#GlobalPrivacy: What to Pay Attention to in 2023.

👩‍⚖️ 1) Enforcement, enforcement, enforcement

GDPR is reaching a certain maturity of enforcement which will become evident in 2023.

And this is not only about the number of #GDPR fines, but it is more about the enforcement processes put in place at national level and under the One-Stop-Shop, the body of CJEU case-law building precedents and the complexity of the legal issues analyzed related to processing of personal data.

1/several

Think for instance of the Irish DPC/EDPB Decisions in the Meta cases: these decisions in the application of the #GDPR go to the core principles of EU data protection law and may have implications for entire online business models.

Think also about the fact that the CJEU currently has 60 pending cases requiring it to interpret and apply the GDPR (kudos to https://gdprbeetle.eu/which-cjeu-data-protection-cases-are-currently-pending/)

But it is not only the EU DPAs & court system finding their footing with data protection law enforcement.

2/

The South Korean PIPC is proving to be just as active in enforcing the country’s recently updated data protection law.

Announcing itself on the big global stage last September with the largest fines on record for privacy violations under South Korea’s Personal Data Protection Act (the equivalent of $50 million against Google and $22 million against Meta, in cases involving behavioral advertising), the PIPC laid its groundwork for more enforcement this year.

https://www.reuters.com/technology/skorea-fines-google-meta-over-accusations-privacy-law-violations-yonhap-2022-09-14/

3/

🇧🇷 🇰🇪 Two other regulators to watch are the ANPD in #Brazil and the Data Protection Commission in #Kenya. For the past two years, the ANPD has systematically and patiently hired and trained staff, set up its processes, adopted guidance, and opened public consultations.

While it might take another two years before #LGPD enforcement becomes robust, it is likely that in 2023 we will see the first relevant LGPD enforcement actions.

Created 2 yrs ago, the Kenyan DPC is already active and vocal.

4/

🇪🇺 Last but not least: the enforcement of the #EU’s landmark laws in the Digital Strategy package, the #DMA and the #DSA, will start rolling this year.

And enforcement is largely left in the centralized hands of the European Commission for both acts, in a departure from the national enforcement model coordinated at EU level by a Board that the GDPR advanced.

5/

🤖 2) The race to AI Regulation, and the AI awakening of DPAs

The question is not if (yes!) or when (this year?), but who will be the first jurisdiction with a general legal framework for AI. The EU, Brazil and Canada are the frontrunners in the race to adopting a general law that applies to AI systems.

6/

Meanwhile, attention should be paid to Data Protection Authorities. 🕵️

They are increasingly realizing that there are many AI systems running with the help of personal data processing, which brings such AI systems under their realm of enforcement.

This, paired with the enforcement appetite explored at point 1. above, will likely lead to some interesting decisions applying data protection law to the processing of personal data underpinning AI systems.

7/

🤓 We already saw some manifestations of this last year, with a decision from the Hungarian DPA against a bank using an emotion recognition AI system for its customer services: https://www.lexology.com/library/detail.aspx?g=a9c66d5f-4faf-4500-a1bd-458bf9ebcec7

✍️ Of note, the CNIL published in September 2022 guidance on the GDPR and AI systems: https://www.cnil.fr/en/artificial-intelligence-cnil-publishes-set-resources-professionals

✍️ The Spanish DPA published extensive guidelines on AI and the GDPR as early as 2020: https://www.aepd.es/sites/default/files/2020-02/adecuacion-rgpd-ia.pdf

8/

3) Seeing the results of ever-more-intertwining Competition and Data Protection Law

Scholars and some regulators have been writing for years now about how some parameters of competition law should include assessments of how lawfully or unlawfully companies collect, share and overall process personal data in a given market, when assessing anticompetitive behavior. The intertwinement of the two fields is now widely accepted & incorporated in new antitrust legal obligations.

9/

↔️ 4) Big Intergovernmental Push for #Crossborder Data Flows: G7 and G20

Cross-border #data flows entered the world of high-level intergovernmental organizations decidedly in 2019, when Japan proposed the concept of Data Free Flow with Trust as a guiding principle for rule-making in this field, under the leadership of Shinzo Abe, the late prime minister of Japan. DFFT was endorsed in June 2019 by the members of the G20 nations, with only India expressing opposition towards it back then.

10/

🌏 This year will be crucial for moving the conversation forward on how to enable cross-border data flows at intergovernmental level, for several reasons.

First of all, Japan is back in a leadership position, this time holding the Presidency of the G7 and it has made its intentions very clear to continue pushing for DFFT by promoting regulatory cooperation.

In this respect, the DPAs of the G7 countries are working on “convergence to foster future interoperability” of transfer tools.

11/

Second, #India will hold the Presidency of the #G20 and very recently the country marked a shift away from data localization with the withdrawal of the 2019 Personal Data Protection Bill and the introduction of the Digital Personal Data Protection bill last fall. 🇮🇳

This recent piece published by the Atlantic Council explains how “India’s #datalocalization pivot can revamp global digital diplomacy”: https://www.atlanticcouncil.org/blogs/southasiasource/indias-data-localization-pivot/

12/

🔎 5) Privacy Regulatory Movements to Follow: India, Argentina, Australia, Canada, South Korea

Big regulatory movements in privacy and data protection will continue in 2023, and the jurisdictions to follow are India (again!), Australia, Argentina, Canada, and South Korea. If you're interested in why, ask me for details.

For pointers on what to be looking for in US lawmaking, see my colleague Keir Lamont’s analysis in https://fpf.org/blog/five-big-questions-and-zero-predictions-for-the-u-s-state-privacy-landscape-in-2023/

This wraps up my first Masto thread.🤓

END
