Welcome to the 2023 edition of DLA Piper's Data Protection Laws of the World Handbook. We launched our first edition in 2012 and have been updating the content each year since. This is our twelfth edition, and it now provides an overview of key privacy and data protection laws across more than 100 different jurisdictions.
Looking ahead, 2023 promises to be another eventful year in the world of data protection and privacy law. New laws continue to come online across the globe. In 2022, we saw the arrival of brand new data protection laws in Indonesia and Oman, to name but two examples. We also saw proposals to reform the UK’s data protection laws, to move the UK away from the GDPR status quo it inherited from its previous EU membership. The future for those proposals is uncertain, and the UK may go back to the drawing board (again) in 2023.
A number of countries will be hoping that 2023 is the year when long-awaited data protection laws finally get across the finishing line. Egypt and India are two prime examples in that category. Argentina, meanwhile, is an example of a country with a long-standing data protection law, which may make significant reforms to its law (along GDPR lines) in 2023. Further activity is also expected in the world’s largest economies, the United States of America and China.
In the United States, state privacy law developments continue, with five significant state privacy laws coming into force in the next twelve months. On January 1, 2023, Virginia’s omnibus state privacy law, the Virginia Consumer Data Protection Act, and the California Privacy Rights Act, which substantially amended the California Consumer Privacy Act, take effect. Omnibus privacy laws in Colorado and Connecticut—both of which are substantially similar to the Virginia Consumer Data Protection Act—will take effect on July 1, 2023, and on January 1, 2024, Utah’s omnibus privacy law will come into force. Further, both California and Colorado are also undergoing rulemaking processes and are expected to issue regulations that expand on their respective state privacy laws sometime in 2023.
In addition to these upcoming laws, this year is shaping up to be an active legislative season for privacy, and it is very possible that additional states will pass omnibus privacy laws in 2023. At the federal level, a bipartisan group of legislators introduced the American Data Privacy and Protection Act in 2022, which gained some momentum when first introduced but later stalled, in part due to opposition by some legislators to any pre-emption of state privacy laws. While many U.S. businesses and policy groups continue to advocate for a comprehensive, federal privacy law, the likelihood of passing long-awaited federal privacy legislation in 2023 remains uncertain at best.
Privacy class actions also continue to be a key risk area in the United States, including in the context of biometric privacy (under the Illinois Biometric Privacy Act), text messaging (under the federal Telephone Consumer Privacy Act) and call recording, wiretapping and related claims under the California Invasion of Privacy Act and other state laws. Online monitoring and targeting activities—including via cookies, pixels, chat bots, and so-called “session replay” tools—are an area of particular focus in the United States from a regulator and enforcement perspective and are also a developing litigation risk area.
In China, regulators continue to develop their complex cross-border data transfer regime, which incorporates a combination of assessments, standard contract terms, approvals and consent requirements. Many businesses begin this year in the midst of frenzied activity on their China data compliance programmes.
Key Privacy Law Trends
Data localization is set to remain a prominent trend in 2023. Beyond China, the data localization trends extend elsewhere in Asia, and businesses will be watching Vietnam and India closely. In Europe, companies wait with bated breath for the finalisation of the EU-US Data Privacy Framework agreement, expected in Q1 or Q2 of this year (soon to be followed, no doubt, by the inevitable Schrems III challenge).
Increasingly, privacy professionals are also being asked to get to grips with the challenges of Artificial Intelligence (AI) and algorithmic decision-making. AI is fundamentally a creature of data, and so the overlap with data protection and privacy law is unavoidable. However, legislative bodies (and, in turn, regulated entities) will need to work out how to balance existing data privacy laws with new AI-specific regulation – most notably in the EU, US and UK.
On the cybersecurity front, the methods and tactics of threat actors continue to evolve, and the scourge of ransomware looks certain to remain a major concern for boards throughout this year. Governments are beginning to face up to the cybersecurity challenge using regulatory toolkits. The beginning of 2023 saw the entry into force of the EU’s NIS 2 directive – its revised and expanded set of cybersecurity rules for critical infrastructure operators and key suppliers – while the United States is debating its own proposed critical national infrastructure cyber security legislation (CIRCIA). Meanwhile, one of the most notable cybersecurity incidents of 2022 took place in Australia, where a massive data breach involving one of the country’s telecommunications providers led to a swift change in privacy law to increase the maximum level of penalties for data security breaches.
It is now a settled reality that data protection and privacy laws have teeth. Enforcement activity – whether in the form of fines, or orders compelling changes to business practices – continues to provide impetus to the compliance efforts of global businesses. 2022 was a record year in the EU and UK, with a 168% year on year increase in the total value of fines issued. In the US, there continues to be a dual threat in the form of fines or consent decrees from regulators on the one hand, and the spectre of class action risk on the other.
DLA Piper's global data protection, privacy and security team combines deep experience with international reach to bring practical compliance solutions to the myriad data protection laws.
We hope you continue to enjoy this popular resource, drawing on DLA Piper's global network of offices and trusted local counsel across an unparalleled number of jurisdictions.
If you require further guidance, please do not hesitate to contact us at [email protected].
Data Privacy Scorebox
You may also be interested in our Data Privacy Scorebox, a tool to help you assess your data protection strategy. It requires completing a survey covering 12 areas of data privacy, such as storage of data, use of data, and customers' rights. Once completed, a report summarizing your organization's alignment with key global principles of data protection is produced. The report includes a visual summary of the strengths and weaknesses of your data protection strategy, a practical action point checklist, as well as peer benchmarking data.
To access the Scorebox, please visit www.dlapiper.com/dataprotection.
We are proud to present a dedicated site offering DLA Piper's insight into the General Data Protection Regulation, the once-in-a-generation change in EU data protection laws.
We are proud to also present a dedicated site offering our insight into the ground-breaking new California privacy law.
Data Protection Blog
If you find this Handbook useful, you may also be interested in DLA Piper's Data Protection, Privacy and Security group's Privacy Matters Blog − a blog featuring regular data protection, privacy and security legal updates to help you remain aware of the most important legal and regulatory developments.
We have over 130 experienced privacy and security lawyers across the globe who are close to the regulations in each of their respective jurisdictions and who regularly post summary articles on their local issues.
To access the blog, please visit http://blogs.dlapiper.com/privacymatters/.
To ensure you receive an automatic email when a new article is posted, please enter your details in the 'subscribe' section found on the blog’s right hand sidebar.
This handbook is not a substitute for legal advice. Nor does it cover all aspects of the legal regimes surveyed, such as specific sectorial requirements. Enforcement climates and legal requirements in this area continue to evolve. Most fundamentally, knowing high-level principles of law is just one of the components required to shape and to implement a successful global data protection compliance program.