The Morrison Foerster Privacy + Data Security team is unmatched in its ability to provide creative and practical advice concerning all stages of the information lifecycle, from counseling on compliance with complex privacy laws, to resolving breach situations, to litigating privacy and data security claims and defending enforcement actions. We tapped our Privacy team—thought leaders in the field—to get their opinions on what is likely to happen in the privacy and data security sector in 2023.
Cybersecurity and Data Privacy
Cyber-Attacks and Ransomware
- Alex Iftimie (Privacy + Data Security, Crisis Management) – Prediction for the year ahead:
I expect to see a resurgence in Russian-based cyber-attacks in 2023. As Russia continues to take losses on the battlefield, they will increasingly rely on nontraditional tactics like cyber-attacks, including against Western countries. These attacks will also come from nonstate actors who are reeling from Western sanctions and who continue to view Russia as a permissive environment for their activities.
- Alex Iftimie (Privacy + Data Security, Crisis Management), Miriam Wugmeister (Privacy + Data Security) – Prediction for the year ahead:
The prevalence of ransomware attacks and the amounts paid in ransoms will both decrease in 2023. Between government actions to deter and disrupt ransomware activity, new legal requirements to disclose ransom payments, and declining insurance coverage, we are starting to see an inflection point in the fight against ransomware.
- Alex Iftimie (Privacy + Data Security, Crisis Management), Miriam Wugmeister (Privacy + Data Security) – Prediction for the year ahead:
Ransom and extortion amounts will continue to decrease as insurance companies become less inclined to reimburse for payments and the pressure on companies to disclose extortion payments to regulators and law enforcement increases.
Cybersecurity and the Securities and Exchange Commission
- Haimavathi Marlier (Privacy + Data Security; Securities Litigation, Enforcement, and White-Collar Defense) – Prediction for the year ahead:
In 2023, the SEC likely will issue final cybersecurity rules for public companies and for registered investment advisers and other registrants, respectively. I expect that these final rules will impose heightened disclosure and internal controls obligations on issuers and registrants. I also expect the SEC’s cybersecurity-related enforcement to continue, especially in cases where the agency perceives there to be a failure to escalate cybersecurity incidents that results in delayed investor disclosures and prolonged exposure of customer data.
Communicating with the SEC When Your Organization Suffers a Cybersecurity Incident
SEC Proposes Cybersecurity Disclosure Rules for Public Companies
SEC Proposed Rule Delineates Cybersecurity Policy Requirements for Investment Advisers and Private Funds
The SEC Gets Tough on Cybersecurity Disclosure Controls
ESG
- Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
In 2023, expect ESG to reach the privacy function, where material risks relating to data privacy and cybersecurity will need to be included. Anticipate that reporting will take place in defined formats and also that in reporting contexts definitions are used that deviate from your regular privacy reporting definitions (e.g., a breach is not only a data breach, it can also be any breach of policy).
U.S. State Privacy Laws
Businesses with California employees will rush to deploy CPRA compliance programs by July 1, 2023
- Kristen Mathews (Privacy + Data Security) – Prediction for the year ahead:
The California Privacy Rights Act (CPRA) will be enforced starting July 1, 2023, and it will, for the first time, apply to employees in addition to other consumers. This means that employers need to present robust privacy policies to their California employees and give them numerous rights, some of which will be challenging to honor in the context of employer-employee relationships, such as the right to have their personal information deleted or corrected by the employer, the right to receive a copy of their personal information that is held by their employer, and the right to opt out of their employer using their personal information for certain purposes. These rights apply to current employees and independent contractors and also job candidates and former employees. We predict that these rights will be exercised in the context of legal disputes, making responding more high stakes.
A MoFo Privacy Minute Q&A: California Employers: Get Ready for Requests from California Employees
A MoFo Privacy Minute Q&A: What PI Access Rights Will California Employees Have Under CPRA Starting January 1, 2023?
Exempt No More: What Does the CPRA Mean for Your HR Data?
CCPA Enforcement Trends
- Vincent Schroder (Privacy + Data Security) – Prediction for the year ahead:
Nearly three years following the effective date of the California Consumer Privacy Act (CCPA), increasing enforcement activity by the California Attorney General suggests that businesses should expect even more vigorous regulatory scrutiny next year. In the first half of 2023, audits by the Attorney General and the new California Privacy Protection Agency will likely continue to revolve around compliance with the CCPA’s extensive disclosure requirements and opt-out rights regarding the selling of personal information. Following the enforcement date of the California Privacy Rights Act on July 1, 2023, the focus might particularly expand to the processing of sensitive personal information.
