Special Report
What to Expect in 2023: Trends and Predictions for Privacy
Privacy is becoming a gold standard for success.
This special report is designed to help organisations stay up-to-date with the most recent changes in data privacy and comply with the regulations in a constantly evolving regulatory environment.
As the privacy landscape continues to develop at speed, the actionable insights in this report will be your go-to resource for the privacy updates on the horizon. The analysis and viewpoints of our experts will help you navigate and build your privacy roadmap for 2023 and beyond.
The Current State of Data Privacy
International Data Transfers
Since the CJEU (Court of Justice of the European Union) overturned the then Privacy Shield in its famous „Schrems II“ decision on July 16, 2020, the topic of „international data transfer“ has been a permanent guest on the agenda of data protection officers and statements by European supervisory authorities. In 2022, the topic has gained particular momentum in several respects.
In March 2022, the EU Commission and the Biden administration announced they had reached an „agreement in principle“ regarding a new replacement for the invalid Privacy Shield.
Finally, on October 7, the White House released information on the corresponding Executive Order, which would implement the announced agreement in principle on data transfers between the U.S. and the EU into U.S. law.
The Executive Order addresses the requirements of Schrems II by, among other things, adapting the far-reaching access to data in the context of national security and the complaint and redress procedure.
The legally compliant design of data transfers from Europe to the USA was one of the most frequent, complex, and time-consuming issues that data protection officers in companies had to deal with over the last two years.
There is a movement on this issue, as the Commission published its draft version of the upcoming adequacy decision as an early Christmas gift in mid-December 2022 and the work is being carried out at full speed on the new EU-US Data Privacy Framework. So, the agreement is initially welcomed from a data protection perspective.
However, until the EU Commission adopts an adequacy decision, which is expected in the first half of 2023, everything has stayed in the current legal situation.
Until then, the other possible transfer instruments of Art. 46 GDPR (in particular standard contractual clauses (SCC) and Binding Corporate Rules (BCR)) as well as the exceptional circumstances of Art. 49 GDPR (in particular consent of the data subjects) must be used - with all the known challenges and disadvantages.
Conversion to New Standard Contractual Clauses (SCC)
In June 2021, the European Commission issued new standard contractual clauses, which have been mandatory for new contracts since September 27, 2021.
These new SCCs have a modular structure and now cover all practically relevant data transfer variants without resorting to complicated and partly impractical contract constellations as in the past.
In this context, organisations must have converted all old contracts to the new standard contractual clauses by December 27, 2022. In personal discussions, heads of various German data protection authorities have independently assured us that there will be no further extension of the deadline or „turning a blind eye“ on their part.
Instead, companies that have not adopted old contracts and converted to the new SCCs by the end of December 2022 will face sanctions from the supervisory authorities, as companies had sufficient time for the conversion with one and a half years. In 2022, there were again a large number of regulatory and supervisory measures.
Regulatory and Supervisory Initiatives
Since the Personal Information Protection Law (PIPL) and Data Security Law (DSL) came into force in China at the end of 2021, there are now initial empirical values regarding practical implementation, in particular, data localisation and restrictions on certain data transfers.
Major economic powerhouses, like the U.S. or India, are discussing new nationwide comprehensive privacy regulations while the UK is debating significant amendments to the present legal regime. On the other hand, the European supervisory authorities were also very active again regarding fines in 2022.
From January to October, they imposed fines of more than 550 million euros, with the Irish data protection authority taking the top spot this year with its 405 million euro fine against Meta in September, the second-highest fine ever imposed since the introduction of the GDPR.
In addition, major data scandals, such as the massive data breach at Uber, also made headlines worldwide and shook consumers’ confidence in their data’s secure and lawful handling.
With the rise of social media and online platforms, companies can now connect with customers and users all over the world. But it also made them more vulnerable to data breaches which can damage their brand, reputation and revenue.
Data scandals can devastate a company’s reputation – regardless of size. They have been known to...
