2022 was a big year for privacy. Enforcement under the EU’s General Data Protection Regulation (GDPR) truly started to bite, a US federal privacy law looked more feasible than ever, and public awareness of privacy continued to grow.
But 2023 looks to be even more exciting for privacy watchers. AI will begin to dominate work and personal life, multiple new laws will kick in across the US, and businesses will start to take the value and necessity of privacy more seriously.
As you plan for the year ahead, here are five privacy trends to look out for in 2023.
1. Privacy and AI will converge and conflict
2022 was a landmark year for AI, when automated tools like the image generator DALLE-2 and the chatbot ChatGPT went mainstream.
As AI advances and becomes more integrated into our daily lives throughout 2023, expect some difficult conversations to emerge about the intersection of privacy and AI.
Data protection law has serious implications for the use and development of AI. For example, the GDPR’s legal bases, principles, and rights often apply in the context of AI.
These GDPR provisions are relevant to the collection of personal data to train AI systems—and they also apply to the use of personal data in AI-driven decision-making.
Some AI use cases might not be compatible with data protection law. While some data protection regulators, such as the UK’s Information Commissioner’s Office (ICO), have released guidelines on using AI, much of this guidance leaves many questions unanswered.
New draft laws, such as the EU AI Act and the US Algorithmic Accountability Act, may provide some clarity. But these are unlikely to pass in 2023. This year, expect a lot of AI debate—and some enforcement action—under existing privacy and data protection law.
2. Businesses will prioritise trust and control
As the public’s awareness of their privacy (or lack of privacy) continues to grow, businesses are beginning to recognise the importance of privacy to build trust and brand reputation.
It’s clear that data protection and privacy enforcement ramped up in 2022. For example, consider the multimillion-euro fines issued against US tech firms by the Irish Data Protection Commission (DPC)—and the first settlement under the California Consumer Privacy Act (CCPA).
But many businesses are coming to understand that avoiding enforcement is not the most important thing about privacy. Instead, they focus on transparency and offer users a greater choice regarding their personal data.
Big tech companies and small businesses are starting to prioritise transparency and user control to build customer trust. This trend will flourish in 2023 as more businesses realise the value of privacy.
3. Privacy-By-Design will flourish
In 2023, we’re likely to see a great emphasis on privacy by design and data protection by design. This approach involves integrating privacy and data protection principles into the early stages of development rather than as an afterthought.
Businesses and regulators are increasingly recognising the value of privacy by design, and several recent high-profile enforcement decisions have reinforced the importance of this approach (see, for example, the €405m fine against Instagram in September 2022).
In 2023, more and more organisations will recognise the value of adopting a privacy-by-design approach.
This strategy will allow companies to comply with the law and build trust with their customers and create more secure and user-friendly products.
4. Impact Assessments will increase
Conducting privacy or data protection impact assessments (PIAs or DPIAs) can help companies identify and address data protection risks and demonstrate their commitment to protecting their users’ privacy.
EU-operating organisations have been conducting DPIAs for some time. This year will see impact assessment requirements expand further beyond Europe.
Five US state privacy laws will take effect in 2023. Three of these laws (in Colorado, Connecticut and Virginia) require covered businesses to conduct data protection impact assessments in certain circumstances.
As more companies are required to perform these assessments, they should start to recognise the value of assessing the impact of their data processing activities on people’s privacy.
5. More privacy lawsuits are coming
As people become more aware of their rights, we should see an increase in privacy lawsuits in 2023. Lawyers and litigation firms continue to spot opportunities in this area, and several high-profile privacy lawsuits were launched in 2022.
For example, in April last year, a class action against software firm Oracle accused the company of tracking over 5 billion people via cookies without consent.
A class action was filed against Meta in September over iOS tracking, and the company also settled a class action over the Cambridge Analytica scandal for $725 million in December.
These are just a few examples. This trend will continue in 2023 as companies face increased scrutiny over their data practices.