Resources
DRAFT – Mapping Updated Global CBPR and Global PRP Systems’ Program Requirements to the GDPR
data sharing gdpr cross-border data transfers cbpr
In this Draft Mapping Report, CIPL examines the European Union’s General Data Protection Regulation (GDPR) to assess whether—and to what extent—the GDPR aligns with the Global CBPR Program Requirements (updated in 2026) and the existing Global PRP Program Requirements. The analysis shows that 72% of the 2026 Global CBPR Program Requirements fully align with provisions […]
Policy Meets Practicality: Aligning Policy and Engineering to Support Good Privacy Design – Key Takeaways
As privacy engineering plays a critical role in responding to sociotechnical challenges in personal data processing, organizations must operationalize privacy in a scalable and accountable manner. The IEEE Digital Privacy Initiative and Centre for Information Policy Leadership (CIPL) hosted a roundtable in December 2025 to discuss how internal organizational governance and public policy can together […]
CIPL EU Simplification Workshop Project – Workshop I Report: Recommendations on the Digital Omnibus on AI Regulation
EU europe simplification
This report is based on our first technical workshop for CIPL’s Simplification Project. The workshop was focused on the proposed AI Act Omnibus and explored targeted amendments that could simplify implementation while preserving the AI Act’s objectives: enabling trustworthy, human-centric AI and innovation, while protecting health, safety, fundamental rights, and the environment. The report highlights […]
CIPL Response to the European Commission and the European Data Protection Board Public Consultation on the Draft Joint Guidelines on the Interplay between the GDPR and the DMA
regulatory engagement EU
CIPL welcomes the opportunity to comment on the joint draft Guidelines of the European Commission and the European Data Protection Board (EDPB) on the Interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). CIPL appreciates the cooperative nature of these draft Guidelines and the collaboration of the European Commission and […]
Legitimate Interests for Data in AI Training – The DPO Perspective
ai artificial intelligence
Since 2019, CIPL has been spearheading work to interpret the legal basis for processing personal data under data protection laws as well as apply data protection laws and principles to AI technologies. Building on this, CIPL has spent the last year convening a select group of Data Protection Officers from leading companies in an initiative […]
Reconciling AI with the Data Minimization Principle: Bridging the Innovation and Privacy Gap
ai artificial intelligence
While AI technologies are not new, the advent and update of generative AI have prompted regulators and policymakers to renew their focus on their governance. In the context of privacy and data protection, this has led to debate on how data protection principles apply to AI, what new risks these systems may present, and how […]
CIPL Response to the Notice of Proposed Rulemaking from New York’s Office of the Attorney General Regarding the Stop Addictive Feeds for Kids Act
regulatory engagement childrens privacy
Key Takeaways – Privacy Engineering: Aligning Technology, Principles, and Governance Roundtable
engineering
CIPL’s Big Ideas for Simplification of Europe’s Digital Rulebook
EU europe
Europe’s digital laws are ambitious. But as GDPR, ePrivacy, DSA, DMA, AI Act and NIS2 converge, organisations and regulators face duplicated reporting, parallel risk assessments and contradictory expectations. CIPL’s Big Ideas for Simplification of Europe’s Digital Rulebook provide twenty-seven targeted proposals to join up Europe’s digital frameworks while maintaining the highest standards of protection. Our […]
A Multi-Stakeholder Dialogue on Age Assurance: Considerations Towards an Interoperable Age Assurance Framework
childrens privacy
These key takeaways come from a roundtable held on June 13 in Brussels, in collaboration with the WeProtect Global Alliance. CIPL and WeProtect explored what a broader, interoperable framework for age assurance could look like, while ensuring privacy, user autonomy, and transparency. Key takeaways from the Workshop on Interoperability: Key elements that could still be […]
Proposal for a Wallet/Credential Manager Framework for Age Assurance Solutions
childrens privacy
Following our series of Multistakeholder Dialogue workshops on Age Assurance, CIPL and WeProtect produced this paper to explore what a broader, interoperable framework for age assurance could look like, while ensuring privacy, user autonomy, and transparency.
Comparison of US State Privacy Laws: Defining Covered and Sensitive Data
us privacy framework us privacy
This paper examines how different state laws define personal information and “sensitive data” – foundational concepts that determine the scope of compliance obligations, regulatory triggers, and individual rights – as the landscape of U.S. privacy regulations continues to evolve in the absence of a federal privacy framework. The paper specifically analyzes common approaches and key […]
Agentic AI: Fostering Responsible and Beneficial Development and Adoption
ai
Agentic AI has the potential to transform business processes and customer experience across a range of industries. Companies are working to rapidly scale their investment, development, and adoption of agentic AI to help better serve customers and reap benefits, such as greater productivity and efficiency, optimization of organizational resources, and personalization of products and services. […]
CIPL Response to the EDPB Draft Guidelines on the Interplay Between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR)
regulatory engagement EU
Clear, concise, and practical regulatory guidance is essential for organisations, as it provides the legal certainty needed to navigate an increasingly complex and overlapping regulatory landscape. This is particularly important in cases of legislative overlap, where the jurisdictions and competencies of multiple regulators may intersect. CIPL supports the clarification the draft guidelines make, that the […]
CIPL In Focus: Children – Beyond Children’s Privacy – A Candid Look at Best Practices for Child Safety and Wellbeing
children childrens privacy
On October 29, 2025, the Centre for Information Policy Leadership (CIPL) hosted an immersive, full-day roundtable—an exclusive “CIPL In Focus” event—to examine the practical and legal challenges stemming from legislative and regulatory efforts to make the internet a safer space for children and teens. The event was held at Snap Inc.’s conference facilities in Santa […]
CIPL Submission on the European Commission’s Call for Evidence on the Digital Fairness Act
regulatory engagement EU EU Commission
In this submission, CIPL supports the Commission’s commitment to strengthening the high level of consumer protection in the digital environment. As the Fitness Check of EU Consumer Law on Digital Fairness concluded, it is imperative that: “existing consumer protection rules remain relevant and necessary to ensure a high level of consumer protection and effective functioning […]
Learning from Practice: Designing Effective Regulatory Sandboxes
regulatory engagement
This paper examines sandbox initiatives across multiple jurisdictions, including in AI, data protection and financial services, to identify the core success factors that make these models effective. It distils these insights into practical recommendations for regulators designing and operating sandboxes and for participating organisations. Building on this analysis, the paper considers the specific context of […]
Global CBPR & Global PRP Systems Playbook: An Actionable Guide for Participation in the Global Cross-Border Privacy Rules and the Global Privacy Recognition for Processors
data sharing cross-border data transfers cbpr
What are the Global Cross-Border Privacy Rules (Global CBPR)? What is the Global Privacy Recognition for Processors (Global PRP)? How do these systems work? What benefits do they provide to businesses and individuals alike? These questions and more are addressed in CIPL’s Global CBPR & Global PRP Systems Playbook, which explains how these programs provide […]
Rethinking Sensitive Data in the Age of AI
ai
Building on CIPL’s ongoing work at the intersection of data protection, AI, and organizational accountability, our latest paper takes a deep dive into the evolving role of sensitive data in AI systems. As AI technologies become more advanced and widely adopted, existing legal frameworks often restrict the use of sensitive data, even when it is […]
CIPL Response to the Proposed Rules for the New Jersey Data Privacy Act
regulatory engagement us privacy
CIPL Response to the US House Financial Services Committee on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals
regulatory engagement financial services us privacy
CIPL Response to Canada OPC Exploratory Consultation on the Children’s Privacy Code
regulatory engagement canada children
CIPL Response to the Office of the Australian Information Commissioner’s Office (OAIC) Consultation on the Children’s Online Privacy Code
regulatory engagement australia children
CIPL Response to Colorado’s Pre-Rulemaking Considerations for the Children’s Privacy Amendment
regulatory engagement children colorado
CIPL Recommendations for the Application of Data Protection Principles to GenAI Systems that Process Personal Data
artificial intelligence
CIPL Response to the Consultation on the Implementation of the Global Cross-Border Privacy Rules Forum Certifications in Canada
regulatory engagement canada
Digital Advertising in Europe: Its Impact in Numbers Infographic
digital advertising
CIPL In Focus – Beyond Compliance: Data Governance as a Business Enabler and Trust Builder – Key Takeaways
On June 4, the CIPL hosted its first-ever “CIPL In Focus”—an immersive, full-day event for senior-level professionals to examine in-depth the operational challenges related to a given issue and to share practical approaches for overcoming those challenges. The fast-moving, thought-provoking discussion focused on the future of privacy, data governance, and responsible innovation. The conversation looked […]
CIPL Response to the NIST Privacy Framework 1.1 Initial Public Draft
regulatory engagement us privacy
Key Takeaways: Innovation, AI and Data Protection – Smart Regulation in a Changing World
ai
Enabling responsible innovation to advance economic growth has become central to the global discussions on privacy and digital policy. As the digital landscape rapidly evolves, policymakers worldwide are exploring pro-innovation approaches to regulate emerging technologies effectively without stifling innovation. On 1 April 2025, CIPL held a roundtable on ‘Smart Regulation in a Changing World’ to […]
CIPL Comments on the California Privacy Protection Agency’s Notice of Modifications to Text of Proposed Regulations and Additional Materials Relied Upon
regulatory engagement us privacy
AI Act Article 4: AI Literacy Best Practices and Recommendations for Practitioners
ai EU ai act
As a first part of CIPL’s EU AI Act Implementation Project and in conjunction with ongoing research on the responsible and accountable development and deployment of artificial intelligence systems, CIPL has identified Article 4 AI literacy best practices and recommendations for practitioners. AI Literacy Best Practices for Whom? These best practices can be adapted and […]
From Here to Eternity: Foundations for Future-Ready Data Policy and Organizational Governance – CIPL 2025 Annual Summit
CIPL held its Annual Summit in Washington, DC on March 4-5, 2025. With more than 100 attendees, it was CIPL’s largest Summit ever. Participants included leaders from CIPL member companies, regulators and policymakers from a range of jurisdictions, and experts on data and technology policy from academia and the non-governmental sector. Both days of the […]
CIPL’s Accountability Wheel
accountability
Organizational accountability is recognized as a key building block of effective privacy and data protection regulation and compliance. A well-developed, comprehensive accountability framework or program provides organizations with the tools and processes needed to implement relevant legal requirements and standards, as well as internal ethics standards and other internal “best practice” goals. CIPL’s Accountability Framework […]
Key Takeaways: GDPR Procedural Regulation – One Year Later – Where Are We Now?