- Damage your brand,
- Cause consumers to lose trust in your company,
- Put employees at risk,
- Cost you money in terms of legal fees, lost business as well as potential fines and damages claims.
Trust as Precious Asset – Privacy as Human Right
Speaking of trust, various studies in 2022 have once again revealed what we at DataGuard have also been observing in our daily practice for a long time: Transparency is an essential element of trust, and consumers value transparency as the most important thing organisations can do to build and boost trust when it comes to dealing with their personal data.
According to a Cisco 2022 Consumer Privacy Survey, 89% of consumers said they care about data privacy, they care about protecting others, and they want more control. Moreover, 82% of them also said this is a buying factor for them.
In this respect, consent and preference management tools can play a vital role in establishing trust in a scalable way as they allow users to decide what processing of their personal data they want – more transparency and control over your data is hardly possible. Therefore, you should consider consent as a verb – not a noun.
On the surface, consent and preference management might not seem all that impactful, but it can make a big difference to a company’s financial performance.
“We implemented the platform and within 6 weeks had captured consent for over 100,000 passengers with a 68% email opt-in rate.“ Duncan Waugh, Head of Rail IT at FirstGroup
Our experience shows that a large portion of the IT or software budget is spent only on managing internal complexities, such as having a fancy and powerful CRM tool. Instead, valuable resources could be invested in innovation, such as a good consent and preference management solution, resulting in a better product or customer experience and higher productivity as there will be less churn due to higher trust in your brand.
Last but not least, the importance of data protection as a human right was highlighted in a report to the United Nations General Assembly in October, describing privacy and data protection as an “increasingly precious asset in the digital era”.
Another point of proof is that companies should invest in privacy and compliance solutions.
What to Expect in 2023:
Trends and Predictions for Privacy
EU data initiatives – A new era for the Data Economy
Electronic transactions and data collected from our personal devices and other sources now form the basis of some of the world’s largest companies (i.e., BigTech). After decades of data management savagery, it ushers in a new era of consumer distrust and legislative and regulatory action. As an HBR review rightly stated earlier last year, the data economy is built mainly around a “digital curtain” designed to hide industry practices from legislators and the public. Data is considered business property and confidential information, even if the data originates from the customers’ actions.
But EU Data Initiatives (in particular, Data Act, Digital Services Act, AI Act and European Health Data Space) will be adopted or come into force in 2023. They will affect how data must be shared with others – eventually forcing organisations that derive any value from personal data to change how they share, protect, and access it. But what is in store?
The Digital Services Act (DSA) will amend the outdated 2000 e-Commerce Directive. Its extraterritorial scope affects the current business models of many data-driven organisations, including internet service and cloud providers, social media and online platforms, marketplaces, and search engines. It will – among other things – impose additional transparency requirements for online advertising, a ban on dark patterns, and restrictions on advertising based on sensitive data.
On the other hand, the Data Act (DA) aims for harmonised rules on fair access to and use of data. How? By ensuring that a broader range of stakeholders gains control over their data and that more data is available for innovative use while preserving incentives to invest in data generation, leading to a maximised value of data for the economy and society.
As the first vertical data regulation, The European Health Data Space (EHDS) complements the DA. It addresses health-specific challenges to electronic health data access, sharing and creating a common space where natural persons can easily control their electronic health data. It will also make it possible for researchers, innovators, and policymakers to use this electronic health data in a trusted and secure way that preserves privacy.
Many surveys have shown that consumers are very concerned about the use of their personal information in AI applications. The proposal for a regulation laying down harmonised rules on Artificial Intelligence – the AI Act – shall address these concerns and provide for the ethical use of AI. It shall be accompanied by artificial intelligence liability rules, ensuring that victims benefit from the same standards of protection when harmed by AI products or services under any other circumstances.
