Happy International Data Privacy Day! And what better day than today, to explore what 2023 is likely to have in store for data and privacy?
We are just over one year on from the UK government hinting that it might think outside the box in terms of data protection regulation. Two years on from the introduction of the UK GDPR in a post-Brexit Britain. Three years on from the start of a global pandemic which forced a discussion around the tension between public health and data privacy. And over four years on from the GDPR coming into force across Europe, and by extension the world. But the passing of time does not appear to have diminished the worldwide focus on data and privacy issues.
In this post, we set out some predictions for data protection and privacy developments across the UK and EU in the year to come.
- UK Data Protection Reform in a post-Brexit world
2023 is the year that we should see reform to UK data protection law as the UK government will turn its focus back to the Data Protection and Digital Information Bill after the political turmoil of late last year. But what remains unclear is exactly what this reform will look like and what it will mean for the UK’s adequacy status from the EU, as the UK looks to toe the line between maintaining adequacy and yet providing a more business-friendly privacy environment to drive innovation and reduce the compliance burden. That said, changes to the UK law may not make that much difference to cross-border businesses that want to embrace a single approach across the EU and so will need to adopt any higher EU standard. Even so, the reform will be welcome in 2023, as the proposed Retained EU Law (Revocation and Reform) Bill is scheduled to wipe out both the UK GDPR and UK e-Privacy laws at the end of the year, unless ministers actively exclude the legislation (or certain of its provisions) from revocation.
2023 is also the year we will see more data-related legislation and rules, for example the Online Safety Bill (to improve internet safety), the Product Security and Telecommunications Infrastructure Bill (to make IoT products more secure), and potentially AI regulation (see below).
For further details on the Data Protection and Digital Information Bill please see our blog posts here
- Increasing privacy regulation globally
2023 looks to be a year of new and revised privacy frameworks across Asia, Africa and the Middle East, with the EU GDPR still leading the way as inspiration for data protection regimes overseas. A revised proposal of India’s first data protection-specific legislation, the Data Protection Bill, is expected to be presented to Parliament in early 2023. Having been withdrawn by the Government in August 2022 and a less prescriptive proposal published in November 2022, the revised version is expected to comprise a simpler data protection framework (largely consistent with the EU GDPR) for legislative approval. It is anticipated the detail will be dealt with in subsequent implementing regulations.
Other territories looking to establish or re-visit their data protection regimes in the year ahead are likely to include Nigeria, Saudi Arabia and Vietnam, with legislation pending in Canada and Israel. The regime in Australia is also still under development. It remains to be seen which of these regimes will be finalised and adopted into law before the year is through.
- International data transfers – Volume 1 (the EU activity)
The topic of international data transfers seemed to dominate data protection discussions in 2022 (and 2021!) and, although we don’t anticipate perhaps as much change in this area in 2023, it seems unlikely that the complex issues of international data transfers will disappear entirely. To start, let’s not forget the slightly throw-away comment in the EU Commission’s SCC FAQ document last year, which confirmed that the Commission was in the process of developing yet another set of standard contractual clauses to deal with the scenario where data importers are subject to the GDPR because of Article 3. Can we ever have too many sets of standard contractual clauses?!
Then, in other international transfer news, the European Commission launched a process in December towards the adoption of an adequacy decision for an EU-US Data Privacy Framework. If the process goes smoothly, it is likely that 2023 will see the adoption of a new adequacy decision to cover transfers to the US which will go some way in relieving the lingering uncertainty faced by many EU organisations when transferring personal data to the US following Schrems II. Elsewhere, the consultation period for commenting on the draft Protection of Privacy Regulations published by Israel’s Ministry of Justice regarding data transferred from the EEA closed in December and it remains to be seen whether these regulations will be formally progressed (and, if so, will probably help with respect to preserving Israel’s current adequacy status). Could 2023 be a year dominated by adequacy headlines?
