Executive Summary
On behalf of Lex Mundi, it’s a pleasure to present you with our Data Privacy Trends and Topics 2023 report. As businesses increase their use of data to drive commercial activity, jurisdictions across the globe are strengthening regulatory frameworks and increasing controls on the collection, use and storage of personal information. Our network of member firm lawyers provides local expertise on anticipating regulatory risk to overcome these cross-border data and cybersecurity challenges.
This report was developed based on contributions from 53 Lex Mundi member firms and identifies regulatory challenges and key developments to keep abreast of during 2023. 55% of our contributing member firms confirmed that they anticipate significant changes to the data protection landscape in their jurisdictions during 2023.
We hope you enjoy the compilation. If you have further questions with respect to particular jurisdictions (whether featured in this report or otherwise), feel free to connect with your local member firm or with the Lex Mundi team for further insights.
Global Trends in Data Privacy in 2023
[Chart: Significant changes to the data protection landscape expected during 2023 (55% / 45%)]
Belgium
Liedekerke
Significant changes anticipated?
No. We expect some new guidelines by the
EDPB and BDPA and case law, but no
new acts are to be expected. We have had
the Belgian Privacy Act since July 30,
2018, complementing the GDPR which is
fully applicable within the Belgian legal order.
No specific changes in this regard are
expected in 2023.
Other developments
• Data mining (including personal and
non-personal data) cfr DSM.
• The Belgian Act on whistleblowing
(transposing EU Dir. 2019/1937) has
been published and will be applicable
as of February 15, 2023 (for companies
between 50-250 employees as of
December 17, 2023, for some
obligations). The implementation of
such Act will have an impact on the data
protection processes within the
company (e.g., ROPA will have to be
updated, specific privacy policy should
be drafted, possibly a DPIA is required,
etc.).
• Many clients are working to ensure
compliance with EU Regulation
2022/2065 (the "Digital Services Act"),
applicable as of February 17, 2024.
Czech Republic
PRK Partners
Significant changes anticipated?
Yes. The Czech Republic finally seems to
be on its way to adopting whistleblowing
legislation after several unsuccessful
attempts. The bill strives to implement
European legislation and go beyond it; at
the same time, it is under relatively strong
criticism from non-governmental
organizations. Its final scope and level
of protection are still awaited. Even
though many firms are in the process of
implementation already, it is
understandable that many are waiting for
the final wording to be able to implement
protection of whistle-blowers, which will
have to take into consideration the data
protection regulation.
Other developments
It is likely that the local data protection
authority will further concentrate its
inspections on cookies and unsolicited
messages and calls. A new adequacy
decision for transfers to the U.S. is eagerly
awaited within the first half of 2023, which
will make a substantial amount of
international transfers significantly easier.
Estonia
COBALT Law Firm
Significant changes anticipated?
No. There has been no discussion in the
legal landscape regarding any changes.
Furthermore, the Parliament of Estonia has
not initiated any drafts regarding data
protection.
Other developments
A recent hot topic in Estonia in 2022 has
been the use of cameras for video
surveillance which could also be the focus
in 2023 for the Estonian Data Protection
Inspectorate. In addition, in 2020 the Ministry
of Justice drafted a law that would allow
the application of fines in administrative
proceedings (currently the Estonian legal
system does not allow administrative
fines); however, due to the fact that the draft
raised questions about the necessity and
how it changes administrative proceedings,
the draft law has not been finalized or
submitted to the Parliament. There is no
indication that it will be done anytime soon.
France
Gide Loyrette Nouel A.A.R.P.I.
Significant changes anticipated?
Yes. We expect further developments
around data protection enforcement,
ePrivacy regulation and cyberattacks.
Other developments
We expect to see further changes around
the transfer of data outside the EEA and
the use of cookies.
Greece
Zepos & Yannopoulos
Significant changes anticipated?
Yes. Digital transformation and regulation of
new technologies have been high on the
regulatory agenda in Greece. New rules
introduced in the second half of 2022 will,
effectively, start being enforced in 2023;
relevant supplementary pieces of legislation,
expected within the following months, will,
hopefully, clarify vague areas and help
organizations navigate a constantly evolving
legal landscape. In this context, recently
introduced regulation on Artificial Intelligence
(AI), Internet of Things (IoT) technologies,
distributed ledger technology (DLT)
applications, etc. pose some challenging data
protection and cybersecurity issues and
compliance requirements that organizations
will need to understand and properly address.
