In 2022, we saw broad support behind federal privacy legislation in the US Congress. While the American Data Privacy Protection Act (ADPPA) did not see the president's pen prior to the midterms, the fact that such a bill saw a committee vote in the House — approved 53–2, with bipartisan support — and both industry and advocates promoted passage is notable. The question is no longer whether we will see federal privacy law, but when. And while the ADPPA took up much of the attention in the US in 2022, the year also brought a progressive Federal Trade Commission (FTC) launching a broad regulatory initiative, continued growth of state privacy issues in California and beyond, and the introduction of an executive order to repair the Privacy Shield program. In 2022, US privacy was searing hot.
Last year also saw continued growth in the international realm. China's new law began to show the significant risks of noncompliance. India continued its parliamentary moves toward passage of a comprehensive data protection law. And the European Union saw significant traction in enforcement activity. More than 100 countries now have national privacy laws, and the field grows every day.
These trends will continue, and accelerate, in 2023. Expect more state law in the US, more regulatory and enforcement action from the Federal Trade Commission, an active enforcement environment in the EU — major cases are expected in Ireland, very soon — and continued maturity and growth around the world as privacy professionals grapple with the complexity and risk of these laws.
Predictions for 2023
2023 will be a turbulent year in privacy. Economic headwinds and disruption in the tech industry may give rise to calls for additional privacy protections and stronger enforcement. M&A activity may highlight the fact that corporate privacy policies may be modified or ignored when competing interests take priority. Data transfers will still be a central concern, with the EU assessment of adequacy for the updated Privacy Shield emerging early in the new year.
Here are a few key trends to watch:
- Tighter budgets, but an even tighter talent pool. Privacy leaders will struggle with two competing themes. On the one hand, privacy budgets, like all expense lines in organizations, will feel the pressure of recessionary forces in the global market. Privacy leaders will need to do more with less in many cases. On the other hand, the talent shortage in the privacy field will continue to get worse, with experienced privacy pros commanding greater salary levels and top talent being poached across the field.
- Who's your data privacy officer (DPO)? The EU Data Protection Board has announced that the appointment and role of the DPO under the General Data Protection Regulation (GDPR) will be a shared enforcement priority across the EU for 2023. Now is a good time to make sure that: (1) you have a DPO; (2) you have registered them appropriately with your DPA; (3) they are adequately trained, experienced, and resourced for the job; (4) they have independence in their duties; and (5) they have access to the top levels of management. Expect more guidance from the European Data Protection Board (EDPB) too. We may see expectations emerge around proper qualifications, independence, and conflicts within the DPO role.
- Something old, something new. New laws take up much of our focus in the privacy field, and rightly so. The American Data Privacy Protection Act (ADPPA), Brazil's General Data Protection Law (LGPD), and China's Personal Information Protection Law (PIPL) all present new compliance complexity for privacy pros. But do not lose sight of the number of laws that are being updated, even overhauled, around the world. Canada, Australia, New Zealand, and more have completed or initiated major reform of their existing privacy laws. These changes can be just as consequential as a new law.
- Enforcement risk and creativity. Often, we focus on the monetary size of an enforcement action. But there are other enforcement tools available to regulators around the world. Watch for the rise of executive liability (sometimes criminal!), data disgorgement, and board oversight obligations as regulators look to change corporate behavior. These tools undoubtedly change the risk profile for privacy and may elevate attention to the highest levels in organizations.