Privacy + Data Security Predictions for 2022

We have tapped our privacy team – thought leaders in the field – to get their opinions on what is likely to happen in the privacy and data security sector in 2022. The last 20 months have necessitated unprecedented changes and challenges in the world, impacting every aspect of our personal and work lives. The privacy and data security sector continues to respond to this situation, making proposals, enacting laws, and finding new ways of doing business.

The Morrison & Foerster Privacy + Data Security team is unmatched in its ability to provide creative and practical advice concerning all stages of the information life cycle: from compliance with complex privacy, to breach, to litigating privacy and data security claims and defending enforcement actions. We hope these predictions will provoke conversation and thoughts on how to navigate the coming year.

CCPA/CPRA and Other State Privacy Laws

Miriam Wugmeister 

• Additional states, including Washington and Illinois, will consider and pass privacy legislation. Given the recent changes by some of the large tech firms making it more difficult to track users across platforms, and the popularity of those changes, we should expect additional states to also propose legislation shoring up consumer privacy protections.

Kristen Mathews 

• Companies will begin in earnest to implement the additional obligations under the California Privacy Rights Act, the Virginia Consumer Data Protection Act and the Colorado Privacy Act in 2022 in order to meet the 2023 deadlines for compliance. This may result in additional efforts to influence the regulations or to change the laws once organizations struggle with implementing many of the new obligations.

GDPR and ePrivacy

EU’s Whistleblowing Directive

Alja Poler De Zwart 

• EU Member States that miss the December 17, 2021 deadline for national implementation of the EU Whistleblowing Directive will be hard-pressed to adopt their implementing laws during 2022. Next year will therefore be another year-in-flux for many multinational organizations when it comes down to figuring out how, when, where, and whether to make their existing hotlines compliant with the new rules in a situation where the new rules either do not exist or are not always entirely clear.

The European Commission’s Requirement for Local Hotlines May Undermine Whistleblower Protection | Morrison & Foerster (mofo.com)

ePrivacy

 Alja Poler De Zwart 

• It is still questionable whether the EU legislators will find common ground on the draft ePrivacy Regulation – an ongoing saga of more than four years – any time soon. Considering this year’s developments, the EU Council and the Parliament should be able to agree on at least a couple of chapters in 2022, if they do not finally reach an agreement on the entire draft. In the meantime, continued focus and enforcement on ePrivacy compliance by various national regulators during 2022 is expected.

Heads up: ePrivacy regulation is coming | Morrison & Foerster (mofo.com)

Alex van der Wolk 

• Although the EU ePrivacy Regulation was believed to be “dead in the water” in 2020, this year has shown it still has a pulse. Will 2022 finally be the year when we will see the long-awaited ePrivacy Regulation come to life?

UK and EU Data Protection

 Annabel Gillham and Alex van der Wolk 

• In terms of privacy litigation, recent court decisions in the UK have laid major stumbling blocks for claimant lawyers and litigation funders claiming damages for General Data Protection Regulation (GDPR) breaches, but the door remains ajar for claimants to reformulate their claims and litigation strategy. Much will depend on whether funders can justify a sharp increase in risk appetite to their stakeholders, and whether the UK legislates for mass data protection claims in the way it does for consumer claims in competition law.

Lokke Moerel 

• We will increasingly see other supervisory authorities (e.g., consumer, antitrust, and financial) creatively stepping in due to what is widely perceived to be a fundamental lack of GDPR enforcement. 

Alex van der Wolk 

• With the UK having significantly limited the ability to bring class action litigation on the basis of opt-out claims, all eyes in 2022 will be on the Netherlands where the courts will decide on multiple privacy class action cases and the admissibility requirements for plaintiffs’ organizations.

Annabel Gillham and Alex van der Wolk 

• Keep an eye out in 2022 for EU Member States’ implementation of the Collective Redress Directive (see The EU Collective Redress Directive is Coming to Town | Morrison & Foerster (mofo.com)). EU Member States have until 25 December 2022 to adopt the Directive into national law and an additional six months for implementation.

Lokke Moerel 

• In 2022, the European Commission’s core ambition to restore the EU’s digital sovereignty and lessen its technological dependencies on third countries will have major crossovers into the privacy space. The many EU initiatives for setting up EU data spaces will put the European Data Protection Board under pressure to prove that the GDPR does not hamper digital innovation, by coming up with practical guidance on how personal data can be opened up for research and innovation.

Annabel Gillham   

• It is likely that the UK will continue to forge its own way in data protection and e-privacy law under a new Information Commissioner (New Zealand’s John Edwards). Time will tell whether the UK can bridge the gap between an innovative and practical approach to protecting personal data and the need to retain an adequacy decision from its nearest neighbors and closest trading partners in the EU. Of paramount importance, of course, should be creating a regime that protects the rights of individuals in practice and not just in theory.

