A look back at privacy and data protection in 2022
- EU Regulation
- December 20, 2022
Data privacy made more news than ever in 2022. The usual peaks and valleys the IAPP editorial team observed in prior years were replaced by an unprecedentedly busy news cycle that never seemed to let up, which raises the question: What developments were most noteworthy for the privacy profession?
Here’s a rundown of what we saw over the past year and what’s on the horizon for 2023.
Looming over developments in 2022 was Russia’s invasion of Ukraine on Feb. 24. In response, the IAPP contacted and offered support to Ukrainian members, suspended all services in Russia and Belarus, and donated $10 for every attendee at the Global Privacy Summit to the World Central Kitchen to help feed those affected by the invasion. Though the war continues today, we hope 2023 will bring it to an end.
Major legislative efforts introduced around the world
In September, a massive data breach of Australia’s second-largest telecommunications company, Optus, prompted lawmakers to introduce the Privacy Legislation Amendment Bill 2022, which increases fines to AU$50 million when companies sustain repeated data breaches.
Argentina’s Agency of Access to Public Information opened the consultation process to begin reforming its Personal Data Protection Law, passed in 2000. Reforms are largely modeled after provisions of the EU General Data Protection Regulation.
Canada’s Digital Charter Implementation Act, Bill C-27, was introduced in the House of Commons in June but was tabled in November. C-27 contains three pieces of legislation within the omnibus package: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
India scrapped its proposed Personal Data Protection Bill for the revamped Digital Personal Data Protection Bill, which is under public consultation as the year winds down. The bill sheds data localization standards while embedding principles for fairness, lawfulness and transparency, data minimization, storage limitation and accountability.
Indonesia passed the Personal Data Protection Bill, which establishes penalties for mishandling citizens’ personal data. It also empowers the president to appoint members of an oversight authority to enforce the law, a sticking point during the legislative process.
The US inches closer to comprehensive consumer privacy law
Bipartisan comprehensive federal privacy legislation made its way to the forefront in the U.S. with the introduction of the proposed American Data Privacy and Protection Act. The landmark bill offered privacy rights and limited redress to U.S. consumers while imposing requirements and practical standards on companies on a national scale.
The ADPPA was the first federal privacy proposal to clear a U.S. congressional committee, but the U.S. House resisted calling a floor vote. The hang-up mostly concerns opposition from the House’s California delegation regarding the bill’s federal preemption of the California Consumer Privacy Act. The Senate also presents a roadblock for the proposal as currently constituted, when or if it passes the House.
There is an outside chance it may be put up for a vote during the lame-duck session before the new Congress is convened in January 2023, but the bill is likely to remain relevant in the incoming 118th Congress.
US state-level privacy push continues
In the absence of federal privacy legislation, states continued to act on their own. Connecticut and Utah passed comprehensive privacy legislation, joining the likes of California, Colorado and Virginia. All these laws will take effect throughout 2023.
California remained a nexus of privacy, as the California Privacy Protection Agency embarked on rulemaking for the California Privacy Rights Act, which is set to go into effect Jan. 1, 2023. The California Legislature passed the California Age-Appropriate Design Code Act, an unprecedented children’s online safety bill with privacy requirements.
Flowing forward: EU-US Data Privacy Framework takes shape
The EU and the U.S. finally agreed to a fresh data transfer regime this year. The proposed EU-U.S. Data Privacy Framework could be finalized sometime during summer 2023, which will mark three years since the invalidation of its predecessor — the EU-U.S. Privacy Shield.
The DPF addresses concerns over U.S. foreign intelligence and EU consumer redress. However, the proposal faces a looming Court of Justice of the European Union challenge over whether the EU and the U.S. hit on the shortcomings outlined in the previous deal’s invalidation.
And what if the EU-U.S. agreement can’t rise to CJEU standards? Journalist Luca Bertuzzi painted a picture of potential EU data localization, with EU policymakers “progressively” examining “stricter limitations to trans-Atlantic data flows.”
