Privacy Roundup: Top Stories of 2022

New laws, draft decisions, increased enforcements, huge fines — data privacy was in the news all year around. Let’s look back at the top stories from 2022 and what’s on the horizon for 2023.

• Australia passed the Privacy Legislation Amendment Bill 2022 which will increase the penalty for companies that face serious or repeated data breaches. 
• India re-introduced a draft version of the Digital Personal Data Protection Bill after withdrawing its predecessor in response to criticism.
• Indonesia passed the Personal Data Protection (PDP) Act, the country’s first comprehensive data privacy law. Indonesia joined Singapore, Malaysia, Thailand, and the Philippines to become the fifth country in Southeast Asia to have a data privacy law.
• Argentina published a draft bill to update its 22-year-old data protection law in line with the GDPR and other newer data privacy regulations.
• Canada re-introduced Bill C-27, also known as the Digital Charter Implementation Act 2022 after its predecessor failed in the Canadian Senate.

As the United States debated a federal privacy law, the American Data Privacy and Protection Act (ADPPA), two states – Connecticut and Utah adopted consumer privacy legislation in 2022. They join California, Virginia and Colorado to be the five US states with comprehensive data privacy laws. Businesses that handle user data will need to prepare for compliance as the laws go into effect in 2023. 

• California Privacy Rights Act, effective January 1, 2023
• Virginia Consumer Data Protection Act, effective January 1, 2023
• Colorado’s Privacy Act, effective July 1, 2023
• Connecticut’s Data Protection Act, effective July 1, 2023
• Utah Consumer Privacy Act, effective December 31, 2023.

The Belgian data protection authority (DPA) issued a €‎250,000 fine for Interactive Advertising Bureau Europe (IAB)’s Transparency and Consent Framework (TCF) for violating the GDPR. This came days after, the DPA issued a decision reinforcing companies about the consent rules on the use of cookies.

In April 2022, Google rolled out an updated cookie banner in the EU informing users how cookies are used and adding a new ‘reject all’ button for non-essential cookies on search or YouTube. Earlier in the year, France’s data protection agency CNIL had fined Google €150 million for deploying confusing language in cookie banners. 

Privacy rights group NOYB filed 270 complaints with 18 DPAs targeted against website operators for not complying with GDPR requirements in their cookie banners.

The EU passed two major legislations — the Digital Markets Act and the Digital Services Act. The two landmark laws intend to establish a level playing field and will determine how large online platforms operate to ensure fair competition and rights for users. The Digital Markets Act will impose obligations only on online platforms that act as “gatekeepers” such as online search engines, marketplaces and social networks. The Digital Services Act aims to ensure the “proper functioning of the internal market” and protect EU citizens’ fundamental rights such as the protection of personal data and non-discrimination.

In December, the European Commission announced a draft decision on the EU-US Data Privacy Framework (DPF), as it’s called. Earlier in 2022, the EU and US had reached an agreement on a new framework for data transfers. “This framework underscores our shared commitment to privacy, to data protection, and to the rule of law,” noted US President Joe Biden. The US spent two years crafting the new data privacy framework after Privacy Shield was invalidated in 2020. The framework was struck down after the EU’s top court ruled in favour of Max Schrems, an Austrian privacy activist who argued the existing framework did not protect EU data from US surveillance.

Last year, Austria, France, Italy, Norway and Denmark declared that the use of Google Analytics breached the European Union’s GDPR. The Data Protection Authorities (DPA) noted that the use of Google Analytics involved a transfer of personal data to Google LLC in the US, which was in breach of Article 44 GDPR and violation of the 2020 Schrems II ruling. The Danish DPA and French CNIL issued guidance for businesses on how to use GA in a compliant way.

The decisions are based on complaints filed by “None of Your Business,” the privacy watchdog founded by Max Schrems. Google issued a response arguing that there was a fundamental misunderstanding of the way Google Analytics worked.

California Attorney General (AG) announced its first-ever CCPA penalty of $1.2 million to beauty retailer, Sephora. The enforcement action comes after Sephora failed to disclose information about the sale of personal information and process user requests to opt-out of sale, including those received via the Global Privacy Control (GPC), a violation of California’s Consumer Privacy Act (CCPA). The AG noted that this settlement should send “a strong message” to companies and announced his Office’s intent to ramp up enforcement. With the CPRA in effect from January 01 2023, businesses should urgently review their compliance efforts.

Google announced that it will delay the plan to phase out third-party cookies on its Chrome browser until the “second half of 2024.”  The company noted that they received feedback from developers, publishers, marketers, and regulators for “more time to evaluate and test the new … technologies before deprecating third-party cookies in Chrome.” Google also did away with the proposed Federated Learning of Cohorts (FLoC) which was intended to replace third-party cookies. Instead, the company announced a new interest-based targeting proposal called Topics API  that will work by identifying topics, like Fitness or Travel, that represent a user’s top interests for that week based on their browsing history.

Ireland’s Data Protection Commission (DPC) issued the second largest GDPR fine of €405 million to Meta-owned Instagram for mishandling the personal data of users ages 13 to 17, including email addresses and phone numbers. In another enforcement, the Irish DPC issues a €265 million fine against Meta for leaking the data of 530 million Facebook users. In another landmark settlement with over 40 US states, Google agreed to pay nearly $392 million over allegations that the company tracked individuals through their devices even after location tracking had been turned off. 

Following a flux of political changes after the resignations of Prime Ministers Boris Johnson and Liz Truss in quick succession, the UK has put a pause on the proposed reforms to replace GDPR in the UK. In July 2022 the UK government introduced the Data Protection and Digital Information Bill (DPDI) that set out to reform the existing UK GDPR, UK Data Protection Act and Privacy and Electronic Communications Regulations. The proposed Bill aims to make it easier for businesses to comply. In December 2022, the UK’s Information Commissioner John Edwards criticized GDPR fines and outlined a new approach that focuses on fixing the issue rather than on financial penalties.