As growing public awareness of data privacy issues continues to put pressure on countries to enact stricter privacy laws, businesses will face new compliance requirements, increasing uncertainty as well as costs.
The impact of these regulations on businesses will be exacerbated by the increasing use and development of new technologies in 2022.
Fragmented data privacy regulations
While the US still lacks a harmonized privacy regime, calls for federal data protection legislation will increase as state-level regulations are adopted, such as Virginia’s Consumer Data Protection Act (CDPA), which is set to take effect in 2023. In 2021, at least 38 US states introduced more than 160 consumer privacy-related bills, yet only three states have comprehensive consumer data privacy legislation. The new year will see many more states introducing comprehensive consumer privacy legislation—including Arizona, Connecticut, Florida, Minnesota, Mississippi, and Washington.
China also introduced its first comprehensive data protection law, the Personal Information Protection Law (PIPL), in November 2021. This new legislation provides a comprehensive set of rules around data protection, similar to that of the General Data Protection Regulation (GDPR) in Europe. The new law makes it even costlier for companies to store Chinese user data overseas and data localization requirements will reform the way Big Tech cloud platforms operate. India is also following suit with its Personal Data Protection Bill, which is expected to come into force in the first half of 2022.
Fragmented data privacy regulations globally and within the US will create uncertainty for businesses as they face a range of distinct compliance requirements. As countries prepare to implement these new, more stringent data privacy regulations in 2022, businesses will need to plan to accommodate new compliance requirements.
The absence of an agreement between the EU and the US on data transfers, since the ECJ declared the EU-US Privacy Shield invalid, will continue to add to the uncertainty businesses face over the legality of transatlantic data transfers. While EU and US agencies continue to work together towards establishing a new Privacy Shield that is satisfactory to European data protection authorities, many are concerned that any deal agreed upon will eventually be invalidated by the CJEU.
The UK data protection regime is taking a new direction
In September 2021, the UK government published a consultation entitled ‘Data: a new direction’, which set out proposals for a re-framing of the data protection law in the UK post-Brexit. These proposals include plans to drive data privacy in a new direction by relaxing privacy rules to encourage data-driven economic growth and innovation. Deregulation that causes a downgrade in data protection standards will risk losing the adequacy decision granted to the UK by the EU.
Enforcing the regulations
2021 saw improved enforcement of the GDPR, as evidenced by large fines issued to some of the biggest tech companies—such as the $888 million fine levied against Amazon by Luxembourg’s National Commission for Data Protection.
While the GDPR is commonly used as the global standard, increasingly fragmented privacy regulations will create greater ambiguity for businesses. As new regulations are enacted globally, regulators will need to focus their efforts on ensuring that laws are complied with and take effect.