International data transfers get a boost
More global cooperation and solutions for data transfers emerged in 2022. There’s momentum behind increased participation in the Global Cross-Border Privacy Rules Forum announced by the U.S. Department of Commerce. The Organisation for Economic Co-operation and Development also developed and released globally recognized principles for government access to personal data for national security purposes.
EU presses forward on its Digital Market Strategy
The EU passed two major pieces of legislation: the Digital Markets Act and the Digital Services Act. While both include privacy provisions, the DMA regulates online competition among “gatekeeping” technology companies, while the DSA creates rules for content moderation and platform accountability. The EU is also crafting the Artificial Intelligence Act, Data Act and Data Governance Act in earnest. Those remaining proposals are far along in negotiations and will likely be finalized sometime in 2023.
UK data protection reforms slowed by political uncertainty
The U.K. forged ahead with its post-Brexit data protection reforms; however, the resignations of Tory Prime Ministers Boris Johnson and Liz Truss in quick succession, in June and October respectively, complicated swift reform. The U.K. introduced the Data Protection and Digital Information Bill in the House of Commons and an AI “rulebook.” Former U.K. Deputy Information Commissioner Simon McDougall, CIPP/E, CIPM, CIPT, said the U.K.’s data protection reforms will not stray too far from the basic principles of the EU GDPR.
Ireland’s Data Protection Commission issued the second- and third-largest GDPR fines to date — 405 million and 265 million euros against Instagram and Meta, respectively. In the U.S., Epic Games will pay $275 million to settle children’s privacy violations with the U.S. Federal Trade Commission. The FTC also fined Twitter $150 million for using account security data for targeted advertising in violation of a 2011 consent decree.
CCPA enforcement heats up
The first-ever California Consumer Privacy Act enforcement action — a $1.2 million settlement with beauty retailer Sephora — came in August. It demonstrated that California Attorney General Rob Bonta is taking compliance seriously and served as a reality check for businesses that new requirements under the California Privacy Rights Act are just days away. Those requirements take effect Jan. 1, 2023, while the California Privacy Protection Agency is still working to promulgate final rules, now anticipated to be released in late January.
Google Analytics enforcement in EU casts ‘a dark cloud’ on transfers
Ripple effects from the Austrian data protection authority’s January decision that Google Analytics unlawfully transfers data to the U.S. could be felt throughout the year as DPAs in France, Italy and Denmark followed suit. The ruling cast what Goodwin Procter Partner and IAPP Senior Fellow Omer Tene called “a dark cloud [over] any conceivable method of legally transferring data between the continents,” as authorities ordered a halt to the use of the tool for data transfers to the U.S. without supplementary measures. The rulings are in response to 101 complaints filed across EU member states by advocacy group NOYB following the “Schrems II” decision. Similar decisions are likely still to come.
US Supreme Court overturns Roe v. Wade
In June, the U.S. Supreme Court overturned Roe v. Wade. The decision paved the way for states to pass laws criminalizing abortion, as well as the prosecution of doctors who provide the service. The decision opened up a privacy can of worms, as the data security practices of reproductive health applications can leave women vulnerable to prosecution. During a keynote panel at the IAPP’s Privacy. Security. Risk. 2022 conference in October, Center for Democracy and Technology President and CEO Alexandra Reeve Givens said laws in states that have since moved to criminalize abortion are now “normalizing surveillance on your neighbors” while empowering law enforcement to “weaponize data” on an unprecedented scale.
What’s in store for 2023?
There’s still much up in the air as we say goodbye to 2022. What legislative privacy efforts will continue to advance in 2023? Will the EU and the U.S. finally seal an agreement on data transfers that meets the CJEU’s standards? Will we see privacy enforcement as the dust settles around the Twitter shakeup, following the resignations of members of the platform’s privacy and security teams in the wake of Elon Musk’s purchase? What ramifications will the Roe v. Wade decision continue to have on privacy? And all of this amid a looming economic recession and an ongoing, devastating war in Ukraine.
We’re still days away from the New Year, but the 2023 news cycle is already shaping up to beat 2022.