27/01/2023 - By year-end 2024, Gartner predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations. Privacy regulation is on the rise globally and existing legislation is changing rapidly. Organizations are facing the task of ensuring that their Privacy Governance Framework is capable of operationalizing these developments at a global level. What is more, the story does not end with privacy regulations. Overall, we see an evolving digital regulatory landscape. In Europe alone, the Digital Services Act, Digital Markets Act and the AI Act demonstrate that the conversation is only getting broader, emphasizing the need for global digital Governance Frameworks. In 2023, we expect organizations to continue to sharply increase their efforts not to fall behind in this quickly evolving digital regulatory landscape.
Evolving Digital Regulatory Landscape – what do we see?
- On the American continents, we see various developments:
  - In the US, the American Data Privacy and Protection Act (ADPPA) was introduced into the House of Representatives in 2022, where it received bipartisan support. Although a noteworthy step towards potential federal US privacy legislation, the future of the ADPPA is far from set in stone and will be an interesting development to track in 2023.
  - Rather, we see a continuous increase in US state privacy laws, including laws in Virginia, Colorado, Connecticut and Utah.
  - In California, the California Privacy Rights Act (CPRA) came into force in January 2023, amending the existing California Consumer Privacy Act (CCPA) to include additional privacy protection measures for consumers.
  - We also see developments in South America, where Argentina has initiated a process to update its 22-year-old data protection law, looking to the GDPR for inspiration.
- In the UK, the Data Protection and Digital Information Bill was laid before the UK Parliament on 18 July 2022. In September 2022 the legislative process was paused to allow for the opportunity to rethink the approach and obtain further feedback.
- In China, we see increased traction related to the Personal Information Protection Law (PIPL) and the Data Security Law (DSL). And in Brazil, the General Data Protection Law (LGPD) has unified existing privacy laws. Developments like these emphasize the need for a global take on Privacy Governance Frameworks.
- In the EU we have seen the Digital Services Act and Digital Markets Act, which together aim to create a safer digital space where the fundamental rights of users are protected.
- The use of Artificial Intelligence is predicted to grow by more than 25% each year for the next five years, so it is no wonder that all eyes are on Brussels for the developments around the AI Act, which is expected to be finalized in 2023.
AI Act: the question is not if, but when
The latest developments in a nutshell:
- The Council of the EU has adopted its common position on the AI Act.
- The Council has narrowed the definition of AI systems to machine learning and knowledge-based approaches.
- General purpose AI systems are addressed through implementing acts.
- The AI Act is expected to be finalized already in 2023.
- Our advice: do not wait until the AI Act enters into force, but start the inventory of AI systems in your organization now and ask yourself:
  - Am I a provider or a user?
  - Is the AI system high-risk according to the AI Act?
  - What do I need to do to comply with the requirements of the AI Act?
- According to the Privacy and AI Governance Report from the IAPP, organizations should leverage what they have in place today and “join forces with privacy”. They indicate that “more than 50% of organizations building new AI governance approaches are building responsible AI governance on top of existing, mature privacy programs.”
Preparation is key
Just as ChatGPT suddenly took over almost every news outlet recently, the finalization of the AI Act may well feel sudden even to its closest followers. As we have seen with the GDPR and the accompanying GDPR-readiness projects that ran from its conception until May 2018, organizations will need time to adjust whilst continuing their primary business. They must perform and transform simultaneously. Starting off informed and prepared can ease transformation, mitigate risks and in the end save precious time and resources.
Our mission is to help organizations assess the impact of these regulatory developments to enable them to do just that: continue to perform whilst keeping up with regulatory changes. With our experience and pragmatic advice, we can help your organization prepare for the new digital regulations that may apply to your business activities. Need help? Do not hesitate to contact us for an introductory conversation.