Data privacy in 2023: Is your organization ready for great regulation?  

Ever-growing legislation

The United States has played  catch up with Europe, and several state privacy laws will take effect in 2023. Although the new laws mirror the general direction of the GDPR, there are differences in the scope of main definitions, privacy rights and exceptions which must be paid attention to. 

In some ways the US state laws are more business friendly than GDPR, but tiny variations between different states make compliance with all of them much more challenging. As it is said, the devil lies in the details. For this reason we hope there will be developments regarding the American Data Privacy Protection Act. The proposal welcomes 2023 under congressional review, but there seems to still be hope for a federal law to get passed next year. 

The European Union has not rested either, trying to keep its regulatory environment up to date with technological developments. The Digital Markets Act will be applied in 2023 and the Digital Services Act will follow in 2024. 

The new acts aim to allow more competition in the data-centric business by opening up data monopolies within big tech companies and creating more transparency. The texts of the AI Act and Data Act are currently negotiated. 

The final wording of the acts may change but as the name suggests the AI Act will start to regulate artificial intelligence (AI) systems, creating new documentation and risk management obligations mainly aimed at companies which use high-risk AI and prohibiting use of AI for some purposes. 

The Data Act will introduce regulation to make data sharing and portability more effective. 

We haven’t forgotten about ePrivacy regulation either. The progress on it has been slow and it’s difficult to predict if the final text will finally be agreed upon. 

From a member states’ perspective, 2023 is a year when member states must implement the Whistleblower Directive for medium-sized enterprises. While the laws should be already in place for private companies with more than 250 employees and the public sector, countries haven’t been excellent in this regard. Several member states, led by France and Ireland, adopted their implementation laws in 2022, but some are still working on the draft law. 

Privacy and data protection topics are not only popular  in the EU and the USA. A new data protection law is expected to be adopted in India and we are also monitoring developments in other regions to guarantee Veriff's service is in compliance with all market requirements.

Upcoming court practice could potentially shake things up

While the amount of data protection legislation seems to grow, the laws already adopted cannot be considered to be final and forgotten. There are plenty of privacy related court cases currently in the Court of Justice of the European Union (CJEU) which might change the understanding of GDPR. 

Firstly, in case No. C-300/21 the CJEU will decide the limits of civil damage claims for data protection infringements. Recent years have seen an increase in private enforcement of data protection rules. This is expected to grow in 2023 when all  member states have to adopt a procedure to allow class actions in the data  protection field. The advocate general has expressed an opinion that GDPR does not allow punitive damages and the mere fact of a violation does not justify damages. If the court follows the opinion of the advocate general, this will likely discourage private enforcement of GDPR in the future as it would limit the cases where damage can be claimed. 

The second case we will be following is No. C-621/22, which was recently submitted by a Dutch court. GDPR allows data processing when there is a legal basis to the processing. One of the most flexible legal grounds in the GDPR is legitimate interest. Dutch supervisory authority is of the opinion that pure commercial interest cannot be legitimate interest. Such a strict interpretation would force several companies to rethink the legitimacy of their data processing. It is expected that the Netherlands is in the minority with their strict approach, but where the CJEU strikes the balance between commercial interest and legitimate interest would have commercial consequences to businesses.

Coming back to the EU’s plan to allow more competition regarding personal data, in case No. C-252/21 the CJEU will  decide on the limits of supervisory control. Notably, the Federal Cartel Office in Germany intervened in how Meta Platforms may process personal data and prohibited certain processing activities. Meta appealed the decision. The attorney general’s opinion has been liberal allowing competition authorities to cover incidental questions of data protection matters in certain cases. The court does not need to follow the same opinion, but it does have to decide where the competence limits lie between different supervisory authorities  and hopefully the final ruling gives an easily understandable explanation to keep supervisory proceedings’ scope predictable to companies. 

Ready for 2023

Veriff aims to make the internet a safer place. Veriff’s mission isn’t achieved once someone’s identity is verified — we have to ensure our users’ data remains safe beyond verification. An important part of internet safety is keeping the data safe and data processing transparent. 

To tackle the challenges of different privacy regulations, Veriff is determined to offer all data subjects a high level of protection regardless of their location. This simplifies work processes and provides equal protection to data subjects. In addition, we constantly monitor changes in the legal and technological landscape, not just when a new law is adopted but also how the meaning changes in time whether it be because of a court’s interpretation or due to technological developments to provide the best service possible and online safety to people.