Privacy Predictions for 2023￼
Yogi Berra once warned that “it’s difficult to make predictions, especially about the future.” Proving his point, Cooley Partner, Travis Leblanc confesses that at last year’s Spokes Conference he called it right just 33% of the time.
Uncowed, the closing session of the 2022 Summer Spokes Technology Conference (held June 22-23) offered some near-term privacy predictions once again. But more than just making crystal ball gazing, the Privacy Predictions for 2023 roundtable provides deep insights into the challenges (political and technological) in advancing privacy around the world.
The roundtable, hosted by WireWheel founder and CEO Justin Antonipillai Included:
- Travis Leblanc, Cooley’s Cyber Data Privacy Practice Co-Leader who is also a member of the Privacy and Civil Liberties Oversight Board (PCLOB) that oversees the privacy and civil liberties practices of the intelligence community
- The widely read Gabriela Zafor-Forutna, Vice President for Global Privacy at the Future of Privacy Forum (FPF), and
- Omer Tene, Partner in Goodwin’s Cyber Security Practice who is also a senior fellow at the FPF. Tene founded the Cyber Week held in Tel Aviv.
The next 18 months around the world
“I am absolutely watching India,” says Zafor-Forutna. “For example, there is a fair chance that we will finally see the personal data protection deal pass after three-plus years of debate. This would bring more than one-billion people within the scope of personal data prediction rights.
A very interesting number that I’ve seen recently from a Gartner report was that 75% of the global population in the next three to five years will be covered by some form of privacy rights.
—Gabriela Zafor-Forutna, FPF
“Southeast Asia is a region that’s also very active in this space. I would urge folks to also keep an eye on Indonesia. Australia has had a couple of public consultations on the privacy law and also the data security regime, so we might see some action there as well.
“And Canada just last week published a comprehensive bill that covers both federal privacy law and provisions related to AI and data generally quite similar to the EU Data Act in the EU.“Here in the U.S., I’m hoping to see the successor to the Privacy Shield resulting from the U.S.-EC negotiations.
“Here in the U.S., I’m hoping to see the successor to the Privacy Shield resulting from the U.S.-EC negotiations.”
The ADPPA and Privacy Shield
Tene, with a bit of tongue in cheek, offers that we will see the EU and U.S. negotiate a successor to the new transatlantic data privacy framework after it too is struck down…by Schrems III.
Leblanc, however, predicts we will see a privacy shield replacement – and adequacy decision from the EC with all relevant approvals – in the next 6 to 12 months.
I’ll also put on the calendar that there will be heavy debate in the U.S. regarding Section 702 of the Foreign Intelligence Surveillance Act reauthorization at the end of next year, concerning the extent to which it should be expanded potentially, or possibly even ended. 702 is at the center of the CJEU discussions concerning cross-border data transfers.
“The American Data Privacy and Protection Act (ADPPA), which is a ‘three corners bill,’ having the support of Republicans and Democrats in the House and Senate Republicans, is waiting for the ‘fourth corner’ – Senate Democrats — to rally behind it,” notes Tene.
The bill was introduced formally (21 June 2022), it even has a number now: H.R. 8152…you can’t overstate how big a deal this is, opines Tene. “It is broad, deep, and includes innovative concepts that we have yet to see anywhere in the world.
—Omer Tene, Goodwin
He further suggests that “CCPA/CPRA would basically be gone, except strangely (and ironically) for the provisions protecting employee data.”
Is Tene predicting it’s going to pass, then? “No, I’m predicting the Phoenix Suns will win the championship next time. I refuse to be bullied into making predictions.”
“I don’t want to be the naysayer here on the ADPPA but earlier today (3 June 2022) , Senator Cantwell made clear that she’s opposed to it and Senate Leader Schumer has said, there is no way that bill is going to be taken up in the Senate this congress, advises Leblanc.
At this point, there is a quickly closing window on the opportunity to actually consider any legislation – including the ADPPA – in the Senate because we are in an election year…and a third of the Senate (post August recess) begins to focus their attention on the November elections.
