Advances in Data Privacy Laws in 2023
In 2023, the primary challenge of cybersecurity lies in creating advancements and implementing systems that adhere to data privacy laws and regulations. In other words, compliance with these laws will be the central focus during 2023. Cybersecurity providers must first and foremost raise awareness among companies and users, emphasizing the importance of staying ahead in meeting regulatory requirements. This can be achieved through educational campaigns on cybersecurity.
With the emergence of large-scale data storage technology known as the “cloud,” concerns about control, sovereignty, and privacy have become increasingly prominent. While local data centers are expected to abide by data privacy regulations, the widespread use of cloud technology complicates matters.
Using web-based resources and artificial intelligence often leads to disclosing personal and business information. While technology offers numerous benefits, cybercriminals can exploit it to reveal sensitive data about individuals or companies, such as location, interests, health status, political views, etc. Users who share information with web-based service providers without staying informed about the latest data privacy laws risk significant damage.
As such, keeping up to date with cybersecurity laws is as crucial as staying current with software and hardware advancements. These laws help protect and control personal data more effectively, penalize non-compliant organizations, and provide guidelines for adherence. The following summary highlights recent privacy and data protection developments across various regions.
2023 Updates to the EU General Data Protection Regulation
The EU’s General Data Protection Regulation (GDPR) is a significant international data privacy law, which has influenced over 100 countries in crafting their cybersecurity legislation. One of the latest developments in European data protection is the European Law on Artificial Intelligence, proposed in April 2022 and currently in its first year of implementation. This law promotes the ethical use of AI in industry, with the aim of complementing human labor using democratic principles.
Applicable to private, public, and mixed organizations utilizing AI that impacts EU citizens, the law covers service providers and AI applications developed and executed both within and outside the EU’s borders. The European Data Protection Board has agreed upon four risk levels for AI usage: 1) unacceptable risk, 2) high risk, 3) limited risk, and 4) risk. This regulation made Europe the first global power to establish such guidelines.
Moreover, starting from May 2023, two significant regulations for online platforms will come into effect in the European Union:
- The Digital Markets Act aims to prevent unfair practices by companies that serve as gatekeepers in the online platform economy. These digital platforms play a crucial role in connecting business users with consumers, which may grant them the power to act as private regulators and create bottlenecks in the digital economy. To address these issues, the Digital Markets Act will enforce a set of obligations, primarily prohibiting gatekeepers from engaging in certain behaviors.
- The Digital Services Act applies to all digital services that link consumers to goods, services, or content. It aims to foster a safer and more accountable online environment by regulating online intermediaries and providing new consumer protections and security measures. With its implementation, the European Data Protection Board will once again become a global frontrunner in establishing cybersecurity standards. The act will introduce new obligations for online platforms to minimize harm and mitigate online risks while ensuring the rights of online users. Furthermore, it will place digital platforms within a new transparency and accountability framework. The European Commission is establishing a European Center for Algorithmic Transparency to support its supervisory role.
The United States of America Also Sets a Position on Data Protection
The United States has a stance on data protection but lacks a comprehensive national data privacy law. Individual states have created their own data privacy regulations, with California leading the way. By 2023, several states, including California, Virginia, Colorado, Utah, and Connecticut, will have revised their respective privacy and data protection laws.
These laws strive to grant citizens various rights concerning their personal data, such as access, rectification, deletion, and the ability to opt out of particular uses. The implementation timeline for these laws differs, with some becoming effective as early as January 1, 2023, and others not until December 1, 2023.
It is worth noting that states may take months to implement a law even after announcing it well in advance. This phased approach allows time to establish document management systems and legal solidity, and gives citizens time to adapt and comply. Skipping this process could result in the law’s failure.
Global Stance on Implementing Information Security Laws for Privacy and Data Protection
In recent years, many countries have considered legislation offering various levels of consumer privacy protection, and new developments may arise in 2023. Some of these nations have stated that their privacy and data protection laws are still in progress.
Canada is at the forefront, currently working on the “Personal Information Protection and Electronic Documents Law” project, which seeks to regulate how private companies manage personal information during business activities. This project encompasses three bills related to consumer privacy, data protection, and artificial intelligence systems.
China is formulating its “Personal Information Protection Law” draft with a centralized political approach. This law will be China’s first comprehensive regulation governing internet data and safeguarding Chinese consumers’ personal information. Although an initial version was implemented in November 2021, the overseeing commission is now evaluating consent requirements as the primary foundation for data collection and processing. They are also considering tighter restrictions on cross-border data transfers and imposing stricter penalties for non-compliance.
Brazil’s data protection and privacy law, established in 2020, currently examines personal data of individuals in Brazil, irrespective of the data processor’s location. In Africa, South Africa’s bill focuses on protecting the personally identifiable information of its citizens.
Russia enacted its data protection and privacy law in 2014. However, during the 2021 conflict with Ukraine, new internet protection legislation was introduced to increase control and enhance cybersecurity within local networks. This legislation includes new data regulations and specific warnings against major social networks like Facebook and Twitter. Plans are in place to create a surveillance center and develop defenses against external attacks.
In the aftermath of the Rikunabi scandal, Japan has spent two years working on amendments to strengthen its data protection and privacy law, becoming a benchmark for the European Union in terms of information security. This law requires companies using cookies or similar machine-generated identifiers to verify if the data recipient can identify an individual by combining the data with other available information.
The Crucial Role of Preventive Education in Fostering a Culture of Data Protection and Privacy
Cybersecurity policymakers believe that as companies face substantial fines and severe penalties for non-compliance with privacy and data protection laws, they will allocate more resources to developing robust internal compliance programs. Consequently, governments will advocate for stronger enforcement of these laws.
In 2023, additional data privacy laws will emerge addressing concerns arising from data gathered by Internet of Things (IoT) devices and other connected technologies. Essentially, companies must establish a reputation for adhering to privacy and data protection regulations to gain consumer trust. This will require increased investment in privacy-enhancing technologies, where consumer information precedes personal identity.
As people become increasingly conscious of the risks and hazards associated with the improper use of personal data, their trust in companies providing goods and services will be affected. In brief, data privacy is a matter of global concern, as numerous businesses operate across borders and maintain commercial relationships with each other via the Internet. As a result, it is natural for governments from various countries to collaborate on international privacy and data protection legislation as a future aspect of cybersecurity.
admin is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.