There is no better way to kick things off in 2023, and just before Data Protection Day, than with a heads up about what to pay attention to this year in privacy and its ever expanding realm around the world. In short:

  1. Enforcement, enforcement, enforcement – And this is not only about GDPR enforcement reaching maturity, but it is also about some regulators around the world announcing themselves as key players in the field.
  2. The race to AI Regulation, and the AI awakening of DPAs – The question is not if (yes!) or when (this year?), but who will be the first jurisdiction with a general legal framework for AI. Meanwhile, attention should be paid to Data Protection Authorities.
  3. Seeing the results of ever-more-intertwining Competition and Data Protection Law – The intertwinement of the two fields seems to now be widely accepted and incorporated in a new generation of antitrust legal obligations.
  4. Big Intergovernmental Push for Cross-border Data Flows: G7 and G20 – This year will be crucial for moving the conversation forward on how to enable cross-border data flows at intergovernmental level
  5. Privacy Regulatory Movements to Follow: India, Argentina, Australia, Canada, South Korea – Big regulatory movements in privacy and data protection will continue in 2023, and the jurisdictions to follow are India (again!), Australia, Argentina, Canada, and South Korea.

Enforcement, enforcement, enforcement

First point on the list: GDPR is reaching a certain maturity of enforcement which will become evident in 2023. And this is not only about the number of GDPR decisions, cases or amount of fines, both under DPA procedure and judicial redress, but it is more about the enforcement processes put in place at national level and under the One-Stop-Shop, the body of CJEU case-law building precedents and the complexity of the legal issues analyzed related to processing of personal data. 

  • For example, think of the highly debated Irish DPC decisions announced this month in the years-long investigations following complaints about the lawful ground used by Meta for behavioral advertising on Facebook and Instagram. These decisions in the application of the GDPR go to the core principles and aims of EU data protection law and may have implications for entire online business models.
  • On another hand, the EU’s top Court, the CJEU, currently has about 60 pending cases requiring it to interpret and apply the GDPR. More than 20 of these have questions related to Article 5 – principles of processing, such as purpose limitation and data minimisation – and another 18 have questions related to lawful grounds for processing under Article 6. Add to these a couple of cases on Article 22 – the right not to be subject to solely automated decision-making having legal or significant effect on data subjects (with a significant hearing expected this Thursday), one big case concerning the competence of antitrust authorities to enforce in some cases provisions of the GDPR, and you get a big picture of substantive enforcement.

It is not only the European DPAs and court system finding their footing with privacy and data protection law enforcement. The South Korean Personal Information Protection Commission (PIPC) is proving to be just as active in enforcing the country’s recently updated data protection law. Announcing itself on the big global stage last September with the largest fines on record for privacy violations under South Korea’s Personal Data Protection Act (the equivalent of 50 million $ against Google and of 22 million $ against Meta, in cases involving behavioral advertising), the PIPC laid its groundwork for more enforcement this year. 

  • Per its policy agenda for 2023, the PIPC plans to inspect cross-border data transfer practices of some 5000 most popular mobile apps in gaming, finance, shopping, education, social media and entertainment, according to MLex (paywalled). “It also plans an industry-wide inspection to detect potential privacy risks concerning dark-patterns, ad tech, virtual platforms, super apps and smart gadgets.”
  • Two other regulators to watch are the ANPD in Brazil and the Data Protection Commission in Kenya. For the past two years, the ANPD has systematically and patiently hired and trained staff, set up its processes, adopted guidance, and opened public consultations. While it might take another two before LGPD enforcement becomes robust, it is likely that in 2023 we will see the first relevant LGPD enforcement actions, in the light of the ANPD recently gaining independence and in the light of what seems to be a general public policy change in Brazil related to digital rights under the new Lula government. On another hand, the Data Protection Commission in Kenya – also a new regulator created about the same time as ANPD to enforce the country’s data protection law, is signaling that it wants to be a leading supervisory authority in Africa (see, for instance, the delegations last fall to the French CNIL, the German regulators and the European Commission, as well as the first enforcement notice the Office published in November).

Last but not least: the enforcement of the EU’s landmark laws in the Digital Strategy package, the DMA and the DSA, will start rolling this year. And enforcement is largely left in the centralized hands of the European Commission for both acts, in a departure from the national enforcement model coordinated at EU level by a Board that the GDPR advanced. 

  • Under the DMA, the notification and review process by which the European Commission will designate companies as “gatekeepers” will begin on May 1st and will end sometime at the beginning of September with the first designation decisions. Afterwards, gatekeepers will have 6 months to comply with the DMA requirements, which include some strict obligations related to how personal data can be used for online advertising or can be repurposed across services, or ensuring portability of end users’ data to other systems or applications, among others. 
  • As for the DSA, by February 17 online platforms have to report their number of active end users. Based on those numbers, the European Commission will designate Very Large Online Platforms and Very Large Online Search Engines, which have 4 months to comply with their DSA obligations after being designated. The other online platforms under the scope of the DSA have until February 17, 2024 to set their compliance in place. The Commission is setting up an European Centre for Algorithmic Transparency to support DSA enforcement with scientific and technical expertise.

The race to AI Regulation

Read the Full Article at LinkedIn

Check Also

Privacy 2024 Recap – some significant decisions, slow progress for reform

The past year saw a few court decisions of note as well as halting progress toward privacy…