—Travis Leblanc, Cooley
And “if the Senate does flip from Democrat to Republican there’s going to be a mad rush to push through several confirmations and key priorities,” he continues. “There is a challenge, practically speaking, for floor time, even if it had the support of the Chair of the Commerce Committee, which it doesn’t.
The FTC and the States
On the regulatory front, Leblanc notes that “the Federal Trade Commission now has a fifth Commissioner(Alvaro Bedoya) giving Chair Khan a majority. We expect they will begin a process to promulgate privacy rules around privacy and security, including perhaps, updating COPPA.
“In addition to the FTC, I expect we’ll see some activity at the SEC which has advanced two rule makings related to cyber security. The one that’s getting the most attention is around the disclosure and governance controls associated with public companies in the U.S.
I do anticipate that a lot of activity at the state level as well. Assuming no preemption [there are] the CPRA regs that were recently voted on by the new California DPA covering issues from dark patterns to contractual requirements which are now in draft form and expected to be finalized later this year.
If you do business in California, I strongly encourage that you take a look at those and begin a process soon of coming into compliance with them.
—Travis Leblanc, Cooley
Colorado Attorney General Phil Weiser (who spoke with Justin) is also looking at regulations concerning issues like dark patterns as well. So, I predict will see something from Colorado in the next 18 months, says Leblanc.
On the tech front, Antonipillai predicts significant investment in Web 3.0. He also predicts less investment in n cryptocurrencies, but more in blockchain.
He further predicts that in the next 18 months we will see advances in how sensitive data can be shared and controlled for things like medical information with investments in this area driving critical innovation (see here and here).
The hot really topic, however, is artificial intelligence (AI).
I predict there will be at least one major step forward in AI in the next 18 months that causes all of us to feel like some version of it is almost sentient. We’re going to see technology that’s driven by AI almost mimicking the level of human thought and making it harder to even think about it from a regulation perspective.
A lot of regulation is trying to address transparency and understanding the way neural networks work. I predict we’re going to have steps forward in AI that makes it very hard to think about how you apply a law to it.
—Justin Antonipillai, WireWheel
“Legislators are trying to regulate the conduit of those that are building these systems,” says Zafor-Forutna. “For example, the EU tries to put in place some rules for providers of AI systems, but how much those rules will help, we don’t know. Perhaps the prediction for the next 12 to 18 months is that we all become a bit more literate in understanding the different shades of AI and machine learning.”
“There’s a lot of policy activity around AI in the U.S.,” says Tene. State laws have provisions concerning automated decision making and the ADPPA also has a very interesting regime around AI including requirements for businesses to do ‘algorithm impact assessments.”
Interestingly notes Zafor-Forutna, Brazil could be the first jurisdiction to adopt a comprehensive framework around AI.” There’s a proposal going through the congress on AI law right now. She also notes that Singapore, in a different approach, is looking to take advantage of existing regulations.
The challenges posed by Blockchain
“There is a fundamental tension in my view, between blockchain and some fundamental rights In Europe such as the right to be forgotten or the right not to have your data transferred,” avers Antonipillai.
I think there’s an even more fundamental tension, which is GDPR relies upon the assumption that a natural or legal person (a data subject) can enforce their rights which then relies on the assumption that they’re established in the EU. When you’re dealing with a distributed ledger or blockchain technologies you may not know.
—Travis Leblanc, Cooley
Perhaps this is an example of how technology like AI and blockchain are outpacing the regulatory systems that we set up offers Leblanc.
“It’s no surprise that regulations which were not adept to deal with the Internet, struggle with even newer technologies like the blockchain,” says Omar. “And the tension isn’t just with privacy law, it’s with other laws as well such as copyright or horrible stuff like child pornography which once on the ledger, can’t be deleted.
“There are some technological fixes to it, but I do agree with the premise that it’s difficult to stay on pace with technological development.”
But “the Groundhog Day for privacy professionals – the primary issue we deal with – is adtech digital marketing which is obviously under intense regulatory pressure all over the world. If the ADPPA passes, it has very strict limits on advertising technologies. And, of course, there is CPRA and Colorado.”
“If people can easily opt out in on place, others will be expected to do it, and that will significantly change the dynamics of the market.”