
The last 2 years have seen extraordinary changes and challenges in the world, impacting every aspect of our lives. The relentless rate of change in the risk and regulatory environments for data privacy only increased in 2021. Considering the ever-exciting new technologies and innovations around data, we should certainly expect an increasing number of new opportunities, risks, and hence vulnerabilities in 2022. The current scenario demands a progressive, risk-based, and globalized strategy towards data privacy.

Now that 2021 has come to a close, let us look back at the major happenings around data privacy in 2021. Let us also see what we can expect for data privacy in 2022.

2021 – The Year That Was

2021 has been an interesting year for data privacy. It is the year that all the major tech companies started talking the language of privacy, with Apple leading the pack. Lagging way behind was Facebook, with its whistle-blower uniting the Democrats and Republicans in calling for regulation.

A Slew of New Privacy Regulations

Despite the global events that took center stage in 2021, the upward trend in data privacy legislation enactment continued. With several countries planning to review and revise their existing data privacy regulations and many others tabling new ones, the influx of new privacy regulations is only expected to increase in 2022.

Around 38 U.S. states introduced more than 160 consumer privacy-related bills in 2021. A lot of these bills are limited in scope, focusing on only one area of data privacy, such as biometric, genetic, or geolocation data. However, 23 states introduced a total of 34 comprehensive consumer data privacy bills in 2021, similar to the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation.

Two U.S. states, Virginia and Colorado, passed their data privacy laws in 2021. The Virginia Consumer Data Protection Act was signed into law on March 2, 2021, soon followed by the Colorado Privacy Act, which became law on July 6. These laws will become effective on Jan. 1, 2023, and July 1, 2023, respectively.

Less than three months after its approval by the National People’s Congress, China’s Personal Information Protection Law (PIPL) came into force on November 1, 2021. On September 1, 2021, the Data Security Law (DSL) also entered into effect.

The South Africa Information Regulator's enforcement powers entered into effect on July 1, 2021, nearly a year after the enforcement date of the Protection of Personal Information Act (POPIA).

In another part of the world, as part of its 50th anniversary, the United Arab Emirates (“UAE”) has issued a set of legal reforms, including the much-awaited Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”). The UAE Data Protection law was issued on 26 September 2021 and came into force on 2 January 2022.

The Kingdom of Saudi Arabia has recently published its Personal Data Protection Law (published on 24 September 2021). The Personal Data Protection Law will enter into force on March 23, 2022, and regulates the collection, processing, and use of personal data in the Kingdom.

GDPR Enforcement

Following one year of limited enforcement activity, largely owing to the pandemic, 2021 featured an upward trend in GDPR enforcement across the EU. The enforcement actions that drew the most attention were a 746 million euro fine in Luxembourg for Amazon, a 250-page decision of the Irish DPC on WhatsApp, and a pending decision on Facebook, as well as a case sent from an Austrian court to the CJEU.

Guidelines and Decisions

The EDPB issued several important guidelines in 2021. It released the highly anticipated guidance on cross-border transfer restrictions. New guidance issued by the EDPB provides some solid answers to long-standing questions about cross-border transfers and the definition of transfer.

The European Commission also issued new Standard Contractual Clauses (SCCs) in June 2021. The new SCCs took into account the decision-making behind the invalidation of the EU-US Privacy Shield. Any new business contracts taking place after September 27, 2021, must use the new SCCs. Organizations must ensure that any contracts entered into before September 27, 2021, are updated with the new SCCs by December 27, 2022.

In June 2021, the European Commission adopted two positive adequacy decisions for the UK. Later in December, the European Commission announced that it had adopted its adequacy decision for the transfer of personal data between the EU and South Korea. Organizations transferring data to the UK and South Korea now have one less obligation to worry about.

Throughout the second half of 2021, supervisory authorities in the Asia Pacific region continued to issue and update their guidelines. Japan's Personal Information Protection Commission (PPC) launched a consultation on its revised guidelines on the Act on the Protection of Personal Information (APPI).

JPC Report on India Personal Data Protection Bill

The Indian Joint Parliamentary Committee (JPC) adopted its report on the Personal Data Protection Bill, 2019, in November 2021. The Bill was tabled in the Houses of Parliament on December 17, after 2 years of prolonged deliberation, and 6 extensions.

2022 – The Year That Will Be (Maybe)

New Laws and Regulations

Expect a tsunami of new laws and regulations in 2022. For years now, the USA has been talking about the need for a comprehensive federal privacy law. Despite the consensus around it, I don’t expect the legislation to be passed in 2022. However, expect a flurry of activity around it.

In addition to Virginia and Colorado’s new laws, expect at least a few additional states to pass their privacy legislation in 2022. I suggest keeping a close watch on privacy legislation in the states of Maryland, New Jersey, Ohio, Florida, Oklahoma, and Alaska in 2022.

In the last week of 2021, India tabled its much-anticipated JPC report on the privacy bill. The Joint Parliamentary Committee has given several recommendations and introduced some additional concepts, including protection for non-personal data. Considering that India is at the center of the world economy (along with a few other countries), the world of data privacy now expects India to pass the law in 2022, sooner rather than later.

In 2022, we will see global businesses struggle to comply with China's PIPL and a slew of rules and guidelines from the regulators, especially around cross-border data transfers. Chinese law imposes stringent and varied data localization requirements on certain sectors and categories of data, while other businesses are allowed to transfer data from China under specific conditions, such as conducting a security assessment and filing it with the CAC.

Privacy Enforcements

Taking a leaf out of 2021, expect the regulators to step up enforcement in 2022. The primary focus of the regulators may be on issues related to children’s data protection, use of AI, use of health and financial information, and digital marketing.

Digital marketing

Adtech and digital marketing are not going out of fashion soon, and neither are the privacy questions arising from them. In 2022, expect the ad tech and marketing ecosystem to try and solve the puzzle of digital marketing regulations, from Europe’s GDPR and e-privacy regulation to California’s CCPA and CPRA. Expect the industry to come up with new models for ad targeting and marketing to keep up with the regulators.

Artificial Intelligence

Artificial intelligence continues to occupy a central role for policymakers across the globe. As artificial intelligence evolves, it magnifies the ability to use personal information in ways that can intrude on privacy interests.

The Cyberspace Administration of China (CAC) has released its draft guidelines to regulate the use of algorithmic recommender systems by internet information services. In 2022, expect the EU to continue to advance towards an AI Regulation, which is based on concepts from the field of product liability.

The USA is not far behind. U.S. states are stepping up legislative efforts around AI. The California CPRA addresses “automated decision-making technology, including profiling.” In the California assembly, the Automated Decision Systems Accountability Act of 2021 (AB 13) has been tabled. Several bills around AI are pending in states from Washington and Colorado to New Jersey and Vermont.

The Metaverse

The metaverse is a series of interconnected, interoperable, and immersive ecosystems. It became the talk of the world last year after Facebook rebranded itself as Meta. It means different things to different people and businesses: a platform for social communication, work, business, gaming, or entertainment.

It is understood that this virtual world (i.e. the metaverse) will trigger privacy questions around child protection, data sharing, accountability, and more. The Metaverse is going to be an interesting problem to solve for policymakers.

To Summarize

2022 is going to be an interesting year for Data Privacy. Expect a multitude of activities around it, be it in regulatory space, policy-making efforts, or technology trends. New laws, enforcements, guidance, and industry regulations are on the horizon. Expect 2022 to be a very busy year for businesses, privacy/security professionals, and policymakers alike.

 

Author: Swati Phadke (VP – IT Risk Advisory, Riskpro India)