gdpr
As trilogue negotiations on the GDPR Procedural Regulation approach the end, CIPL is sharing key takeaways from our recent roundtable in Brussels which brought together leading regulators and organizations for a constructive dialogue on the state of play of GDPR enforcement. CIPL has consistently highlighted potential challenges and benefits concerning this file from the very […]
Ten Principles for a U.S. Privacy Law
us privacy
Earlier this year, the U.S. Congress signaled its intent to take a fresh look at the potential elements of a U.S. federal privacy law. CIPL submitted a detailed comment to the House Committee on Energy and Commerce Data Privacy Working Group on April 7th in response. Following this, we created this summary of our views […]
The Benefits of Digital Advertising in Europe Infographic
digital advertising
CIPL Response to House Data Privacy Working Group RFI Concerning Potential US Federal Privacy Law
regulatory engagement us privacy
Key Takeaways: A Multi-Stakeholder Dialogue on Age Assurance – Working Group on Law and Regulation
childrens privacy
Digital Advertising in Europe: Key Data Infographic
digital advertising
Privacy-Enhancing and Privacy-Preserving Technologies in AI: Enabling Data Use and Operationalizing Privacy by Design and Default
PETs digital economy
As part of CIPL’s research on PETs, this paper provides an in-depth exploration of how PETs can and are being deployed to address privacy concerns specifically within AI systems. The paper describes how these technologies can help operationalize privacy by design and by default when developing AI systems, and also serve as key business enablers, […]
The Impact of Digital Advertising on Europe’s Competitiveness: A Study on the Role of Digital Advertising in Europe
digital economy digital advertising
This CIPL report, based on research by Public First, commissioned by Google, highlights how digital advertising plays a significant role in supporting European competitiveness, particularly for small and medium-sized businesses (SMBs). This survey of 4,287 EU SMBs across 13 countries found that 86% attributed revenue growth directly to digital advertising, in particular personalised advertising. The […]
CIPL Response to the Office of Science and Technology Policy’s Request for Information on the Development of an Artificial Intelligence (AI) Action Plan
ai regulatory engagement us privacy
CIPL Response to FTC’s Notice of Proposed Rulemaking on the Children’s Online Privacy Protection Rule
regulatory engagement
CIPL Response to the European Data Protection Board’s Public Consultation on Draft Guidelines 01/2025 on Pseudonymisation
regulatory engagement EU
CIPL Response to the California Privacy Protection Agency’s Draft CCPA Updates, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology (ADMT) Regulations
regulatory engagement us privacy
How to Build Accountable AI Programs: Leadership and Oversight Guide
ai infographic
Digital Markets Act in Practice – Are We Heading in the Right Direction? Where Contestability Meets Security
DMA
The European Union’s Digital Markets Act (DMA) represents one of the most ambitious regulatory interventions in the digital economy to date. It was intended to empower consumers and to level the market playing field to foster innovation, growth, and competitiveness in the EU. To achieve this, the DMA introduced a number of strict obligations on […]
CIPL Response to the UK Department for Science, Innovation and Technology (DSIT)’s Consultation on the AI Management Essentials (AIME) Tool
regulatory engagement UK
CIPL Response to Brazil’s ANPD Consultation on Artificial Intelligence and Automated Decisions (Art. 20)
regulatory engagement brazil
CIPL Response to the European Data Protection Board’s Public Consultation on Draft Guidelines 02/2024 on Article 48 GDPR
regulatory engagement EU
A Multi-Stakeholder Dialogue on Age Assurance – Working Group on Risk Assessments: Key Takeaways & Next Steps
childrens privacy
These key takeaways from CIPL’s Multi-Stakeholder Dialogue on Age Assurance – Working Group on Risk Assessments, held on 19 September 2024 in Brussels and online, in collaboration with the WeProtect Global Alliance, highlight the following themes from the discussion: Identifying current challenges; Overarching considerations; Balancing safety and privacy; Implementing accountability and governance measures; Embedding risk […]
Legislative Developments Under the EU’s Digital Strategy
infographic
Key Takeaways – A Multi-Stakeholder Dialogue on Age Assurance – Working Group on Global & Regional Perspectives
childrens privacy
This roundtable, hosted in partnership with the WeProtect Global Alliance, brought together leaders from industry, academia, and civil society as part of our Working Group on Global & Regional Perspectives on Age Assurance to explore global and regional perspectives on age assurance, particularly in the context of emerging legislation in the United States. While the […]
Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators
ai #aikeywork
In this discussion paper, CIPL considers the following key privacy and data protection concepts and explores how they can be effectively applied to the development and deployment of genAI models and systems: Fairness; Collection limitation; Purpose specification; Use limitation; Individual rights; Transparency; Organizational accountability; and Cross-border data transfers. The analysis in this paper builds on […]
The Limitations of Consent as a Legal Basis for Data Processing in the Digital Society
digital economy
Drawing largely from the experience under the GDPR and several EU digital laws, CIPL partnered with Bae, Kim & Lee LLC on this paper to make the case for shifting away from over-reliance on consent and exploring, instead, other legal bases such as contractual necessity and legitimate interest. The paper argues that to ensure the […]
CIPL Response to US Department of Justice Proposed Rule on Preventing Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern
regulatory engagement us privacy
CIPL Response to the Japan Fair Trade Commission’s Request for Information and Comments Concerning Generative AI and Competition
regulatory engagement japan
CIPL Response to the European Data Protection Board’s Public Consultation on Draft Guidelines 1/2024 on the Processing of Personal Data Based on Article 6(1)(f) GDPR
regulatory engagement EU
CIPL Response to the California Civil Rights Council’s (CCRC) First Modifications to Initial Text of Proposed Modifications to Employment Regulations Regarding Automated-Decision Systems
regulatory engagement us privacy
Getting the Best Outcomes: Pathways for Data Protection and Privacy Authorities
regulatory engagement
The paper, written in partnership with Richard Thomas CBE, raises two fundamental questions for data protection authorities: What should DPAs be doing and prioritizing? How should they be doing it? While these questions are not easy to answer, they are essential to explore. Building on our previous work, including the Regulating for Results Paper (2017) […]
Decoding Responsibility in the Era of Automated Decisions: Understanding the Implications of the CJEU’s SCHUFA Judgment
digital economy financial services
On December 7th, 2023, the Court of Justice of the European Union (CJEU) ruled that SCHUFA, a credit rating agency, played a “determining role” in a lender’s decision to deny a loan application. The CJEU found that SCHUFA’s role, i.e. providing credit scores, qualified as a “decision” under Article 22 of the GDPR. The court […]
CIPL Response to the ICO’s Fifth Consultation on Allocating Controllership Across the Generative AI Supply Chain
regulatory engagement UK ICO
CIPL Response to CNIL How-To Sheets on the Development of Artificial Intelligence Systems
regulatory engagement
Age Assurance & Age Verification Laws in the United States
us privacy
Legislation requiring the use of age assurance or age verification measures to promote safe online experiences for children and young people is gaining traction in the United States. At the time of publishing, 21 states have enacted laws with age assurance provisions, but there remains little agreement among states regarding the methods or tools to […]
From Barriers to Bridges: Cloud Computing in Support of Privacy and Security
digital economy cloud computing
In the modern economy, cloud computing continues to be a transformative technology for digital societies, enabling digital transformation while at the same time driving privacy, security and economic efficiencies. Nevertheless, the use of cloud services increasingly faces significant scrutiny in the European Union. Some of the concerns related to geopolitical tensions and supply chain control […]
CIPL Response to the European AI Office’s Multi-Stakeholder Consultation on Trustworthy General-Purpose AI
regulatory engagement EU
CIPL Response to Office of the Privacy Commissioner of Canada’s (OPC) Exploratory Consultation on Privacy & Age Assurance
regulatory engagement
CIPL Response to the European Commission’s Request for Good Practices for the Guidelines Under Article 28 of the Digital Services Act
regulatory engagement
This CIPL Response is not publicly available.
