2023 DATA PRIVACY LAWS YOU NEED TO KNOW: CROSS-BORDER AND BEYOND

Mar 15, 2023

Summary

  • In 2023, an estimated five quintillion bytes of data will be created daily, which raises concerns about data privacy.
  • More regions, localities, and countries are implementing additional data privacy laws to ensure the safety of individuals’ data.
  • The US will see four new states add privacy laws, while no new US state privacy laws govern geographical cross-border data transfers similar to GDPR or China’s PIPL.

INTERNATIONAL DATA PRIVACY REGULATIONS

In 2023, an estimated five quintillion bytes of data will be created daily.

While this data revolution is exciting, it also raises questions about data privacy. In response to that challenge, more regions, localities, and countries will implement additional data privacy laws in the coming years to ensure the safety of individuals’ data.

The EU’s General Data Protection Regulation (GDPR) is considered the gold standard of data protection. Now, more than 120 countries have implemented international privacy laws, often in an effort to keep up with the EU’s standards. Nader Henein, VP Analyst at Gartner, said, “By year-end 2024, … 75% of the world’s population will have its personal data covered under modern privacy regulations.” This is a positive development that provides assurance to many people around the world concerned about how their personal data is collected, used, and stored.

RECENTLY ENACTED DATA PRIVACY LAWS

As data privacy laws continue to expand, it’s important to be aware of new and updated regulations. For example, Saudi Arabia’s postponed Personal Data Protection Law (PDPL) will go into effect on March 17, 2023. It will be the country’s first federal, sector-agnostic data privacy legislation.

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a national private-sector data privacy law that provides data protection. In September 2023, Quebec will start implementing Bill 64 and become the first jurisdiction in Canada to update privacy regulations to be more in line with GDPR. Quebec’s Bill 64, however, is specific to Quebec and grants consumers certain rights concerning consent and data transparency.

Similar to GDPR, Bill 64 also introduces the “right to be forgotten,” which allows consumers to request that companies stop distributing their personal data. Unlike GDPR, Bill 64 requires controllers to perform a privacy impact assessment prior to any cross-border data transfers. Industry analysts are closely monitoring the effects of this bill as it could severely impact Quebec-based businesses. They warn it may result in offices moving outside the jurisdiction to accommodate borderless data flow.

Several countries and regions also have privacy laws in draft form that are expected to be published in 2023, including India’s Digital Personal Data Protection Bill and the EU’s ePrivacy Regulation (ePR).

10 DATA PRIVACY LAWS YOU SHOULD KNOW

In addition to the above-mentioned laws, the following currently make up some of the top privacy laws affecting cross-border data internationally:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Australia’s amended Australia Privacy Act
  • Brazil’s General Data Protection Law (LGPD)
  • Chile’s Amended Consumer Protection Law
  • Japan’s Personal Information Protection Act (PIPA)
  • Kenya’s Data Protection Act, 2019 (DPA)
  • Nigerian Data Protection Regulation, 2019
  • South Africa’s Protection of Personal Information Act (POPIA)
  • South Korea’s Personal Information Protection Act (PIPA)
  • Qatar’s Personal Data Privacy Protection Law

It’s also important to note that although PCI DSS v3.2.1 will remain active through March 2024, the PCI SSC already released version 4.0 last year. Therefore, it would be best for enterprises to use this time to familiarize themselves with the new version, update their reporting systems, and plan for and implement changes to comply with the updated requirements.

2023 DATA PRIVACY REGULATORY CHANGES IN THE U.S.

In 2023, the U.S., which has no comprehensive national data protection law, will see four new states add privacy laws in addition to existing California, Maryland, Massachusetts, and New York laws.

NEW 2023 DATA PRIVACY LAWS IN THE UNITED STATES

| State | Law | Effective Date |
| --- | --- | --- |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) | January 1, 2023 |
| Colorado | Colorado Privacy Act (CPA) | July 1, 2023 |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | July 1, 2023 |
| Utah | Utah Consumer Privacy Act (UCPA) | December 31, 2023 |

California also enacted the California Privacy Rights Act (CPRA) as of January 1, 2023, which adds to its existing California Consumer Privacy Act (CCPA).

The United States will also see changes to the National Automated Clearing House Association (Nacha) rules on March 17, 2023, to mandate that “originators of Micro-Entries will be required to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.” This change is phase 2 of a previous rule change on micro-entries. The first phase of the rule defined Micro-Entries as charges under $1.00 made for account verification purposes.

CROSS-BORDER PROVISIONS IN U.S. DATA PRIVACY LAWS

Currently, no new U.S. state privacy laws govern geographical cross-border data transfers similar to GDPR or the People’s Republic of China’s Personal Information Protection Law (PIPL), which impose cross-border data restrictions based on data sovereignty. CPRA, however, enforces contractual requirements when cross-border transfers are made to third parties, including service providers and contractors. In addition, CPA and VCDPA require contracts when PII is transferred to processors. VCDPA defines a processor as “a person or entity that ‘processes personal data on behalf of a controller.’”

DATA PRIVACY COMPLIANCE WITH BORDERLESS DATA

It’s essential to stay on top of developments in privacy law to ensure data compliance. Doing so will require a new approach using simple technological foundations to help you achieve compliance across an entire company, doing business in any country, quickly and efficiently. Operating at a global scale requires your data to move and be processed across complex regulatory, privacy, and sovereignty requirements on a limitless variety of software stacks. Therefore, enterprises using data compliance regulations as their base for system innovations experience multiple advantages, including:

  • Increasing revenue across multiple lines of business in existing and new markets
  • Removing significant risks, costs, and inefficiencies from your business
  • Dramatically improving the experience, brand, and loyalty of your customers

Now is the time to transform protected data into opportunities. With the right investments and strategies, you can unlock the potential to expand your markets, grow revenue, and improve customer experience.

LEARN MORE WITH PROTEGRITY

If you’re unsure where to start, check out our cross-border solution or contact us to learn how to solve regulatory compliance challenges with borderless data.