Top 10 Data Security & Privacy news of 2023 and what to expect in 2024

We just couldn’t end the year without the top 10 security & privacy news of 2023 and what 5 trends to look forward to in the new year.

What 2023 had in store for us:

  1. EU-US Data Privacy Framework: Schrems Take 3?
  2. How Will Data Protection Be Guaranteed With The New Digital Euro?
  3. EDPB Adopts Finalized Guidelines On The Calculation Of Fines Under GDPR
  4. Europe’s Data Supervisory Authorities Investigating ChatGPT’s Processing
  5. The 20 biggest GDPR fines – the highest one being registered in May of 2023
  6. EDPB provides clarity on tracking techniques covered by the ePrivacy Directive
  7. EU-Japan Agreement on Data Transfers
  8. California’s Delete Act enhances personal data privacy
  9. The EU Data Governance Act is officially a go
  10. Norwegian DPA fine raises the possibility of an EU ban

What we can expect in 2024:

  1. EU AI regulation could be adopted early 2024
  2. Changes to UK data protection law
  3. The possibility for the EU-US framework to be dismantled
  4. An Increased Commitment to Security
  5. International Collaboration – a more unified legal framework

TOP 10 DATA SECURITY & PRIVACY NEWS OF 2023

1. EU-US Data Privacy Framework: Schrems Take 3?

The EU-US Data Privacy Framework (DPF) has officially arrived – the European Commission announced its adequacy decision on July 10, 2023. This decision marks a significant development after the EU-US Privacy Shield was invalidated as a result of the, now infamous, Schrems II ruling by the Court of Justice of the European Union (CJEU) in July 2020. The DPF, resembling its predecessor, introduces a self-certification and verification program whereby organizations will be expected to justify that they meet the requirements.

Read more here

2. How Will Data Protection Be Guaranteed With The New Digital Euro?

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a Joint Opinion on the proposed Regulation of the digital euro, which is intended to be the new European Central Bank digital currency. The digital euro will be a secondary payment method to cash and aims to give people the option of making payments electronically, both online and offline.

Read more here

3. EDPB Adopts Finalized Guidelines On The Calculation Of Fines Under GDPR

On June 7, 2023, the European Data Protection Board (EDPB) announced the adoption of the Guidelines on Administrative Fine Calculation under the General Data Protection Regulation (GDPR). The EDPB’s objective with these guidelines is to establish a standardized approach for data protection authorities (DPAs) when determining fines, incorporating consistent starting points. The EDPB emphasized that three key factors are taken into account: (i) classifying the nature of the violations, (ii) assessing the severity of the breach, and (iii) considering the business’s revenue.

Read more here

4. Europe’s Data Supervisory Authorities Investigating ChatGPT’s Processing

As of June 2023, Italy, Germany, France, and Spain are among the countries that have begun to investigate the use of ChatGPT in Europe. The European Data Protection Board (EDPB) has even established a dedicated task force to help coordinate investigations. If these agencies demand changes to ChatGPT, as the Italian authority has in the past, it could affect how the service runs for users around the globe. Regulators’ concerns can be broadly split into two categories: where ChatGPT’s training data comes from and how OpenAI is delivering information to its users.

Read more here

5. The 20 biggest GDPR fines – the highest one being registered in May of 2023

In 2023 we’ve seen the biggest GDPR fine to date, of more than €1.2 billion, issued to Meta. Cumulatively, total GDPR fines now exceed €4 billion, which can only be seen as a testament to the importance of being compliant and committed to data protection regulation.

Read more here

6. EDPB provides clarity on tracking techniques covered by the ePrivacy Directive

The EDPB has issued guidelines regarding the technical aspects of Article 5(3) of the ePrivacy Directive. These guidelines are intended to clarify the application of the directive to various technical operations, especially new and emerging tracking techniques. The goal is to offer more legal certainty to both data controllers and individuals.

Read more here

7. EU-Japan Agreement on Data Transfers

At the G7 Trade Ministerial in Osaka, the European Union and Japan have successfully finalized a groundbreaking agreement aimed at facilitating and enhancing the ease, cost-effectiveness, and efficiency of conducting online business. A crucial aspect of the agreement involves eliminating expensive data localization mandates, which pose an unnecessary challenge for businesses in both Europe and Japan. This is significant because it guarantees that companies will not be compelled to store their data in specific local locations.