Data Minimization in the United States’ Emerging Privacy Landscape: Comparative Analysis and Exploration of Potential Effects
us privacy
We published this discussion paper as part of a series on emerging privacy laws in the United States to offer analysis and recommendations to policymakers for safeguarding consumer data privacy and enhancing responsible data practices. First, this paper analyzes the data minimization requirements in US state privacy laws and the proposed American Privacy Rights Act […]
Key Takeaways from a Multi-Stakeholder Dialogue on Age Assurance – Law and Regulation
childrens privacy
On 11th July 2024, CIPL and the WeProtect Global Alliance hosted the second multi-stakeholder dialogue in an ongoing global dialogue involving key stakeholders on age assurance. This second multi-stakeholder dialogue served as the inaugural meeting of the law and regulation working group, which was formed to drive the development of consensus-based principles that can inform […]
CIPL Response to the CCRC’s Proposed Modifications to Employment Regulations Regarding Automated-Decision Systems
regulatory engagement
PETs: The Uses, Benefits, Limitations & Solutions Guide
PETs guide
CIPL Response to the ICO’s 4th Consultation on Engineering Individual Rights into Generative AI Models
regulatory engagement UK ICO
Suggested Enhancements to “Commission-Approved Compliance Guidelines” in the American Privacy Rights Act
us privacy
On April 7, 2024, Senate Commerce Committee Chair Maria Cantwell and House Energy and Commerce Committee Chair Cathy McMorris Rodgers released a discussion draft of the American Privacy Rights Act (APRA), a comprehensive federal consumer privacy framework built on prior congressional efforts including the American Data Privacy and Protection Act (ADPPA). On May 21, 2024, […]
The GDPR’s First Six Years: Positive Impacts, Remaining Implementation Challenges, and Recommendations for Improvement
gdpr
The GDPR has been an important tool for protecting individuals’ privacy and has substantially elevated data protection awareness globally. Its impact can be seen in many data protection laws around the world, as well as in the global privacy compliance and data management programs of many multinational organizations that use the GDPR as their baseline […]
Automated Decisionmaking and Profiling (ADM) Requirements in U.S. State Privacy Laws, and Current State of Play in State AI Regulations
us privacy
In this paper, we examine requirements regarding automated decisionmaking and profiling included in comprehensive state privacy laws. This report also explores notable state-level AI regulations. Our goal is to help state lawmakers and policymakers in the US advance the principles of privacy and data protection in a more consistent and manageable way. Key recommendations include: […]
A Multi-Stakeholder Dialogue on Age Assurance: Key Takeaways
childrens privacy
Digital age assurance is a complex and sensitive issue, requiring a careful balancing of rights and risks. In order to better understand the current state of play – challenges and opportunities – and to advance a holistic and principles-based approach, CIPL partnered with the WeProtect Global Alliance to host a series of workshops which brought […]
Data Sharing Obligations Under the DMA: Challenges and Opportunities
digital economy DMA
This third paper in our series analyzing the Digital Markets Act assesses the operational consequences of the DMA obligations for gatekeepers and organizations receiving or getting access to personal data, specifically in the context of Art. 6(9) of the DMA. The article mandates the portability of data provided or generated by a user from a […]
Enabling Benefits and Safe Uses of Biometric Technology Through Risk-Based Regulations
digital economy biometrics
Biometric technologies have emerged as important tools for security, safety, convenience and accessibility. Many of the use cases enabled by biometric technologies are of unquestionable benefit to businesses, individuals, and society, particularly when combined with other emerging technologies such as artificial intelligence, machine learning, and privacy-enhancing technologies. However, certain applications can present challenges and risks […]
CIPL Response to ICO’s 2nd Consultation on Purpose Limitation in the Generative AI Lifecycle
regulatory engagement UK ICO
Leveraging Data Responsibly: Why Boards and the C-Suite Need to Embrace a Holistic Data Strategy
accountability digital responsibility
In this white paper, CIPL proposes a roadmap for building a holistic data strategy that seeks to align the Board and C-suite on data-driven initiatives and provide a framework for promoting innovative and responsible uses of data, including the development and deployment of powerful AI technologies.
CIPL Response to ICO Consultation on the Lawful Basis for Web Scraping to Train Generative AI Models
regulatory engagement UK ICO
Building Accountable AI Programs: Mapping Emerging Best Practices to the CIPL Accountability Framework
ai accountability #aikeywork
This report showcases how 20 leading organizations are developing accountable AI programs and best practices on the ground. Our research shows that organizational accountability is fundamental to the responsible development and deployment of AI. Organizations recognize the need to demonstrate AI accountability as a business imperative, especially as the expectations of consumers, business partners, shareholders, […]
The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach
data sharing cross-border data transfers
Since the CJEU Schrems II Judgment in July 2020, European data protection authorities (DPAs) in the EU have developed a “zero risk” theory in relation to Chapter V of the General Data Protection Regulation (GDPR). They have been asking data controllers and processors that transfer personal data outside the EU to “eliminate” all risks of […]
CIPL Response to Office of the Privacy Commissioner of Canada’s Draft Guidance for Processing Biometrics
regulatory engagement canada
CIPL Comparison of US State Privacy Laws Data Protection Assessments
us privacy
With the proliferation of privacy laws across various states in the US, companies with limited budgets and resources are seeking ways to synthesize requirements and harmonize compliance obligations across jurisdictions. To address this challenge, CIPL has launched a project aimed at identifying areas of alignment and divergence between state laws, and examining the compliance challenges […]
CIPL Response to NIST’s Request for Information Related to its Assignments under Sections 4.1, 4.5 and 11 of the Executive Order Concerning Artificial Intelligence
regulatory engagement
CIPL Response to the EDPB Public Consultation on Draft Guidelines 02/2023 on the Technical Scope of Art. 5(3) of ePrivacy Directive
regulatory engagement EU
CIPL Comments on Brazilian Senate Bill No. 2338
regulatory engagement brazil
CIPL Publishes its Year in Review, 2023
blog
As we look forward to a new year of delivering cutting-edge thought leadership on data protection, accountable governance and privacy, CIPL has published a compilation of everything we were able to accomplish in 2023. Last year, we published 16 white papers, 15 public consultations, and 11 infographics. We delivered 38 roundtables and workshops, over 60 […]
CIPL Releases Paper on Privacy-Enhancing and Privacy-Preserving Technologies: Understanding the Role of PETs and PPTs in the Digital Age
blog
On December 12, 2023, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) released a new white paper on Privacy-Enhancing and Privacy-Preserving Technologies: Understanding the Role of PETs and PPTs in the Digital Age. The paper explores how organizations are approaching PETs, how PETs can advance data protection principles and provides examples […]
Privacy-Enhancing and Privacy-Preserving Technologies: Understanding the Role of PETs and PPTs in the Digital Age
PETs digital economy
Privacy-enhancing technologies (PETs) and privacy-preserving technologies (PPTs) generally refer to innovations that facilitate the processing and use of data in a way that preserves the privacy of individuals whose data is being used. These technologies not only enhance privacy protections, but also maintain the informational value of data to varying degrees. This White Paper: Provides […]
CIPL Response to the OMB’s Request for Comments on its Proposed Memorandum on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence
regulatory engagement
CIPL Response to the ICO Consultation on Draft Guidance on Biometric Data
regulatory engagement biometrics UK ICO
CIPL Comments to ANPD Draft Regulations for International Data Transfers
regulatory engagement brazil
CIPL Releases Paper on Ten Recommendations for Global AI Regulation
blog
On September 29, 2023, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) released a new paper on its Ten Recommendations for Global AI Regulation. The paper is part of CIPL’s Accountable AI project and follows several earlier contributions including Artificial Intelligence and Data Protection in Tension (October 2018), Hard Issues and Practical […]
Data Sharing Between Public and Private Sectors: When Local Governments Seek Information from the Sharing Economy
digital economy data sharing
This paper addresses the growing trend of localities requesting (and sometimes mandating) that data collected by the private sector be shared with the localities themselves. Such requests are generally not in the context of law enforcement or national security matters, but rather are part of an effort to further the public interest or promote a […]
Ten Recommendations for Global AI Regulation
ai regulatory engagement #aikeywork
Drawing on CIPL’s years of experience as a thought leader and our extensive engagement with private sector leaders developing and deploying AI technologies, policymakers, and regulators, CIPL offers in this paper ten recommendations to guide AI policymaking and regulation to enable accountable, responsible, and trustworthy AI. These ten recommendations encapsulate CIPL’s view on a layered […]
CIPL Response to EU Commission Public Consultation on GDPR Procedural Regulation
regulatory engagement EU
CIPL Comments on Digital Market Competition Headquarters’ Final Report on Competition within the Mobile Ecosystem
regulatory engagement japan
International Data Flows – Cross Border Privacy Rules, Privacy Recognition for Processors, and Global CBPR and PRP
cross-border data transfers cbpr prp
