Data Protection Day 2023
On 26 April 2006 the Council of Europe launched a Data Protection Day to be celebrated each year on 28 January. This year marks the 17th anniversary of Data Protection Day, which is now celebrated globally and is also called Data Privacy Day. The day aims to raise awareness of the right to personal data protection and privacy. This is more important than ever in our data-driven economy and increasingly digital, connected world, as we explore new ways that data can drive innovation.
We take a look back at 2022 and look ahead at key trends for data privacy and governance for 2023.
The proliferation of data protection laws continued in 2022 with new laws in, for example, Russia, Indonesia, Vietnam, the United Arab Emirates and certain US States. We are seeing some laws come into full effect – notably the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (see our article: Data Privacy: Preparing for 2023 (and beyond) in California) – as well as regimes further developing the specificity of their requirements (such as China's Personal Information Protection Law) and others strengthening their sanctions (for example, Australia's Privacy Legislation Amendment Bill 2022). Privacy enforcement has been active, including large GDPR fines for Instagram and Meta and the first ever CCPA enforcement action against Sephora (see our articles: One "Fine" Day? Insights from the first fine issued by the California Attorney General under the CCPA and Instagram hit with historic GDPR fine: EU privacy watchdog urges companies to "leave them kids alone"). Joining the data governance landscape are new laws and proposals tackling how certain data sets – containing both personal and non-personal data – may be shared and used.
- Increased complexity in data governance and transfer: Significant new privacy laws and changes to data protection regimes are on the horizon in 2023 – including in the USA, UK, India, Nigeria and Saudi Arabia. Alongside these privacy developments, we will also see wider data governance laws and frameworks being introduced or developed, with the European Union (EU) leading the charge as the Data Act and the Common European Data Spaces initiative follow hot on the heels of last year's enactment of the EU's Data Governance Act (see our articles: The Data Act: A proposed new framework for data access and porting within the EU and An overview of the newly adopted EU Data Governance Act). The increase in the number of such laws – often with extraterritorial effect, and with application to increasingly broad types of data – mean that multinational organisations face increasingly complex data governance and risk management. In 2023 many businesses will be reviewing their data infrastructure, policies, processes, supplier engagements and risk positions to tackle data governance requirements and data transfer frictions in a pre-emptive and holistic manner, as well exploring use of new technologies such as privacy enhancing technologies (See our article: An introduction to Privacy-enhancing technologies (PETs)).
- International cooperation for data transfers: The crowded regulatory landscape and high-profile enforcement activity in relation to data transfers – including the Google Analytics decisions in the EU (see our article: Google Analytics declared illegal in France) – have made international cooperation more crucial than ever in allowing businesses to legally transfer data between continents. With momentum building behind the Global Cross-Border Privacy Rules Forum and progress of the EU-US Data Privacy Framework expected to be fast paced (see our article: Next steps after U.S. President Biden issues Executive Order on U.S. data transfers from 'qualified states'). 2023 should see businesses being able to meaningfully leverage transfer mechanisms afforded by international cooperation efforts. Of course, the testing of these frameworks in court will doubtless follow.
- Enforcement and litigation risk: Data governance will remain a key area of legal, operational and reputational risk across sectors in 2023 given the severe and active regulatory enforcement regimes and increasing cost and risk of litigation. We will see forms of group redress or class actions centring on privacy issues in many jurisdictions including, where possible, under other regimes such as competition or consumer protection laws.see our client briefing: The growing risk of group litigation and class actions and our article: Big Tech: The surge of GDPR claims from consumer protection associations). Key areas of focus for regulators and courts in 2023 are expected to be the processing of children's data and biometric data, automated decision making (including the use of artificial intelligence and machine learning), data monetisation and data transfer.
We regularly produce content on data protection and privacy. Check out more of our content on our Data topic page.
If you don’t want to miss future content sign up for our Talking Tech Updates.