Till Data Do Us Part: A Review of UK and EU Data Protection Arrangements after Brexit | Morrison & Foerster (mofo.com) 

Alex van der Wolk 

• Companies with Binding Corporate Rules (or considering BCRs) should keep an eye out for the European Data Protection Board’s (EDPB) updated BCR requirements, which are anticipated early in 2022. The EDPB is expected to up the ante yet again in respect of what BCRs should include.

Why the EDPB Should Not Torpedo BCR for Processors | Morrison & Foerster (mofo.com)

Lokke Moerel 

• In the vacuum of a renewed agreement between the EU and United States on transatlantic data transfers and the perceived lack of enforcement of Schrems II, we will see data localization and other protectionist requirements seeping in at the national standard-setting level, for example, for cybersecurity standards for cloud services.

Cybercrime/Ransomware

Brandon Van Grack and Alex Iftimie 

• We predict that the U.S. Department of Justice will continue an aggressive campaign to charge and arrest ransomware actors as well as seize funds used to pay ransoms. We also expect to see more Treasury Department sanctions of cryptocurrency exchanges and other intermediaries that facilitate ransomware activity, as well as U.S. government offensive operations to disrupt the systems used by ransomware actors and to recover decryption keys that will benefit victims. International cooperation targeting ransomware groups and the ecosystem that supports them will likewise expand, leading to additional arrests and takedowns. Collectively, despite the unprecedented level of attacks we saw in 2021, these efforts will meaningfully impact the growth of ransomware attacks.

Cyber Incident Notification Requirements

Alex Iftimie 

• In 2022, we’ll see the first national cyber-incident reporting legislation come into effect. The requirements are only likely to apply to federal contractors and operators of critical infrastructure, but it will be an important first step toward replacing the patchwork of disjointed state laws that we currently operate under.

Ransomware Fireside Chat Series | Morrison & Foerster (mofo.com)

SEC and Cybersecurity

Haima Marlier

• The U.S. Securities and Exchange Commission (SEC) has been tough on cybersecurity disclosure controls and we expect this trend to continue in 2022. Gone are the days when the SEC would not “second-guess” cybersecurity-related disclosures. The SEC brought numerous enforcement actions against public companies and SEC-registered financial services providers for deficiencies in cybersecurity disclosure controls and procedures, and is conducting a massive cybersecurity “sweep” requesting information from hundreds, if not thousands, of companies related to the SolarWinds breach.

The SEC’s scrutiny of cybersecurity disclosures comes at a time when the number of ransomware attacks continues to rise and cybercriminals persist in exploiting the now normalized remote working environment.

The SEC Gets Tough on Cybersecurity Disclosure Controls | Morrison & Foerster (mofo.com)

IoT Security

Lokke Moerel 

• In October 2021, Internet of Things (IoT) providers woke up to the reality that, with one simple strike from the European Commission, their products went from largely unregulated to being brought under full EU market control, where EU market surveillance authorities will be able to take corrective action including taking products of the market and ordering recalls. Using its delegated powers under the existing EU regulations for radio equipment (therefore avoiding the EU regulatory co-decision procedures), the EC brought IoT within scope, leaving IoT providers with 30 months to adapt their products to the strict cybersecurity, privacy features, and fraud prevention requirements in order to keep their access to the EU market.

Biometrics

Miriam Wugmeister 

• As online fraud and phishing scams continue to flourish, more products will come to market that use biometrics and behavior analytics to fight fraud.

Open for Business: Are You Prepared for New York City’s Biometric Identifier Information Law? | Morrison & Foerster (mofo.com)

Health Privacy

Melissa Crespo (Privacy + Data Security) – Predictions for the year ahead:

HIPAA Right of Access

• As we await the forthcoming amendments to the HIPAA Privacy Rule, which, among other things, will strengthen patient access rights, we expect the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will continue to focus on expanding right of access initiatives and enforcement in this area. As indicated in HHS Fiscal Year 2022 Budget in Brief, “OCR will engage in rulemaking to further strengthen individuals’ rights to access their own health information, improve information sharing for care coordination and case management and reduce administrative burdens.”

HHS Seeks to Strengthen HIPAA Access Rights and Improve Coordinated Care Through Latest Proposed Amendments to HIPAA Privacy Rule | Morrison & Foerster (mofo.com)

Melissa Crespo 

FTC Health Breach Notification Act

• The Federal Trade Commission (FTC) recently reemphasized its commitment to ensuring the protection of sensitive information collected by mobile health apps and made clear that it intends to bring actions to enforce its Health Breach Notification Rule. We can likely expect the first enforcement action under the Health Breach Notification Rule in the coming year. Entities operating in the mobile health app and device space should take time now to evaluate applicability, particularly in light of the FTC’s recent clarifications on scope of applicability.

