Happy 2023 Data Privacy Week!
Just as everyone started to get more or less cozy with the regulatory landscape in data privacy/protection and individuals and businesses learned to navigate the shallow waters of data subject requests, risk management, and impact assessments – BOOM 💥 – another tidal wave of regulatory requirements and new challenges rushed in!
2023 is the perfect moment to start internalizing new acronyms (get ready for #NIS2, #DORA, #DPDPB, #CPRA, #CCPA, #CPA, #CDPA, #UCPA, #VCDPA, #ADPPA, #PrivacyPenaltyBill) and legislative acts they stand for.
The underlying motive of the upcoming changes is to boost and enhance the cybersecurity postures of various organizations and manage evolving cyber risks more effectively.
Here is a helicopter view of selected legal developments around the world:
- EU – Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2)
- EU – Regulation on digital operational resilience for the financial sector (DORA)
- US – State & Federal privacy laws
- India – Digital Personal Data Protection Bill (DPDPB)
- Australia – Privacy Penalty Bill & overhaul of the Privacy Act 1988
According to ENISA, organisations in the EU spend 41% less on cybersecurity than their US counterparts. With the arrival of NIS2, this ratio is expected to shift and close this enormous gap at least partially. Conservative estimates are that NIS2's entry into force will translate into a ~22% increase in ICT spending over a 3–4-year period.
NIS2 was published just before year-end, and EU Member States now have 21 months to transpose the requirements and mechanisms it describes into national law. The 2016 NIS Directive – despite its shortcomings – served as a cornerstone for increasing Member States’ cybersecurity capabilities. Now, NIS2 will expand the scope and the list of impacted organizations. It is expected that as many as 160 000 organizations will be subject to this new legislation, including digital service providers (platforms and data centre services), electronic communications networks and services providers, manufacturing, food, and the public sector.
NIS2 aims to strengthen cybersecurity postures by, amongst other things: improving cybersecurity governance, addressing the security of supply chains, streamlining reporting obligations (early warnings/shortened notification periods), and introducing more stringent supervisory measures and stricter enforcement requirements.
What can you do right now?
- First, try to understand which obligations will apply to your organization and which compliance bucket your organization falls into: “Essential Entity,” “Important Entity,” or maybe “other.”
- Next, see if you can create synergies and leverage existing technical and organizational measures implemented during preceding compliance efforts (e.g., GDPR, NIS1, etc.).
- Start looking for the right partners that can adequately support your compliance efforts. Engage your vendors in discussing the approach that best fits your organization.
- Last but not least, initiate planning for increased spending to address any remaining gaps. Non-compliance could result in administrative fines of up to 10 million euros or up to 2% of the total annual worldwide turnover of the organization.
DORA aims to achieve “a high common level of digital operational resilience,” mitigating cyber threats and ensuring resilient operations across the EU financial sector. It will become directly applicable from Jan 17th, 2025. It will impact the financial sector (banks, insurance companies, investment firms) and its ICT providers (e.g., cloud platforms) – roughly 22 000 organizations.
New requirements imposed by DORA will effectively boil down to reviewing and updating risk management practices. Financial sector customers will need to transfer as many regulatory risks as possible to ICT providers or apply different risk-mitigating strategies. In any case, ICT providers will need to be able to assure adherence to DORA’s requirements. The whole industry will also need to reassess contractual relations with vendors. DORA will incorporate requirements for contracts between financial companies and their critical ICT providers, including the location where data is processed, service level agreement descriptions, reporting requirements, rights of access, and circumstances that would lead to terminating the contract.
In a separate post – Commvault’s Product Team will perform a more technical deep-dive into DORA’s requirements related to detection (art. 10), response and recovery (art. 11), and backup (art. 12).
US data privacy laws – CPRA/CCPA, CPA, CDPA, UCPA, VCDPA, ADPPA
As of January 1st, 2023, the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act 2018 went into effect. Many temporary exemptions that were in place expired, imposing additional obligations on companies dealing with California residents’ personal information, e.g., regarding employment-related personal data and opting out of the sale of personal information.
2023 is also the year when the Colorado Privacy Act (CPA), The Connecticut Data Privacy Act (CDPA), The Utah Consumer Privacy Act (UCPA), and The Virginia Consumer Data Privacy Act (VCDPA) will become effective. Legislative fragmentation risk is imminent and substantial, and this is the kind of risk that caused the European Union to harmonize the regulatory approach. Let us see whether the same will be true in 2023 in the case of the American Data Privacy and Protection Act (‘ADPPA’) – a proposal for a federal and general data privacy law.
India – DPDPB
Indian legislators plan to introduce a very ambitious Digital Personal Data Protection Bill (DPDPB) this year. When enacted, the long-awaited legislation will undoubtedly impact all kinds of organizations due to India’s role as a tech powerhouse and a global outsourcing hub.
Australia – Privacy Penalty Bill & overhaul of the Privacy Act
Australian authorities announced yet another complete overhaul of the Privacy Act dated 1988. The current legislation was summarized as “out of date and not fit for purpose in the digital age.”
In the meantime, still in 2022, Australia passed the Privacy Penalty Bill that increased privacy-related sanctions to levels comparable with trends introduced by GDPR (up to 50m AUD) and expanded regulatory powers of the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA).
The relentless compliance clock just started ticking again. Cross-functional teams consisting of IT, compliance, privacy, legal professionals, and business analysts will spend considerable amounts of time analysing the impact of the cloudburst of legislative developments that emerged at the end of last year and will materialize throughout 2023.
Be aware that the legislative developments presented here are not exhaustive. You can be sure, however, that they will become standard talking points not only in 2023 but also for the years to come.