Thales Blog

Data Privacy Legislation: What You Should Be Looking for in 2023

January 25, 2023

Todd Moore | VP Encryption Products, Thales

Comprehensive data protection laws exist across the globe. While each law is different, there are many commonalities in terms of the rights, obligations, and enforcement provisions. Lawmakers’ efforts have intensified in the last two years, with many data protection law initiatives being passed and adopted. This trend continued through 2022, with regions such as the Middle East, the Asia Pacific and states in the US introducing or amending data privacy and protection laws.

The ever-lasting impact of GDPR

Gartner has estimated that by 2023, 75% of the world’s population will have its personal data covered under modern privacy regulations. The International Association of Privacy Professionals (IAPP), in cooperation with Westin Research Center, has produced an interactive map identifying those countries with data protection laws.

IAPP has also published a chart mapping tool for many of the global data protection laws, including the laws in the U.S. and E.U. This comprehensive tool is a fine demonstration of the commonalities shared between the various privacy legislations across the globe, and of the impact that GDPR has had. An example of one mapping, including the E.U., is shown below.

3 trends behind today’s privacy governance

Three trends summarize the most significant changes in privacy and data governance today:

  • Increasing regulatory complexity

Keeping up with rapid changes in regulatory and compliance law is a huge problem for businesses and privacy professionals. By utilizing standard, well-documented security best practices, privacy and compliance teams can proactively keep ahead of the regulatory changes. Incorporating flexibility and agility into the architecture of business systems will help with the evolution to these new standards.

  • An evolving data and technology landscape

Business teams occasionally see compliance as a roadblock to innovation as cutting-edge technology and data usage techniques continue to emerge. However, incorporating a privacy by design approach can help businesses stay compliant with legislation while still performing at the top of their game.

  • Growing stakeholder awareness

Business procedures, ethics, and governance are highly scrutinized by stakeholders such as customers, employees, and investors. As a result, transparency and consent are very important. In the coming years, the ability to win over consumer trust through transparent communications will be a strategic differentiator for businesses.

The evolution of privacy is moving past the realm of legal compliance and into an era of integrated data governance and trusted data use. Additionally, boardrooms and stakeholders are giving privacy a greater amount of visibility. This gives compliance teams the chance to tell a compelling story about how privacy efforts are being deeply integrated throughout the enterprise to achieve new goals.

Major privacy milestones in 2023

Four significant events are coming up in 2023 that you should keep an eye on.

1. US-based legislation coming into effect

Depending upon which state privacy laws apply to your business, now is the time to assess and implement data governance controls to comply with the California Privacy Rights Act or the Virginia Consumer Data Protection Act by January 1, 2023; Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring or the Colorado Privacy Act by July 1, 2023; and the Utah Consumer Privacy Act by December 31.

On a federal level, the American Data Privacy and Protection Act (ADPPA) is the most significant federal data protection law in the United States since the U.S. Privacy Act of 1974. The ADPPA takes a fairly comprehensive approach to protecting privacy, incorporating many of the policies of GDPR, and represents a step forward in how the nation protects people’s rights and their data.

2. Moving away from third-party cookies

Third-party cookies won't be used after December 31, 2023. This constitutes a substantial shift from current targeted advertising and personalization approaches, but it also creates new options for businesses and marketers.

3. Cross-border data transfers and the Data Privacy Framework

In July 2020, the Court of Justice of the European Union (CJEU) found the EU-US Privacy Shield Framework to be inadequate. Although the case referred to data transfers between the EU and the US, the implications are global. The European Data Protection Board (EDPB) issued guidance that clarifies next steps, and organizations will have to reassess their processes for handling international data transfers.

In October 2022, the Biden Administration published the EU-US Data Privacy Framework, which was met with mixed reactions. The European Commission will now have to adopt an adequacy decision, which is not expected before spring 2023.

4. New EU directives

The EU Data Governance Act (DGA) will facilitate data access and sharing with the public sector to benefit the public good. This will add yet another layer of complexity as organizations seek to understand their data and what it takes to facilitate compliant data transfers. The EU DGA entered into force on 23 June 2022 and, following a 15-month grace period, will be applicable from September 2023.

In addition, in February 2022, the European Commission proposed the EU Data Act, which will “give consumers and companies even more control over what can be done with their data, clarifying who can access data and on what terms,” as Margrethe Vestager, Executive Vice-President for a Europe fit for the Digital Age, said in a press release.

These new directives point to the rising importance of maintaining a single source of truth for data cataloging and data mapping. Orienting your business towards this strategic direction will pay dividends once these new obligations enter full force.

Is it time for one global privacy legislation?

"Although I am very positive that this would enhance the level of personal data protection worldwide, while also adding to companies' standardization of procedures, I would expect that it would not be very effective,” says Konstantinos Kakavoulis, a Greek lawyer specialized in digital law, data protection and intellectual property, and co-founder of the civil society privacy organization Homo Digitalis. “The problem is an intrinsic disadvantage of international law; its non-enforceability. Due to the sovereignty of states, it is impossible to enforce such a set of rules. It would be up to each state or corporate entity to adhere to international personal data processing standards. However, I would love to see such a thought turning into reality. After all, we already have a great international instrument to follow as a paradigm - the 'Ruggie Principles on Business and Human Rights', which have contributed significantly to the compliance of many corporations all around the globe and multinational corporations with human rights law, despite being 'soft law'."
