By 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, according to Gartner.
Lawmakers’ efforts have intensified in the last two years, with many data protection law initiatives being passed and adopted. 2022 is likely to continue this trend, with regions such as Europe, the Middle East, the United States, and the Asia Pacific introducing or amending data privacy and protection laws.
In 2021, US states Virginia and Colorado followed in the footsteps of California and passed data protection laws set to come into effect in 2023. California itself signed off on several amendments to its California Consumer Privacy Act (CCPA) which included changes relating to consumers’ right to opt out of the selling of their personal information and authorized agent requests for information concerning consumers’ personal information. The amendments took effect the same day they were passed.
China also passed its first omnibus data protection legislation, the Personal Information Protection Law (PIPL), which seeks to protect personal data and regulate its processing, on 20 August 2021. It came into effect on 1 November 2021.
New Standard Contractual Clauses under GDPR
Since its adoption in 2018, the EU’s General Data Protection Regulation (GDPR) has become the baseline for a wave of new data protection legislation that has swept the globe. Many lawmakers around the world have sought parity with GDPR in hopes of a positive adequacy ruling from the European Commission, which would allow a free data flow between their country and the European market.
When companies need to transfer data to countries that do not have a European Commission adequacy ruling in place, they are obligated to use Standard Contractual Clauses (SCCs) for data transfers under GDPR to ensure the rights and freedoms of the EU data subjects are considered and upheld. In June 2021, the European Commission approved new Standard Contractual Clauses (SCCs). The previous set of SCCs was repealed as of 27 September 2021, meaning that all new contracts entered into after that date must use the new SCCs.
Going into 2022, organizations using SCCs have until 27 December to replace all contracts incorporating the old SCCs. This is likely to prove a significant task for many organizations in the year ahead as they will need to not only swap out the old clauses with the new but also to identify which data transfer contracts need to be reviewed and replaced.
More US states expected to pass data privacy legislation
In 2021, more than 160 consumer privacy-related bills were introduced in the US in 38 states, highlighting the growing concern with adopting laws that guarantee the protection of consumers’ personal information. The passing of the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (CPA) in 2021 is likely to increase momentum in other states and lead to further legislation being passed in 2022.
At least twelve states are set to consider comprehensive consumer privacy legislation in 2022. Florida and Oklahoma came close to passing legislation in 2021, which might mean they will succeed in 2022. New York and Ohio are also high on the list of states likely to see progress in data privacy law adoption in the year ahead. Washington’s Privacy Act failed to be passed for the third year in a row in 2021 after lawmakers could not come to an agreement over including a private right of action into the bill, but 2022 might be the year it finally succeeds.
Japan’s APPI amendments come into effect
Japan modernized its Act on the Protection of Personal Information (APPI) in 2017 to bring it closer to European standards. Thanks to these changes, Japan secured the first adequacy decision issued by the European Commission under GDPR.
Further amendments to the law were enacted on 12 June 2020, based on the results of the Personal Information Protection Commission’s (PPC) review and public consultation. The new changes, among other things, expanded the scope of Japanese data subjects’ rights, made data breach notifications mandatory, and limited the range of personal information that can be provided to third parties. Penalties also saw a significant increase, with corporate entities now liable to fines of up to ¥100 million for violating the PPC’s orders.
While the new penalties have been applied since 12 December 2020, the rest of the new amendments are set to come into force on 1 April 2022.
New data protection laws in the Middle East
On 24 September 2021, Saudi Arabia adopted its first standalone personal data protection law through Royal Decree No. M19/1443. The Saudi Data and Artificial Intelligence Authority (SDAIA) will be in charge of enforcing the new law that will come into force on 23 March 2022 after Implementing Regulations are issued. Companies will then have one year to comply with the new law’s requirements.
The United Arab Emirates (UAE) passed its first federal data protection law, Federal Decree Law No. 45/2021 on the Protection of Personal Data, on 27 November 2021. It also established the UAE Data Office, responsible for enforcing the data protection law through a separate decree. The new law came into force on 2 January 2022. However, the UAE Cabinet will first need to issue a set of Executive Regulations to address the finer details of the law. From the date the Executive Regulations are published onwards, data controllers and processors will have six months to comply with the Data Protection Law.
Towards global data protection
2022 is likely to bring the coming into force of several long-expected data protection laws in several countries. Following a two-year-long postponement because of the COVID-19 pandemic, Thailand’s Personal Data Protection Act (PDPA) is finally due to come into effect on 1 June 2022. Qatar’s Data Protection Regulations and Data Protection Rules 2021 will take effect on 21 May 2022.
Switzerland’s revised Federal Data Protection Act was passed by the Federal Council in September 2020 and is expected to enter into force in the second half of 2022. However, an official date has not yet been set.
On 16 December 2021, the Indian Joint Parliamentary Committee submitted its report on India’s draft Data Protection Bill which included a series of revisions to the text of the law. The Bill might now be passed by the Indian Parliament in its next session starting in February 2022 and come into force in the first half of the year.
In the European Union, several new data protection laws will likely be adopted in 2022, including the Data Governance Act, the ePrivacy Regulation, and the Network and Information Security (NIS) 2 Directive.
Frequently Asked Questions
According to the United Nations Conference on Trade and Development, 137 out of 194 countries have put in place legislation to secure the protection of data and privacy. This new wave of data protection legislation was spearheaded by the EU’s General Data Protection Regulation (GDPR) which made companies liable for the protection of sensitive data in the eyes of the law. From the California Consumer Privacy Act (CCPA) in the US to the Lei Geral de Proteção de Dados (LGPD) in Brazil, organizations collecting and processing personal information must now follow strict requirements for the protection of personal data or face heavy fines. Read more about different data protection laws around the world.
One of the reasons why GDPR has had such a far-reaching international impact has been because of its extraterritoriality clause. Any company collecting or processing the personal information of EU data subjects, whether they have offices in the EU or not, falls under the incidence of GDPR. Given the strong commercial ties between the European Union and the world’s biggest economies, many governments around the globe have decided to enact their own data protection regulations to ensure businesses within their countries adopt the newest data protection practices in line with GDPR. Read more about GDPR.
China passed its first omnibus data protection legislation, the Personal Information Protection Law (PIPL), which seeks to protect personal data and regulate its processing, on 20 August 2021. It came into effect on 1 November 2021. Uniting existing Chinese data privacy laws under one umbrella, the PIPL adds several significant new developments to the protection of personal data in China. Among them are steep fines, extraterritorial applicability, the need for data protection officers, and new rules governing cross-border transfers. Find out more about PIPL.
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.