The environment we face at the end of 2022 is increasingly uncertain amidst geo-political tensions and economic fragility, but new approaches and ideas born of technology and innovation continue to emerge, designed to enrich and enhance the way we live and potentially help respond to the challenges we face. A number of these technologies look set to dominate 2023 and drive new legal developments in data privacy.
AI and the metaverse – opinions will differ
The ongoing march of AI technology across all sectors will be shaping our societies in years to come, for good or ill. Likewise, there's much prominence given to the metaverse even if most of us are not yet clear how it will operate in practice and what the implications will be for people's privacy. The challenge in 2023 and beyond will be for companies and governments to act responsibly and for regulators to achieve a fair balance between encouraging the deployment of new technologies while protecting all of us from abuse, and the most vulnerable especially. While there are a number of international initiatives looking at how to meet these challenges, by far the most likely scenario is that piecemeal legislation will emerge, potentially starting with the EU's AI Act.
The European Commission's proposals to regulate AI include the AI Act and (the new kid on the block) the AI Liability Directive. The submissions in response to the AI Act have been extensive and discussions are ongoing. Certain topics remain complex. There is debate as to which systems should be classified as 'high-risk' and how far the use of AI in biometric recognition systems should be limited. Additionally, there have been further proposals around the extent that the Commission itself can revise the list of high-risk AI systems.
Given the potential for AI systems to be used across all aspects of life as individuals connect with technology, receive medical care, purchase consumer services and operate in the workplace, the impact on privacy and individual freedom must be carefully scrutinised. And what about new technologies which can analyse emotions? How will data protection law handle these developments and the fact that these technologies push further and deeper into assessing people's behaviour?
The legislative juggernaut will gather pace in the EU
The legislative juggernaut in the digital and data space will speed up in 2023. As we look forward, we will also see developments in the law in the medium term. The European Data Strategy is firmly taking shape as new laws are finalised and a timetable is set down for their coming into effect. The swathe of laws being drafted and finalised in the EU – including the Data Act and Data Governance Act – emphasise that the regulation of data is not just about personal data. The main theme is to improve access to and sharing of personal data and non-personal data, both on a business-to-consumer and a business-to-business level. The European Commission is also keen to push new initiatives like data spaces. The first version of this is the European Health Data Space, which the Commission believes 'will strengthen the quality and continuity of healthcare and ensure citizens' rights in relation to their health data'.
In the European Commission's work programme for 2023 (published in mid-October), under the heading 'A Europe fit for the Digital Age', a series of proposed laws are slated as prioritised including the ill-fated ePrivacy Regulation. This replacement to Directive 2002/58 (the so-called Cookies Law which also deals with direct marketing rules) has been stalled for years. Will 2023 be the year that there is finally positive progress towards a new European ePrivacy law? As we've asked that question annually at this time of year since the legislation was proposed in 2017, we are cautious about predicting this will be the year of the ePrivacy Regulation, but, on the other hand, it can't continue to be delayed indefinitely, so you never know.
The EU will also continue to focus on cybersecurity in 2023. The NIS2 Directive is on the verge of being finalised at the time of writing, and the Cyber Resilience Act looks to improve the security of consumer IoT products, while the Digital Operational Resilience Act (DORA) deals with security requirements for the financial sector.
Businesses in and dealing with the EU (and their lawyers) will find themselves busy getting to grips with all the incoming data and cyber legislation over the next year.
Data transfers to the US from the EU and UK should get easier, for a while at least
Shifting the focus to the US, there are signs of a number of developments in 2023. Firstly, we should see the replacement to Privacy Shield and presumably a new name for the resurrected EU-US agreement on data transfers. President Biden's new Executive Order on Enhancing Safeguards for US Signals Intelligence Activities is a solid plank being laid down for the new framework. However, a number of steps remain before the new EU-US framework can be relied on for data transfers – we need to see the draft adequacy decision from the Commission and the opinion of the European Data Protection Board (EDPB) as well as approval from EU Member States. Will the EDPB be as confident as the Commission about the Executive Order? Of course, even if the replacement adequacy decision is finalised, it's very possible that it will still lead inescapably to the next instalment of Schrems' litigation in the Court of Justice of the EU (CJEU). Even if the CJEU were to rule against the European Commission for a third time, it will take a few years to get to that point, which means we may well enter a period of stability for data transfers to the US in 2023.
If, however, a new US adequacy agreement looks less than perfect, will businesses want to rely on it for EU-US transfers when there is still uncertainty in the air? Many may choose to continue to rely on Standard Contractual Clauses in the short to medium term given that most have spent the last months putting the new EU versions in place. One piece of the jigsaw that may influence the debate around governments' access to data and the transfer impact assessment requirement is the news that the OECD may formally endorse an agreement on government access practices soon. The expectation is that this agreement would set out certain limits on government access to data. Such an agreement could have a significant impact going forward depending on how robust these limits are and how quickly governments align their access to data practices with the OECD standard.
The end of Meta social media in the EU?
We may see other consequences in 2023 from the rulings on international data transfers. Will Meta be forced to turn off its services (Facebook, Instagram, WhatsApp) in the EU? The Irish Data Protection Commissioner's (DPC) decision on Meta is due in late 2022/early 2023. The saga that began with Max Schrems' complaint to the DPC back in 2013 about Meta's (then Facebook's) transfer of personal data from the EU to the US may finally reach some kind of conclusion. However, if the sword falls on Meta's EU users, the impact will be vast for EU businesses as well as individuals who use Meta's services every day.
The US will get more serious about data protection, but there won't be a Federal Law in 2023
It's quite likely that we will see more enforcement action in the US following the flexing of fining muscles shown in the $1.2 million settlement by Sephora for its violations of the California Consumer Privacy Act's 'do not sell' provision. Now that a number of US states have adopted data protection or privacy laws (some of which come into effect in 2023), there may well be pressure on regulators and officials to show these new laws have real teeth. While discussion on the US's new federal data protection law continues, it does, however, seem unlikely that we'll see a final version passed through Congress in the next 12 months.
The UK will get a new data protection law, but it's unclear how much difference it will make
The future of data protection law in the UK may well be decided in 2023. It seems likely that the government (assuming it remains a Conservative majority government) will want to push ahead and reform UK data protection law. What remains uncertain is exactly what these reforms will mean for the UK's adequacy status from the EU. A UK government spokesperson has again underlined that retaining adequacy is core to its approach and even said that any organisation compliant with the EU GDPR will find itself compliant with any incoming UK replacement. If this is the case, a new UK law may not make that much difference to cross-border businesses which want to embrace a single approach across all of Europe. However, the drive for a UK legal framework that strives for innovation and more flexibility may place strains on an ambition to reassure Brussels about UK privacy standards.
It's not just about a replacement for the UK GDPR though. Like the EU, the UK is looking to make IoT products more secure with the Product Security and Telecommunications Infrastructure Bill, likely to be law by the end of 2022. While ahead of the EU in that area, it is somewhat behind in other parallel areas of focus like AI and facilitating the sharing of non-personal data. 2023 may be the year that the UK catches up with the EU in these areas.