2022 was another busy year in privacy and data protection. We have seen major new developments at both the EU and the UK level, in terms of new legislation taking effect, changes to the data transfer regime, analytics cookies coming under regulatory spotlight from various EU data protection authorities, and substantial fines issued for breaches of data protection law.

Regulations surrounding privacy and data continue to develop at a rapid pace. Emerging technologies have changed the manner in which personal data is collected and used. These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 could be an exciting and a busy year for privacy and data.

We asked some of our Tech & Data team members in the field to get their opinions on what is likely to happen in privacy and data in 2023:

  • Cynthia O’Donoghue, London – “2023 is likely to bring much more data regulation, such as the EU Health Data Space, guidance on processing data for medical and scientific research (along  the same lines of what the UK ICO issued in 2021); the Digital Governance Act, draft Data Act, Digital Services Act and the Digital Markets Act, all resulting in much more complexity in relation to use and processing of personal data in the European Union”
  • Asélle Ibraimova, London – “Despite the EU-US Data Protection Framework expected this year which might alleviate the efforts on data transfers to the US, the in-house legal teams will continue grappling with documenting transfer impact assessments when using contractual mechanisms for transfers of personal data to other third countries. However, as businesses move towards maximising the value of data they hold, the bigger focus this year may be on facilitating data sharing of data between affiliates or between different segments of the business. Another big focus is likely to be on adjusting to data protection developments globally and aligning templates and other data protection-related documents to the new data protection requirements in different localities.”
  • Andreas Splittgerber, Munich – “2023 will be a landmark year for AI regulations in Europe. We are expecting the AI Act to be finalized. We hope this will speed up and not slow down AI development and use in the EU.”
  • Philip Thomas, London – “The use of biometric data will increase exponentially, as facial and voice recognition looks set to overtake two factor authentication as a way to secure smartphones and businesses become increasingly aware of the predictive capabilities of biometric data.  Given the particular sensitivity and risks attached to processing such data, we expect the European Data Protection Board to issue an opinion on the parameters/limitations applicable to biometric data processing, with the UK ICO also publishing guidance on the subject.”
  • Sven Schonhofen, Munich – “Cookie compliance will continue to be an enforcement trend. Supervisory authorities are very active – e.g. with the analytics cookie proceedings, the new cookie guidance from the German authorities, and the European Data Protection Board report on the cookie banner task force. I would be surprised if auditing organisations on their cookie setups was not on the top of the authorities’ agendas for 2023.”
  • Sarah O’Brien, London – “As data becomes more important to businesses, I think we will see companies in all sectors taking a harder line on data “ownership” and data use rights.”
  • Irmela Dölle, Frankfurt – “The European AI Act will soon come into force and manufacturers, operators, and users of AI systems will be confronted with extensive obligations and requirements that they will have to deal with. In particular, developers and users of high-risk AI will have to implement measures such as labelling according to transparency requirements and setting up a risk and quality management system. At this stage of AI development, it is already necessary to observe the legal and regulatory requirements.”
  • Sophie Vella, London – “It will be interesting to see the development and status of EU law within UK data protection law, with the General Data Protection Regulation hanging in the balance as we wait to see how (or if) the UK government retains it in light of the Retained EU Law (Revocation and Reform) Bill, which would revoke all EU-derived legislation by the end of this year.”
  • Florian Schwind, Munich – “I am curious about the judgments of the European Court of Justice (ECJ) in 2023, especially regarding Article 15 of the General Data Protection Regulation relating to the right of access. There are currently a handful cases pending; hopefully, those will provide greater clarity on the scope of the right of access. I predict the ECJ will further strengthen the data subject rights.”
  • Angelika Christoforou, London – “2023 is the year we will see more data-related legislation come into force, for example, the UK Online Safety Bill and the UK Product Security and Telecommunications Infrastructure Act to make internet of things (IoTs) products more secure.”
  • Friederike Wilde-Detmering, Munich – “The EU Commission is going to adopt an adequacy decision for data transfers to the US. Organisations will, however, nevertheless continue entering into the standard contractual clauses and conduct transfer impact assessments to be prepared for a possible Schrems III decision.”
  • Joana Becker, Munich – “I think we will see a trend with regard to the proper handling of children’s data. There are more and more digital offers that directly address children. This raises the question of how to securely and lawfully obtain the parental consent required under the General Data Protection Regulation. In practice, we already see a wide range of approaches, such as a double opt-in procedure, the use of AI or technical verification systems.”