What’s on the Global Horizon for Data Privacy in 2023?

January 26, 2023

By: Amber L. Lawyer, Shannon A. Knapp, and Jackson K. Somes

Expect another year of regulatory ambiguity for international data privacy laws in 2023, as the European Commission reviews the EU-US Data Privacy Framework. European Union courts indicate increased scrutiny for behavioral advertising, and a host of new privacy laws are expected across the globe.

The EU-US Data Privacy Framework

On Oct. 7, 2022, President Biden signed an executive order implementing the EU-US Data Privacy Framework (EU-US DPF). The EU-US DPF provides a mechanism for the transfer of data across EU and US borders. As many readers know, the Court of Justice of the European Union (CJEU) previously invalidated the prior data transfer scheme, the EU-US Privacy Shield, because it did not provide an adequate level of privacy protection as required by GDPR.

The EU-US DPF still has to be reviewed by the European Commission before it is implemented. The Biden Administration announced that the updated provisions in the new data transfer framework fully address the concerns raised by the CJEU when it invalidated the Privacy Shield, but the European Commission will be the one to determine if the EU-US DPF meets adequate data privacy standards. Once the European Commission issues an adequacy determination, the EU-US DPF Principles will become immediately effective. Although a determination by the European Commission is expected in 2023, legal challenges to the new framework are also expected to follow shortly.

Validity of Contractual Necessity as a Legal Basis for Behavioral Ads Under GDPR in Question

A recent decision issued by Ireland’s Data Protection Commission signaled that EU regulators are closely examining lawful bases for processing user information in connection with behavioral advertising.

At the start of the new year, Ireland’s Data Protection Commission (DPC) fined Facebook’s parent company Meta €390M. In its final decision, the DPC held that Meta did not have a lawful basis under GDPR for processing the personal information of its users for targeted behavioral advertising. Meta asserted that it had a proper contractual basis to process the user data for personalized advertising, as this processing was disclosed in the Terms of Service of Facebook and Instagram. However, the DPC declared that the processing of personal data for the purpose of behavioral advertising is not a necessary core element of Meta’s services. Instead, the DPC determined that Facebook’s and Instagram’s main purpose is communication with other users.

Although the decision is not an outright ban on behavioral advertising, it does reveal that EU regulators will closely investigate a company’s claimed lawful basis for processing personal data. This ruling could have an important impact on companies with behavioral advertising at the center of their business models.

Going forward, companies across industries should also review their bases for processing personal information, especially operations based on contract, to ensure continued compliance with GDPR.

New International Data Privacy Laws

Around the world, several new international data privacy laws are expected in 2023. India’s first data protection bill is scheduled to pass in the summer of 2023, Canada is expected to overhaul its national privacy laws with the Digital Charter Implementation Act, and the EU Digital Markets Act will take effect in May 2023.

Canada

Canada’s Digital Charter Implementation Act, Bill C-27, was introduced in 2022 and is expected to become law in 2023 without many substantive changes. The act seeks to amend an existing data privacy law as well as enact the Consumer Privacy Protection Act (CPPA), Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.

Under the CPPA, organizations will generally need a user’s consent to collect the user’s personal information. However, there are a number of exceptions to the consent requirement, including an exception for “legitimate interests” in conducting business activities. Other key provisions of the CPPA include the requirement to keep personal information anonymized, the right for an individual to request that an organization dispose of their personal information, and an individual portability right regarding personal information.

The CPPA also creates an enforcement regime for issuing compliance orders and imposing penalties for violations of Canada’s privacy laws. The scheme grants new powers to Canada’s Office of the Privacy Commissioner, including the ability to assess an organization’s privacy program and issue recommended corrective measures.

India

India’s long-awaited Digital Personal Data Protection Bill is also expected to be enacted in 2023. The proposed legislation is expected to provide a comprehensive legal framework for data privacy in India, outlining the rights and duties of citizens processing personal data.

A version of the Digital Personal Data Protection Bill has been in the works in India since 2018. The current iteration borrows from other existing data privacy frameworks. For example, any organization that processes personal information, called a data fiduciary, will have to provide notice of the data collected and the purpose for its collection, and also obtain consent for the specific purpose for which the personal information is used. The proposed law will also establish affirmative individual rights such as the right for a person to obtain their collected data and the right to correct any inaccurate or misleading personal data.

EU Digital Markets Act

The EU Digital Markets Act imposes a broad range of prohibitions and obligations on entities determined to be “gatekeepers.” Many of the prohibitions and obligations imposed by the Digital Markets Act involve the use of a user’s personal data in addition to addressing anti-competitive practices. A company is presumed to be a gatekeeper if it meets a three-part definition: (1) the company provides a core platform service that serves as an important gateway for business users to reach end users; (2) the company has a significant impact on the internal EU market; and (3) the company enjoys an established or expected entrenched durable position.

Beginning May 2023, the European Commission (EC) will begin the process to designate which companies qualify as gatekeepers. A company presumed to be a gatekeeper by the EC will have the opportunity to rebut the presumption by substantively showing that it does not meet the criteria. The act is expected to primarily target Big Tech companies.

The need for data privacy continues to be recognized across the globe, and the progression toward greater privacy and data-related laws is only gaining speed. Check back in tomorrow for our update on U.S. privacy law.

For more information or guidance concerning any of the topics above, please contact Amber Lawyer, CIPP/US & CIPP/E, Shannon Knapp, CIPP/US, Jackson Somes or any attorney in Bond’s cybersecurity and data privacy practice.