30 January 2023

William Fry

To print this text, all you want is to be registered or login on Mondaq.com.

We live in an period of extraordinary information creation. By 2025,
it’s estimated that we’ll be producing as a lot information each 3
minutes as had been created by all of humanity as much as the 12 months 2003.
It was evident that 2022 was a milestone 12 months for companies
worldwide in information safety compliance. At William Fry LLP, our
annual celebration of the Council of Europe’s Data Protection
Day, which takes place tomorrow, represents a chance to
replicate on the notable information safety tales of 2022 and set out
our forecasted traits for 2023.

2022 Snapshot

2022 introduced landmark developments and was an vital 12 months

  • Worldwide Data Transfers: The European
    Fee launched a brand new EU-US information switch authorized framework. 27
    December 2022 marked the deadline for companies to transition from
    the previous to the brand new normal contractual clauses
    (SCCs). Varied Supervisory Authorities
    (SAs) made selections on the compliance of Google
    Analytics with the Basic Data Protection Regulation
  • Enforcement: The Data Protection Fee of
    Eire (DPC) issued remaining selections towards
    corporations from varied industries, together with expertise, monetary
    providers, retail, insurance coverage, training and the general public sector. The
    massively different nature of companies implicated in these selections
    demonstrates clearly that every one corporations throughout each trade and
    sector are information-pushed. Greater than ever, elevated DPC enforcement
    exhibits that companies ought to fastidiously scrutinise the method to
    amassing, utilizing and disclosing private information.

2022 Timeline:

January: The EU Commissioner for Justice, Mr
Didier Reynders, offered robust assist for the DPC, which was the
topic of criticism for being behind in investigating massive
web platforms. You possibly can learn extra about it right here.

February: We noticed the primary determination of a SA,
the CNIL, to declare the usage of Google Analytics to be
non-compliant with the GDPR. This determination was solely the start
of a multiplicity of different SA selections with the identical findings
(e.g. Germany, Hungary, Italy, Austria, Denmark, Netherlands, and

March: The Data Protection Act 2018 (Entry
Modification) (Well being) Laws 2022 (2022 Laws)
commenced, materially impacting companies (performing as controllers)
that course of well being information regarding people within the context of
information topic entry requests (DSARs). For a information
to the 2022 Laws, see right here.

April: A big crossover was established
between information safety and rising applied sciences, because the Hungarian
SA issued a effective following a financial institution’s automated evaluation of
recordings of customer support calls by means of synthetic
intelligence. We explored the choice right here.

Could: The GDPR reached a major landmark as
it turned 4. In celebration, William Fry launched a briefing
seven upcoming information-pushed items of EU laws that
will have an effect on companies globally. See our briefing right here.

September: The DPC issued an administrative
effective of ?405m to the Instagram proprietor, Meta Eire Restricted (Meta),
considering the choice of the European Data Protection
Board (EDPB) requiring the DPC to amend its
unique determination. You possibly can learn extra about this determination right here.


  • An Advocate-Basic Opinion took the view that when competitors
    authorities examine a breach of competitors regulation, they need to
    take into account an alleged breach of the GDPR. You possibly can learn extra about
    this determination right here.
  • The DPC additionally printed steering that gives welcome readability
    for companies responding to DSARs. See our article for extra
    info right here.


  • The European Fee gave the inexperienced gentle to a brand new EU-US
    information switch authorized framework by publishing its draft determination on
    US adequacy (Draft Determination). If confirmed by EU
    establishments, the Draft Determination will pave the way in which for
    organisations to switch private information from the EU to the United
    States underneath an alternate switch mechanism referred to as the EU-US
    Data Privacy Framework. You possibly can learn extra in regards to the Draft Determination
    right here.
  • The top of the 12 months additionally noticed a remaining push for companies to
    implement new EU SCCs earlier than 27 December 2022. This was featured right here.