Yes, there are still a lot of uncertainties on where the respective newly proposed and already agreed initiatives will eventually land. But there is one inevitable conclusion: regardless of the concrete design and details, this set of new rules will impact the global data economy as the GDPR did in terms of being the role model and gold standard for international privacy regulations.
Watch our video to get Exclusive Insights from Thought Leaders on developments and trends in the Privacy Landscape!
Have you converted your old contracts to the new SCCs?
Conversion to New Standard Contractual Clauses (SCC)
In June 2021, the European Commission issued new standard contractual clauses, which have been mandatory for new contracts since September 27, 2021. Companies that have not adopted old contracts and converted to the new SCCs by the end of 2022 will face sanctions from the supervisory authorities, as the deadline for amending old contracts expired end of December 2022.
EU-US Data Privacy Framework and Schrems III – A Never-Ending Story
The vexed topic of “international data transfer” has gained momentum again. Likely, there will be a successor regulation to the Privacy Shield in the first half of 2023.
Now that the U.S. side has revealed its plans for implementing the Schrems II decision in detail, the EU Commission has taken this into account and worked at full speed on a draft adequacy decision and submit it to the European Data Protection Board (EDPB).
The EDPB will issue an opinion which is not binding on the Commission. In addition, the EU Parliament and Council may adopt non-binding resolutions at any time. Either way, the EDPB opinion and the parliamentary and council resolution have only a declaratory character, i.e., the EU Commission can use the feedback as an opportunity to revise its draft.
However, significant revisions at this stage are unlikely, given the length of technical and political negotiations. The majority of representatives of the EU Member States must then approve the final Commission draft. As soon as the Member States give the green light, which is to be expected, the Commission will formally adopt its adequacy decision. It then enters into force immediately upon publication in the EU Official Journal. Such a process has taken 4-5 months in the past.
But will this now be the much-longed-for saviour? Yes and No.
As soon as the new EU-US Data Privacy Framework is in force, it can be used as an effective transfer instrument, according to Art. 45 GDPR. But: as in the past, this is likely to be only a pause and temporary legal certainty. Various experts, including the heads of German supervisory authorities, have criticized the measures announced by the U.S. Government as insufficient and not meeting the criteria required by the CJEU in its Schrems II decision.
The main points of criticism, among other things, are that the new Data Protection Review Court to be created is not a proper, ordinary court that will be located at the Department of Justice. That means it will not be fully independent, and those complainants will not be explicitly informed whether they have been the subject of intelligence activities by the U.S. authorities.
Moreover, the CJEU has demanded not only legal remedies against government spying but an end to this warrantless surveillance itself. However, this cannot be assumed at present, so the system change demanded by the court is essentially not taking place. Even if many of the critics’ arguments seem plausible, there are at least good reasons from other credible experts why the new measures meet the CJEU’s requirements. So, whether it is merely old wine in new bottles will ultimately be decided again by the CJEU.
Max Schrems and his organisation NYOB are naturally among the critics of the new regulations. After careful examination, they have already announced they might want to take legal action against a new adequacy decision again. There will probably be a Schrems III decision. So, the urgently needed legal certainty looks different.
It will also be interesting to see how the United Kingdom reacts to this - it can be assumed that the UK will follow suit and enact a similar regulation.
2023 – The Rise of New Means of Enforcement
There will again be many fine proceedings next year, including 8- and 9-digit individual fines. In addition, the first court decisions on record fines from 2020 and 2021 (e.g., against Amazon or Facebook) will probably be issued. Even data protection authorities, such as the Bavarian Data Protection Authority for the Private Sector (BayLDA), announced in their most recent activity report they will have to take more supervisory and reactive measures in the future.
In our opinion, there will also be a gradual change in terms of enforcement of the GDPR. We have already seen in 2022 in the matter of Google Analytics that supervisory authorities across Europe classify specific tools and processing activities as violating data protection regulations and demand the halt of their use.