Other developments
Organizations falling within the scope of the
newly introduced whistleblowing law (which
has transposed the EU Whistleblowing
Directive), will need to implement appropriate
measures, a quite challenging exercise,
considering the inefficiencies of the Greek
law. Another area that will require compliance
effort in 2023 is observance of rules regarding
the use of AI for HR management, also for
commercial and marketing practices (e.g.,
evaluation of employees, credit risk
assessment of business partners, consumer
profiling). As a first step, organizations will
need to audit and identify AI-dependent tools
used to make operational decisions. Following
that, identifying, assessing and handling data
protection risks linked with the processing
operations is required for GDPR compliance.
Iceland
LOGOS Legal Services
Significant changes anticipated?
No. There are no changes foreseeable in
relation to the legislation. We could see
an increase in cases from the Data Protection
Authority and possibly higher fines - but
there is nothing suggesting significant
changes.
Other developments
Transfer of data outside the EEA, use of
cookies.
Luxembourg
Arendt & Medernach
Significant changes anticipated?
No, but there are other matters that might
be on the horizon:
• transfers of personal data to third
countries not offering an adequate level
of protection,
• cybersecurity,
• risks resulting from service providers'
handling of personal data, and
• artificial intelligence.
Malta
Ganado Advocates
Significant changes anticipated?
No. Apart from awaiting further
progress/news in relation to the pending
EU ePrivacy Regulation, we do not
anticipate any significant changes to the
data protection landscape in Malta in 2023.
Other developments
None envisaged at this stage given that
the last changes seen were in relation to third
country transfers and rights of third-party
beneficiaries.
Netherlands
Houthoff
Significant changes anticipated?
No. No major changes are expected with
respect to the GDPR. Developments will
be based on case law and supervisory
authority guidance.
Other developments
There might be other developments in the
following matters:
• data privacy class actions,
• artificial intelligence, and
• the Digital Services Act/Digital Market
Act.
Portugal
Morais Leitão, Galvão Teles, Soares Da Silva & Associados
Significant changes anticipated?
Yes. At the end of 2022 we witnessed
several decisions of the Portuguese DPA
applying higher fines. We strongly suggest
that companies expect further action from a
more aggressive data protection authority.
Serbia
JPM Jankovic Popovic Mitic
Significant changes anticipated?
Yes. The Government shall adopt Guidelines
for Development, Application and Use of
Trustworthy and Responsible Artificial
Intelligence.
Other developments
The Guidelines will represent soft law
defining high risk AI systems, principles and
conditions to be taken into account for
development, application and use of AI
systems and a questionnaire to check
compliance with the principles and conditions.
The Law shall define the collection, i.e., transfer,
of genetic and biomedical data from the state
institutions carrying out genome sequencing
and processing biomedical data and their storage
on an online platform managed by the
Office for Technologic Development and
E-Government, forming a genetic and
biomedical repository with the aim: i) to
connect collected data with patients’ electronic
health records to be used by HCPs; ii) to
(pseudo)anonymize personal data and to
enable access to data, data sharing and
manipulation by researchers and commerce
to do scientific research and development of
AI algorithms in biomedicine for fast
diagnostics of rare diseases and assistance in
the prevention of human diseases. The benefits
expected include the development of
precision medicine and better patient
treatment, early diagnostics, improved
registries of diseases, increase of NGS
capacities, development of genetic data
standards, integration of various electronic
healthcare systems, increase of the number
of clinical studies conducted in Serbia, etc.
Spain
Uría Menéndez
Significant changes anticipated?
Yes. In particular, in the fields of
compliance and whistleblowing, there are
ongoing substantial changes.
Other developments
Spain is in the process of implementing the
EU Directive on compliance. This
framework includes specific rules on the
importance of the parties involved
(denouncing party, denounced, victim, etc.).
Switzerland
Pestalozzi
Significant changes anticipated?
Yes. The new Federal Data Protection Act
will enter into force on September 1, 2023.
Other developments
Following the implementation of the new
DPA, the 26 Swiss Cantons may also
initiate the revision of their cantonal DPA
(data protection act), applicable to all
cantonal and communal authorities.