2023 Predicted Trends

2023 guarantees to be one other bumper 12 months for information. Some traits we
anticipate to see are:

  • Synthetic Intelligence (AI) & Data
    We anticipate that new legal guidelines coming down the tracks
    on AI and different rising applied sciences will impression what companies
    want to contemplate when processing private information. Authorized points
    surrounding datasets and coaching information fashions, together with
    mental property (IP) concerns, will
    emerge. Whereas there are exceptions for textual content and information mining
    concerning IP, there are not any exceptions concerning information safety.
    Threat assessments to establish whether or not AI programs are excessive-threat
    programs, by which case impression assessments could also be required. The
    EU’s upcoming AI Act identifies this as important to regulating
    excessive-threat AI programs. You possibly can learn extra in regards to the AI Act right here.
  • Ever-rising cyber-assault panorama &
    EU Member States could have 21 months to transpose
    the NIS2 Directive (NIS2D) into their nationwide
    legal guidelines. NIS2D is responding to the growing quantity and severity of
    cyber-assaults throughout the EU and worldwide. NIS2D goals to make sure a
    excessive, frequent degree of cybersecurity throughout the EU. At this stage,
    organisations ought to take into account whether or not their companies fall inside
    its scope, as they might must conduct an in depth overview of their
    technical and organisational measures to make sure compliance. To learn
    extra in regards to the NIS2 Directive, click on right here.
  • EU-US Data Transfers could get extra manageable (for a
    whereas) and “Additional” SCCs:
    Presumably essentially the most
    vital information safety headline for spring 2023 can be
    (once more!) about EU-US transfers of non-public information, as companies
    globally await EU establishments to provide the inexperienced gentle to Draft
    Determination. We additionally await the EC’s publication of its
    lengthy-awaited set of SCCs to cope with non-EU primarily based companies
    topic to GDPR’s further-territorial impact underneath Article 3(2)
    of the GDPR.
  • Elevated and Extra Onerous Transparency
    The EPDB’s three binding dispute
    decision selections (primarily based on Article 65 of the GDPR), that
    involved Meta and reversed the draft selections of the DPC, create
    elevated transparency obligations for companies about what they
    have to incorporate in information safety notices. They need to present
    vital element of any processing in clear, intelligible
    language. Many companies should revisit their privateness notices
    following these selections to make sure compliance.
  • An Rising Transfer to the Cloud: It’s
    anticipated that complete world cloud spending will develop even sooner in
    2023. We’ve got seen in our apply an enormous take-up by companies
    transferring from on-premise servers to internet hosting information on cloud providers,
    reminiscent of these provided by Google, Amazon and Microsoft. Cloud
    providers at the moment are the mainstream type of ICT provision for personal
    and public organisations, each massive and small, and we’re seeing a
    corresponding improve in cloud offers within the Irish market. Data
    safety concerns all the time play an important function in any such
    transfer, so companies must be alive to their information safety
    obligations when doing so. For extra insights on the cloud, comply with
    our Digital Transformation Collection
    right here.
  • The content material of this text is meant to supply a common
    information to the subject material. Specialist recommendation must be sought
    about your particular circumstances.

    POPULAR ARTICLES ON: Privacy from Eire

    Metaverse As A Enterprise

    KP Regulation

    Noting that the metaverse is not going to be constructed in a single day by a single firm, Meta mentioned that most of the merchandise to be designed for Meta’s idea will solely be totally realized throughout the subsequent 10-15 years.

    Regulating Cybersecurity Throughout The EU And The UK

    McDermott Will & Emery

    On November 28, 2022, the Council of the European Union formally adopted the Community and Data Safety 2 Directive (NIS 2 Directive), changing the present NIS Directive (Directive 2016/1148/EC).

    Higher Late Than By no means: Slovenia Final EU Member State To Undertake GDPR Implementing Act

    Schoenherr Attorneys at Regulation

    On 15 December 2022, the Slovenian Parliament lastly adopted the Data Protection Act (Zakon o varstvu osebnih podatkov, ZVOP-2, “ZVOP-2”), a nationwide regulation implementing the EU Basic Data Protection Regulation (“GDPR”). The act had been a number of years within the making, with the earliest draft launched for public session again in 2017.

    What's Your Reaction?

    hate hate
    confused confused
    fail fail
    fun fun
    geeky geeky
    love love
    lol lol
    omg omg
    win win
    The Obsessed Guy
    Hi, I'm The Obsessed Guy and I am passionate about artificial intelligence. I have spent years studying and working in the field, and I am fascinated by the potential of machine learning, deep learning, and natural language processing. I love exploring how these technologies are being used to solve real-world problems and am always eager to learn more. In my spare time, you can find me tinkering with neural networks and reading about the latest AI research.


    Your email address will not be published. Required fields are marked *