Data privacy made more news than ever in 2022. The usual peaks and valleys the IAPP Editorial Team observed in years prior were replaced by an unprecedentedly busy news cycle that never seemed to let up, which begs the question: What developments were most noteworthy for the privacy profession?
Here's a rundown of what we saw over the past year and what's on the horizon for 2023.
Ukraine
Looming over developments in 2022 was Russia's invasion of In response, the IAPP contacted and offered support to Ukrainian members, suspended all services in Russia and Belarus, and donated $10 for every attendee at the Global Privacy Summit to the World Central Kitchen to help feed those affected by the invasion. Though it continues today, hopefully 2023 will bring an end to this terrible war.
Major legislative efforts introduced around the world
Argentina’s Agency of Access to Public Information opened the consultation process to begin reforming its Personal Data Protection Law, passed in 2000. Reforms are largely modeled after provisions of the EU General Data Protection Regulation.
In September, a massive data breach of Australia’s second-largest telecommunications company, Optus, prompted lawmakers to introduce the Privacy Legislation Amendment Bill 2022, which increases fines to AU$50 million when companies sustain repeated data breaches.
Canada’s Digital Charter Implementation Act, Bill C-27 was introduced in the House of Commons in June, but was tabled in November. C-27 contains three pieces of legislation within the omnibus package: the Consumer Privacy Protection Act, Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
India scrapped its proposed Personal Data Protection Bill for the Personal Data Protection Bill, which establishes penalties for mishandling citizens’ personal data. It also empowers the president to appoint members of an oversight authority to enforce the law, a sticking point during the legislative process.
The US inched closer to comprehensive consumer privacy law
Bipartisan comprehensive federal privacy legislation made its way to the forefront in the U.S. with the introduction of the American Data Privacy and Protection Act. The landmark bill offered privacy rights and limited redress to U.S. consumers while imposing requirements and practical standards on companies on a national scale.
The ADPPA was the first federal privacy proposal to clear a U.S. congressional committee, but the U.S. House resisted calling the floor vote. The hang-up mostly concerns opposition from the House's California delegation regarding the bill's federal preemption of the California Consumer Privacy Act. The Senate also currently constituted when or if it passes the House.
There is an outside chance it may be put up for a vote during the lame-duck session before the new Congress is convened in January 2023, but the bill is likely to remain relevant in the incoming 118th Congress.
US state-level privacy push continued
In the absence of federal privacy legislation, states continued to act on their own. Connecticut and Utah passed comprehensive privacy legislation, joining the likes of California, Colorado and Virginia. All these laws will take effect throughout 2023.
California remained a nexus of privacy, as the California Privacy Protection Agency embarked on rulemaking for the California Privacy Rights Act, which is set to go into effect Jan. 1, 2023. The California Legislature The EU and the U.S. finally agreed to a fresh data transfer regime this year. The proposed EU-U.S. Data Privacy Framework could be finalized sometime during summer 2023, which will mark three years since the invalidation of its predecessor — the EU-U.S. Privacy Shield.
The DPF addresses concerns over U.S. foreign intelligence and EU consumer redress. However, the proposal faces a looming Court of Justice of the European Union challenge over whether the EU and the U.S. hit on the shortcomings outlined in the previous deal's invalidation.
And what if the EU-U.S. agreement can't rise to CJEU standards? Journalist Luca Bertuzzi painted a picture of potential EU data localization, with EU policymakers "progressively" examining "stricter limitations to trans-Atlantic data flows."
International data transfers got a boost
More global cooperation and solutions for data transfers emerged in 2022. There’s momentum behind increased participation in the Global Cross-Border Privacy Rules Forum announced by the U.S. Department of Commerce. The Organisation of Economic Co-operation and Development also developed and released globally recognized principles for access to personal data by governments for national security purposes.
EU pressed forward on its Digital Market Strategy
The EU passed two major pieces of legislation: the Digital Markets Act and the Digital Services Act. While both include privacy provisions, the DMA creates rules for content moderation and platform accountability. The EU is also crafting the Artificial Intelligence Act, Data Act and Data Governance Act in earnest. Those remaining proposals are far along in negotiations and will likely be finalized sometime in 2023.
UK data protection reforms slowed by political uncertainty
The U.K. forged ahead with its post-Brexit data protection reforms; however, the resignations of Torie Prime Ministers Boris Johnson and Liz Truss in quick succession in June and October, respectively, complicated expedient reforms. The U.K. said the U.K.’s data protection reforms will not stray too far from the basic principles of the EU GDPR.
Eye-catching fines
Ireland’s Data Protection Commission against Instagram and Meta, respectively. In the U.S., Epic Games will pay $275 million to settle children’s privacy violations with the U.S. Federal Trade Commission. The FTC also fined Twitter $150 million for demonstrating that California Attorney General Rob Bonta is taking compliance seriously and serving as a called “a dark cloud any conceivable method of legally transferring data between the continents” as authorities ordered a halt on the use of the tool for data transfers to the U.S. without supplementary measures. The rulings are in response to 101 complaints applications' user data security practices can leave people vulnerable to prosecution. During a keynote panel at the IAPP’s Privacy. Security. Risk. 2022 conference in October, Center for Democracy and Technology President and CEO Alexandra Reeve Givens said laws in states that have since moved to criminalize abortions are now "normalizing surveillance on your neighbors" while empowering law enforcement to "weaponize data" on an unprecedented scale.
What's in store for 2023?
There’s still much up in the air as we say goodbye to 2022. What legislative privacy efforts will continue to advance in 2023? Will the EU-U.S. finally seal an agreement on data transfers that meets the CJEU’s standards? Will we see privacy enforcement as the dust settles around the Twitter shakeup — following the resignations of members of the platform’s privacy and security teams in the wake of Elon Musk’s purchase? What ramifications will the Roe v. Wade decision continue to have on privacy? And all of this amid a looming economic recession and ongoing devastating war in Ukraine.
We’re still days away from the new year, but the 2023 news cycle is already shaping up to beat 2022.