Health App and Device Providers Take Note: Health Breach Notification Rule Enforcement Is Coming | Morrison & Foerster (mofo.com)

Federal Privacy

Nathan Taylor 

• In 2022, the United States will return to a divided government at the federal level. Democrats and Republicans will fail to reach a compromise on comprehensive, generally applicable privacy legislation. As a result, the U.S. “focus” for privacy will remain at the state level.

Financial Institutions Exempt from New Virginia Privacy Law | Morrison & Foerster (mofo.com)

Kristen Mathews 

• Following the FTC’s amendment to its Safeguards Rule, which has been on the books unchanged for almost two decades, additional kinds of businesses will realize that they are now covered by the Safeguards Rule as “finders” that connect consumers with providers of financial products and services.

Antitrust and Privacy

Joseph Charles Folio III 

• The FTC will continue to incorporate privacy concerns into substantive antitrust analysis. As we have discussed in great detail this past year, the Biden administration in general and the Federal Trade Commission under Chair Lina Khan in particular, have signaled aggressive and novel antitrust enforcement. We expect this trend to continue and extend into antitrust/privacy. In September 2021, the FTC submitted a report to Congress highlighting that it would pursue ways to explore and enforce the “overlap between data privacy and competition.” Chair Khan in particular observed in a companion statement that the “concentrated control over data has enabled dominant firms to capture markets and erect entry barriers, while commercial surveillance has allowed firms to identify and thwart emerging competitive threats.” She also noted that “[m]onopoly power…can enable firms to degrade privacy without ramifications[.]” We predict that mergers brought before the FTC that involve large or sensitive data will face heightened scrutiny, and that the FTC will look for data privacy theories in both merger enforcement actions and single-firm conduct actions.

Julie O’Neill 

• The FTC will, consistent with Chair Khan’s indications, continue to treat consumer privacy as a top enforcement priority. Moreover, we expect that she will continue to seek to identify ways for the Commission to obtain civil money penalties for certain privacy-related violations challenged by it pursuant to Section 5 of the FTC Act. The Commission has already started this process by not only asking Congress for civil penalty authority but also relying on an obscure provision of the FTC Act, Section 5(m)(1)(b). Under that Section, the FTC has notified more than 1,800 companies that it has, in the past, found certain specified practices to be unfair or deceptive and that if the notified companies engage in such practices, they will be subject to civil penalties of up to about $43,000 per violation. So far, the FTC has sent such notices to companies in connection with, for example, the use of endorsements and the offering of money-making opportunities, including in the gig economy. We expect that next up will be FTC notices relating to certain data practices, such as deceptive data harvesting or the use of data for targeted marketing.

FTC & Privacy: Will the FTC’s Rulemaking Push Result in New Privacy Rules? | Morrison & Foerster (mofo.com)

Direct Marketing

Julie O’Neill 

• In April 2021, the Supreme Court narrowed the construction of the definition of an “autodialer” under the Telephone Consumer Protection Act, with the result that many companies no longer have to seek an individual’s prior consent to place calls or deliver text messages to their cell phones – at least not on a nationwide basis. Florida, however, quickly filled the gap left by the Supreme Court’s decision, including by providing for statutory damages and a private right of action, and we may see other states follow suit.

China’s Personal Information Protection Law

Paul McKenzie 

• 2022 will be the Year of the Personal Information Protection Law (PIPL). In 2021, the PIPL was pushed through the legislative process and put into effect at breakneck speed. In 2022, the Cyberspace Administration of China and other agencies will need to pass the regulations and administrative infrastructure needed to implement PIPL. Look for new regulations to fill in various gaps in PIPL, as well as set compliance standards specific to specific industries. Meanwhile, companies will need to continue to tolerate an unpredictable regulatory environment in China.

Paul McKenzie

• Data exports will be an area of enforcement focus in China, not only concerning personal data but also, with the adoption in 2021 of China’s Data Security Law, other types of data. Even before detailed implementing regulations are put in place, look for pilot enforcement campaigns, likely starting with some of the larger China-headquartered technology companies.

China’s Personal Information Protection Law (PIPL): Key Questions Answered | Morrison & Foerster (mofo.com)

Other Areas of Privacy

Lokke Moerel 

• Where many focus on changes required by the Digital Services Act and the Digital Markets Act, the EU regulation for electronic identification (eIDs) will likely have the biggest impact on digital business models. The eIDs will be based on personal wallets with attributes and decentralized storage (on users’ devices). Instead of personal data, they can share attributes (like older than 18, or has a driver’s license). Once Digital Identity Wallets have been properly certified, they will have to be accepted by big platforms and services that require Strong User Authentication.

Stay up to date by visiting our Privacy + Data Security page for links to our Privacy Library and our CCPA, GDPR + European Privacy, and Cybersecurity Resource Centers.