What Does Data Protection Look Like For The World In 2022
As reported last year, the European General Data Protection Regulation (GDPR) continues to be the new global standard and adhering to it will make compliance with future privacy laws much easier and more efficient. In 2022, the China Cyberspace Administration and other agencies will need to approve the rules and administrative infrastructure needed to implement the General Data Protection Regulation. Businesses will begin to seriously comply with additional obligations under the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act in 2022 to meet the 2023 compliance deadline. Raising U.S. and International Privacy Obligations — With the California Privacy Rights Act (CPRA), the Virginia Consumer Data Privacy Act (VCDPA), and the Colorado Privacy Act (ColoPA) enacted in 2023 and more than a dozen other states Proposing Laws privacy laws in 2021, we expect more U.S. states to enact privacy laws, which will mean greater compliance complexity for companies operating in the United States.
Many companies have fully complied and continue to comply with the EU General Data Protection Regulation (GDPR), it is worth noting that in the summer of 2021 the European Commission published new Standard Contractual Clauses (SCC) for the transfer of personal data from the EU to third countries such as the United States. The use of Standard Contractual Clauses (SCC) in accordance with Article 46 of the GDPR would not be sufficient; companies will need to back it up with additional protections for personal data. From an EU perspective, a key area that companies will focus on in 2022 is updating existing data transfer agreements to replace them with new EU standard contractual clauses before the December 27 deadline, and respecting the influence of Schrems associated with this. II solution.
The current agreement will be replaced by a new SCC on December 27, 2022, which will require a review of existing cross-border data contracts with the European Commission. Cross-border data transfers will continue to be a hot topic in 2022, thanks to recently issued guidelines by the EDPB and the enactment of China’s new privacy law, the Personal Information Protection Law (PIPL). The China Personal Information Protection Law (2020), China's first attempt to establish data privacy rules, was due to take effect in 2021 but has been suspended.
As mentioned above, on June 4, the European Commission adopted new standard contractual clauses for the transfer of personal data from the European Union to "third countries", including the United States. On August 20, China passed the Information Protection Law (PIPL), the first global privacy law similar to the EU GDPR. PIPL clarifies and improves China's existing data privacy and cybercrime laws by establishing high-level principles that appear to be similar to the US tri-state data protection laws and GDPR, but the interpretation and application in practice are quite different. Over the past two years, some Chinese regulators, including the Cyberspace Administration of China (CAC), which enforces the PIPL, have weighed in the area with new regulations on data security, data transmission, artificial intelligence, and more.
The new regulatory measures will include data protection laws in India and China, AI regulation in the European Union, and automated decision-making rules in U.S. states. In 2022, we should see the way the UK handles cross-border data flows, as well as potential further changes to simplify the UK’s GDPR, and we should expect the US to resume efforts to develop its own privacy laws. He is expected to unveil his long-awaited CPRA rules. We may also see changes to Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA) and Hong Kong's Personal Data Privacy (Privacy) Regulations after the Thai Privacy Act comes into effect.
Exporting data will be a subject of intense scrutiny in China not only for personal data but, with the enactment of China's Data Security Law in 2021, other types of data. Some companies, depending on the size of the company and the type and amount of personal data transferred, will be subject to PIPL's security assessment requirements, which include identifying potential risks, ensuring adequate security measures, and data processing agreement provisions regarding protection, security and liability related to the processing of personal data. APPI will come into effect on April 1, 2022, and transitional measures for companies sharing data with third parties will come into effect on October 1, 2021. Throughout the grace period, businesses have been advised to implement security measures ahead of the launch of the new security law passed this year, and additional by-laws have been enacted during this period to help businesses effectively protect their assets and personal data.
Assessing security procedures should also be a priority in 2022, as the CPRA explicitly requires companies to implement sound security procedures and practices, and requires annual cybersecurity audits and risk assessment submissions to the newly created California Privacy Protection Agency (CPPA). The volatility and complexity of cybersecurity and data privacy will continue to grow in 2022, and new technologies will continue to bring great promise, especially if lawyers are at the forefront to ensure privacy and security from the outset. Recent actions by the European Data Protection Board (EDPB) and the Federal Trade Commission (FTC) indicate that the privacy aspects of AI and machine learning will be the focus of increased attention in 2022. Privacy protection between the EU and the US, new laws in China and India, the growing application of the EU General Data Protection Regulation and much, much more, there is undoubtedly a lot going on in the field of data protection and privacy.
The UK is likely to continue to forge its own path in data protection law and e-privacy under a new Information Commissioner (New Zealander John Edwards). One of the biggest data protection and privacy changes in 2020 will continue to be a headache for companies moving personal data from Europe to the United States in the coming years in Europe as they face the effects of Schrems II.
Helpful Links:
https://www.dataprotectionreport.com/2022/01/data-privacy-concerns-2022-and-beyond/
https://www.mofo.com/resources/insights/211124-privacy-data-security-predictions-2022.html
https://www.goodwinprivacyblog.com/2022/01/03/the-year-ahead-privacy-developments-in-2022/
https://www.connectontech.com/data-protection-day-key-developments-and-looking-ahead-to-2022/
https://www.gibsondunn.com/international-cybersecurity-and-data-privacy-outlook-and-review-2022/
https://www.jdsupra.com/legalnews/top-10-for-2022-happy-data-privacy-day-6361977/
https://www.insideindianabusiness.com/articles/data-privacy-laws-five-to-look-out-for-in-2022
https://www.reuters.com/legal/legalindustry/cybersecurity-data-privacy-foresight-2022-2022-01-21/
https://infopulse-scm.com/articles/main-data-privacy-trends-to-watch-in-2022-2025/
https://venturebeat.com/2022/02/07/3-data-privacy-trends-to-watch-in-2022-and-beyond/
https://www.accountablehq.com/post/data-privacy-predictions-for-2022
https://www.dataversity.net/what-data-protection-will-look-like-in-2022/
https://www.admonsters.com/data-privacy-trends-2022/
Do you have some staff you want to upskill within your business in Data Protection?
Or, do you want to futureproof your career and learn more about this topic?
We have two courses currently available at the moment:
Foundations Certificate in Data Protection
Practitioner Certificate in Data Protection
Make sure you check them out - you can access these BCS Accredited Online Courses now and get started on your learning journey.
