- Increased scrutiny around ransomware and other cyber attacks – 2022 will likely bring with it continued action by governments and parliaments to address issues related to ransom payments – including the role of cryptocurrency and cooperation with law enforcement before making a ransom payment – as well as trade sanctions. We expect additional collaboration between governments to coordinate taking down large ransomware gangs. We also expect to see continued tightening of the cyber insurance market, which has already begun in the EU, making obtaining new cyber policies more difficult and expensive, while offering less fulsome coverage, including requiring insureds to match each dollar paid on a ransom payment.
- Increased privacy compliance obligations in the U.S. and abroad – With the California Privacy Rights Act (CPRA), Virginia Consumer Data Privacy Act (VCDPA), and the Colorado Privacy Act (ColoPA) going into effect in 2023, and more than a dozen other states proposing state privacy laws in 2021, we anticipate that more U.S. states will pass privacy laws, which will mean increased complexity on the compliance front for companies doing business in the United States.
In addition, companies with global operations:
• will need to continue to align their operations with China’s Personal Information Protection Law (PIPL) and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD)
• should start to make the necessary changes to align with Quebec’s Bill 64 (An Act to Modernize Legislative Provisions as regards the Protection of Personal Information) which will come into effect in three stages over the next three years and includes GDPR-like penalties
• should be on the lookout for new privacy laws in the United Kingdom, India, Australia and Canada.
- Increased restrictions on cross-border data transfers – Countries around the world are becoming increasingly restrictive with regard to the movement and transfer of personal data. 2022 will likely bring additional restrictions (and in some cases prohibitions) on the ability to transfer personal data outside of a country’s borders. We expect to see more territorial-driven legislation and regulation, and less harmonization around data-privacy-related cross-border transfer standards. In the EU, where restrictive regulation of cross-border data transfers probably has reached its peak, we expect increased enforcement of these rules, but maybe also a pathway for data exchanges between the EU and the US in the form of Privacy Shield 2.0 – at least until Mr. Schrems gets back on stage.
- More regulatory enforcement of data privacy and data security laws in the United States and Europe – Government agencies will likely issue more specific regulations and requirements around breach reporting, including enacting stricter notification time periods for regulatory notice of significant cybersecurity incidents. Companies that have not adequately disclosed risks and complied with notification requirements could be targeted in enforcement actions as more governments seek to make examples of non-compliant companies. In the EU, the European Data Protection Board is expected to again overrule a national data protection authority if such authority’s penalties appear to be insufficient.
- Increased focus on AdTech – Regulators and the media will increasingly examine the use of AdTech to track individuals online. 2022 is also expected to bring increased focus by AdTech companies on embracing privacy-forward business models in an effort to address changing expectations and on exploring technologies (such as blockchain, tokenization, and cohorts) that are designed to decrease the quantity of personal data that they collect and transmit. If the EU ePrivacy Regulation gets finalized in 2022, companies will need to prepare for its entering into force two years later, i.e., at the earliest in 2024.
About the Authors
Greenberg Traurig’s Data, Privacy & Cybersecurity Practice is composed of a multidisciplinary group of attorneys and professionals located throughout the world. GT’s team of dedicated data protection attorneys have experience working hand in hand with organizations of all sizes to develop practical strategies and provide strategic advice on virtually all aspects of data protection including CCPA, GDPR and other compliance issues; data use, transfer and licensing issues; data breaches and regulatory investigations; and defending against privacy-related class actions.