Read more here

8. California’s Delete Act enhances personal data privacy

California Governor Gavin Newsom signed the Delete Act (SB 362), allowing residents to request the deletion of their personal data from all state data brokers, streamlining a process that previously required individual requests to each company. Data brokers must register with the California Privacy Protection Agency and provide an easy, free method for data deletion. Non-compliant brokers face fines. While privacy advocates applaud the bill, advertising companies argue it may harm their industry. Civil liberties and privacy advocates seek stronger data broker regulations due to concerns about data transparency and law enforcement using such data. The law takes effect by 2026 with some exemptions for certain companies. Enforcement mechanisms remain unclear.

Read more here

9. The EU Data Governance Act is officially a go

The Data Governance Act (DGA) took effect on September 24. The intent behind the DGA was not to add another acronym to the lexicon of privacy professionals but rather to establish a framework for the secure utilization of public sector data, set guidelines for data intermediary service providers, introduce the notion of data altruism, and institute the European Data Innovation Board.

Read more here

10. Norwegian DPA fine raises the possibility of an EU ban

The penalty issued by the Norwegian data protection authority in August has the potential to extend throughout the entire European Union, exposing Meta to substantial daily fines until significant alterations are made to their tracking ads practices. The Norwegian fine stems from a national resolution that forbids the kind of digital profiling undertaken by Facebook and other Meta entities. If this decision is broadened across the EU, it could potentially trigger a ban on such practices within the bloc.

Read more here

TOP 5 DATA SECURITY & PRIVACY TRENDS TO KEEP AN EYE OUT FOR IN 2024

1. EU AI regulation could be adopted early 2024

The EU AI Act is set to be completed by the year’s end. Following the final EU procedures, known as the trilogue, it is anticipated that the act will be officially adopted in early 2024, before the European Parliament elections scheduled for June 2024. Subsequently, a transition period of at least 18 months will precede the full enforcement of the regulation.

Read more here

2. Changes to UK data protection law

The 2023 Data Protection Regulations (the SI) will, among various adjustments, modify UK data protection legislation to reference rights derived from UK law rather than retained EU law rights. Once parliamentary approval is secured, the SI is slated to take effect at the commencement of 2024.

This regulatory change underscores the government’s ongoing commitment to preserving the UK’s adequacy status and safeguarding the rights of data subjects. Nevertheless, it emphasizes that the Retained EU Law (Revocation and Reform) Act 2023 (REUL Act) has brought about foundational changes to UK data protection law which may face some challenge from the European Commission. While the day-to-day impacts are expected to be minor, this alteration to the underlying principles of the UK’s data protection framework is nonetheless noteworthy.

Read more here

3. The possibility for the EU-US framework to be dismantled

In September, French MEP Philippe Latombe made an announcement indicating his challenge to the adequacy decision on the Data Privacy Framework before the Court of Justice of the European Union.

Mr. Latombe’s statement outlines his pursuit of the immediate nullification of the adequacy decision, coupled with efforts to amend the existing text, which he identifies as having numerous shortcomings. These deficiencies encompass inadequate safeguards for private and family life, constituting a violation of the Charter of Fundamental Rights, particularly in the context of the extensive collection of personal data. Furthermore, there is a failure to adhere to GDPR standards, attributed to the absence of effective remedies, access to an impartial tribunal, and assurances regarding the security of processed data. Several other groups are also challenging the framework, such as famed privacy rights advocates NOYB, who brought challenges to the previous Privacy Shield.

Read more here

4. An Increased Commitment to Security

As cyber threats continue to evolve in sophistication, businesses are intensifying their commitment to safeguarding personal data. A surge in innovative technologies, such as advanced encryption protocols, artificial intelligence-driven threat detection, and potentially blockchain-based authentication, will reshape the landscape of data security. Organizations are increasingly prioritizing proactive measures, instead of reactively responding to breaches. Companies are realizing that securing customer trust requires a resilient cybersecurity framework.

5. International Collaboration – a more unified legal framework

We hope to see much-needed international cooperation in formulating shared standards and protocols for data protection as a response to global concerns about data privacy. As more countries engage with privacy and security laws and regulations, we would like to see countries and organizations working together around the world to raise awareness and legal standards. Data protection is not just an issue for Europe, or for the US – it affects every country.

See Ed Britan’s opinion on the matter here

Created by:

Borneo
