By 2023, 65 percent of the world’s population will have its personal data covered under modern privacy regulations, up from 10 percent in 2021, according to a technology and consulting company. In light of this, 2022 will see regions such as the Asia Pacific region, Europe, the Middle East, and the United States introducing new data privacy and protection laws.
In celebration of Data Privacy Day, we are highlighting some of these laws as well as some global data privacy and protection questions, expectations, and trends that lie ahead in 2022.
Without further ado, below are some of the privacy laws from around the world that we anticipate will go into effect in 2022 or that recently went into effect.
Australia
2022 will see draft anti-trolling legislation, renewal of the Privacy Act 1988, and the introduction of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 to Parliament.
China
2022 will see numerous national-level and local-level laws regulating the processing of data and personal information, many of which have a cross-border element (e.g., the Administrative Regulations on Network Data Security and the Measures for Security Assessment of Cross-Border Data Transfer).
- On January 1, 2022, the Shanghai Data Regulations went into effect.
- On January 1, 2022, the Shenzhen Special Economic Zone Data Regulations went into effect.
Germany
2022 welcomed Article 327q of the German Civil Code, which went into effect on January 1, 2022. Article 327q enhances consumer personal data protections.
India
2022 will likely see the passage of India’s Personal Data Protection Bill, 2019, which will cover both personal and nonpersonal data.
Ireland
2022 will see the commencement of the final sections of the Data Sharing and Governance Act 2019.
Israel
In 2022, two amendments to the Protection of Privacy Law, 5741-1981 may be enacted.
Japan
On April 1, 2022, amendments to the Act on the Protection of Personal Information will go into effect.
Qatar
On May 21, 2022, the Data Protection Regulations 2021 and the Data Protection Rules 2021 will take effect.
South Korea
2022 will likely see significant amendments to the Personal Information Protection Act.
Sri Lanka
In 2022, the Act to Provide for the Regulation of Processing of Personal Data may go into effect.
Switzerland
In 2022, the revised Swiss Federal Act on Data Protection and its revised ordinances are expected to go into effect.
Thailand
In 2022, the Personal Data Protection Act 2019 may go into effect.
Turkey
2022 may see amendments to the most controversial provisions of the Law on Personal Data Protection (Law No. 6698).
European Union
2022 will see a wave of data protection legislation, including the Digital Services Act and Digital Markets Act, Data Governance Act, ePrivacy Regulation, NIS II Directive (Security of Network and Information Systems), Artificial Intelligence Act, and the Data Governance Act.
United States
Several privacy laws will go into effect within the next 18 months in California (the California Privacy Rights Act (CPRA), which is effective on January 1, 2023), Colorado (the Colorado Privacy Act (CPA), which is effective on July 1, 2023), Virginia (the Consumer Data Protection Act (CDPA), which is effective on January 1, 2023), and New York (the employee monitoring amendment to the New York Civil Rights Law, which is effective on May 7, 2022). In addition, privacy rights legislation is under consideration in the following states:
- Alaska: Consumer Data Privacy Act
- Florida: Florida Privacy Protection Act
- Maryland: Maryland Online Consumer Protection and Child Safety Act
- Massachusetts: Massachusetts Information Privacy Act
- Minnesota: Minnesota Consumer Data Privacy Act
- Mississippi: Mississippi Consumer Data Privacy Act
- New Jersey: New Jersey Disclosure and Accountability Transparency Act
- New York: NY Privacy Act and Digital Fairness Act
- North Carolina: Consumer Privacy Act
- Ohio: Ohio Personal Privacy Act
- Pennsylvania: Consumer Data Privacy Act
- Washington: People’s Privacy Act, Washington Privacy Act, and Washington Foundational Data Privacy Act
The Big Questions, Expectations, and Trends for 2022
The big questions
- Will 2022 see a comprehensive U.S. federal privacy law?
- Will the UK’s data adequacy decision remain valid?
- Will 2022 be the year the cookie jar is emptied? Will there be a cookie-less future?
The expectations
Employers can expect the following developments in 2022.
- More General Data Protection Regulation (GDPR) enforcement;
- Results from the UK government’s consultation on the data reform, which may result in new legislation during 2022;
- The UK government may be advancing its own program of data adequacy partnerships with Australia, Colombia, Dubai International Finance Centre, Singapore, South Korea, and the United States;
- The results from the UK Information Commissioner’s Office (ICO) consultation on the draft international data transfer agreement (IDTA) and guidance, which replace Standard Contractual Clauses (SCCs);
- More clarity on international data flows following an Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) ruling that the use of search engine analytics violates the “Schrems II” decision; and
- A harmonized position across Europe and the United Kingdom on the processing of COVID-19 vaccination data in the workplace.
The trends
Here are some trends that have emerged have data privacy legislation and court decisions.
- Organizations may start striving to amend contracts; whilst the old SCCs were repealed on 27 September 2021, organizations have a grace period until December 27, 2022, to amend contracts executed before September 27, 2021;
- The rise of transfer impact assessments: the new SCCs require data exporters to conduct an assessment of the laws and practices of the third country of destination that are applicable to personal data transferred;
- Further regulatory scrutiny on privacy notices following the Digital Preservation Coalition (DPC) imposing a fine of €225 million on an app for failing to discharge its transparency obligations under the GDPR in the context of its privacy notice.
- Further regulatory scrutiny on data minimisation following the DPC’s decision in a December 2020 case coupled with a complaint filed against a dating app for requesting excessive information from individuals when exercising their GDPR rights;
- A rise of data protection of children and other vulnerable groups, for example, through the use of end-to-end encryption technologies (which the ICO’s position advocates) and various regulatory strategies (such as Ireland’s Data Protection Commission’s (DPC) Regulatory Strategy for 2022-2027); and
- A rise of claims related to privacy and data protection, in particular, data breach claims following the likely rise of ransomware attacks.