The data privacy and compliance landscape continued to evolve at a lightning pace throughout 2022. It is fair to say that in the last couple of years, post-GDPR, the focus on data protection legislation has intensified across all major geographies as more social and economic activity finds its way online. 157 out of a possible 194 countries have now put in place legislation to secure the protection of data and privacy. That’s a healthy 81% of nations sharing common cause as the increased frequency of collection, use and sharing of personal information shows no sign of abating: In many respects, one could say this is only a beginning.
The year ahead looks to pick up where 2022 ended with even more vigour. In Europe alone, 2022 saw a number of sister data laws progress or come into effect. The EU introduced two significant pieces of legislation in the Digital Market Act and the Digital Services Act, and while these acts respectively address competitive and commercial aspects of data, both include privacy provisions and broader implications which add a new layer of complexity to the area of data protection compliance. In 2023, the EU will continue to work on and churn out more impactful ancillary data centric legislation to tackle technological advances with the crafting of the Artificial Intelligence Act, Data Act and the Data Governance Act (as well as the e-privacy regulation) all poised to advance, be passed, or come into effect by the end of the year or in 2024; at least that is the intent.
For my money, in so far as privacy professionals are concerned, the AI Act is the most interesting of the newer imminent legislative initiatives. Algorithms and algorithmic accountability continue to dominate recent data and technology discussion and debate. Transparency, explainability, fairness and non-discrimination are all noble tenets that are being transcribed into the law. Privacy policies are expanding beyond data handling and processing and reflecting design and engineering attributes and developments. In short, we are grasping the entire data science value chain. Much is being done elsewhere to support such evolutions, NIST - the US National Institute of Standards and Technology - released its AI Risk Management Framework accompanied by a playbook with suggested actions and guidance. And it didn’t go unnoticed that the U.S. Algorithmic Accountability Act was reintroduced in 2022, though it has not been approved in either the Senate or the House of Representatives yet, where it was first introduced in 2019. Without highlighting ongoing AI efforts in other jurisdictions, the global stage is set for AI to become one of the more compelling issues and challenges faced by professionals working in privacy as it intersects and overlaps with data protection law. Expect AI to be omnipresent and far reaching throughout the year as companies chart their data policies and paths forward.
In other areas, the emergence of data sharing technologies in addition to privacy enhancing technologies will continue to pepper the privacy landscape evolution. This is core to the future data economy based on the sharing of both personal and non-personal data. The challenge will be to elevate, augment, and codify data laws to achieve greater outcomes to satisfy compliance as well as business enablement and innovation objectives. In the background, the EU has taken a lead here with the advent of an eventual Data Act which looks to address scope, rights, and obligations in this regard. We should expect a wave of reinforced focus and effort in the areas of privacy and ‘regtech’ engineering to meet the needs of downstream data (business) models going forward.
The recent Meta enforcement decision handed down by the Irish Data Protection Authority also gives pause for reflection. The argument in this case centers around the unlawful usage of the performance of contract – terms of use - as a legal basis for targeted (and behavioral) advertising practices. If and when this becomes the applicable precedent, it may have far reaching consequences well beyond the social media industry impacting diverse industry companies of all sizes operating all manner of digital platforms and services; think broadly here along the lines of Apps and IoT device services deployment. Meta will appeal the decision, so there is still some way to go till this case is concluded.
All said and done, data privacy practice will continue to be a dominant component in both regulatory and industry parlance as organisations see data compliance - as a business trend - and regulatory requirements continue to converge in 2023. Professionals working in and around data writ large will have a busy year advising and working with their organisations on the complexity of integrating ever more sophisticated operational and technological solutions. In summary, there is an essential need now to completely rethink data-driven competitive advantages. The organisations that can demonstrate that they are responsible and trustworthy custodians of data are probably more likely to reap the benefits, attracting the talent, and importantly the customers to realise their future growth.
Have a great year!
Paul Jordan
Chair, PICCASO