U.S. Privacy
Federal Privacy Legislation Can’t Make It Through a Divided Congress
- Nathan Taylor (Privacy + Data Security, Financial Services) – Prediction for the year ahead:
Despite an end-of-the-year push in 2022, the U.S. Congress continues to fail to make even credible progress towards enacting omnibus privacy legislation. In fact, a divided Congress with each party controlling a separate House is the last straw on the federal front for the next two years, thereby ensuring that the U.S. states will continue to lead the way in this area.
Children’s Privacy
Continued Focus on Protecting Kids
- Julie O’Neill (Privacy + Data Security) – Prediction for the year ahead:
Both federal and state regulators are focusing on children’s privacy- and advertising-related issues, with, for example, the recent passage of the California Age-Appropriate Design Code and the Federal Trade Commission’s October 2022 workshop on “Protecting Kids from Stealth Advertising in Digital Media.” Moreover, all five states with consumer data privacy laws impose obligations specific to the collection and use of children’s personal data. We expect this trend to continue. Companies that know that children use their products or services or that target their products and services to “children”—the relevant age varies across existing laws, from “under 13” to “under 18”—will need to keep a close eye on developments and consider whether it makes sense to adopt child-specific changes on a nationwide basis.
Direct Marketing
New Telemarketing and Texting Laws
- Julie O’Neill (Privacy + Data Security) – Prediction for the year ahead:
Since the Supreme Court narrowed the parameters of an “autodialer” under the Telephone Consumer Protection Act in April 2021, many companies no longer need—at least on a nationwide basis—an individual’s prior consent to place calls or deliver text messages to them. A couple of states, however, have since passed laws requiring such prior consent and providing for steep statutory damages and a private right of action. We expect that other states may follow suit in the coming year.
AI and Ethical Technology
- Miriam Wugmeister (Privacy + Data Security) – Prediction for the year ahead:
Responsible AI and ethical tech will continue to be a trend and only become more important and interesting as the economy slows and organizations look for new ways to monetize the data that they have and to enhance their products and services in new and creative ways.
AI Companies Be Warned
- Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
While the EU’s AI Act may still be in draft form, EU data protection authorities are already applying similar principles when assessing, developing, and applying AI under GDPR. As a result, 2023 may give you less time to anticipate requirements under the AI Act. Further, once in force, the AI Act will apply also to AI products that were developed before the AI Act went into effect.
Evolving Guideposts for Businesses’ Ethical Use of Technology
- Kristen Mathews, Miriam Wugmeister, Lokke Moerel, Marijn Storm, Lisa Zivkovic (Privacy + Data Security) – Prediction for the year ahead:
As businesses begin to deploy new and evolving technologies, they will grapple with the ethical issues that arise and look for guidelines and frameworks to use these technologies in a way that does not harm people or society. A good example of a technology that presents these issues is AI used, for example, in the employment and consumer sectors. Industry groups will release guidelines with the hope of staving off regulation, and some governments will release guidelines or regulations. As an example, Europe’s AI Act will provide an example for other jurisdictions’ guidelines and regulations that require the ethical use of technology.
Providers of IoT Devices Have 2.5 Years to Implement Stricter Security and Privacy Requirements to Keep Access to the EU Market
EU/U.S. Privacy Framework
- Marian Waldmann Agarwal (Privacy + Data Security) – Prediction for the year ahead:
Because of the EU-U.S. Privacy Framework, companies will once again need to rethink the transfer mechanisms used to transfer personal data from the European Economic Area.
While the states are finally getting on board with the broader definition of personal information used in the rest of the world’s privacy laws, we’re going to continue to see the development of laws surrounding the use of non-personal information outside the United States.
GDPR and ePrivacy
EU’s Whistleblowing Directive
- Alja Poler De Zwart (Privacy + Data Security) – Prediction for the year ahead:
The vast majority of EU Member States still need to implement the EU Whistleblowing Directive into their national law. I expect that Member States will hopefully be able to achieve full implementation in 2023. Organizations within the scope of the Directive (i.e., 50 or more workers in an EU Member State) should closely monitor the developments and keep updating their whistleblowing processes accordingly, keeping in mind that they already have to comply in a number of Member States where implementation laws have been adopted.
Please see our whistleblowing resource center for the latest news: Whistleblowing Implementing Laws At-a-Glance.
- Alex van der Wolk (Privacy + Data Security) – Prediction for the year ahead:
In 2023, we will see a further convergence of laws regulating data, rather than just personal data. The EU’s DSA, DMA, NIS2, and draft AI Act are prime examples of legal regimes taking a wide “data-view.” And it’s not just the EU. China’s regulation of “important data” sits alongside its Personal Information Protection Law (PIPL) regulating the use of personal data. Consequently, privacy governance will converge with data governance, both in respect of regulatory compliance as well as cyber resilience and incident response. 2023 is staged to be a pivotal year for privacy and data security.