This document addresses commonly asked questions about the Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, which are data transfer mechanisms developed by the Asia-Pacific Economic Cooperation (APEC) member economies. CBPR and PRP operationalize the nine Privacy Principles set forth in the 2005 APEC Privacy Framework. In 2022, several APEC economies established […]
CIPL Response to the DSIT Consultation on the Pro-Innovation Approach to AI Regulation
regulatory engagement UK
CIPL Response to NTIA Request for Comment on AI Accountability Policy
regulatory engagement us privacy
Limiting Legal Basis for Data Processing Under the DMA: Considerations on Scope and Practical Consequences
digital economy DMA
This paper takes an in-depth look at open questions regarding the seeming limitation by the DMA of legal bases available for certain processing of personal data and whether the DMA should consequently be considered as a lex specialis to the GDPR. The paper examines ambiguities related to the scope of DMA in terms of personal […]
CIPL Response to the ICO Consultation on the Draft Guidance for ‘Likely to be Accessed’ in the context of the Children’s Code
regulatory engagement UK ICO
CIPL Response to the Australia Attorney-General’s Privacy Act Review Report
regulatory engagement
CIPL-TLS Discussion Paper I: The Real Life Harms of Data Localization Policies
data sharing cross-border data transfers
Data underpins the digital transformation of our economies and society. It can be considered one of the most valuable economic assets – responsible use of data enables economic growth and brings benefits and progress to people, governments, and societies at large. Data is also central to governmental and societal interests, such as national security, cyber […]
CIPL-TLS Discussion Paper II: Data Localization and Government Access to Data Stored Abroad
data sharing cross-border data transfers
In this paper, TLS explores one rationale that some proponents of localization have advanced: that localization will insulate companies from foreign governments’ ability to legally compel access to their data. We examine not only the legal framework in the United States (U.S.), but also those of other countries, and conclude that legal systems, in general, […]
CIPL Response to the California Privacy Protection Agency’s Draft CCPA Updates, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology (ADMT) Regulations
regulatory engagement us privacy
CIPL Response to European Commission Call for Evidence – GDPR Procedural Rules Harmonization
regulatory engagement EU
To Solve Cross-Border Data Flows We Need Pragmatic Solutions to Build Trust
blog
Cross-border data flows are vital to people in their everyday lives and to every aspect of the global economy and society, from commerce to communications, finance, health, research, and critical functions like cybersecurity and fraud prevention. The COVID-19 pandemic elevated data flows’ importance across domains central to our personal lives, including education, health care, and […]
Age Assurance and Age Verification Tools: Takeaways from CIPL Roundtable
blog
On February 16, 2023, CIPL hosted a virtual roundtable with representatives from CIPL member companies, data protection authorities, civil society and experts to discuss the role of age assurance tools, their effectiveness, appropriateness, and their role in providing a safe online environment for minors. The event was a part of the CIPL’s Children’s Data Privacy […]
CIPL Response to NTIA Privacy, Equity and Civil Rights Request for Comment
regulatory engagement us privacy
To Combat Data-Intensive Racial Injustice, Prioritize Adoption of Accountability Frameworks
blog
In 2019, the New York Times reported the story of Nijeer Parks, a New Jersey man who spent a week in prison after police arrested him based on a false match using facial recognition technology. Facial recognition technology is demonstrably worse at recognizing Black faces than white ones, with dark-skinned women suffering some of the […]
CIPL Response to Digital Regulation Cooperation Forum (DRCF) Workplan 2023-2024
regulatory engagement UK
Digital Assets and Privacy
digital economy financial services digital assets
This CIPL paper argues that effective regulation of blockchain technologies requires cooperation and collaboration between authorities dealing with data, particularly, financial conduct, competition and data protection authorities. On the basis of this, the paper makes the case that better regulation of digital assets requires the setting of realistic and achievable goals which stem from dialogue […]
Cisco-CIPL Report on Business Benefits of Investing in Data Privacy Management Programs
accountability digital responsibility
This study by the Centre for Information Policy Leadership (CIPL) and the Privacy Center of Excellence at Cisco explores the business benefits and return on investment (ROI) of DPMPs. In particular, the study demonstrates that organizations are experiencing a wide range of benefits from investing in DPMPs. These include risk management and compliance benefits, as […]
CIPL Response to the EDPB Draft Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)
regulatory engagement EU
CIPL Response to EDPB Guidelines 08/2022 on Identifying a Controller or Processor’s Lead Supervisory Authority
regulatory engagement EU
CIPL Response to the FTC’s ANPR on Commercial Surveillance and Data Security
regulatory engagement
Protecting Children’s Data Privacy Policy Paper I: International Issues and Compliance Challenges
digital economy childrens privacy
Complying with the growing number of laws on children’s privacy in the global marketplace is an increasingly complex undertaking. It involves reconciling measures to protect children from online harm and intrusions into their privacy with the equally important necessity for children to participate and engage online and to access beneficial or even essential online resources. […]
CIPL Response to EDPB Draft Guidelines as a Certification as a Tool for Transfers
regulatory engagement EU
CIPL Response to UK DCMS Proposed Approach to Regulating AI
regulatory engagement UK DCMS
CIPL Response to UK Information Commissioner’s Office ICO25 Strategic Plan Consultation
regulatory engagement UK ICO
CIPL Study Mapping the APEC CBPR System and EU-US Privacy Shield Requirements to the Provisions of the UK GDPR
data sharing cross-border data transfers cbpr
This document presents a comparison of the APEC Cross-Border Privacy Rules (CBPR) Requirements and the EU-U.S. Privacy Shield Requirements to the requirements of the UK General Data Protection Regulation (GDPR). For purposes of this analysis, we analyzed relevant documents pertaining to participation in both the CBPR and Privacy Shield certification system. We present recommendations, as […]
Perspectives on Privacy and Effective Data Use in the Global Digital Economy and Society
digital economy
As part of CIPL’s celebrations of 20 years of working with industry leaders, regulatory authorities and policy makers to develop global solutions and best practices for privacy and responsible data use. To mark this occasion, we compiled a volume of short “thought pieces” under the general title of “Perspectives on Privacy and Effective Data Use […]
CIPL Response to Brazil ANPD’s Request for Comments on the Regulation of International Data Transfers
regulatory engagement brazil ANPD
CIPL Response to EDPB Guidelines 04/2022 on the Calculation of Administrative Fines under the GDPR
regulatory engagement EU EDPB
Local Law Assessments and Online Services – Refining the Approach to Beneficial and Protective Cross-Border Data Flows: A Case Study from British Columbia
data sharing cross-border data transfers
Cross-border data flows foster innovation and growth, support cybersecurity, and enable access to essential services. They are important for delivering public services and empowering individuals to access them, including healthcare and education. Cross-border data flows make access to transformational technologies like AI equally available to individuals and public and private sector organizations who might otherwise […]
CIPL Response to the Japan Digital Markets Competition Council’s Interim Assessment of Competition within the Mobile Ecosystem
regulatory engagement japan Japan Digital Markets Competition Council
CIPL Response to UK ICO’s Consultation on its Draft Regulatory Action Policy, Statutory Guidance on Regulatory Action and Statutory Guidance on PECR Powers
regulatory engagement UK ICO
Digitisation and Scrutiny of Business Data Practices
blog
By Rama Vedashree CEO, Data Security Council of India Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP As we scan the landscape of digitisation across enterprises, be it Banking, Retail, Travel, Public Services, along with post-pandemic Healthcare and Education too, the platformisation of technology and business has […]
A Fresh Start for Data Protection
blog
By Richard Thomas CBE Former UK Information Commissioner Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP What would data protection look like if we started with a blank sheet of paper? This is a fantasy. It will never happen. Even the dream gets clouded by what already […]
Bridging the DMA and the GDPR – CIPL Comments on the Data Protection Implications of the Draft Digital Markets Act
DMA gdpr
The EU digital strategy intends to establish a safe and trusted digital space for individuals and a level playing field for businesses that fosters innovation, growth, and competitiveness in the EU. Specifically, the draft Digital Markets Act (DMA) aims to enable open and fair digital and data markets by fostering competition. In particular, it seeks […]
Charting the Landscape for Data Protection & Intermediary Publishers
blog
By David Erdos Faculty of Law, University of Cambridge Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP At least in Europe, the basic data protection framework coalesced during the 1970s and very early 1980s. Even then, it was a framework under serious socio-technological challenge. But since this time […]
The U.S. Urgently Needs a Comprehensive Privacy Law that Goes Beyond the Fair Information Practices
blog
By Woodrow Hartzog, Professor of Law & Computer Science, Northeastern University and Neil Richards, Koch Distinguished Professor in Law, Washington University in St. Louis Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP America’s privacy bill has come due. Since the dawn of the Internet, Congress has repeatedly […]
CIPL Response to the UK Department for Digital, Culture, Media & Sport’s (DCMS) Consultation on Reforms to the Data Protection Regime
