Introduction
This is an Insight article, written by a selected partner as part of GDR's co-published content.
Data law and practice have continued to evolve rapidly since the 2022 edition of this handbook. Those developments reflect that authorities around the globe are racing to address the ever-growing importance of data, and the risks that misuse of data can pose to individuals, businesses and national interests. Below are a few highlights from the past year. More details can be found in the chapters that follow.
Many international businesses have been particularly affected by the entry into force of China’s first comprehensive data protection regime, the Personal Information Protection Law (PIPL). The PIPL contains several elements similar to the EU’s General Data Protection Regulation (GDPR), including some extraterritorial effects, fines of up to 5 per cent of revenue and scope for consumer protection organisations to bring group actions. The PIPL also impacts on the ability of organisations to transfer data outside China, and has increased compliance burdens for multinational businesses with Chinese interests.
There have been noteworthy developments worldwide relating to data exports and data localisation, including:
- significant new restrictions on businesses exporting data from China under both the PIPL and separate data security laws;[1]
- agreement in principle on an EU–US Trans-Atlantic Data Privacy Framework to replace the Privacy Shield;[2]
- businesses with UK or EU operations:
  - striving to implement revised standard clauses for personal data transfers out of those jurisdictions ahead of the expiry of transition periods; and
  - navigating emerging regulatory guidance on how to use those standard clauses.
We have also seen new data breach notification regimes enter effect – for example, in China[3] and Japan.[4]
Cyberattacks have continued to increase and cybersecurity ranks as one of the biggest concerns for companies globally. A dedicated chapter explains how cyberthreat intelligence can be used by organisations to better understand, reduce and combat the threats they face.[5] Our chapters on the EU, China, Singapore, Japan and Australia[6] provide updates on the cybersecurity landscape and proposed new cybersecurity laws in those jurisdictions.
Against this backdrop, we can expect regulators to remain focused on the due diligence conducted during and after mergers and acquisitions (M&As) if a target subsequently experiences a data breach. And beyond cybersecurity, data-related laws, from IP protections to antitrust laws, continue to be important considerations in assessing value and risk on transactions. Our chapter on data-driven M&A outlines the issues that businesses should consider when undertaking due diligence on a data-rich target and how related legal and integration issues should be addressed. It also examines data-sharing collaborations, given the importance of that practice to many companies.
The US privacy landscape has continued to evolve. Virginia’s new Consumer Data Protection Act and significant reforms to the California Consumer Privacy Act (CCPA) will take effect on 1 January 2023. Utah and Connecticut joined Colorado in enacting data protection regimes due to take effect later in 2023.[7] Recent months also saw the conclusion of the first enforcement action under the CCPA.[8] Tentative moves towards a US federal privacy law endure, with the proposed American Data Privacy Protection Act making slow progress through Congress.
European regulators continue to impose significant penalties for breaches of the GDPR, especially against organisations operating in technology sectors. Over 300 GDPR fines have been announced since the beginning of September 2021, several of which were over €15 million apiece.[9]
Divergent approaches taken by the data protection regulators established in each of the EU’s 27 member states remain a challenge for businesses operating across Europe. New pan-EU guidelines on the calculation of fines[10] and various initiatives that have seen increased coordination between national regulators[11] offered business some hope of a more harmonised approach to GDPR enforcement. However, a decision by the EU’s highest court has limited the scope of the GDPR’s ‘one-stop-shop’ mechanism designed to shield companies from separate enforcement actions by multiple regulators.[12]
Global law and practice on data class actions continue to develop, and data litigation and privacy activism are on the rise. In 2022, the EU’s highest court confirmed that laws in individual EU states may allow consumer protection associations to take enforcement actions.[13] The same EU court, which has historically tended to favour data subjects’ rights, is expected to rule in the near future on the extent to which data subjects can claim compensation for infringements of the GDPR where they suffer minimal or no harm.[14] Significant data-related class actions have long been a feature of the US landscape, but the chapters of this handbook reflect that the risk of group compensation claims now arises in many countries.
The pace of change will surely continue to be rapid. Several jurisdictions, including the UK, Australia, the EU and various US states, are currently considering significant reforms to their data or cybersecurity laws. There are likely to be many more key developments to report in the next annual edition of this handbook.
For now, we trust that this edition will be a useful resource for those trying to keep pace with this fast-moving area.
Notes
[1] See the China: Data Localisation chapter.
[2] See the European Union: Privacy chapter.
[3] See the China: Cybersecurity chapter.
[4] See the Japan: Cybersecurity chapter.
[5] See the Cyberthreat Intelligence chapter.
[6] See the European Union: Privacy, China: Cybersecurity, Singapore: Cybersecurity, Australia: Cybersecurity and Japan: Cybersecurity chapters, as appropriate.
[7] The Connecticut Act Concerning Personal Data Privacy and Online Monitoring and Utah Consumer Privacy Act, each due to enter force during 2023.
[8] A settlement required the relevant company to pay US$1.2 million in penalties and comply with a number of injunctive terms. See ‘Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act’ (press release) https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.
[9] See the European Union: Privacy chapter.
[10] Guidelines 04/2022 on the calculation of administrative fines under the GDPR, the European Data Protection Board.
[11] For example, greater cooperation on strategic cases: https://edpb.europa.eu/news/news/2022/edpb-moves-ahead-closer-cooperation-strategic-cases_en and the taskforce established to coordinate responses to complaints concerning cookie banners filed with several national regulators: https://edpb.europa.eu/news/news/2021/edpb-establishes-cookie-banner-taskforce_en. See also ‘Data protection authorities agree on strategic enforcement cooperation – towards a more unified approach?’ https://technologyquotient.freshfields.com/post/102htn2/data-protection-authorities-agree-on-strategic-enforcement-cooperation-towards.
[12] See the European Union: Privacy chapter.
[13] id.
[14] For example, in the Court of Justice of the EU case UI v Österreichische Post AG (Case C-300/21).