable way. Key recommendations include: […]
Leveraging Data Responsibly: Why Boards and the C-Suite Need to Embrace a Holistic Data Strategy
accountability digital responsibility
In this white paper, CIPL proposes a roadmap for building a holistic data strategy that seeks to align the Board and C-suite on data-driven initiatives and provide a framework for promoting innovative and responsible uses of data, including the development and deployment of powerful AI technologies.
Building Accountable AI Programs: Mapping Emerging Best Practices to the CIPL Accountability Framework
ai accountability #aikeywork
This report showcases how 20 leading organizations are developing accountable AI programs and best practices on the ground. Our research shows that organizational accountability is fundamental to the responsible development and deployment of AI. Organizations recognize the need to demonstrate AI accountability as a business imperative, especially as the expectations of consumers, business partners, shareholders, […]
CIPL Comparison of US State Privacy Laws Data Protection Assessments
us privacy
With the proliferation of privacy laws across various states in the US, companies with limited budgets and resources are seeking ways to synthesize requirements and harmonize compliance obligations across jurisdictions. To address this challenge, CIPL has launched a project aimed at identifying areas of alignment and divergence between state laws, and examining the compliance challenges […]
CIPL Response to NIST’s Request for Information Related to its Assignments under Sections 4.1, 4.5 and 11 of the Executive Order Concerning Artificial Intelligence
regulatory engagement
CIPL Response to the OMB’s Request for Comments on its Proposed Memorandum on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence
regulatory engagement
Ten Recommendations for Global AI Regulation
ai regulatory engagement #aikeywork
Drawing on CIPL’s years of experience as a thought leader and our extensive engagement with private sector leaders developing and deploying AI technologies, policymakers, and regulators, CIPL offers in this paper ten recommendations to guide AI policymaking and regulation to enable accountable, responsible, and trustworthy AI. These ten recommendations encapsulate CIPL’s view on a layered […]
CIPL Response to NTIA Request for Comment on AI Accountability Policy
regulatory engagement us privacy
CIPL Response to the California Privacy Protection Agency’s Draft CCPA Updates, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology (ADMT) Regulations
regulatory engagement us privacy
CIPL Response to NTIA Privacy, Equity and Civil Rights Request for Comment
regulatory engagement us privacy
Cisco-CIPL Report on Business Benefits of Investing in Data Privacy Management Programs
accountability digital responsibility
This study by the Centre for Information Policy Leadership (CIPL) and the Privacy Center of Excellence at Cisco explores the business benefits and return on investment (ROI) of DPMPs. In particular, the study demonstrates that organizations are experiencing a wide range of benefits from investing in DPMPs. These include risk management and compliance benefits, as […]
CIPL Response to the FTC’s ANPR on Commercial Surveillance and Data Security
regulatory engagement
CIPL Study Mapping the APEC CBPR System and EU-US Privacy Shield Requirements to the Provisions of the UK GDPR
cbpr cross-border data transfers data sharing
This document presents a comparison of the APEC Cross-Border Privacy Rules (CBPR) Requirements and the EU-U.S. Privacy Shield Requirements to the requirements of the UK General Data Protection Regulation (GDPR). For purposes of this analysis, we analyzed relevant documents pertaining to participation in both the CBPR and Privacy Shield certification system. We present recommendations, as […]
Organizational Accountability in Data Protection Enforcement – How Regulators Consider Accountability in their Enforcement Decisions
regulatory engagement accountability
Promoting organizational accountability among all organizations that process personal data has been one of the Centre for Information Policy Leadership’s (CIPL) main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper […]
Organizational Accountability in Data Protection Enforcement – How Regulators Consider Accountability in their Enforcement Decisions
regulatory engagement
Promoting organizational accountability among all organizations that process personal data has been one of CIPL’s main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper elaborates specifically on […]
CIPL-DSCI Report on Enabling Accountable Data Transfers from India to the United States under India’s Proposed Personal Data Protection Bill
data sharing cross-border data transfers india
Data flows between India and the United States are of unquestionable value to India’s modern digital economy and society. According to a 2019 digital trade report from the Hinrich Foundation, digital trade contributed $32.5 billion to India’s domestic economy in 2017. The report further notes that this has the potential to grow to $480 billion […]
Looking Beyond COVID-19: Future Impacts on Data Protection and the Role of the Data Protection Authorities
regulatory engagement
The COVID-19 crisis imposed a wide range of immediate and likely long-term impacts on organizations, governments, regulators, people and society at large. Many of them could stay with us beyond the immediate crisis and change the way we all live, work and interact. These impacts likely will also be felt in data privacy – […]
What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework
ai accountability
CIPL has a long history of exploring accountability-based information management and privacy governance. As part of our work on enabling innovation while also protecting privacy, we are currently exploring how to further develop and improve the existing concept of accountability to maximize both goals. This report consolidates the findings of CIPL’s Accountability Mapping Project launched […]
Hard Issues and Practical Solutions
ai #aikeywork
The rise and rapid expansion of Artificial Intelligence technology is one of the main features of the Fourth Industrial Revolution. Its transformational potential for our digital society and ability to drive benefits for citizens, governments and organizations is unparalleled. To realize this potential and ensure its sustainability, we must build AI on a foundation of […]
What Does the USMCA Mean for a US Federal Privacy Law?