regulatory engagement UK DCMS
Neurotech and Privacy of the Mind
blog
By Dario Gil Senior Vice President & Director IBM Research Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP The next 10 years will bring about all manner of revolutionary data-driven technologies that pose both tremendous benefits and alarming privacy risks. Of these, neurotechnology, or neurotech, will likely […]
Some Thoughts on Information Climate Change
blog
By Dr. Alexander Dix Vice-Chair of the European Academy for Freedom of Information and Data Protection Former Data Protection and Freedom of Information Commissioner in Brandenburg (1998-2005) and Berlin (2005-2016) Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP Sir Bruce Slane, New Zealand’s first Privacy Commissioner, at […]
Accounting for Women’s Different Experiences with Privacy Online
blog
By Emily Sharpe Director of Policy, The Web Foundation Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP In 1989, Sir Tim Berners-Lee was working as a software engineer at CERN, the large particle physics laboratory in Switzerland. Throughout his tenure at CERN, he noticed that the scientists […]
Organizational Accountability in Data Protection Enforcement – How Regulators Consider Accountability in their Enforcement Decisions
regulatory engagement accountability
Promoting organizational accountability among all organizations that process personal data has been one of the Centre for Information Policy Leadership’s (CIPL) main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper […]
Organizational Accountability in Data Protection Enforcement – How Regulators Consider Accountability in their Enforcement Decisions
regulatory engagement
Promoting organizational accountability among all organizations that process personal data has been one of CIPL’s main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper elaborates specifically on […]
Increasing Trust In Our Digital Societies And Economies: A Key Factor To Improve Personal Data Protection
blog
By Eduardo Bertoni Representative of the Regional Office for South America of the Inter American Institute of Human Rights Former Director of the Argentine Data Protection and Access to Information Authority Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP The pandemic caused by COVID 19 triggered many […]
CIPL Response to the UK Government’s Consultation on the Framework for Better Regulation
regulatory engagement UK
The role of the Data Protection Officer (“Encarregado”) under the Brazilian General Data Protection Law (LGPD)
brazil lgpd
This is the second paper of the special Joint-Project “Effective Implementation and Regulation Under the New Brazilian Data Protection Law (LGPD)”, by CIPL and CEDIS/IDP. This project aims to: Facilitate information-sharing about the LGPD Inform and advance constructive, forward-thinking and consistent LGPD implementation Enable the sharing of industry experience and best practices Promote effective regulatory […]
GDPR Enforcement Cooperation and the One-Stop-Shop – Learning from the First Three Years
gdpr
The One-Stop-Shop mechanism (OSS) is essential to support the consistent implementation of the GDPR in order to achieve the EU single market. The OSS brings important benefits to individuals, organizations and Supervisory Authorities (SAs). However, the OSS is facing a growing amount of criticism and risks being undermined. Its challenges should now be discussed and […]
Welcome Developments in Data Protection, but Are They Enough?
blog
By Malcolm Crompton Founder & Lead Privacy Advisor, Information Integrity Solutions Former Australia Privacy Commissioner Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP The rise of the digital age has profoundly changed the economics of personal data handling. The growing sophistication of data analytics coupled with data […]
CIPL Response to the EU Commission’s Data Act Consultation
regulatory engagement EU
CIPL Response to the EU Commission’s Consultation on the Draft AI Act
regulatory engagement EU EU Commission
How the “Legitimate Interests” Ground for Processing Enables Responsible Data Use and Innovation
gdpr
Following the European Data Protection Board’s (EDPB) Stakeholder Workshop on Legitimate Interests on 27 November 2020, CIPL published this white paper as input for the EDPB’s future update of the guidelines on the legitimate interests legal basis. This Paper is also relevant for any jurisdiction where data protection law includes legitimate interests as a legal […]
CIPL Response to the Irish Data Protection Commission’s Regulatory Strategy Consultation
regulatory engagement Ireland
CIPL Response to the EDPB’s Guidelines on the Application of Article 65(1)(a) of the GDPR
regulatory engagement EU EDPB
CIPL Comments on China’s Updated Draft Personal Information Protection Law
regulatory engagement china
CIPL Response to the EDPB’s Guidelines on Virtual Voice Assistants
regulatory engagement EU EDPB
Data Protection in the Time of the Pandemic
digital economy
This Roundtable Series Report provides a summary of key takeaways from each of the roundtables and highlights the latest thinking on these topics as COVID-19 continues to drive digital transformation and organizations continue to leverage data to fight the pandemic, think about other pressing humanitarian issues and find responsible data solutions to today’s unprecedented data […]
CIPL Response to the Ministry of Public Security of Vietnam’s Draft Decree on Personal Data Protection
regulatory engagement vietnam
CIPL Response to the Ireland Data Protection Commissioner’s Draft Guidance on Fundamentals for a Child-Oriented Approach to Data Processing
regulatory engagement IDPC
CIPL Response to Brazil ANPD’s Data Breach Consultation
regulatory engagement brazil ANPD
CIPL Recommendations on Adopting a Risk-Based Approach to Regulating AI in the EU
ai EU
Building on its prior work, CIPL has been working with experts in the EU and multinational companies who are leaders in AI to collect best practices and emerging trends in AI accountability. CIPL’s objective is to inform the current EU discussions on the development of rules to regulate AI. This paper summarizes CIPL’s vision on […]
CIPL Response to the EDPB’s Guidelines on Examples Regarding Data Breach Notification
regulatory engagement EU EDPB
CIPL Response to Brazil ANPD’s Public Consultation on SMEs
regulatory engagement brazil ANPD
CIPL Comments on Canada’s Public Consultation on Modernizing the Privacy Act
regulatory engagement canada
CIPL Comments on the EDPB Guidelines on Restrictions under Article 23 of the GDPR
regulatory engagement EU EDPB
CIPL Response to the EU Commission’s Consultation on the Draft Data Governance Act
regulatory engagement EU european commission
CIPL Comments on the EDPB’s Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
regulatory engagement EU EDPB
CIPL Comments on Standard Contractual Clauses for Personal Data Transfers under the GDPR
regulatory engagement EU european commission
CIPL Comments on the EU Commission’s Standard Contractual Clauses between controllers and processors under Article 28 of the GDPR
regulatory engagement EU EU Commission
CIPL Response to the UK’s National Data Strategy Consultation
regulatory engagement UK
CIPL Response to the EDPB’s Relevant and Reasoned Objection Consultation
regulatory engagement EU EDPB
CIPL Comments on China’s Updated Draft Personal Information Protection Law
regulatory engagement china
CIPL Response to the UK ICO’s Draft Statutory Guidance Consultation
regulatory engagement UK ICO
CIPL Comments on the Beta Phase of the UK ICO’s Accountability Framework
regulatory engagement UK ICO
CIPL Response to the UK DCMS’ Consultation on Representative Actions
regulatory engagement UK DCMS
CIPL Q&A on Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) 2nd Edition
data sharing cross-border data transfers cbpr prp
This document addresses some commonly asked questions about the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems. The following questions are addressed in these FAQs: What is APEC? What are the APEC Cross-Border Privacy Rules (CBPR)? Which APEC economies participate in the CBPR? What is the APEC Privacy Recognition for Processors […]
A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision
gdpr
On July 16 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as Schrems II, that Standard Contractual Clauses are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. This substantially impacts organizations […]
A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision
data sharing cross-border data transfers
On July 16th 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as “Schrems II”, that Standard Contractual Clauses (SCCs) are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. The Judgment substantially impacts […]
CIPL Response to the Indian Ministry of Electronics and Information Technology’s Report by the Committee of Experts on a Non-Personal Data Framework
regulatory engagement india
CIPL-DSCI Report on Enabling Accountable Data Transfers from India to the United States under India’s Proposed Personal Data Protection Bill
data sharing cross-border data transfers india
Data flows between India and the United States are of unquestionable value to India’s modern digital economy and society. According to a 2019 digital trade report from the Hinrich Foundation, digital trade contributed $32.5 billion to India’s domestic economy in 2017. The report further notes that this has the potential to grow to $480 billion […]
Top Priorities for Public and Private Organizations to Effectively Implement the New Brazilian General Data Protection Law (LGPD)
brazil lgpd
This is the second paper of the special Joint-Project “Effective Implementation and Regulation Under the New Brazilian Data Protection Law (LGPD)”, by CIPL and CEDIS/IDP. This project aims to: Facilitate information-sharing about the LGPD Inform and advance constructive, forward-thinking and consistent LGPD implementation Enable the sharing of industry experience and best practices Promote effective regulatory […]
Lessons from COVID-19 for a New US Privacy Framework
blog
COVID-19 has forced an increased reliance on technology and data, both in our daily lives and in responding to the pandemic. The pandemic has also demonstrated, more than ever before, the need for a comprehensive US federal privacy framework. CIPL has published a new paper entitled “Data Protection in the New Decade: Lessons from COVID-19 […]
