On the occasion of Personal Data Protection Day, Kateryna Mishchenko wrote an article for the Avitar blog on Medium. In the article - the exchange of knowledge of experts from different countries (mainly from Britain): global trends and expectations in the field of privacy for 2022.
"The main source of information, in addition to the IAPP materials and the laws themselves, were knowledge-share meetups (from the same IAPP): different countries, cities, everything happens off the record. One of the main values of any event is people. And it is good when these people want to share their vision and their knowledge. I listened to it myself and will tell you.
This review is divided into five parts and combines both the opinion of my British colleagues and my own conclusions.
Everything is predictably stable in Europe, GDPR is gaining momentum. Tentatively, for the 22nd year, we are expecting:
The size and frequency of fines for GDPR compliance will increase from 2021. Growth rates are expected to increase in 2022 as regulators increase their focus on privacy.
According to the CNIL, one (!) French user is enough for them to intervene and start their investigation.
As a private person, I am delighted, but as a DPO, I am a little nervous. Nevertheless, the CNIL is currently one of the most active regulatory bodies.
The state will continue to develop. regulation of data protection issues. Personally, in addition to a number of legislative acts of the EU (Brussels), I am waiting for sectoral changes: banks, real estate. Among the famous innovations, we expect:
According to my British colleagues, the AI Act and the Data Act will affect the big picture. I am waiting for an explanation regarding metallis and new introductory ones in the field of IoT.
In January 2022, the CNIL published the first fine for the use of cookies against Google and Facebook.
From practical notes: the cookie banner is the first thing that the user (well, or the regulator) sees. Where earlier than the availability and quality of the Message on the site. Therefore, it is in the interest of the business to put up a banner that meets the requirements. Interestingly enough, most of the difficulties arise in this question: conversion, leads, competitors and other 105 factors as arguments against.
Meanwhile, businesses are still working out what a cookie-free future will look like. The latest version of the Internet without cookies was abandoned, because the structure of the Internet and business in it will not survive, so alternatives are being sought.
2021 was the year under the motto "sit and evaluate". Today it is already possible to see how the first complaints of Schrems II are accepted for consideration.
The fact that the 22nd year has come does not mean that the grades will be less. I think that the focus will shift from formal assessment to its objective manifestation: recommendations, prescribed additional controls, assessment of vendor counterparts.
Now with whom everything is very interesting, but nothing is clear. This is partly due to the fact that the vast majority of laws are published in Arabic or one of the languages of the Eastern group.
From what is known now:
Player #1: UAE opens Data Office to support new laws/
In honor of the anniversary, there was a large-scale legislative reform in the UAE, which you can read here.
Briefly about the main thing: new federal laws of the UAE on data protection have been issued, an office is opening, sectoral laws have also prescribed requirements for the protection of personal data.
Although the new law is based on the GDPR, there are some significant differences:
The most important thing: the preliminary date of entry into force of the law is mid-March. Six months were allotted for business implementation. There is no official translation into English, there is no clear date, the timing is inexcusable. I wish strong nerves to those who work in this market.
Free zones in the UAE and Qatar (DIFC, ADGM, QFC) are also updating their data protection laws to meet international data protection standards. The main focus is on GDPR and the main ISO and SOC2 certifications.
This is where the fun begins. The new Personal Data Protection Law of the Kingdom of Saudi Arabia was enacted by Royal Decree and will come into force in March 2022.
Among the innovations:
The Million Dollar Question: Is Federal Privacy Law Coming Soon?
It is unlikely that a US privacy law will be passed in 2022. The procedure is too complicated and there is no established practice yet.
That said, we're watching as new state laws are likely to go into effect along with California, Virginia and Colorado.
Judging by the analytics, the main topic in the US regarding medical data is the misuse of HIPPA. These are mainly issues of data publication, transfer and disclosure upon request. It is not yet clear what this will lead to in view of such a proactive attitude of the population.
Canada is updating the current PIPEDA law. The new Consumer Privacy Protection Act not only gives us new acronyms, but also points that we need to consider. Canada continues the Eastern trend towards consent.
Personal opinion: This is rather surprising, since most countries, on the contrary, avoid it and develop other grounds for processing to leave consent exactly as it should be: freely given, specific, informed and unambiguous.
Let's move on to the Pacific region. In this section, I will mainly convey the opinion of other specialists, since I myself do not work with this region.
We observe the patterns governing the processing of PD: special attention to the assessment of cross-border transfer
Detailed rules are said to be available in the development stage and will be published soon. Interested as a third-party user in view of the situation of control over personal data in China.
Briefly about trends:
The exception to my professional ignorance in the context of this region is Singapore. Taking into account the technological boom that took place there during almost continuous lockdowns, Singapore is very interesting precisely in terms of cloud technologies, health tech, analytics and huge, simply incredible databases. Therefore, you can safely add regulations or, at least, recommendations for working with BigData here.
Official statements about the future read as follows: PDPC in 2022 will focus on digital services, cloud technologies and artificial intelligence.
The implementation of Singapore's Data Protection Act, as amended in 2011, continues. A brief overview for those who have forgotten (everyone is aware of course): the concept of "deemed consent" was introduced
Background: Businesses have always been forced to obtain consent for any data processing. The amendments introduced two categories of conditional consent: for contractual necessity and if the company conducts an assessment and understands that data processing will not harm a person.
Singapore's Anti-Spam Law will soon be revised to cover popular messaging platforms such as WhatsApp to stop unwanted messages. How it will work at the moment is unclear to me. But judging by the general impression, Singapore is getting closer and closer to China.
And finally, Latin America. The most amazing region for me, which pleased me the most during two weeks of information gathering.
Secret: If you find it useful or interesting to learn about the Latam market, we can organize a webinar with our partners from Brazil.
In news worth repeating, Brazil has passed its own data protection law – the LGPD – almost as close to our beloved GDPR.
Moreover, people are quite aware of their rights. The media has reported several cases of data breaches since the LGPD came into force.
What will be the effect of media coverage of such cases? Public awareness will increase and the new regulatory body will be focused on enforcement.
Personal opinion: In general, law enforcement in this area is going very well. According to open data on the Internet, the Brazilian consumer protection system receives lawsuits, which increases the level and number of court proceedings. In 2021, there were 6,000 privacy lawsuits. But many lawsuits related to labor relations, where the requirement for privacy is secondary. Many lawsuits go to small cases court, where the plaintiff will not pay the defendant's costs, even if they lose. That is why companies are flooded with lawsuits due to trifles such as an inappropriate request.
Ideally, privacy-related lawsuits and group exposures await us next. Sounds like fun, isn't it?
Overall, the picture is that with the development of digital technologies, data protection in Latin America is gravitating towards GDPR standards.
I don't know what's going on there, but their regulator seems to be clearly promoting innovation. There is quite a lot of good news on the net, for example, about the positive experience of working with bitcoins in El Salvador, Barbados, which opened the first embassy in the Metaverse.
Personal opinion: Brazil has been producing a lot of startups in the last few years, and with the LGPD, it seems to me that AI regulation is just around the corner.
Here are some facts:
That's all. I will answer any questions or comments in the next article. For now, in the next series, a brief overview of everything that is in Ukrainian legislation in the context of personal data.
LinkedIn
YouTube
Instagram
Facebook
Telegram
Medium
