This year is likely to see significant changes to the laws and regulations dictating how companies collect, store, use and transfer personal data. Regulators in both the United States and Europe are increasing their focus on how companies collect data and—equally important—how they disclose their privacy and cybersecurity practices to the public. This will likely lead to more frequent enforcement actions and greater potential liability for companies in this new year.
EU/US CROSS-ATLANTIC DATA TRANSFER MECHANISM
Since Schrems II invalidated the EU/US Privacy Shield in 2020, companies on both sides of the Atlantic have been eagerly awaiting a replacement. That long wait might finally come to an end in 2023.
WHAT TO WATCH: The highly anticipated replacement for the Privacy Shield is close on the horizon. The big unknown is whether the inevitable Schrems III litigation will invalidate this latest solution.
RAPID EXPANSION OF CYBER COMPLIANCE OBLIGATIONS
Companies know that cybersecurity is important, and most take it very seriously. But now, so do the regulators. There has been a dramatic increase in the number of cybersecurity rules and regulations that will require companies to update their practices in 2023.
WHAT TO WATCH: For starters, the US Securities and Exchange Commission is likely to finalize rules that will require public companies to disclose information about their cybersecurity risk assessment program, policies to oversee third-party vendor risk, activities to prevent security incidents, business continuity and recovery plans, and reactions to and impact from prior incidents. Security incident reporting is also enhanced, requiring disclosure within four business days after a company determines it has experienced a material cybersecurity incident.
Companies also will need to update their cyber compliance practices to meet the new Payment Card Industry Data Security Standard 4.0, updated New York Department of Financial Services requirements and various other new cyber rules in 2023.
NEW STATE CONSUMER PRIVACY LAWS
California, Colorado, Connecticut, Utah and Virginia all have new consumer privacy laws that will become effective in 2023.
WHAT TO WATCH: Other states may pass similar laws in 2023.
US FEDERAL CONSUMER LAW UNLIKELY
A split Congress and an impending presidential election mean that a privacy bill is unlikely to make it to the finish line.
WHAT TO WATCH: Increased US government oversight likely will come instead through a variety of regulation, executive orders and enforcement actions.
EU DIGITAL PACKAGE
The European Union continues to be on the forefront of privacy legislation, pushing companies to provide more privacy controls and limit data use in different ways.
WHAT TO WATCH: Europe will likely continue to shape the digital ecosystem as it implements the Digital Services Act, Digital Markets Act, Data Governance Act, Artificial Intelligence Act and Data Act.
CLARITY ON FEDERAL TRADE COMMISSION (FTC) AUTHORITY?
The FTC is expected to continue aggressive enforcement and rulemaking, both of which are likely to end up in the courts.
WHAT TO WATCH: Will the courts add boundaries to the FTC’s authority in the absence of congressional action?
PERSONAL LIABILITY FOR EXECUTIVES
In 2022, one executive was found guilty of a crime and another was included in a personal capacity in an FTC resolution. The question on everybody’s minds is whether this trend will continue in 2023.
WHAT TO WATCH: Anticipate more FTC resolutions that impose restrictions on executives. While we may not see more criminal prosecutions, civil enforcement targeting executives likely will continue.
UBIQUITOUS AND EXPENSIVE CYBER THREATS
It’s not a question of if, but rather when. According to a recent report from IBM, 83% of organizations studied have had more than one data breach, and the average cost of a data breach to a US company is now $4.35 million.
WHAT TO WATCH: While the number of reported data security incidents plateaued slightly in 2022, the threats are at the highest risk level ever, and that’s likely to continue into 2023.
AN EVOLVING INTERNATIONAL LANDSCAPE
While the United States and the European Union attract significant attention in the data privacy space, countries around the globe continue to implement their own data privacy laws.
WHAT TO WATCH: The United States may not get privacy legislation across the finish line, but expect Canada, India and possibly other countries to enact privacy laws similar to the EU General Data Protection Regulation.
DATA SUBJECT REQUEST ESCALATIONS
Consumers are becoming more familiar with their rights and emboldened by aggressive data protection regulators. Will unhappy consumers lead to more regulatory investigations and fines?
WHAT TO WATCH: In the United States and the European Union, expect more data subject requests and more consumers complaining to regulators about insufficient responses, triggering regulatory investigations and actions.