Privacy in 2022: What to expect and where to focus

Following in the footsteps of the last few years, 2022 is shaping up to be a landmark year for privacy and data security. Here is a quick privacy forecast to help you identify where to focus, and what to expect, in the coming year.

Where to focus now:

· Continue compliance efforts for China’s PIPL. Organizations should look to finalize compliance efforts with China’s Personal Information Protection Law (PIPL). To help with this effort, a formal English translation of the law was released at the end of 2021 by the National People’s Congress (NPC). With PIPL only recently in force, continue to look for further developments as both regulators and the industry at large continue to establish implementation standards.

· Finalize new SCC roll-out for European international data transfers. While the new SCCs issued by the European Commission in June 2021 are already required for new contracts, organizations have until December 27, 2022, to incorporate the new SCCs into contracts dated on or before September 26, 2021. Organizations with one-year deal terms should leverage this cycle by incorporating updated SCCs into their annual renewal cycle.

· Ramp up compliance efforts for upcoming US state laws. With California, Colorado, and Virginia privacy laws all set to come into effect in 2023, organizations should continue (or begin) building out their compliance programs to meet the demands of these new laws. Companies that do not currently comply with the GDPR may see heavy compliance loads, as Colorado and Virginia align closely (with some important deviations) to GDPR standards.

· Begin compliance efforts for Quebec’s updated privacy law. Quebec’s Bill 64 (An Act to Modernize Legislative Provisions as regards the Protection of Personal Information) will begin to come into effect in the second half of 2022, though most requirements are not effective until September 2023 and beyond. The new Bill expands on previous privacy protections, introducing a wide array of new requirements including enhanced data subject rights, new disclosure and consent requirements, and heightened obligations related to privacy assessments and breach reporting. The Bill also significantly increases potential fines for privacy violations.


What to expect next – new laws and rulemaking:

· CA privacy rulemaking. The California Privacy Protection Agency (CPPA) has a deadline of July 01, 2022, to release rulemaking for certain provisions of the California Privacy Rights Act (CPRA). Organizations should be prepared for additional requirements and clarifications regarding automated decision making, audits and risk assessments, and consumer rights regarding data deletion, correction, and limitation of the use of sensitive data.

· More action for state privacy laws. While Colorado and Virginia were the only states to pass new comprehensive privacy laws in 2021, several other states came close. Expect to see a handful of new state laws cross the finish line in 2022. Top contenders include Connecticut, Florida, Maryland, New Jersey, New York, Ohio, Oklahoma, and Washington.

· More debate for a federal US privacy law. While growing state legislative action is likely to increase demand for a single preemptive federal privacy law, with mid-term elections and the continuation of the COVID-19 pandemic, it is unlikely we will see a comprehensive federal privacy law in 2022. That being said, new rulemaking by the FTC or policymaking by the White House is likely in the absence of movement on federal legislation. Updates to existing federal laws and regulations like COPPA, and in the area of financial privacy and, in particular, fintech, are likely.

· HIPAA proposed rulemaking. With the last update to the HIPAA rules nearly a decade ago, the OCR issued a notice of proposed rulemaking in 2021. Major potential changes include the expansion of patient access rights, the simplification of certain provider disclosure standards, a refresh of the National Institute of Standards and Technology (NIST) guidelines, and changed standards for the treatment of substance abuse and mental health information. Final versions of these rules are expected to be issued sometime in 2022, though a specific enforcement date has not been announced.

· A wave of “privacy-adjacent” legislation out of Europe. With GDPR now the established law of the land in the EU, some EU regulators have shifted focus to adjacent legislation addressing artificial intelligence, digital platforms and services, dark patterns, and adtech and online marketing. The most likely contenders to become law this year include: the Data Governance Act (DGA), the Digital Markets Act (DMA), the Digital Services Act (DSA), the e-Privacy Regulation (ePR), and the revised Network and Information Security (NIS) Directive (NIS II).

· Continued changes for data transfers out of the EU. While the old EU SCCs have been approved as a temporary solution for data transfers out of the UK, the UK Information Commissioner’s Office has indicated that it expects to publish updated UK SCCs in 2022. The European Data Protection Board has also indicated that a new set of SCCs, focused on international transfers where the data importer is subject to Article 3(2) of the GDPR, may be in the pipeline.

· India’s personal data protection bill. India’s draft Data Protection Bill is expected to be passed by Parliament in early 2022, and to take effect on a rolling basis beginning later this year. The draft Bill is particularly notable for several key requirements above and beyond what is currently required by the GDPR. In particular, look for heightened obligations relating to non-personal data, enhanced requirements in the areas of data localization and data breach notification, and a new framework for addressing the use of algorithms.

What to expect next – enforcement trends:

· A growing focus on cookies, adtech and behavioral advertising, dark patterns, data de-identification, and child-oriented privacy and design. While 2021 saw enhanced enforcement across nearly all areas of data privacy and security, expect to see a particular concentration in these areas.

· More movement from the FTC. The Federal Trade Commission (FTC) has already signaled its intent to focus on privacy rulemaking in 2022, particularly in the fields of data security and algorithmic decision making. Look for updates in these areas sometime in February of this year. Expect additional FTC interest in the areas of children’s privacy, privacy issues related to health data, and privacy and security practices in the financial sector, all of which were called out in the FTC’s Annual Statement of Regulatory Priorities.