An overview of data law and practice in 2023
This is an Insight article, written by a selected partner as part of GDR's co-published content.
Data law and practice have continued to evolve rapidly since the previous edition of this handbook. Privacy professionals have also been at the cutting edge of the recent generative artificial intelligence (AI) revolution. Below are a few highlights from the past year. More details can be found in the chapters that follow.
In 2023, many businesses have been considering the opportunities and challenges presented by generative AI. Privacy and data lawyers have been at the forefront when it comes to advising on AI, and data protection authorities (DPAs) have often led the charge in trying to regulate AI. For example, in 2023 the Italian DPA temporarily banned a well-known AI chatbot throughout Italy for a short time, and the European Data Protection Board has launched a dedicated task force looking into related issues.
Governments are racing to formulate their response to AI. In August 2023, Chinese laws on generative AI came into force, and several jurisdictions, such as the EU, Canada and Brazil, are progressing wide-ranging AI legislation. Privacy professionals around the world are likely to remain closely involved in advising on the emerging regulatory landscape and new AI-specific legislation. While this handbook does not focus on AI, the past year has demonstrated that a combination of data-related and AI-specific laws will play a critical role in governing this increasingly important technology.
There have been noteworthy developments relating to data exports from the EU and China:
- The landmark Schrems II decision by the Court of Justice of the European Union (CJEU) in July 2020 made it more challenging to transfer personal data from the EU to the US. After years of negotiation, a new EU–US Data Privacy Framework has been agreed and entered into force in 2023. The US also introduced a new set of safeguards and redress mechanisms relating to its intelligence activities that will generally help to facilitate the transfer of personal data from the EU to the US using other common transfer tools, such as the EU’s standard contractual clauses. While these developments gave businesses transferring personal data from the EU to the US some welcome news in 2023, the validity of the new EU–US Data Privacy Framework will almost certainly be challenged in the CJEU. The regulation of EU to US data transfers is, therefore, likely to remain a key topic for many organisations to watch in the coming years.
- The regulatory framework governing transfers of data outside China also continued to fall into place in 2023. For example, in 2023 the Cyberspace Administration of China published the final version of a standard contract that is likely to be the preferred mechanism for certain low-volume data transfers from China that do not require a formal security assessment by the Chinese authorities.
Cyberattacks have continued to increase, and cybersecurity ranks as one of the biggest concerns for companies globally. The chapters on cybersecurity provide updates on the cybersecurity landscape and proposed new cybersecurity laws in a number of key jurisdictions.
Against this backdrop, regulators are expected to remain focused on the due diligence conducted during and after mergers and acquisitions (M&A) if a target subsequently experiences a data breach. Beyond cybersecurity, data-related laws, from IP protections to antitrust laws, continue to be important considerations in assessing value and risk on transactions. The chapter on 'Data-Driven M&A' outlines the issues that businesses should consider when assessing a data-rich target, and how related legal and integration issues should be addressed. It also examines data-sharing collaborations, given the importance of that practice to many companies.
European regulators continue to impose significant penalties for breaches of the EU’s General Data Protection Regulation (GDPR), especially against organisations operating in technology sectors. Over 500 GDPR fines were issued between 1 July 2022 and 30 June 2023, four of which were over €50 million apiece.
The divergent approaches taken to GDPR enforcement by DPAs in the 27 EU member states remain a challenge for businesses operating across Europe. Fortunately, recently finalised pan-EU guidelines on the calculation of fines under the EU GDPR, and an initiative by the European Commission to introduce new laws to streamline cooperation between national DPAs when enforcing the GDPR in cross-border cases, offer businesses some hope of a more harmonised approach to enforcement.
Global law and practice on data class actions continues to develop, and data litigation and privacy activism remain on the rise. Data controllers in Europe will, therefore, have generally welcomed a 2023 ruling by the CJEU confirming that a data subject cannot claim damages for a mere infringement of the GDPR. Similar issues also came before the courts in Singapore, which have clarified that, under Singaporean law, individuals have a right to claim damages for emotional distress but not for a mere ‘loss of control’ of personal data in the absence of such distress or other recoverable loss or damage.
The pace of change will surely continue to be rapid. Several jurisdictions, including the UK, Australia, the EU and various Asian states (including India), are currently considering or have recently implemented significant reforms to their data or cybersecurity laws, or both. Eleven US states have now passed comprehensive state privacy laws, and tentative moves towards a US federal privacy law endure. Africa has also emerged as a hotspot for new data protection laws.
There are likely to be many more key developments to report in the next edition of this handbook. For now, we trust that this edition will be a useful resource for those trying to keep pace with this fast-moving area.
Notes

- See the ‘European Union: Privacy’ chapter.
- See the ‘China: Privacy’ chapter.
- See the chapters on cybersecurity, as appropriate.
- Data from Freshfields Bruckhaus Deringer LLP’s fine tracking. See also the ‘European Union: Privacy’ chapter.
- European Data Protection Board, Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
- Judgment of 4 May 2023, UI v Österreichische Post AG, Case C-300/21, ECLI:EU:C:2023:370. See the ‘European Union: Privacy’ chapter.
- See the ‘Singapore: Privacy’ chapter.