Our predictions for privacy and data legislation in 2023 | GDPREU.org

GDPREU.org look at upcoming privacy and data laws and regulations in the UK, the EU and the United States and predicts what’s likely to be agreed in 2023.

What’s on the horizon for privacy and data in 2023?

It was International Data Privacy Day on 28 January 2023 and to mark it, we have put together some predictions and speculations about what’s coming up for privacy and data laws this year.

From the UK’s take on GDPR’s implementation to the European Union GDPR, by way of US law, we take a look at the global outlook.

Five years of EU General Data Protection Regulation (GDPR)

On 25 May 2023, it will be five years since the European Parliament introduced the General Data Protection Regulation (GDPR) to replace the outdated Data Protection Act.

Since then, the pandemic threw up a new raft of public health and data considerations and, of course, in the UK, the supervisory authority is still grappling with the UK version of GDPR.

The post-Brexit version of GDPR for the UK is broadly in line with the European Union original, in terms of the data protection principles, general data protection rules and the way in which an entity processes personal data.

Will the UK change its stance on the data protection principles of GDPR?

Currently, the much lauded Data Protection and Digital Information Bill, which had its first reading in May 2022, is stuck at second reading. In general terms, this new bill seeks to simplify the UK GDPR.

The Government says this is to make it more agile, but the planned second reading was dropped when Liz Truss briefly became the UK’s Prime Minister. While we can’t say for sure, some experts say that the bill is being substantially rewritten under the current PM, Rishi Sunak’s leadership.

Another data protection bill in the UK is stuck in stasis – the Online Safety Bill is meant to make Internet use safer for people but is currently also stuck between ever-changing premierships and ‘freedom of speech’ concerns.

Predictions for UK privacy measures on personal data relating to citizens

Given the political turmoil in the UK and the myriad challenges the Government is facing concerning Brexit, trade, inflation and energy costs, we think it’s unlikely that much will come of the Online Safety Bill in 2023.

However, by the end of this year the proposed Retailed EU Law (Revocation and Reform) Bill will render UK GDPR (and PECR, which underpins marketing and AdTech) will be defunct. Without the Government making some key steps during the first half of 2023, it’s difficult to see how this will pan out.

Obviously, should the privacy laws as they stand cease to function under this Bill, then it will be chaos for international organisations trying to transfer data. Data protection measures are absolutely vital for business to determine the way that they process data collected.

We can only assume that, should all EU laws be scrapped at the end of 2023 (as the current Government wants) then some form of UK GDPR compliance will be retained.

EU measures for further protections for sensitive personal data

The EU is well ahead with its data protection impact assessments and the implementation of strict rules to protect data subjects and EU citizens. There are various new pieces of legislation with specific criteria for organisational measures from business leaders in every EU country to protect the vital interests of citizens.

Legislation includes:

  • Digital Markets Act setting out the legal obligation for large digital providers to protect the legitimate interests of data subjects and personal data.
  • Digital Services Act
  • Data Governance Act, which sets out a legal form of data sharing in the public sphere.
  • Lots of critical infrastructure legislation.

The Data Act is the big one to look out for in 2023. This will regulate the unlawful processing of data that is created by the Internet of Things. Also worth noting is the Artificial Intelligence Act, which will include standard contractual clauses for supervisory authorities over data generated by AI.

Data flows and data processing between countries

In the UK, the situation with data flow is less clear, given the likelihood of long waiting periods to find out how it will work. However, the EU intends to make data transfer between member states and the US easier via the EU-US Data Privacy Framework, which should be finalised half way through 2023.

However, even if this does make it through this year, there will still be more legal arguments over data flow between EU member states and the US. This will all be cleared in due course, but we don’t expect to see it resolved in 2023.

This year is also expected to see new EU/Israel data privacy laws, new Standard Contractual Clauses (SCCs) for importing from third countries and more discussion over adequacy decisions.

We think that’s it’s also likely that we will see a raft of new rules about data sharing across borders within the EU. And, of course, GDPR compliance continues to be closely monitored.

Is GDPR working for the EU?

GDPR is now firmly bedded in across the EU and is serving to protect data subjects from their personal data being used by data controllers in away that they don’t agree to.

As GDPR forces regular and systematic monitoring of the use of information belonging to the data subject, whether personal data or other data, there is far more protection for people to avoid data breaches.

The legislation covers every aspect of the process, from the legal person engaged as a data protection officer to the personal data of the data subject and the data controller. While there were data protection laws in the EU prior to GDPR being introduced in 2018, it was outdated and relatively useless for today’s sophisticated information systems.

Associations regularly engaged in collecting and storing sensitive information and personal data must comply with the GDPR legislation, otherwise they risk GDPR fines and even criminal convictions in certain circumstances.

What’s in store for privacy and data in the United States?

Over in the US, laws for consumer data are even more complex due to State and Federal differences. At state level, there are plenty of new laws coming soon regarding data protection, digital markets and AI.

For example, from January this year, the Consumer Data Protection Act came into force in Virginia. In California there’s the new Privacy Rights Act as well. At federal level, however, automated decision making isn’t possible and there’s plenty of arguments going on between the Federal Trade Commission and US Congress.

A US version of GDPR has been proposed as the American Data Privacy and Protection Act, but this is far from sorted out. Its outcome depends on Senate wranglings and how much support can be drummed up for this kind of information security protection.