Data Subject Rights under the GDPR in a Global Data Driven and Connected World
gdpr
Following the European Data Protection Board’s (EDPB) stakeholders’ event in Brussels on November 4th 2019 on Data Subject Rights, CIPL submitted this White Paper as input for the EDPB’s future guidelines on Data Subject Rights. The EDPB’s stakeholder event on DSR addressed the following GDPR provisions: The right of access (Article 15) The right to […]
CIPL Response to the EU Commission’s AI White Paper
regulatory engagement EU EU Commission
Getting Practical on Organizational Accountability
blog
Over the past decade, we have witnessed the gradual rise of “organizational accountability” in global privacy and data protection law and practice. Privacy regulators increasingly expect it from their regulated organizations, and it’s fair to say that many modern privacy laws now explicitly require it. CIPL has been engaged pretty much from the beginning both […]
Looking Beyond COVID-19: Future Impacts on Data Protection and the Role of the Data Protection Authorities
regulatory engagement
The COVID-19 crisis imposed a wide range of immediate and likely long-term impacts on organizations, governments, regulators, people and society at large. Many of them could stay with us beyond the immediate crisis and change the way we all live, work and interact. These impacts likely will also be felt in data privacy – […]
CIPL Response to the EU Commission’s Consultation on a European Strategy for Data
regulatory engagement EU european commission
What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework
ai accountability
CIPL has a long history of exploring accountability-based information management and privacy governance. As part of our work on enabling innovation while also protecting privacy, we are currently exploring how to further develop and improve the existing concept of accountability to maximize both goals. This report consolidates the findings of CIPL’s Accountability Mapping Project launched […]
CIPL Response to the EU Commission’s Public Consultation on the Evaluation of the GDPR
regulatory engagement EU european commission
The Role of the Brazilian Data Protection Authority (ANPD) under Brazil’s New Data Protection Law (LGPD)
brazil lgpd
This is the second paper of the special Joint-Project “Effective Implementation and Regulation Under the New Brazilian Data Protection Law (LGPD)”, by CIPL and CEDIS/IDP. This project aims to: Facilitate information-sharing about the LGPD Inform and advance constructive, forward-thinking and consistent LGPD implementation Enable the sharing of industry experience and best practices Promote effective regulatory […]
Covid-19 Meets Privacy: A Case Study for Accountability
blog
In the pressing global fight against Covid-19, technological and AI solutions, involving massive tracking and data analytics, have brought into sharp focus public concern over our fundamental right to privacy. Some have even asked whether privacy will be the victim of Covid-19. And, some have pointed out that our fundamental right to life must trump […]
CIPL Q&A on Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP)
data sharing cross-border data transfers cbpr prp
This document addresses some commonly asked questions about the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems. The following questions are addressed in these FAQs: What is APEC? What are the APEC Cross-Border Privacy Rules (CBPR)? Which APEC economies participate in the CBPR? What is the APEC Privacy Recognition for Processors […]
Artificial Intelligence and Data Protection: How the GDPR Regulates AI
ai EU
The COVID-19 crisis is imposing a wide range of immediate and likely long-term impacts on organizations, governments, regulators, people and society at large. Many of them are likely to stay with us beyond the immediate crisis and change the way we all live, work and interact going forward. These impacts likely will also be felt […]
CIPL Response to the Office of the Privacy Commissioner of Canada’s Proposals for Ensuring Appropriate AI Regulation
regulatory engagement canada
Eight Privacy Priorities for 2020 and Beyond
blog
Global Convergence and Interoperability between Privacy Regimes Around the world, new privacy laws are coming into force and outdated laws continue to be updated: the EU GDPR, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), Thailand’s Personal Data Protection Act (PDPA), India’s and Indonesia’s proposed bills, California’s Consumer Privacy Act (CCPA), and the various […]
Hard Issues and Practical Solutions
ai #aikeywork
The rise and rapid expansion of Artificial Intelligence technology is one of the main features of the Fourth Industrial Revolution. Its transformational potential for our digital society and ability to drive benefits for citizens, governments and organizations is unparalleled. To realize this potential and ensure its sustainability, we must build AI on a foundation of […]
CIPL Response to the Indian Joint Parliamentary Committee on the 2019 Personal Data Protection Bill
regulatory engagement india
CIPL Response to the Brazilian MCTIC’s Consultation on a National AI Strategy for Brazil
regulatory engagement brazil
What Does the USMCA Mean for a US Federal Privacy Law?
us privacy
CIPL Response to the EDPB’s Guidelines on Data Protection by Design and by Default
regulatory engagement EU EDPB
Are Our Privacy Laws Asking Too Much of Consumers and Too Little of Businesses?
blog
In the last few weeks in the US, Democrats and Republicans from the Senate Commerce Committee have each released draft comprehensive federal privacy legislation bills, and there is a considerable amount of overlap between them. In the Committee’s recent hearing the two sides appeared closer than ever to a bipartisan compromise on a privacy bill. […]
CIPL Response to the FTC’s Review of COPPA Rule
regulatory engagement us privacy FTC
CIPL Response to the UK ICO’s Accountability Toolkit Consultation
regulatory engagement UK ICO
Organizational Accountability in Light of FTC Consent Orders
us privacy
Organisational Accountability – Past, Present and Future
accountability
Organisational accountability is a powerful tool in the hands of the political and business leaders that are shaping 21st century Europe. It places the responsibility for ethical behavior and the protection of individuals on the organizations that are best placed to achieve it. This report argues that accountability is a scalable and transferrable concept that can be implemented by […]
CIPL Response to the Innovation, Science and Economic Development (ISED) Canada’s Proposals to Modernize the Personal Information Protection and Electronic Documents Act (PIPEDA)
regulatory engagement canada
CIPL Response to the EDPB’s Guidelines on Processing Personal Data through Video Devices
regulatory engagement EU EDPB
CIPL Response to Technical Engagement on the Modernization of Canada’s Federal Privacy Act
regulatory engagement canada
Key Issues Relating to Standard Contractual Clauses for International Transfers and the Way Forward for New Standard Contractual Clauses under the GDPR
gdpr
The European Commission is currently working on updated standard data protection clauses for international transfers (SCC) to serve as “appropriate safeguards” that are necessary to legitimize the transfer of personal data to a third country in the absence of an adequacy decision. The Commission is currently receiving input from organizations. CIPL welcomes the opportunity to […]
CIPL Response to the Office of the Privacy Commissioner of Canada’s Reframed Consultation on Transfers for Processing
regulatory engagement canada
Q&A on Organisational Accountability in Data Protection
accountability
Promoting organizational accountability among all organizations that process personal data has been one of the Centre for Information Policy Leadership’s (CIPL) main areas of focus. An important component of our work on that front has been to identify ways in which data protection laws, public policy, and approaches to enforcement can encourage and incentivize organizational accountability. This paper […]
Organizational Accountability – Existence in US Regulatory Compliance and its Relevance for a US Federal Privacy Law
us privacy
CIPL Submission to the Review of Artificial Intelligence and Public Standards by the UK’s Committee on Standards in Public Life
regulatory engagement UK
GDPR One Year In – Practitioners Take Stock of the Benefits and Challenges
gdpr
In this report, we seek to outline the positive impacts and benefits organizations have experienced as a result of their GDPR compliance efforts. We also describe the challenges and unfulfilled promises of the GDPR, where organizations feel the Regulation has not lived up to its objectives and has presented practical difficulties, despite their dedication to […]
CIPL Response to the UK ICO’s Consultation on Age Appropriate Design – A Code of Practice for Online Services
regulatory engagement UK ICO
CIPL Response to the EU Commission’s Questionnaire on the Application of the GDPR
regulatory engagement EU european commission
CIPL Comments on the EDPB’s Guidelines on the Processing of Personal Data under the GDPR (Contractual Necessity)
regulatory engagement EU EDPB
CIPL Response to the Office of the Privacy Commissioner of Canada’s Consultation on Transborder Data Flows
regulatory engagement canada
Ten Principles for a Revised US Privacy Framework
us privacy
Our economies and societies are in the midst of the 4th industrial revolution, with digitalization and datafication transforming the way we live, work and interact. This transformation has brought into sharp focus the question of how we should regulate data use, governance and privacy to enable us to reap the benefits of data driven innovation […]
CIPL Response to the EDPB’s Guidelines on Codes of Conduct and Monitoring Bodies under the GDPR
regulatory engagement EU EDPB
Regulatory Sandboxes in Data Protection – Constructive Engagement and Innovative Regulation in Practice
regulatory engagement
What is a “Regulatory Sandbox”? How could it contribute to high standards of data protection and privacy and promote innovation? What are the challenges and problems? What safeguards are needed? Why would regulators and organizations want to participate in a Sandbox? In this white paper, we set out the key features of the concept. Essentially, […]
CIPL Response to Annex 1 of the EDPB’s Guidelines on the Accreditation of Certification Bodies under the GDPR
regulatory engagement EU EDPB
Learning from the GDPR: What Elements Should the US Adopt?