- Alja Poler De Zwart (Privacy + Data Security) – Prediction for the year ahead:
The most repetitive question of the past several years: Will the EU finally manage to adopt the new ePrivacy Regulation? Nobody knows but—as an eternal optimist—I think it is looking good. Then again, we said this before so be prepared to wait another year. Or two.
- Alex van der Wolk (Privacy + Data Security) – Prediction for the year ahead:
Privacy litigation in Europe: All eyes will be on the European Court of Justice to hand down its decision in the Österreichische Post case: Will the ECJ follow the Opinion of its Advocate General and hold that civil damages may only be claimed under the GDPR if plaintiffs show real and actual damages? Or will a mere violation of the GDPR suffice for damage claims? The decision, which is anticipated in early 2023, will have a significant impact on private enforcement of the GDPR, including on EU privacy class actions.
- Hanno Timner (Privacy + Data Security) – Prediction for the year ahead:
Germany: Stakes could not be higher in the upcoming decision of the ECJ in the Deutsche Wohnen case, which has the potential to invalidate all fines imposed by German DPAs to date. At stake is whether German procedural rules also apply to fining by DPAs. The rules require that the authority imposing fines has to identify individual managers who are responsible for any GDPR infringement, which DPAs have ignored until now.
- Alex van der Wolk (Privacy + Data Security) – Prediction for the year ahead:
Privacy regulation through antitrust enforcement? The European Court of Justice will decide in 2023 whether EU antitrust authorities are prohibited from interpreting the GDPR. The Advocate General previously opined that they are not, if their interpretation of the GDPR is incidental to antitrust findings. And will dominant companies be prohibited from relying on consent as legal basis under GDPR? Stay tuned for case C-252/21!
Diversity, Equity, and Inclusion
- Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
Companies thinking that the GDPR blocks the monitoring of the diversity, equity, and inclusion (DEI) of their workforce be warned. With the publication of the Corporate Sustainability Reporting Directive, disclosure of DEI statistics will become mandatory for their workforce. Watch the MoFo space for new publications and guidance on how to collect DEI data based on privacy by design.
Further Clarity for Cookie Consent Layers
- Dr. Philip Radlanski (Privacy + Data Security) – Prediction for the year ahead:
The year ahead will provide further clarity for companies that use cookie consent layers on their websites. In Germany, for example, we can expect court decisions on button design, and whether a button for rejecting all (unnecessary) cookies is required to be on the first layer. There will also be more specific guidance (and maybe even case law) on “consent-or-pay walls,” which ask website visitors to make a choice between (1) giving their consent to ad-tracking or (2) entering into a paid subscription with no ad tracking.
A Cookie-less 2023
- Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
More and more browsers are already blocking tracking cookies, but expect 2023 to become virtually cookie-less, resulting from a dramatic overhaul of the behavioral advertising tech space, once UK regulators and Google get out of the Privacy Sandbox.
Information and Communications Technology (ICT) Regulations
Regulations Adding Extra Cybersecurity Homework for ICT Service Providers
- Mercedes Samavi (Privacy + Data Security) – Prediction for the year ahead:
ICT service providers in the EU and UK will soon have to contend with increased regulation and oversight on how they provide their services to regulated financial institutions. Both the EU Digital Operational Resilience Act (DORA) and the UK Financial Services and Markets Bill seek to impose minimum resilience standards and specific obligations on service providers to ensure (among other requirements) that they effectively mitigate and prevent any ICT-related disruptions and cyber-attacks, while granting financial institutions significant audit and information rights. This will likely have a knock-on effect on the way that data protection regulators perceive privacy and security risks regarding ICT service providers.
New European Fintech Regulations Affecting ICT Providers
Enforcement of UK GDPR
The UK Data Protection Authority Continues Investigations
- Mercedes Samavi (Privacy + Data Security) – Prediction for the year ahead:
In the next year, the UK Information Commissioner’s Office will see a surge in investigative activity relating to companies made vulnerable by insufficient security measures; there has already been a nearly 20% increase in reports of incidents over the previous two years, with no sign that this will slow down. While large fines will no doubt still grab the headlines, the Commissioner noted that non-monetary enforcement action (such as public reprimands and notices) will be a particular focus for the ICO.
ICO Fines Organisation £4.4 Million Following Phishing Email Attack
Data Transfers
- Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
Despite the U.S.-EU Data Transfer Agreement, the prediction is that 2023 will keep data transfers in the political arena. Expect 2023 to bring de facto data localization requirements for cloud services due to the new ENISA certification scheme for cloud services standards that will become final and an even stricter data transfer regime for regular data in the upcoming Data Act.
