This roundtable was convened around the core idea that a more coherent digital rulebook need not come at the expense of strong protections. Instead, simplification can be understood as an effort to address areas where the EU digital acquis has grown increasingly complex in practice, including at the intersection of data protection, AI, online safety, […]

This report is based on our first technical workshop for CIPL’s Simplification Project. The workshop was focused on the proposed AI Act Omnibus and explored targeted amendments that could simplify implementation while preserving the AI Act’s objectives: enabling trustworthy, human-centric AI and innovation, while protecting health, safety, fundamental rights, and the environment. The report highlights […]

CIPL welcomes the opportunity to comment on the joint draft Guidelines of the European Commission and the European Data Protection Board (EDPB) on the Interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). CIPL appreciates the cooperative nature of these draft Guidelines and the collaboration of the European Commission and […]

Clear, concise, and practical regulatory guidance is essential for organisations, as it provides the legal certainty needed to navigate an increasingly complex and overlapping regulatory landscape. This is particularly important in cases of legislative overlap, where the jurisdictions and competencies of multiple regulators may intersect. CIPL supports the clarification the draft guidelines make, that the […]

As trilogue negotiations on the GDPR Procedural Regulation approach the end, CIPL is sharing key takeaways from our recent roundtable in Brussels which brought together leading regulators and organizations for a constructive dialogue on the state of play of GDPR enforcement. CIPL has consistently highlighted potential challenges and benefits concerning this file from the very […]

The GDPR has been an important tool for protecting individuals’ privacy and has substantially elevated data protection awareness globally. Its impact can be seen in many data protection laws around the world, as well as in the global privacy compliance and data management programs of many multinational organizations that use the GDPR as their baseline […]

The EU digital strategy intends to establish a safe and trusted digital space for individuals and a level playing field for businesses that fosters innovation, growth, and competitiveness in the EU. Specifically, the draft Digital Markets Act (DMA) aims to enable open and fair digital and data markets by fostering competition. In particular, it seeks […]

The One-Stop-Shop mechanism (OSS), is essential to support the consistent implementation of the GDPR in order to achieve the EU single market. The OSS brings important benefits to individuals, organizations and Supervisory Authorities (SAs). However, the OSS is facing a growing amount of criticism and risks being undermined. Its challenges should now be discussed and […]

Following the European Data Protection Board’s (EDPB) Stakeholder Workshop on Legitimate Interests on 27 November 2020, CIPL published this white paper as input for the EDPB’s future update of the guidelines on the legitimate interests legal basis. This Paper is also relevant for any jurisdiction where data protection law includes legitimate interests as a legal […]

On July 16 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as Schrems II, that Standard Contractual Clauses are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. This substantially impacts organizations […]

Following the European Data Protection Board’s (EBPB) stakeholders’ event in Brussels on November 4th 2019, on Data Subject Rights CIPL submitted this White Paper as input for the EDPB’s future guidelines on Data Subject Rights. The EDPB’s stakeholder event on DSR addressed the following GDPR provisions: The right of access (Article 15) The right to […]

The European Commission is currently working on updated standard data protection clauses for international transfers (SCC) to serve as “appropriate safeguards” that are necessary to legitimize the transfer of personal data to a third country in the absence of an adequacy decision. The Commission is currently receiving input from organizations. CIPL welcomes the opportunity to […]

In this report, we seek to outline the positive impacts and benefits organizations have experienced as a result of their GDPR compliance efforts. We also describe the challenges and unfulfilled promises of the GDPR, where organizations feel the Regulation has not lived up to its objectives and has presented practical difficulties, despite their dedication to […]

An important focus in the legislative discussions on the proposed ePrivacy Regulation is the fact that the proposal (mainly the articles 5 and 6 thereof) aims to protect the confidentiality of communications of individuals and legal persons, and in particular addresses the confidentiality of content data and metadata, implementing Article 7 of the EU Fundamental […]

This study was prepared by Brinkhof for CIPL On 10 January 2017, the Commission adopted its proposal for a new ePrivacy Regulation to replace the existing Directive 2002/58/EC. This proposal is currently being discussed in the Council. One of the questions being considered, is the link between the ePR and the General Data Protection Regulation. […]

This report was prepared by Normally Ltd for the Centre for Information Policy Leadership in April 2018. In the discourse on regulation of digital services and the proposed ePR, design has been missing from the discussion. This study makes the case for why we all need design to take a seat at the table. It […]

This Factsheet addresses the following in the context of the proposed ePrivacy Regulation and GDPR: Controllers and Processors Data Protection Principles Transparency Territorial Scope The Lawfulness of Processing Rights of the Data Subject Privacy by Design and by Default Security Risk-based Approach Data Protection Impact Assessment Supervisory Authorities Remedies Sanctions

This paper highlights and explores CIPL’s ten key messages on the principles of transparency, consent and legitimate interest: Transparency is intended to be user-centric and should not primarily envisage legal compliance. Transparency should be context-specific, benefit from the possibilities of new technologies and avoid information overload. Transparency should be provided contextually by different methods and […]

On 6 and 7 March 2017, CIPL held its 3rd major workshop of the GDPR Implementation Project focusing on the issues of transparency, consent and legitimate interest. The workshop was held in the historic premises of Telefónica with more than 140 participants from industry, DPAs, national governments, the European Commission, the EDPS, and academia. The […]

The purpose of this paper is to: Inform the EU DPAs and the Article 29 Working Party as they consider the provisions of the GDPR on criteria to define the lead DPA and the co-operation among DPAs in the context of the OSS and the lead DPA. Signal any practical challenges in implementing these provisions […]

The function of the data protection officer or chief privacy officer is an essential component of data privacy accountability, playing a crucial role in enabling organisations to ensure and demonstrate both data privacy compliance and effective privacy protection of individuals. In recognition of its crucial status within organisations, this function is formally recognised and described […]

In September, we held our second GDPR Workshop in Paris as part of our two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster […]

On 30 June 2016, CIPL and Telefónica held a joint Roundtable in London, with senior business leaders, data privacy officers and lawyers, data privacy regulators and academic experts, entitled ‘Reframing Data Transparency’. The objective of the Roundtable was to build on recent projects, initiatives and legal changes related to data transparency, such as the EU-US […]

On 16 March 2016, CIPL and the Dutch Ministry of Security and Justice co-hosted a workshop in Amsterdam entitled “Towards a Successful and Consistent Implementation of the GDPR”. The workshop kick-started the special CIPL project on the consistent interpretation and implementation of the EU GDPR. The main objective of the workshop was to initiate an […]

The role and function of a data protection officer (DPO) are evolving and will underpin data protection compliance under the proposed European General Data Protection Regulation. Recognizing the critical importance of the DPO function and oversight as a prerequisite for data privacy corporate accountability, many organizations have invested strategically in developing a DPO function, but […]