us privacy
CIPL Response to ICDPPC Declaration on Ethics and Data Protection in Artificial Intelligence
regulatory engagement
CIPL Comments on the EDPB’s Territorial Scope Guidelines
regulatory engagement EU EDPB
Legal Note on the ePrivacy Regulation and the EU Charter of Fundamental Rights
gdpr
An important focus in the legislative discussions on the proposed ePrivacy Regulation is the fact that the proposal (mainly the articles 5 and 6 thereof) aims to protect the confidentiality of communications of individuals and legal persons, and in particular addresses the confidentiality of content data and metadata, implementing Article 7 of the EU Fundamental […]
CIPL Response to US National Telecommunications and Information Administration’s (NTIA) Request for Comment on “Developing the Administration’s Approach to Consumer Privacy”
regulatory engagement us privacy NTIA
Artificial Intelligence and Data Protection in Tension
ai
This report introduces artificial intelligence and some of the technologies enabled by it, as well as some of the challenges and tensions between artificial intelligence and existing data protection laws and principles. The challenges to data protection presented by AI are frequently remarked on but are often addressed only at a surface level. There is […]
CIPL Response to UK ICO’s Call for Views on Creating a “Regulatory Sandbox”
regulatory engagement UK ICO
CIPL Response to Indian Ministry of Electronics and Information Technology’s Draft Data Protection Bill
india Indian Ministry of Electronics and Information Technology
CIPL Response to the EDPB on National DPA Lists of High Risk Processing
regulatory engagement EU EDPB
Introducing Two New CIPL Papers on The Central Role of Organisational Accountability in Data Protection
accountability
This short paper introduces two CIPL papers on the topic of organisational accountability – The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society and Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability. It outlines the goals of these other papers, […]
The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society
accountability
It is essential that there is consensus and clarity on the precise meaning and application of organisational accountability among all stakeholders, including organisations implementing accountability and data protection authorities (DPAs) overseeing accountability. Without such consensus, organisations will not know what DPAs expect of them and DPAs will not know how to assess organisations’ accountability-based privacy […]
Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability
accountability
The objectives of this second paper in our Accountability series are, first, to make the case for specifically incentivising organisational accountability and, second, to provide specific suggestions for what such incentives might be. Importantly, the objective in promoting an approach of incentivising accountability is not to weaken or hinder the powers of data protection authorities […]
EPR vis-à-vis GDPR – A comparative analysis of the ePrivacy Regulation and the General Data Protection Regulation
gdpr
This study was prepared by Brinkhof for CIPL. On 10 January 2017, the Commission adopted its proposal for a new ePrivacy Regulation to replace the existing Directive 2002/58/EC. This proposal is currently being discussed in the Council. One of the questions being considered is the link between the ePR and the General Data Protection Regulation. […]
CIPL Comments on the EDPB’s Draft Guidelines on Certifications and Identifying Certification Criteria in accordance with articles 42 and 43 of the GDPR
regulatory engagement EU EDPB
CIPL Response to Irish DPC Consultation on DPIAs
regulatory engagement IDPC
Design for Privacy: How Will the ePrivacy Regulation affect the design of digital services and their user experiences?
gdpr
This report was prepared by Normally Ltd for the Centre for Information Policy Leadership in April 2018. In the discourse on regulation of digital services and the proposed ePR, design has been missing from the discussion. This study makes the case for why we all need design to take a seat at the table. It […]
CIPL Response to the UK ICO’s Consultation GDPR DPIA Guidance
regulatory engagement UK ICO
CIPL Comments on WP29’s Draft Guidelines on the Accreditation of Certification Bodies under the GDPR
regulatory engagement WP29
Factsheet on the Key Issues Relating to the Relationship Between the Proposed ePrivacy Regulation (ePR) and the General Data Protection Regulation (GDPR)
gdpr
This Factsheet addresses the following in the context of the proposed ePrivacy Regulation and GDPR: Controllers and Processors; Data Protection Principles; Transparency; Territorial Scope; The Lawfulness of Processing; Rights of the Data Subject; Privacy by Design and by Default; Security; Risk-based Approach; Data Protection Impact Assessment; Supervisory Authorities; Remedies; Sanctions.
GDPR Implementation in Respect of Children’s Data and Consent
digital economy childrens privacy gdpr
Personal data relating to children are processed for many purposes by private and public sector organizations, including the provision of online and offline services, education, social care, healthcare and personal welfare, and as part of information on family circumstances. In some cases, the processing will include special categories of personal data. CIPL recognizes that the […]
CIPL Response to India Ministry of Electronics and Information Technology’s White Paper on a Data Protection Framework for India
regulatory engagement india
CIPL Comments on WP29’s Transparency Guidelines
regulatory engagement WP29
CIPL Comments on WP29’s Consent Guidelines
regulatory engagement WP29
CIPL Comments on WP29’s Updated Working Documents Setting Up Tables for Binding Corporate Rules and Processor Binding Corporate Rules
regulatory engagement WP29
CIPL Comments on WP29’s Profiling and ADM Guidelines
regulatory engagement WP29
CIPL Comments on WP29’s Breach Notification Guidelines
regulatory engagement WP29
CIPL Response to CNIL Public Consultation on Transparency and International Data Transfers under the GDPR
regulatory engagement cnil
CIPL Response to Irish Data Protection Commission’s Consultation on Transparency and International Data Transfers under the GDPR
regulatory engagement Ireland IDPC
Essential Legislative Approaches for Enabling Cross-Border Data Transfers in a Global Economy
data sharing cross-border data transfers cbpr
Global data flows are the product of the increasing globalization and digitalization of business processes and society. They are foundational to the modern digital economy. The ability to use, share and access information across borders stimulates innovation, enables data-driven products and services, fuels economic growth and ideas, and is often the lifeline for remote communities. […]
Regulating for Results: Strategies and Priorities for Leadership and Engagement
regulatory engagement
The ecosystem for regulating data protection and privacy is changing rapidly, and not just within the EU. For many years CIPL has championed the role of accountable organizations and the merits of a risk-based approach. We now turn to the “plumbing” of the system as a whole and consider how its component parts can best […]
CIPL Response to Singapore Public Consultation for Approaches to Managing Personal Data in the Digital Economy
regulatory engagement Singapore
CIPL Response to Public Consultation on the Brazilian Strategy for Digital Transformation
regulatory engagement brazil
Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR
gdpr
This paper highlights and explores CIPL’s ten key messages on the principles of transparency, consent and legitimate interest: Transparency is intended to be user-centric and should not primarily envisage legal compliance. Transparency should be context-specific, benefit from the possibilities of new technologies and avoid information overload. Transparency should be provided contextually by different methods and […]
CIPL Comments on WP29’s Guidelines on DPIA and Likely High Risk under the GDPR
regulatory engagement WP29
CIPL Madrid GDPR Workshop III Workshop Key Takeaways
gdpr
On 6 and 7 March 2017, CIPL held its 3rd major workshop of the GDPR Implementation Project focusing on the issues of transparency, consent and legitimate interest. The workshop was held in the historic premises of Telefónica with more than 140 participants from industry, DPAs, national governments, the European Commission, the EDPS, and academia. The […]
CIPL Discussion Points on Brazil Proposed Senate Bill 330/2013
regulatory engagement brazil
CIPL Discussion Points on Brazil Proposed Ministry Bill 5276/2016
regulatory engagement brazil
CIPL Response to the Article 29 Data Protection Working Party’s “Guidelines on Data Protection Officers (DPOs)”
regulatory engagement WP29
The One-Stop-Shop and the Lead DPA as Co-operation Mechanisms in the GDPR
gdpr
The purpose of this paper is to: Inform the EU DPAs and the Article 29 Working Party as they consider the provisions of the GDPR on criteria to define the lead DPA and the co-operation among DPAs in the context of the OSS and the lead DPA. Signal any practical challenges in implementing these provisions […]
Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation
gdpr
The function of the data protection officer or chief privacy officer is an essential component of data privacy accountability, playing a crucial role in enabling organisations to ensure and demonstrate both data privacy compliance and effective privacy protection of individuals. In recognition of its crucial status within organisations, this function is formally recognised and described […]
The Role of the Data Protection Officer (DPO) and Risk and High Risk under the GDPR
gdpr
In September, we held our second GDPR Workshop in Paris as part of our two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster […]
CIPL Response to the Office of the Australian Information Commissioner Draft Big Data and Privacy Principles Guide
regulatory engagement australia
This was a closed consultation.
