2022 was a year full of challenges for global businesses, in particular in the realm of EU data protection regulation, and 2023 seems likely to be no less demanding. New laws, increasing and intensifying cyber threats, privacy enforcement by private individuals and by public authorities, and international data transfer requirements will all be particularly important in 2023.
Below we summarise the top EU data protection trends that we believe will impact businesses in 2023.
A legal landscape far more complex
In 2022 a number of EU laws entered into force under the EU Commission's European Data Strategy. Companies affected by the changes were kept busy assessing the implications of these laws for their businesses. We expect that trend to continue in 2023, with the following laws becoming applicable either this year or next:
- the Digital Markets Act, which targets large online platforms acting as “gatekeepers” and aims to ensure that they behave fairly;
- the Digital Services Act, which aims to create safer digital spaces;
- the NIS 2 Directive, which aims to improve protection against cyber-attacks by updating the current NIS Directive and which must be transposed into the national law of each EU Member State by 17 October 2024; and
- the Data Governance Act, which creates a framework that will facilitate data sharing and provide rules governing the reuse of data.
In addition, the following draft laws are under debate and on their way to adoption:
- the Artificial Intelligence Act, which will set harmonised rules on the development, use, and distribution of AI systems;
- the Data Act, which will seek to improve access to data, including specific regulations addressing the Internet of Things and cloud providers; and
- the Cyber Resilience Act, which introduces cybersecurity rules for connected products.
Looking further ahead, other initiatives at an earlier stage in the legislative pipeline include:
- the European Health Data Space initiative, which aims to empower individuals to fully exercise rights over their health data;
- the open finance strategy relating to the consensual access and reuse of customer data across a range of financial services; and
- the AI Liability Directive, which introduces rules governing damages caused by AI systems.
Similar regulatory trajectories are emerging around the world. For example, in China regulations have been further tightened, in particular with regard to cross-border transfers; in Argentina plans to adopt new laws modelled on the GDPR are under consultation; and in Australia fines for violating privacy laws have been significantly increased and the government is considering further wide-ranging reforms to privacy laws.
All these new regulations across the globe have a complex interplay with EU data regulation, and in some instances conflicts between the laws of different jurisdictions will arise.
Cybercrime and cybersecurity risks rising
Another top priority for organisations should be to properly prepare for, respond to, and manage cyberattacks. Organisations increasingly rely on digital services such as cloud infrastructure, given the undeniable advantages those services often offer. However, the continued trend towards digital transformation expands the attack surface that threat actors will probe for vulnerabilities. Cybercrime will remain a growing business model among criminal groups.
Organisations should prioritise assessing and addressing the relevant risks, including deciding in advance how to handle ransom demands and setting up policies and processes to comply with applicable requirements (such as incident notification obligations). See our blog post on the risks and key issues to bear in mind when considering ransom payments.
A cybersecurity breach will often occupy an organisation's time and resources well after its systems have been restored and its reporting obligations have been fulfilled, as lengthy litigation frequently follows such attacks.
Mass private enforcement through privacy litigation
2023 is expected to mark the beginning of mass privacy litigation in the EU. Various law firms and consumer associations across Europe have positioned themselves to litigate damages for their clients following reports of cyber incidents or fines by regulators.
The interpretation of the rights and obligations arising under the GDPR and other data laws ultimately lies with national and EU courts. Litigation arising from mass claims may help to clarify some of the many areas of legal uncertainty regarding the GDPR that those courts have not yet addressed. A number of claims brought by individuals have already contributed in that regard.
It will be interesting to see how the Court of Justice of the European Union (CJEU) positions itself, especially after it recently encouraged representative actions by ruling that consumer protection associations and competitors may seek injunctions in their own name against controllers under the GDPR where national law so allows. The CJEU will also soon decide on the threshold for claiming non-material damages, and on whether imposing a fine on a company requires identifying an (at least) negligent violation of the GDPR by a member of that company's management.
In any case, organisations should prepare to face an increase in privacy litigation.
Public data protection enforcement unleashed
2023 should also be a busy year for data protection authorities (DPAs). Numerous fines amounting to over €2.5bn have already been imposed under the GDPR, with the highest to date reaching €746m (though this was later suspended by the Luxembourg administrative court). It seems likely that the biggest fines are yet to come.
Large fines under the GDPR should not be surprising. Fines amounting to billions of euros are likely on the horizon and DPAs, including historically quieter ones, are becoming more and more active. See our 2022 Global Data Risk Report.
This is due, among other things, to the increasing harmonisation of the efforts and approaches of national DPAs as a consequence of the work of the European Data Protection Board (EDPB). As outlined by the EDPB in its statement on enforcement cooperation of 28 April 2022, “more than ever, strong and swift enforcement is crucial for ensuring a consistent interpretation of the GDPR”. Enforcement is being facilitated by a growing number of uniform and stringent EDPB guidelines such as the EDPB’s guidelines on the calculation of administrative fines under the GDPR.
Turbulence in international data transfer requirements
Finally, 2022 saw many organisations occupied with setting up and implementing revised data transfer mechanisms and instruments (including migrating existing contracts to the EU Commission's 2021 Standard Contractual Clauses, for which the transition period ended on 27 December 2022) in order to comply with the legal requirements that followed the landmark 2020 ‘Schrems II’ decision of the CJEU.
International data transfers will continue to evolve in 2023. In particular, the EU Commission is working to implement a new framework for transfers of personal data from the EU to the US, the EU-US Data Privacy Framework, for which it published a draft adequacy decision in December 2022.
Discussions between the UK and the US on a new framework to replace the Privacy Shield are also ongoing, and the UK recently finalised adequacy regulations for South Korea.
Organisations now benefit from some further official guidance, for instance the Q&A on the Standard Contractual Clauses recently issued by the EU Commission. However, international data transfers are likely to remain a challenging and developing area in 2023.