Every year since the 1990s, we have seen a dramatic increase in the frequency and sophistication of cyberattacks. Since COVID-19 hit in early 2020, that trend jumped dramatically. There will be no rest for the weary: 2022 will be another unprecedented year, with ransom, vendor/supplier and nation state attacks leading the way. Threat actors will continue to exploit the hybrid work model, disruption to the workforce, and an environment where employees have never met new colleagues in person will increase risk.
Insurers’ willingness to pay/write big ransom policies will decrease
In 2021 ransom demands soared into the tens of millions of dollars. Insurance companies simply won’t keep up with that as a continuing trend. Threat actors fell victim to the old “pigs get fat, hogs get slaughtered” mantra when they potentially outpriced themselves from what had been a fairly compliant insurance industry ecosystem. Insurance companies will continue to harden their positions in terms of writing or paying out astronomical ransoms. After a period of fall out, we expect the threat actors will come back down to earth but that the ecosystem will remain robust.
Increased “old school, new school” type attacks
Threat actors will continue using old fashioned methods, such as visits to the physical premises or the compromise of insiders to penetrate companies’ increasingly sophisticated cybersecurity programs. Nation state threat actors will resort to a combination of old-fashioned methodology along with sophisticated cyber-attacks.
Increased government scrutiny of ransom and incident response
In the wake of Colonial Pipeline and ransoms in the tens of millions of dollars, authorities weighed in for the first time on what has been a siege on private companies, with a Biden/Putin war of words and some law makers threatening to ban ransom payments. We will see more rhetoric and discussion of these issues this year, but do not anticipate passage of meaningful legislation. The SEC, FTC and global regulators will remain focused on cybersecurity with disclosures and response to particular threats (such as Log4Shell, SolarWinds, etc.) driving action.
II. Mergers & Acquisitions
The pace of acquisitions and investment in AI/ML to future proof businesses will continue unabated. Private equity sponsors will continue to invest in ad-tech and data rich companies to enhance the scale and sophistication of their tech driven portfolios.
The proliferation of data driven acquisitions and investments will increase demand for already scarce privacy and cybersecurity deal diligence experts. Sophisticated buyers and investors will leverage deal diligence to understand the rapidly evolving global legal and regulatory landscape, prepare to devote resources to shore-up deficiencies in target company privacy programs, plan for integrating data assets into existing systems, and anticipate corresponding risks inherent in each transaction.
Comprehensive federal privacy legislation
The prospects for comprehensive federal privacy legislation this year look dim with the looming midterm elections and entrenched polarization in Congress. In addition, the passage of CCPA-like privacy laws in Colorado and Virginia, pending measures in other states, and the demise of a major technology industry advocacy association, will take the steam out of the “Big Tech” push for a federal law who are already planning for state law requirements.
FTC Chair Lina Khan will continue to push forward with FTC rulemaking initiatives intended to bolster the agency’s enforcement powers. The FTC’s end-of-year Statement of Regulatory Priorities includes promulgating privacy rules to promote fair use of AI algorithms and corresponding outcomes, as well as limiting “surveillance” business models. Watch for Congressional Republicans, Republican members of the Commission, and industry groups to challenge the contemplated rulemaking as exceeding the scope of the FTC’s Section 5 authority. The pace of rulemaking proceedings, calcification of polarized industry and consumer positions on privacy, and timing of Senate confirmation of the President’s Democratic nominee, Alvaro Bedoya, to the Commission, makes it unlikely that the FTC will adopt privacy regulations in 2022.
State patchwork fills the Federal void
In 2021 the California Attorney General issued notices of alleged noncompliance to companies for failing to comply with the CCPA’s “sale” notice and choice requirements. Watch for continued scrutiny of sales of California personal information, and actions targeting alleged noncompliance with the CCPA’s consumer rights provisions. The new California Privacy Protection Agency will focus on implementing the CPRA. All indications are that the Agency will get off to an aggressive start, including writing rules.
Colorado and Virginia adopted CCPA-like privacy laws. We anticipate that other states, including Florida, Maryland, and New Jersey will follow suit. Subtle nuances in these laws will pose challenges for companies that invested significant resources designing products and services to comply with the GDPR and CCPA. With diminishing prospects for comprehensive federal privacy legislation in 2022, companies will need to anticipate common themes and formulate integrated compliance strategies to mitigate risk and remain competitive. Watch for rulemaking proceedings in Colorado and Virginia.
IV. Cross-Border Data Transfers/Data Localization
It takes two to tango: reviving the Privacy Shield
U.S. and European Commission negotiators will push to hammer out a new Privacy Shield framework. U.S. surveillance of EU personal data transferred under the framework, and the availability of judicial redress for aggrieved EU data subjects will remain thorny issues. Even if the two sides resolve these issues, the risk that a new framework could meet the same demise as its predecessors makes it less likely that companies will have the appetite to use it. Other mechanisms, including new, more flexible SCCs are available but...
