Clifford Chance

As investment in the tech sector booms and potentially transformative technologies build momentum, responsible business and innovation becomes a focus for companies and regulators alike. In a short series of five articles, we look ahead to five key technology trends to watch in 2022. In this article we look at Digital risk and regulation.

Digital risk and regulation

Access to data and certain technologies is crucial to innovation and everyday operations, so businesses' investment in technology and tech talent will continue, while regulators will be seeking to address risks arising from the growing importance and market power of "Big Data" and "Big Tech".

What's next?

• Data protection and cyber security: For many companies, personal data has become one of their greatest assets and one of their biggest potential liabilities. In 2022, data-related enforcement will remain a key risk as data protection and cyber security laws will be more assertively enforced, particularly for egregious breaches of these laws. In the civil courts, judges will continue to scrutinise claims were data subjects have not suffered material harm. Standalone litigation related to more serious data breaches will continue to be a focus for claimant firms and third party funders. We will see a growing number of privacy and cyber security laws coming into force, with India's Personal Data Protection Act, the EU's Cyber Resilience Act, updates to the EU's Network and Information Security Directive and various US state laws among the expected new cohort, as well as possible amendments to the UK's data protection legislative framework post-Brexit. We will also see guidance and implementing regulations being issued which will further develop the application of existing laws, including China's Personal Information Protection Law, Cybersecurity Law and Data Security Law, the United Arab Emirates' Federal Data Protection Law and Saudi Arabia's Personal Data Protection Law. In the year ahead, companies managing increasingly complex and fragmented data protection compliance programmes will be paying particular attention to developments in international data transfer, sensitive data processing, targeted advertising, data monetisation, selfsovereign identity, IoT and ransomware attack response, as market practice evolves following developments in regulations, guidance and case law in these areas. With data matters often also engaging wider issues, such as risk control and operational resilience, the trend of multiple regulators investigating breaches will continue, prompting many companies to refine their breach response and regulatory interaction strategies, particularly where they have sectoral regulators.
• The digital playing field: We will see the introduction of further regulation designed to protect consumers, promote data sharing, safeguard competition and manage the digital playing field, including the EU's suite of "digital" laws (the Digital Markets Act, the Digital Services Act, the Data Governance Act and the Data Act). With China's State Administration for Market Regulation signalling tighter competition law enforcement and the Biden administration making assertive antitrust enforcement a US priority, "Big Tech" will be navigating new rules and approaches in 2022. More broadly, as countries around the world propose reforms that see competition, privacy and consumer protection laws converge, multinationals across sectors face increasing complexity in their legal compliance, data governance and regulatory interaction strategies.
• Fourth-party Risk: All companies outsource some of their operations – typically "rightsourcing" services and solutions – by selecting from, or mixing, platform-as-aservice, multi-sourcing, shared services and low-code/no-code solutions, as appropriate. These vendors will often engage their own suppliers – fourth-party vendors – over which the ultimate customer may have limited visibility, control or recourse. Reliance on increasingly complex technology (such as AI), wide-spread use of platform and cloud-based infrastructure, and ever increasing regulatory focus on cyber security, supply chain governance and digital operational resilience, will make the "fourth-party risk" introduced through the extended vendor ecosystem an area of focus for many companies in 2022.

For more, read our articles & briefings:

• Ransomware: Prevention & Response
• China's financial markets: trends to watch in 2022,
• PRC passes milestone legislation for personal information protection, PRC data security law – a new milestone in data legislation
• Lloyd v Google: How the supreme court judgment closed the door on Lloyd's £3.3bn data claim
• EU Digital Services Act and Digital Markets Act: What are the implications?
• Digital Markets Act: EU regulation of online gatekeepers remains on track for adoption in first half of 2022
• Japan's Act on Improving Transparency and Fairness of Specified Digital Platforms.