What Data Privacy Changes to Expect in 2023

What changes are coming in 2023 for data privacy technology?

2023 promises to be a year of accelerated change in the data privacy and protection technology space as Automation is the name of the game. The technology space has evolved into over 10 sub-branches with areas like data mapping automation tools, personal data identification, incident managment, privacy program assessment tools and de-identification tools some of the main ones reflected in Gartner’s GRC magic quadrant space. Here’s one list from G2 List of Privacy Vendors which gives you an idea of the burgeoning regtech space.
Gartner predicts that 75% of the global population will have Its personal data covered under privacy regulations next year which means that automation in other areas will come to the fore such as customer privacy request handling, consent management, privacy impact assessments, data transfer tracking and many more areas that touch on the privacy lifecyle.
We can expect consent management platforms (CMP’s) to take over many of the cookie consent and third party sharing permissions to be handled automatically to stay in step with CPRA, GDPR, cookie laws and EU’s new eprivacy laws.
Read our related article on the new EU privacy law HERE.

What changes to expect with the trans-atlantic data transfers in 2023?

Most privacy professionals will be aware of the past problems implementing a standard for personal data transfers between the EU and US over the years. Safe Harbor and Privacy shield died under legal challenges by Max Schrems related to NSA surveillance concerns and Facebook lack of consent approach. The next iteration of agreements between the EU and US has arrived in the form of the Trans-Atlantic Data Privacy Framework (TADPF) or “Privacy Shield 2.0” which is due to come online this year. The new act gives more protections against US surveillance activities. It also establishes a two-tier redress system that includes an independent Data Protection Review Court composed of individuals from outside the US Government to investigate and resolve complaints; and lastly an enhancement over existing rigorous and layered oversight with US intelligence agencies adopting procedures to ensure effective oversight of new privacy and civil liberties standards. So far Max Schrems has indicated scepticism behind the new regulation saying that “it’s only a political announcement and no new functional fixes have been introduced so far” Read the text from Schrem’s (NOYB organization) press release HERE. We can expect to see a legal challenge from Schrem’s if there are weaknessess in the new framework.

How was data transferred before privacy shield 2.0?

Before privacy shield 1 came the safe harbour privacy principles which were in place till 2015. They were designed to prevent private organizations within the EU or US who stored customer data from accidentally disclosing or losing personal information. The Safe Harbor principles were brought down on the grounds that they failed to guarantee all the protective rights guaranteed under EU Law and in addition lacked a specific authority to enforce data protection related rights.

Right after the first case, an updated version of the principle the “EU-US Privacy shield” was broadly welcomed as it claimed to provide more coverage in it’s EU Data Protection principles. In reality it was not much different from the safe harbour principles. The CJEU in July 2020, ruled in the case commonly called Schrems II, that Privacy Shield also did not offer the necessary protection to the personal data of EU residents.

Are standard contractual clauses (SCCs) still in use?

Standard contractual clauses were last updated in January 2021 which remain the primary method for 3rd country transfers of personal data under GDPR. Standard data protection clauses (“SCCs”) remain a sufficient guarantee for data protection provided, the identified supplementary measures implemented in addition to the SCC’s do not contradict with the provisions of GDPR. A data exporter ought to have the responsibility to ensure that these additional clauses neither restricts the rights and obligations in SCCs nor tarnish the level of protection offered. SCCs, therefore, are left untouched by the Schrems II decision and remain a safe practice to ensure privacy in data transfers.
We can expect to see an update to SCC’s once again in 2023 as the European Commission has hinted at another refresh.

What data protection laws are changing in 2023?

California’s CPRA (California Privacy Rights Act) comes into force this year with expanded laws over it’s preceding CCPA (California Consumer Protection Act). Read our related article on CPRA changes HERE. 4 other states including Conneticut, Colorado, Utah and Virginia have comprehensive privacy laws on their books which will see implementation this year. 10 other states have limited privacy laws focused on the protection of minors, we can expect this to change next year to align more with the planned federal privacy law (ADPPA). A look at the current calendar for data privacy bills from the National Conference of State Legislatures shows us over 40 bills in the pipeline coming into 2023.

What about the data privacy job market in 2023?

Data privacy professionals can expect good things this year and for many years to come. Read our related article on job prospects for privacy professionals HERE. Our article points out that there is a 30% year on year increase in demand for privacy pros with many candidates being placed in a week and receiving 3 job offers on average. Entry level positions are commanding an unprecedented $75 to $95 thousand dollars while senior privacy consultant positions come in the $175k to $250k range. Read the article to get fully informed, but it’s safe to say that companies are formalizing the demand for a data privacy professional in their organizations as the position becomes more distinct from a CISO’s remit with new roles like Chief Privacy Officer becoming more prevalent.