SCCs will remain a work in progress & beyond
The European Commission will act to develop a set of ‘slimmed down’ SCCs for transfers to non-EU establishments that are subject to the GDPR (a category of transfers not covered by the new SCCs). Watch for the UK ICO’s publication of new SCCs for transfers of personal data out of the UK – a move intended to preserve the practical advantages of alignment with the EU’s approach.
Watch for calls to bring BCRs more closely in line with the transfer impact assessments now required under the new SCCs.
People’s Republic of China Personal Information Protection Law (PIPL)
Effective November 1, 2021, PIPL joins a patchwork of Chinese data privacy and security laws with broad extra-territorial reach that restrict personal data flows from the People’s Republic of China. A significant gray area for companies will continue to be what personal data is subject to data localization requirements. We anticipate that enforcement activity may shed some light on the definitions of critical infrastructure data and other “important” data subject to localization requirements.
V. UK and EU GDPR
If the latter part of 2021 is any indication (e.g., the Belgian DPA’s rejection of the IAB Transparency and Consent Framework; the Norwegian DPA’s imposition of a hefty fine on an app for alleged noncompliance with consent requirements; and the Luxembourg DPA’s fine of €746 million on Amazon, the largest GDPR fine levied to date), and calls for stronger GDPR enforcement against “Big Tech” by NGO’s and Members of the European Parliament, we predict a significant uptick this year in GDPR enforcement activity. Watch for actions involving children’s data, location data in connection with targeted advertising, and health data and hefty fines.
EU strategy for data
We expect the EU Data Governance Act will enter into force in 2022 following the provisional agreement reached between EU institutions at the end of 2021. Companies will need to formulate strategies for using public sector data, including accounting for new data intermediation services for secure data sharing.
Look for the long-awaited proposal for the EU Data Act covering data sharing, smart contracts, use of industrial IoT data, portability, and interoperability as well as database protection.
From New Zealand to the UK – John Edwards takes the reins at the UK ICO
As the former privacy regulator in New Zealand, John Edwards prioritized children’s privacy and looked with increasing disfavor on “big tech.” We anticipate that the new Commissioner will look to strike a balance between the proposed departure from the GDPR announced by the UK Government in 2021 in favor of a more practical (business friendly) approach, while retaining the GDPR’s core protective principles. This balancing act will aim to preserve the European Commission’s (four year) adequacy finding for EU – UK personal data transfers. We anticipate more discussion about the future of the UK data protection regime but little in the way of substantive developments in 2022.
VI. Other Privacy Issues
Artificial Intelligence and Machine Learning
Companies will advance initiatives to eliminate bias in AI/ML in such diverse areas as housing, credit and lending, employment, and targeted advertising. The FTC previously issued two blog posts that appeared to endorse such activities. The posts acknowledged that inclusive demographic (e.g., race, ethnicity) could be collected and used to build and train AI models to correct historic inequities, and that actual demographic data – instead of proxy data (e.g., zip code, education level), is less likely to produce discriminatory impacts. The FTC signaled its intent to promulgate privacy rules to promote fair use of AI algorithms.
Meanwhile, the FTC threw its stake in the ground when it ordered the operator of a photo sharing app to delete algorithms and all underlying personal data after it allegedly failed to adequately honor consumer choice before automatically applying AI technology to their photos. (Users were told they had a choice to have the technology applied). Watch for the FTC to impose similar remedial measures.
The newly formed National Artificial Intelligence Research Resource Task Force will promote the White House’s AI Bill of Rights and use it as a framework to push for federal legislation. Watch for Congress to continue flexing its muscle on AI: In late November, Representatives Waters and Foster sent a letter to federal financial regulators urging prioritization of “principles of transparency, enforceability, privacy, and fairness and equity in response to the regulators” RFI on AI in the financial services sectors.
Industry is not sitting on the sidelines. As 2021 drew to a close, some of the biggest global companies formed a group to address AI bias. This year companies will actively engage with global lawmakers, regulators, and current trade groups to help shape global rules for combatting AI bias.
In 2022 the EU Proposed Regulation on Artificial Intelligence will begin the march through the European Trilogue process. This process will be closely watched by industry trade groups as its impacts will be felt globally given its broad territorial reach and potential for enforcement and significant fines.
Joined at the hip: Antitrust and data
The Biden Administration and the FTC will continue to address the effects of market dominance on privacy as indicated in the FTC’s September 2021 report to Congress. In the Report the FTC indicated that it would focus on the concentrated control over data, including “commercial” surveillance by dominant companies. Any proposed mergers involving large amounts of personal information, including sensitive personal information, will be subject to close scrutiny by the Biden Administration, including possible commitments needed to obtain approvals under various global national merger control and national security screening regimes.
Similarly, European competition and privacy regulators will scrutinize how data privacy protections may be eroded by companies that seek to use their market dominance and large data holdings to gain a competitive advantage. We also expect more cooperation between competition and other regulators to better understand the role of data in competitive dynamics. The Dutch Digital Regulation Cooperation Platform and the UK Digital Regulation Cooperation Forum are two examples.