CIPL Submits Response to European Commission’s Public Consultation on ePrivacy Directive
regulatory engagement EU EU Commission
Reframing Data Transparency
reframing data transparency
On 30 June 2016, CIPL and Telefónica held a joint Roundtable in London, with senior business leaders, data privacy officers and lawyers, data privacy regulators and academic experts, entitled ‘Reframing Data Transparency’. The objective of the Roundtable was to build on recent projects, initiatives and legal changes related to data transparency, such as the EU-US […]
Compendium of Excerpts of Ministry Bill Comments for Letter to Senator Aloysio Nunes
regulatory engagement brazil
Letter to Senator Aloysio Nunes regarding revised Senate Bill 330
regulatory engagement brazil
CIPL Comments on the Revised Brazil Draft Privacy Law on the Protection of Personal Data
regulatory engagement brazil
Implementing and Interpreting the GDPR: Challenges and Opportunities
gdpr
On 16 March 2016, CIPL and the Dutch Ministry of Security and Justice co-hosted a workshop in Amsterdam entitled “Towards a Successful and Consistent Implementation of the GDPR”. The workshop kick-started the special CIPL project on the consistent interpretation and implementation of the EU GDPR. The main objective of the workshop was to initiate an […]
Protecting Privacy in a World of Big Data: The Role of Risk Management
big data
Risk management has long played an important role in data protection. Over the past three years, CIPL has hosted a series of multinational workshops and published two white papers on risk management and its role in effective modern data protection. In this paper we focus on the interaction of risk management with other data protection […]
The Role of Enhanced Accountability in Creating a Sustainable Data-driven Economy and Information Society
big data
In the modern information age of big data, the Internet of Things and cloud computing, new data-driven products and services are enabling scientific and societal developments at a rapid pace and are the key drivers of economic growth. Our digital information society depends and thrives on the ability to generate, collect, aggregate, link and use […]
Cross-Border Data Transfer Mechanisms
data sharing cross-border data transfers
Legislatures in many countries currently are drafting or amending data protection laws. Often, these drafts and amendments attempt to regulate cross-border data transfers by imposing restrictions on transfers of personal data to other countries that do not have similar data privacy laws. Sometimes they also include so-called data localization provisions that require data or copies […]
CIPL Comments concerning the Indonesia Ministry of Communications and Information Technologies Draft Regulation on the Protection of Personal Data in Electronic Systems
regulatory engagement Indonesia
CIPL Comments on Brazil’s Draft Law “On the Processing of Personal Data to Protect the Personality and Dignity of Natural Persons”
regulatory engagement brazil
The Role of Risk Management in Data Protection
risk framework
Data protection has long relied on risk management as a critical tool for complying with data protection laws and ensuring that data are processed appropriately and the fundamental rights and interests of individuals are protected effectively. Yet these risk management processes, whether undertaken by businesses or regulators, have often been informal, unstructured and failed to […]
CIPL Strategy Paper to the Article 29 Working Party on the “One Stop Shop” Mechanism
regulatory engagement WP29
CIPL Comments on the Federal Trade Commission’s (FTC) Big Data Workshop
regulatory engagement FTC
CIPL Response to the UK ICO’s Big Data and Data Protection Paper
regulatory engagement UK ICO
CIPL Response to the Article 29 WP Consultation Regarding Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller Under Article 7 of Directive 95/46/EC
regulatory engagement WP29
A Risk-Based Approach to Privacy: Improving Effectiveness in Practice
risk framework
On March 20, 2014, the Centre held a workshop in Paris during which more than 50 privacy experts, industry representatives and regulators discussed their experiences and views with respect to the risk-based approach to privacy, the privacy risk framework and methodology, as well as goals and next steps in this project. This paper, titled “A […]
The Role and Function of a Data Protection Officer in Practice and in the European Commission’s Proposed General Data Protection Regulation
DPO CPO
The role and function of a data protection officer (DPO) are evolving and will underpin data protection compliance under the proposed European General Data Protection Regulation. Recognizing the critical importance of the DPO function and oversight as a prerequisite for data privacy corporate accountability, many organizations have invested strategically in developing a DPO function, but […]
CIPL Comments concerning the National Institute of Standards and Technology (NIST)’s Preliminary Cybersecurity Framework
regulatory engagement NIST
CIPL Response to the UK ICO Consultation on Conducting Privacy Impact Assessments Code of Practice
regulatory engagement UK ICO
Big Data and Analytics: Seeking Foundation for Effective Privacy Guidance
Analytics promises to revolutionize business, science, research and education. Powerful algorithms help identify individuals in need of social services, detect fraud, predict the effects of natural disasters, recognize patterns in scientific research and discover trends in consumer demand. Analytics play a role in addressing concerns across all aspects of society – from understanding biology at […]
Implementing Accountability in the Marketplace
accountability
Accountability builds on traditional notions of fair information practices, but incorporates new elements that require organizations to implement comprehensive privacy programs and base their decisions about data on credible assessment of the risks they raise for individuals and how best to mitigate them. This year, the CIPL has responded to suggestions in public policy discussions […]
Accountability: Data Governance for the Evolving Digital Marketplace
accountability
In the current data environment, organizations must employ effective and explicit data governance programs to protect individuals against the risks that these uses of information may raise. While individuals must continue to play an appropriate role in making choices about sharing their data, they cannot be held responsible for detailed decisions about vastly complex technologies […]
Demonstrating and Measuring Accountability
accountability
When the participants in the Accountability Project released its discussion paper on accountability’s essential elements in October 2009, they did so recognizing that within the framework described in that document, it would be necessary to address questions about its real-world implementation. CIPL was excited to facilitate further work on accountability, assembling experts to consider […]
Data Protection Law and The Ethical Use of Analytics
analytics
Written for CIPL by Paul M. Schwartz, Professor of Law, Berkeley Law School, University of California, Berkeley; Director, Berkeley Center for Law & Technology. This paper offers a contextual examination of analytics. The term “contextual” is used here in reference to an organization’s need to consider the risks that a specific application of analytics poses […]
Accountability: A Compendium for Stakeholders
accountability
This document serves as a compendium of our work conducted throughout our Accountability Project as of 2010, along with other notable contributions on this vital topic, including: Data Protection Accountability: The Essential Elements (October, 2009); Demonstrating and Measuring Accountability – The Paris Project (October, 2010); Privacy by Design: Essential for Organizational Accountability and Strong Business […]
Data Protection Accountability: The Essential Elements
accountability
Innovations in technology; rapid increases in data collection, analysis and use; and the global flow and access to data have made an unprecedented array of products, resources and services available to consumers. These developments, however, in no way diminish an individual’s right to the secure, protected and appropriate collection and use of their information. The […]
Dos and Don’ts of Data Breach and Information Security Policy
data breach
This white paper provides ten recommendations for data breach and information security policy, drawn from published research and extensive experience with data breaches, breach notices, and information security more broadly. The Dos and Don’ts of Data Breach and Information Security Policy: Don’t equate data breaches with identity fraud or other consumer harms. Don’t become so […]
Trusted Information Management: Data Privacy & Security Accountability in Outsourcing
india Outsourcing
This paper recognizes a growing global belief that, to promote competitiveness and innovation, businesses and service providers must address issues related to trust and accountability for information privacy and security in connection with outsourcing transactions. NASSCOM has been working on similar objectives in its exploration of how to develop a credible self-regulatory organization in India […]
Outsourcing in India: Designing A Privacy Accountability Self-Regulatory Organization
india Outsourcing
Ten Steps to Develop a Multilayered Privacy Notice
This paper presents a 10-step guide to creating a multilayered privacy notice. It argues that creating a privacy notice should not be viewed as an intimidating process. Developing a multilayered notice is no more difficult than developing a full legally compliant notice. If an organization has already created a full legally compliant notice, they can […]