For further details on international data transfers (the EU activity) please see our blog posts here and here
- International data transfers – Volume 2 (the UK position)
As with the EU, there was also a lot of fanfare around the topic of international data transfers last year in the UK, particularly with the coming into force of the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU SCCs (UK Addendum). Whilst we have seen more implementations of the UK Addendum to date (on the basis that many organisations that process personal data will process both EU and UK personal data), we have started to see more implementations of the IDTA and we predict that this trend may continue. Looking ahead, and setting aside the possibility that the UK’s data protection regime (including with respect to international transfers) may be reformed, it is hoped that 2023 might also see a new UK-US personal data transfer mechanism resulting from ongoing discussions between the two nations (including between the UK’s Digital Secretary and the US Secretary of Commerce to discuss digital priorities late last year), and the UK Government certainly seems to be focussed on its high priority jurisdictions for the purpose of adequacy.
For further details on international data transfers (the UK position) please see our blog posts here and here.
- US privacy becomes more serious, but still no federal law
US states will likely continue in 2023 to fill the federal law-shaped hole with new comprehensive privacy laws (think the new California Privacy Rights Act and Virginia Consumer Data Protection Act, both in force from January 2023, and new laws in Colorado and Utah to follow later this year) leading to a patchwork of legislation. We are also likely to see states address more discrete issues, for example with respect to biometrics, health data and, as was recently done in California, children’s privacy. However, whilst new data privacy legislation is always welcomed, this patchwork of laws will undoubtedly present compliance challenges and cause the burden on businesses to grow heavier. Perhaps this will result in pressure to enact federal privacy legislation continuing to mount. While 2023 may not be the year that it will be passed, what progress can we expect to the see with the proposed American Data Privacy and Protection Act (fondly called the ‘US GDPR’), if any? As noted above, also expect 2023 to be the year that an adequacy decision for EU-US transfers…and for this to be promptly challenged by Schrems returning for a third bite of the cherry?
- Further move towards data localisation?
Despite the anticipated easing of international data transfers between certain jurisdictions (such as the UK/EU and US), will 2023 see a further move towards data localisation and regional practices? In the fall out from Schrems II, organisations wishing to avoid the time, effort and cost of due diligence on transfers or implementing supplementary measures, may well continue to self-select vendors based on hosting location to keep data in country/region rather than navigate the regulatory challenges now associated with international data transfers. Add to this navigating further potential restrictions around transfers of non-personal data under both the forthcoming Data Governance Act and proposed Data Act (see below), as well as the EDPB’s recent suggestion (in the outcome of its investigation into the use of cloud-based services by the public sector) that European public authorities move towards using EU-based “sovereign” cloud providers rather than large foreign providers, and it will be interesting to watch the impact of global transfers as a whole in 2023. There are, however, limitations on this prediction; whilst data localisation may be a solution, it is not always the solution to regulatory compliance where it is not a practical and reasonable one.
- EU spotlight on regulating non-personal data
The plethora of legislation coming out of the European Data Strategy looks set to continue in 2023, with new legislation being finalised as well as confirmation of when legislation is coming into effect. Of particular note, the EU is looking to regulate the use of data beyond just “personal data”, in the form of the Data Governance Act (DGA) and the proposed Data Act (DA), as well as establishing nine common European data spaces. The DGA is due to apply in September 2023 and seeks to increase trust in data sharing; create new rules on the neutrality of data marketplaces; and facilitate the use of public sector data. Whilst the DA aims to establish a cross-sectoral governance framework to make it easier for businesses to access and use data, this has the potential to fundamentally change the environment for data-driven business models in the EU (including where data is used for AI purposes).
Looking closer to home and in an effort to unlock “the power of data for the UK” pledged by the DCMS in its National Data Strategy, will this be the year that the UK’s focus also goes beyond just “personal data” too? Or will the overhaul of the UK’s data protection regime overshadow such efforts?
- Diverging cookie approaches and the death of third party cookies
This prediction now seems like an annual ritual, but will 2023 be the year that we finally see the EU ePrivacy Regulation come into force? Maybe we will by the mid or end of 2023 – but even then a potential transitional period of 24 months means the legislation would not come into effect before mid- or end-2025. Will we also see the UK going in a different direction as part of its data protection regime overhaul? The Data Protection and Digital Information Bill proposed reforms to cookies, which would allow an ‘opt-out’ rather than an ‘opt-in’ model for cookie consent, reducing the need for click through consent banners, which might be welcome news to many. 2023 will also likely continue to see the deprecation of third party cookies as first party data and user intelligence are becoming the new lifeblood of the AdTech world.
