2023 Data Security Incident Response Report

Global Privacy


International Data Protection

May 25, 2023 will be the fifth anniversary of the effective date of the European Union’s General Data Protection Regulation (GDPR), a law that led the way (and has frequently set the standard) for scores of data protection laws that have since been implemented around the world. For the past five years, many global companies have been operating in a perpetually reactive privacy compliance posture, with new laws coming online faster than full compliance programs can be built and operationalized. As a result, privacy governance efforts often target specific obligations without developing a holistic approach for meeting all (or even most) requirements of the law. As the data protection legal landscape continues to evolve, global companies need to assess and improve the maturity of their privacy compliance programs as part of ongoing risk management efforts.

Enforcement Agenda

Greater Coordination Among European Regulators. Although historically, data protection authorities (DPAs) have largely focused on policing serious infringements brought to their attention through individual complaints, personal data breach notices, or media exposés, we are starting to see a shift in regulatory agendas toward the proactive use of investigative and corrective powers. Throughout 2022, the effectiveness of the European Member State DPAs and their ability to enforce the GDPR were debated in the European Parliament and in the media. Newer laws, such as the European Union’s Digital Services Act and Digital Markets Act, rely more heavily on a centralized regulatory body, and many have proposed that the GDPR might benefit from similar reforms. In response, Member State DPAs are moving toward a more coherent and coordinated GDPR enforcement strategy, including cooperation among the regulators and simplification of their enforcement action processes. As part of this effort, the European Data Protection Board established criteria for determining investigation and enforcement priorities, such as the recurring nature of an alleged violation, whether it intersects with other legal obligations (for example, consumer protection), and the level of risk to individuals.

Enforcement Priorities. Many regulators annually publish their enforcement strategies for the upcoming year or annual reports highlighting their enforcement activities. In Europe, DPAs are clearly prioritizing inspections and sanctions. As a general matter, DPAs expect to see more workforce awareness and internal training to address privacy and data security compliance in an anticipatory manner. The European Data Protection Board has indicated that it will be focusing an upcoming coordinated action on the designation and position of data protection officers – whether they have been properly appointed and are being appropriately deployed within companies.

Member State DPA Enforcement Emphasis On:

  • Personal data transfers, especially in the context of cloud-based technologies;
  • The privacy of children and other vulnerable populations, including age-appropriate design, restrictions on profiling and data sharing, and use of CCTV in care spaces;
  • Advertising technologies, including dark patterns, online marketing, and data brokers;
  • New and emerging technologies, such as artificial intelligence, digital identities, blockchain, smart cities, and biometric information; and
  • Compliance documentation, such as data protection impact assessments and records of processing activities.

Key Priorities: Advertising Technologies, Emerging Technologies, and Compliance Documentation

Advertising Technologies. Advertising technologies continue to be a priority for many regulators. Regulators in Brazil, California, China, and South Korea have all recently called out data use by online advertising technologies and mobile apps as an area in need of regulatory attention. AdTech has been the subject of a great deal of guidance published by DPAs. Such guidance is often dismissed as non-binding, but companies should take note that these publications are key to understanding regulatory expectations. Moreover, this guidance is often enforceable. Recent guidance has closely paralleled both the enforcement actions we have seen from regulators and their stated enforcement priorities. Accordingly, we expect regulators to focus on the following areas related to advertising technologies in 2023:

  • Protecting individual rights when using digital products and services;
  • Online tracking and transparency, in particular phasing out third-party cookies and providing functional privacy choices to users;
  • Processing personal data from website visitors and app users and providing meaningful choices to people regarding that processing;
  • Preventing dark patterns and other deceptive designs;
  • Further alignment of regulatory positions on the use of cookies;
  • Investigating data brokers and resellers; and
  • Preventing unwanted text messages, telemarketing, and other marketing communications.

New and Emerging Technologies. New and emerging technologies remain a focus for regulators as well, especially technologies that involve novel uses of personal data. Regulators have continued to highlight the close relationship between personal data and digitalization. For many companies, the successful implementation of newer, data-driven technologies will demand a mature privacy compliance program to build on. Several regulators, including DPAs in France, the Netherlands, Norway, and Spain, have created or will create special units focused on AI oversight and enforcement. With respect to other areas requiring subject-matter expertise, the European DPAs will be able to call on a support pool of experts for assistance with investigations. Regulatory priorities related to newer and emerging technologies for 2023 include:

  • Predictive algorithms and AI, particularly in automated business applications and processes;
  • The collection of personal data through smartphones and apps;
  • Emerging types of data collection, such as emotion recognition;
  • Biometric technologies;
  • New uses of health data; and
  • Anonymization and pseudonymization standards.


Internal Compliance. Finally, a number of regulators have stated their intention to investigate internal compliance at both public- and private-sector companies. Regulators tend to do this by issuing questionnaires, requesting internal documentation, and/or initiating formal or informal investigations. We have seen growth in this type of action following personal data breach notifications. We expect regulators to use these tactics more frequently as part of their proactive compliance checks.

Enforcement Priorities Include:

  • Questionnaires and inspections related to employee data;
  • Data retention practices;
  • Reviewing unreported personal data breaches; and
  • Compliance documentation.

Essentially, if documentation is required by law, companies should expect regulators may ask to review it. Among other things, they may ask to examine internal policies and procedures as well as any required compliance materials, such as data protection impact assessments, transfer impact assessments, records of processing activities, and personal data breach records. These types of internal documents are not often the top priority for many companies, but they can become critical to demonstrating compliance or justifying actions that may have created or mitigated privacy risks.

Looking Ahead

Regulators outside of Europe also have initiated similar proactive strategies. South Korea’s Communications Commission, for example, created a cell phone personal data breach prevention program in late 2022 aimed at finding ways to minimize such breaches in the future. South Korea’s Personal Information Protection Commission has recently revised its guidance on technical and organizational safeguards as well as its guidelines on using employment and healthcare data, indicating potential areas of upcoming regulatory focus. Brazil’s DPA highlighted several areas in its agenda for 2023-2024, including international personal data transfers, data protection impact assessments, data protection officers, AI, and developing minimum technical security standards. China continues rolling out regulations related to its recent privacy and cybersecurity laws, including releasing a standardized contract for cross-border personal information transfers. In the upcoming year, we expect to see corresponding scrutiny and enforcement in China.

As new privacy and data protection laws continue to emerge – watch out for pending legal reforms in Australia and Canada, a revised law in Switzerland, and a possible new law in India in 2023 – companies should be taking stock of their privacy compliance programs. Decide what is working and fix what is not. Think about how to streamline your compliance program for improved functionality, considering both applicable data protection laws and your overall risk mitigation strategy. Reacting to changes in the legal landscape will be much less burdensome if you already have a functional, mature privacy compliance program that simply requires modification to meet new challenges.