us privacy
CIPL Response to the FTC’s Review of COPPA Rule
regulatory engagement us privacy FTC
Organizational Accountability in Light of FTC Consent Orders
us privacy
Organisational Accountability – Past, Present and Future
accountability
Organisational accountability is a powerful tool in the hands of the political and business leaders that are shaping 21st century Europe. It places the responsibility for ethical behavior and the protection of individuals on the organizations that are best placed to achieve it. This report argues that accountability is a scalable and transferrable concept that can be implemented by […]
Q&A on Organisational Accountability in Data Protection
accountability
Promoting organizational accountability among all organizations that process personal data has been one of the Centre for Information Policy Leadership’s (CIPL) main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper […]
Organizational Accountability – Existence in US Regulatory Compliance and its Relevance for a US Federal Privacy Law
us privacy
Ten Principles for a Revised US Privacy Framework
us privacy
Our economies and societies are in the midst of the 4th industrial revolution, with digitalization and datafication transforming the way we live, work and interact. This transformation has brought into sharp focus the question of how we should regulate data use, governance and privacy to enable us to reap the benefits of data driven innovation […]
Regulatory Sandboxes in Data Protection – Constructive Engagement and Innovative Regulation in Practice
regulatory engagement
What is a “Regulatory Sandbox”? How could it contribute to high standards of data protection and privacy and promote innovation? What are the challenges and problems? What safeguards are needed? Why would regulators and organizations want to participate in a Sandbox? In this white paper, we set out the key features of the concept. Essentially, […]
Learning from the GDPR: What Elements Should the US Adopt?
us privacy
CIPL Response to US National Telecommunications and Information Administration’s (NTIA) Request for Comment on “Developing the Administration’s Approach to Consumer Privacy”
regulatory engagement us privacy NTIA
Artificial Intelligence and Data Protection in Tension
ai
This report introduces artificial intelligence and some of the technologies enabled by it, as well as some of the challenges and tensions between artificial intelligence and existing data protection laws and principles. The challenges to data protection presented by AI are frequently remarked on but are often addressed only at a surface level. There is […]
Introducing Two New CIPL Papers on The Central Role of Organisational Accountability in Data Protection
accountability
This short paper introduces two CIPL papers on the topic of organisational accountability – The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society and The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society. It outlines the goals of these other papers, […]
The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society
accountability
It is essential that there is consensus and clarity on the precise meaning and application of organisational accountability among all stakeholders, including organisations implementing accountability and data protection authorities (DPAs) overseeing accountability. Without such consensus, organisations will not know what DPAs expect of them and DPAs will not know how to assess organisations’ accountability-based privacy […]
Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability
accountability
The objectives of this second paper in our Accountability series are, first, to make the case for specifically incentivising organisational accountability and, second, to provide specific suggestions for what such incentives might be. Importantly, the objective in promoting an approach of incentivising accountability is not to weaken or hinder the powers of data protection authorities […]
Regulating for Results: Strategies and Priorities for Leadership and Engagement
regulatory engagement
The ecosystem for regulating data protection and privacy is changing rapidly, and not just within the EU. For many years CIPL has championed the role of accountable organizations and the merits of a risk-based approach. We now turn to the “plumbing” of the system as a whole and consider how its component parts can best […]