This report is based on our first technical workshop for CIPL’s Simplification Project. The workshop was focused on the proposed AI Act Omnibus and explored targeted amendments that could simplify implementation while preserving the AI Act’s objectives: enabling trustworthy, human-centric AI and innovation, while protecting health, safety, fundamental rights, and the environment. The report highlights […]

On June 4, the CIPL hosted its first-ever “CIPL In Focus”—an immersive, full-day event for senior-level professionals to examine in-depth the operational challenges related to a given issue and to share practical approaches for overcoming those challenges. The fast-moving, thought-provoking discussion focused on the future of privacy, data governance, and responsible innovation. The conversation looked […]

As part of CIPL’s research on PETs, this paper provides an in-depth exploration of how PETs can and are being deployed to address privacy concerns specifically within AI systems. The paper describes how these technologies can help operationalize privacy by design and by default when developing AI systems, and also serve as key business enablers, […]

This CIPL report, based on research by Public First, commissioned by Google, highlights how digital advertising plays a significant role in supporting European competitiveness, particularly for small and medium-sized businesses (SMBs). This survey of 4,287 EU SMBs across 13 countries found that 86% attributed revenue growth directly to digital advertising, in particular personalised advertising. The […]

Drawing largely from the experience under the GDPR and several EU digital laws, CIPL partnered with Bae, Kim & Lee LLC on this paper to make the case for shifting away from over-reliance on consent and exploring, instead, other legal bases such as contractual necessity and legitimate interest. The paper argues that to ensure the […]

On December 7th, 2023, the Court of Justice of the European Union (CJEU) ruled that SCHUFA, a credit rating agency, played a “determining role” in a lender’s decision to deny a loan application. The CJEU found that SCHUFA’s role, i.e. providing credit scores, qualified as a “decision” under Article 22 of the GDPR. The court […]

In the modern economy, cloud computing continues to be a transformative technology for digital societies, enabling digital transformation while at the same time driving privacy, security and economic efficiencies. Nevertheless, the use of cloud services increasingly faces significant scrutiny in the European Union. Some of the concerns related to geopolitical tensions and supply chain control […]

This third paper in our series analyzing the Digital Markets Act assess the operational consequences of the DMA obligations for gatekeepers and organizations receiving or getting access to personal data, specifically in the context of Art. 6(9) of the DMA. The article mandates the portability of data provided or generated by a user from a […]

Biometric technologies have emerged as important tools for security, safety, convenience and accessibility. Many of the use cases enabled by biometric technologies are of unquestionable benefit to businesses, individuals, and society, particularly when combined with other emerging technologies such as artificial intelligence, machine learning, and privacy-enhancing technologies. However, certain applications can present challenges and risks […]

Privacy-enhancing technologies (PETs) and privacy-preserving technologies (PPTs) generally refer to innovations that facilitate the processing and use of data in a way that preserves the privacy of individuals whose data is being used. These technologies not only enhance privacy protections, but also maintain the informational value of data to varying degrees. This White Paper: Provides […]

This paper addresses the growing trend of localities requesting (and sometimes mandating) that data collected by the private sector be shared with the localities themselves. Such requests are generally not in the context of law enforcement or national security matters, but rather are part of an effort to further the public interest or promote a […]

This paper takes an in-depth look at open questions regarding the seeming limitation by the DMA of legal bases available for certain processing of personal data and whether the DMA should consequently be considered as a lex specialis to the GDPR. The paper examines ambiguities related to the scope of DMA in terms of personal […]

This CIPL paper argues that effective regulation of blockchain technologies requires cooperation and collaboration between authorities dealing with data, particularly, financial conduct, competition and data protection authorities. On the basis of this, the paper makes the case that better regulation of digital assets requires the setting of realistic and achievable goals which stem from dialogue […]

Complying with the growing number of laws on children’s privacy in the global marketplace is an increasingly complex undertaking. It involves reconciling measures to protect children from online harm and intrusions into their privacy with the equally important necessity for children to participate and engage online and to access beneficial or even essential online resources. […]

As part of CIPL’s celebrations of 20 years of working with industry leaders, regulatory authorities and policy makers to develop global solutions and best practices for privacy and responsible data use. To mark this occasion, we compiled a volume of short “thought pieces” under the general title of “Perspectives on Privacy and Effective Data Use […]

This Roundtable Series Report provides a summary of key takeaways from each of the roundtables and highlights the latest thinking on these topics as COVID-19 continues to drive digital transformation and organizations continue to leverage data to fight the pandemic, think about other pressing humanitarian issues and find responsible data solutions to today’s unprecedented data […]

Personal data relating to children are processed for many purposes by private and public sector organizations, including the provision of online and offline services, education, social care, healthcare and personal welfare, and as part of information on family circumstances. In some cases, the processing will include special categories of personal data. CIPL recognizes that the […]

Analytics promises to revolutionize business, science, research and education. Powerful algorithms help identify individuals in need of social services, detect fraud, predict the effects of natural disasters, recognize patterns in scientific research and discover trends in consumer demand. Analytics play a role in addressing concerns across all aspects of society – from understanding biology at […]

Written for CIPL by Paul M. Schwartz, Professor of Law, Berkley Law School, University of California, Berkeley; Director, Berkeley Center for Law & Technology This paper offers a contextual examination of analytics. The term “contextual” is used here in reference to an organization’s need to consider the risks that a specific application of analytics poses […]

This white paper provides ten recommendations for data breach and information security policy, drawn from published research and extensive experience with data breaches, breach notices, and information security more broadly. The Dos and Dont’s of Data Breach and Information Security Policy: Don’t equate data breaches with identity fraud or other consumer harms. Don’t become so […]

This paper creates a 10 step guide to creating a multilayered privacy notice. It argues that creating a privacy notice should not be viewed as an intimidating process. Developing a multilayered notice is no more difficult than a full legally compliant notice. If an organization has already created a full legally compliant notice, they can […]