- Tech vs data regulation – the balancing act continues
Hot on the heels of the Digital Services Act and the Digital Markets Act of 2022, the pace of regulation in the EU digital arena shows no signs of slowing in the year ahead. As organisations grapple with using new technologies responsibly, we will continue to see regulators looking to develop appropriate legislative frameworks to address the legal complexities that arise (including in respect of data) and encourage the take-up of trustworthy emerging technologies, without stifling innovation and investment in the technology. This is particularly true of artificial intelligence, where the EU is leading the charge with its tiered risk-based approach to regulating AI systems under the proposed AI Act, which is expected to be adopted by the end of 2023. Its siblings, the proposed EU AI Liability Directive and EU Product Liability Directive, will also progress through the legislative process in the 12 months ahead.
2023 is also likely to see the UK government publish its long-awaited White Paper setting out its “pro-innovation national position on governing and regulating AI”. Based on the AI Regulation Policy Paper 2022, we can expect the White Paper to take the form of a proportionate, light-touch, sector-led approach, with common principles but a less prescriptive or centralised approach than the EU. Consistent with this approach, it will be interesting to see whether the Data Protection and Digital Information Bill retains the previously proposed relaxation of the rules around automated decision making?
Given the European Commission is turning its attention to virtual worlds in the coming months as well (including the metaverse), expect 2023 to throw up plenty of knotty regulatory considerations stretching the application of existing regulatory frameworks. With the deeper interaction between users and virtual environments in the metaverse, deeper profiling and the sharing of multiple data sets between metaverse platforms, as well as complex chains of data controllers and processors collecting personal data ranging from basic identifiers to sensitive biometric data such as eye movements and brainwave patterns, expect privacy challenges to remain front and centre of any related EU initiatives.
For further details on UK’s approach to regulating AI and regulatory issues in the metaverse please see our blog posts here and here respectively.
- Adtech – down but not beaten?
2023 has already seen a big decision in the AdTech/ social media sphere as the European Data Protection Board has stated that “contractual necessity” as the lawful basis for behavioural advertising is not appropriate. Expect this EDPB decision to be challenged, including by the Irish Data Protection Commissioner for ‘overreaching’, in 2023. In the meantime, it will be interesting to see the effect that these decisions have on the business models of providers in the adtech value chain.
Elsewhere in the AdTech space, the IAB Europe has received Belgium Data Protection Authority approval of its action plan regarding its updated Transparency and Consent Framework (a consent solution developed by IAB Europe that has become a widely used approach to collecting and managing consent for targeted advertising cookies in the EU), although the CJEU has yet to give it its seal of approval.
Overall, 2023 looks set to bring more action in this space as the focus on targeted advertising will not wane, but while this may start to shape new targeted advertising models as organisations look for privacy-friendly alternatives, we think targeted advertising will be with us for a while longer yet.
- Privacy regulation through competition enforcement?
2023 will see the Court of Justice of the European Union (CJEU) determine whether national competition authorities of EU Member States are entitled to establish breach of the EU GDPR in competition proceedings, and the extent to which this can form the basis for establishing an infringement of competition laws. These questions are at play in the reference for a preliminary ruling in Meta Platforms and Others v Bundeskartellamt (Case C-252/21), in the context of ongoing proceedings in Germany concerning whether Facebook infringed competition law through its data collection practices. In September of last year Advocate General Rantos gave an opinion which concluded that whilst a competition authority cannot make a ruling “primarily” on breach of the GDPR, it can take into account the compatibility of conduct with the provisions of the GDPR as an “incidental” question when applying competition laws. Advocate General opinions are not binding on the CJEU but are often followed in practice. Given the increasingly vital role that data plays in a number of organisations’ business strategies, and the growing potential overlap between the remit of competition authorities and data protection authorities on data processing issues, the CJEU’s judgment is much anticipated.