In the world of privacy and data, after another whirlwind year, what are the safe bets and the long shots for change in 2023?
Like the technology driving it, privacy and data law moves fast, and covers many territories, so it’s not always easy to keep track of developments. Long-awaited rulemaking – such as an overarching US federal data protection law – can get stuck in the weeds, while unexpected developments in technology and politics can serve up some complete surprises.
From the UK
The Data Protection and Digital Information Bill, which tries to make the laws underpinning UK data regulation – UK GDPR – more agile, is still stuck at second reading (though the gossip is that a substantial rewrite of the bill is in progress now). But for many, it serves up a classic cuppa: treading a happy line between expanding data opportunities for business, while staying Europe-friendly to preserve adequacy and easy data transfer. Our favourite to make progress in the next year.
The Online Safety Bill – trying to legislate to make the internet safer for users – is another well-known blend. It’s been derailed by the summer’s parliamentary musical chairs, and by disagreement over freedom of speech. But it’s hard to see this getting nowhere in the next 12 months, especially given the passing of the EU Digital Services Act which tackles some of the same issues. Another safe-ish bet.
More adequacy: Watch out for decisions making data flows easier between the UK and US (the sure thing), and India (the outside chance). After that, we are likely to be in for a long wait while possible partner jurisdictions put in place domestic legislation covering data protection.
Don’t forget that UK GDPR and PECR (which governs many AdTech rules) are both due to disappear in a puff of smoke under the proposed Retained EU Law (Revocation and Reform) Bill by the end of 2023, unless the government takes positive steps. For international data transfers, this is a game with high stakes, as the whole tea party will collapse if the tablecloth is whipped away too quickly. Not a business-friendly outcome, and we expect that, if the bill proceeds at all, UK GDPR will be saved in some form.
In the EU
The big guns: The European mega-studios have already seen a whole series of new productions: as well as the Digital Services Act, we have the Digital Markets Act (competition law comes to big digital providers), the Data Governance Act all about data sharing in the public sphere, and plenty of new regulation on critical infrastructure. The 2023 blockbusters will be the Data Act, which regulates data generated by the internet of things, and the Artificial Intelligence Act, keeping tabs on high-risk applications of AI.
Transfers between EU and US: Businesses looking for more straightforward EU/US data flows are hoping that the recent EU-US Data Privacy Framework will be finalised as planned by mid-2023 (and one key element of it, the EU’s draft adequacy decision, has just landed). But will the new scheme hold steady, or will it be exploded either by the European Data Protection Board or by member states? Even if it does get final agreement, Schrems 3, the next legal challenge to EU/US data flows, is undoubtedly in production. It’s likely to be some time in the planning, but it will be a must-see and the stakes could not be higher. Expect Oscar-winning action in due course, but not this year.
Other EU highlights expected in 2023: Standard Contractual Clauses (SCCs) for importers subject to the EU GDPR, the ongoing review of adequacy decisions and (possibly) a new EU/Israel agreement. Plus a proliferation of agreements and protocols on cross-border data sharing: watch out for new releases on health data, home rentals, tax and banking. There’s even an outside chance of progress with the long-awaited new e-Privacy Regulation to bring more up-to-date regulation to electronic communications.
Letter from the US
State data protection laws: There’s lots going on at state level for those monitoring the patchwork of new laws on AI, data protection and digital markets in the US. Of note are the new California Privacy Rights Act and Virginia Consumer Data Protection Act, both in force from January.
At a federal level: Despite furious efforts, we are far from having blanket coverage via a US federal data law. Needles are flying at both the Federal Trade Commission and Congress, but the proposed American Data Privacy and Protection Act (the ‘US GDPR’) is not yet sewn up, and may well be unpicked by the Senate next year unless supporters rally round.
US/UK data accord: The US has already agreed to tie the knot with the UK when it comes to sharing data for law enforcement by means of Overseas Production Orders. A wider data sharing protocol between the US and UK was announced alongside the EU-US Data Privacy Framework in October and a decision on adequacy, facilitating the free flow of data to the US, is likely from UK lawmakers during the year.
It’s an ad ad ad ad world
The first few days of 2023 have already brought us decisions which could go to the heart of current AdTech models. The EDPB, which referees the European regulators, has swept away “performance of a contract” as the legal foundation for behavioural advertising, and asked for a massive investigation into Meta activity, as part of disagreements between the platform and several member state regulators. The Irish regulator and Meta will both mount challenges. Meanwhile, IAB Europe (the leading industry organisation) has got regulator agreement to a potential landmark standard for getting user consent, though the CJEU is yet to give its blessing. Our prediction is that the courts will be busy, and advertisers will have to get smarter in how they organise and explain profiling. But despite excited pronouncements to the contrary from privacy pundits, we don’t think that targeted advertising is going anywhere soon.
Data: the final frontier
2023 will no doubt bring us a few steps closer to the data dream: a fully international system for transfer and sharing. The OECD, the EU, the French data protection regulator (the CNIL), the APEC countries and Global Privacy Alliance are among the national and international bodies all trying to go where no-one has gone before.
Each is taking a different approach. International SCCs, accords on government access to data, certification as a transfer tool, and formal regulator assessments of third countries to aid transfer risk assessment, are all possible routes.
Our prediction is that although there will be interesting developments this year, there are too many obstacles to get global agreement by next Christmas: not least, hugely differing privacy cultures, legal systems, and politics. But if anyone can design a system which works for business and reduces compliance cost and risk, they will indeed live long and prosper.
Whatever happens, expect lots of work on international transfer risk assessments, anonymisation and privacy-enhancing technologies, as well as children’s data.
There has already been unpredictably fast progress in the development of tools to create synthetic media, and particularly deepfake technology. With capabilities like Meta’s Make-A-Video already within reach of armchair directors worldwide, legislators will have to work very hard to keep on top of the risks to privacy, and (some say) to the democratic process itself. New requirements to identify and certify content are inevitable.
One very safe prediction for 2023: it’s not going to get any slower!