The Legal Perspective: Data Security Predictions for 2023
Data privacy is a leading concern for businesses today, and with privacy laws expanding, regulatory compliance is set to make the situation complex for marketers. The legal team at Morrison Foerster (Privacy + Data Security) consolidated its forecasts for data privacy trends in 2023. What follows is an excerpt from their report.
CCPA Enforcement Trends
Nearly three years following the effective date of the California Consumer Privacy Act (CCPA), increasing enforcement activity by the California Attorney General suggests that businesses should expect even more vigorous regulatory scrutiny next year. In the first half of 2023, audits by the Attorney General and the new California Privacy Protection Agency will likely continue to revolve around compliance with the CCPA’s extensive disclosure requirements and opt-out rights regarding the selling of personal information. Following the enforcement date of the California Privacy Rights Act on July 1, 2023, the focus might particularly expand to the processing of sensitive personal information.
EU/U.S. Privacy Framework
Because of the EU-U.S. Privacy Framework, companies will once again need to rethink the mechanisms they use to transfer personal data from the European Economic Area. While the states are finally getting on board with the broader definition of personal information used in the rest of the world’s privacy laws, we’re going to continue to see the development of laws surrounding the use of non-personal information outside the United States.
GDPR and ePrivacy
In 2023, we will see a further convergence of laws regulating data, rather than just personal data. The EU’s DSA, DMA, NIS2, and draft AI Act are prime examples of legal regimes taking a wide “data view.” And it’s not just the EU. China’s regulation of “important data” sits alongside its Personal Information Protection Law (PIPL), which regulates the use of personal data. Consequently, privacy governance will converge with data governance, both in respect of regulatory compliance and in respect of cyber resilience and incident response. 2023 is set to be a pivotal year for privacy and data security.
The most repetitive question of the past several years: Will the EU finally manage to adopt the new ePrivacy Regulation? Nobody knows but—as an eternal optimist—I think it is looking good. Then again, we said this before, so be prepared to wait another year. Or two.
Privacy litigation in Europe: All eyes will be on the European Court of Justice to hand down its decision in the Österreichische Post case: Will the ECJ follow the Opinion of its Advocate General and hold that civil damages may only be claimed under the GDPR if plaintiffs show real and actual damages? Or will a mere violation of the GDPR suffice for damage claims? The decision, which is anticipated in early 2023, will have a significant impact on private enforcement of the GDPR, including on EU privacy class actions.
Germany: Stakes could not be higher in the upcoming decision of the ECJ in the Deutsche Wohnen case, which has the potential to invalidate all fines imposed by German DPAs to date. At stake is whether German procedural rules also apply to fining by DPAs. Those rules require the authority imposing a fine to identify the individual managers responsible for the GDPR infringement, a requirement DPAs have ignored until now.
Privacy regulation through antitrust enforcement? The European Court of Justice will decide in 2023 whether EU antitrust authorities are prohibited from interpreting the GDPR. The Advocate General previously opined that they are not, if their interpretation of the GDPR is incidental to antitrust findings. And will dominant companies be prohibited from relying on consent as legal basis under GDPR? Stay tuned for case C-252/21!
Diversity, Equity, and Inclusion
Companies that think the GDPR blocks the monitoring of the diversity, equity, and inclusion (DEI) of their workforce should be warned. With the publication of the Corporate Sustainability Reporting Directive, disclosure of workforce DEI statistics will become mandatory. Watch the MoFo space for new publications and guidance on how to collect DEI data based on privacy by design.
Enforcement of UK GDPR
The UK Data Protection Authority Continues Investigations
In the next year, the UK Information Commissioner’s Office will see a surge in investigative activity relating to companies made vulnerable by insufficient security measures; there has already been a nearly 20% increase in reports of incidents over the previous two years, with no sign that this will slow down. While large fines will no doubt still grab the headlines, the Commissioner noted that non-monetary enforcement action (such as public reprimands and notices) will be a particular focus for the ICO.
Further Clarity for Cookie Consent Layers
The year ahead will provide further clarity for companies that use cookie consent layers on their websites. In Germany, for example, we can expect court decisions on button design, and whether a button for rejecting all (unnecessary) cookies is required to be on the first layer. There will also be more specific guidance (and maybe even case law) on “consent-or-pay walls,” which ask website visitors to make a choice between (1) giving their consent to ad-tracking or (2) entering into a paid subscription with no ad tracking.
More and more browsers already block tracking cookies, but expect 2023 to become virtually cookie-less as a result of a dramatic overhaul of the behavioral advertising tech space, once UK regulators and Google get out of the Privacy Sandbox.
Despite the U.S.-EU Data Transfer Agreement, the prediction is that 2023 will keep data transfers in the political arena. Expect 2023 to bring de facto data localization requirements for cloud services, as the new ENISA certification scheme for cloud services becomes final, and an even stricter data transfer regime for regular data in the upcoming Data Act.