China’s Personal Information Protection Law (PIPL)
- Paul McKenzie, Gordon Milner, Chuan Sun (Privacy + Data Security) – Prediction for the year ahead:
China will be a hub of activity in 2023. The most immediate concern for companies doing business in China will be compliance with rules governing cross-border data transfers. Companies subject to a security assessment requirement for data exports are already starting to prepare filings and, in the first quarter of 2023, we will start to see responses from the Cyberspace Administration of China (CAC) to the first wave of filings. We expect to see other aspects of China’s cross-border data regime fall into place early in the year and increasing enforcement of the PIPL.
China’s PIPL One Year On: What You Need to Know Now
Health Privacy
- Melissa Crespo (Privacy + Data Security) – Prediction for the year ahead:
We expected significant modifications to the HIPAA Privacy Rule in 2022, which have yet to be issued. In 2022, the Office for Civil Rights (OCR) also released a Request for Information on what constitutes “recognized security practices” when determining potential fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule under the HITECH Act and sharing civil money penalties with harmed individuals under the HITECH Act. Perhaps 2023 will be the year we see a significant overhaul of privacy and security rules to catch up with the rapidly changing face of health care and technology.
- Melissa Crespo (Privacy + Data Security) – Prediction for the year ahead:
Health privacy and security appear to remain a top-of-mind issue for lawmakers. In 2023, we can expect lawmakers to continue efforts to implement laws to protect health information not already covered by HIPAA, or more protections for sensitive health information, particularly in light of Roe v. Wade being overturned.
MoFo Privacy Tips for Protecting Reproductive Rights Series
Crypto
- Michael Burshteyn (Privacy + Data Security) – Prediction for the year ahead:
This past year saw tens of billions of dollars in cryptocurrency and digital assets lost. These losses stemmed from smart contract exploits, insider and external attacks, and collapses of centralized exchanges and decentralized protocols. At the same time, developers have continued to adopt web3 technologies and builders are continuing to develop innovative applications of blockchain, crypto, and related technologies. In response, 2023 is likely to see sharpened regulatory attention in an attempt to create predictable conditions for more mainstream adoption. A surge in litigation related to cryptocurrency token disputes and losses is on the horizon as well.
U.S. Government’s Software Attestation Requirements
- Tina Reynolds, Markus Speidel (Litigation, Government Contracts) – Prediction for the year ahead:
Companies whose software products are sold to the U.S. government will need to begin providing attestations concerning the vendor’s software supply chain security in 2023. Federal agencies will be required to collect attestation letters from suppliers of “critical software” by mid-year, and from all suppliers by the end of the year. Affected vendors must attest to compliance with the relevant NIST guidance and may also need to supply a complete Software Bill of Materials, depending on software criticality or agency need. Additional agency guidance is expected in early 2023.
Companies Selling Software to the U.S. Government Soon Must Attest to Compliance with NIST Guidance on Software Supply Chain Security
New Cookie Regulations in Japan
- Takaki Sato (Mergers + Acquisitions) – Prediction for the year ahead:
The amended Telecommunication Business Act will come into force by June 17, 2023. Under the amended Act, new restrictions on cookies will be imposed on the service providers that are active in specific areas, such as messaging services, video-sharing sites, online shopping malls, online search services, and online information providers (e.g., news and video sites). Under the updated rules, the use of cookies by these service providers will be subject to specific transparency and consent requirements. We will also see how exemptions will be applied, for example, whether first-party cookies will indeed be exempted, as we expect. The new regulations will also be applicable to foreign enterprises targeting customers with cookies placed in Japan.
New and Revised Privacy Laws in Asia, Africa, and the Middle East
- Cynthia Rich (Privacy + Data Security) – Prediction for the year ahead:
After many years of deliberation and debate, India is likely to enact comprehensive privacy legislation in 2023. In August 2022, the government withdrew its Personal Data Protection Bill, 2019 and replaced it in November with a considerably scaled back, less prescriptive legislative proposal. After a one-month public consultation, the government intends to submit its revised proposal to Parliament in early 2023. The government’s new strategy appears to be to win legislative approval of a basic privacy framework that is largely consistent with the EU’s GDPR and then hash out the more contentious issues that derailed its prior legislative proposal in subsequent implementing regulations.
Other jurisdictions where we may see enactment of new or revised legislation in 2023 include Saudi Arabia, Nigeria, and possibly Vietnam. Legislation is also pending in Canada and Israel, and under development in Australia, but those are less likely to be approved in the coming year.
Stay up to date by visiting our Privacy + Data Security page for links to our Privacy Library and our CCPA + State Privacy, GDPR + European Privacy, and Cybersecurity Resource Centers.