It will only be a matter of time before supervisory authorities increasingly use the instruments available to them under Article 58 of the GDPR to (temporarily) prohibit processing and transfers and order the deletion of data. Since this has an immediate effect, it has the most significant impact and intensity of intervention. Due to the legal vulnerability of such decisions, the authorities have rarely used them. However, this will change.
In 2023, the upheaval will lead away from pure enforcement measures on the part of supervisory authorities and toward enforcement under private law to stop processing in violation of data protection and to compensate for data protection violations.
Hundreds of organisations in Germany and Austria were facing waves of warning letters and cease-and-desist orders regarding Google Fonts this summer and fall. Such free riders will probably increasingly use individual court decisions to take action against alleged data protection violations on a broad scale with such mass proceedings in the future.
It is likely to affect websites and apps in particular, as it is possible to prove data privacy-violating configurations and unauthorised tools quickly and objectively with little effort. The fact that such mass warnings are at least in a grey area and are likely to exceed the threshold of abusiveness easily is shown by the first court cases against the lawyers issuing the warnings.
2023 will also be an exciting and revealing year in terms of claims for damages. There are currently more than a dozen cases from various European countries before the CJEU, which will set the course for this year.
Due to its fundamentally very data-subject-friendly interpretation of the GDPR, you can assume that it will interpret this important data subject right rather generously and broadly, with the consequence that claims for damages might increase in the future.
However, the biggest and the most substantial change in law enforcement is likely to be the increased intervention of NGOs and other consumer protection associations. Organisations such as NOYB have filed hundreds of complaints with various European supervisory authorities regarding cookie banners and websites violating data protection laws.
Article 80 of the GDPR allows NGOs and other consumer protection agencies to file complaints with authorities and claim damages on behalf of data subjects. It has been relatively unknown and neglected so far. However, it is likely to lead to increased activity by such organisations, especially after a landmark decision by the CJEU on the legal standing of consumer protection organisations in May of 2022.
The European Consumer Organisation has already announced that its members want to use their powers under the GDPR to enhance consumer data protection. Heads of German supervisory authorities also told us in personal conversations that this is where the music will likely be played in the future in law enforcement. Now is the time for companies to prepare for these changes.
Navigate the intricacies of data privacy with confidence. Our GDPR framework offers the guidance and resources required for compliance in a constantly changing landscape. Consult with our specialists for assistance.
You prefer to read offline?
About the authors
Dr. Frank Schemmel
Practice Lead International Privacy & Compliance
Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT, supports DataGuard since 2018 in various management positions (incl. Head of Privacy) and is currently responsible for the company-wide content and strategic design as well as optimization of the DataGuard service lines „Privacy“ and „Compliance“, a hybrid model of first-class consulting and support through self-developed, scalable software solutions. As a certified Data Protection Officer (TÜV) and Compliance Officer (Univ.), he advises on all topics of data protection, IT security and general compliance. Before joining DataGuard, he worked for Allen & Overy LLP for five years in the area of data protection and employment law as a consultant and legal project manager. He regularly publishes in relevant media and shares his experience as a lector at universities (Duesseldorf, Augsburg), conference speaker (euroforum Datenschutzkongress, bitkom Privacy Conference, IAPP Data Protection Intensive: Deutschland) and webinar host.
Boris Otterbach
Principal Professional Services
Boris Otterbach is a legal expert and certified Data Protection Officer with over 5 years of experience. During his studies at the University of Frankfurt/M and the University of Saarland, he gained deep insights into European law, international law and the field of human rights protection. Data protection was also a central aspect of his education. At DataGuard, Boris works on creating pragmatic solutions for GDPR protection measures to enable businesses to become GDPR-compliant. He strives to empower DataGuard clients to be more effective through automation, ensuring that their business is protected from a legal standpoint and that they can leverage the latest technology to its fullest. As a consultant, he serviced clients primarily in the HR, hotel and hospitality industries. In his role as Principal Professional Services at DataGuard, he empowers the Privacy, Information Security and Compliance teams with his deep know-how and experience to help protect people behind the data.