2021 was a particularly tumultuous year for privacy compliance and information governance, with a rapidly evolving global regulatory environment, governments and corporations continuing to grapple with the persistent challenges of the COVID-19 pandemic and the subsequent acceleration of new technologies.
And now it’s a new year: a time to deal the cards and attempt to divine what’s ahead. With the caveat that we don’t know what we don’t know, there are several likely privacy and information governance developments on the horizon for 2022 in Australia and other jurisdictions.
In this article, we provide an overview of the changes that organisations should be preparing for in the coming months.
More regulation and more enforcement
National privacy regimes will continue to evolve. In Australia, the review of the Privacy Act 1988 (Cth) has been in progress since 2020 and is expected to be completed in 2022. Submissions on the Discussion Paper closed on 10 January, and the next step will be the release of exposure draft legislation. Though it remains to be seen what effect the impending Australian federal election will have on the law’s review, we anticipate the changes will include higher penalties (an increase in the maximum civil penalty for interferences with privacy to AUD$10 million has been proposed) and more teeth for the regulator. Additional proposals of note include alterations to the definitions of foundational terms such as “personal information,” and the introduction of a requirement that use and disclosure of personal information be “fair and reasonable.” In light of these proposed updates, organisations handling the personal information of Australians should plan how they will meet the new requirements under these regulatory changes.
Of course, Australia isn’t the only jurisdiction of concern. For example:
- China is likely to step up implementation and enforcement of its new Personal Information Protection Law (PIPL), which came into force in November 2021. Terms and infrastructure for enforcement are still under development, but organisations should watch out for an enforcement focus on the export of personal data out of China. Organisations will need to prepare for a quick and flexible response to new requirements and regulatory expectations and be able to demonstrate effective compliance.
- India tabled its proposed national privacy regime in late 2021, and there’s a good chance it will pass in 2022.
- It’s unlikely that the U.S. will find its way through to implementing a national privacy regime in 2022. However, significant movement at the state level will continue. In particular, organisations with U.S. exposure will need to spend time this year ensuring that they are prepared to comply with the elements of the California Privacy Rights Act, the Virginia Consumer Data Protection Act and the Colorado Privacy Act that come into force in 2022 and 2023. Further, it's looking like a number of states are moving towards implementing their own privacy laws, including Maryland, Oklahoma, Ohio, New Jersey, Florida and Alaska.
- In Europe, it's not just the regulators driving change. Activists are ramping up as well. In August 2021, privacy activist group noyb filed 101 complaints against companies in 30 European Union (EU) member state jurisdictions, in an effort to curb what they allege are widespread non-compliant data transfer practices. noyb has a successful track record with these kinds of actions (e.g., Schrems II). It's likely these complaints will be determined in 2022, with the result of further changes (again) to the approved approaches for transfers of personal data out of the EU.
More privacy-first approaches
Given the current landscape of risk, more organisations will begin investing in privacy and information governance in 2022.
In part, this will be driven by the regulatory environment. In FTI Consulting's most recent Resilience Barometer, 85% of Australian businesses said they are currently under investigation or expect to be investigated in 2022, in particular with respect to business conduct and how they manage customers (39%) and environment, social and governance practices (34%).
Alongside this, the concept of privacy as a competitive advantage appears to be gaining traction, particularly among technology-driven companies and as a response to an increasingly privacy-conscious customer base. Customer demands for transparency, control and ethical data practices will continue to increase. So, in response, organisations will increase investments to meet those challenges, including maturing their governance frameworks around privacy, working to become more transparent and educating their staff to reinforce a culture of trust.
2022 promises to be another year of change. In that context, our advice is: don’t wait. The organisations that are planning to meet these shifts will be the ones that come out ahead. So, start improving your privacy and information governance posture now, and be ready to recover if the cards dealt aren’t in your favour.
Tim de Sousa is a Senior Director within FTI Technology’s Information Governance, Privacy & Security practice. He is a strategic and operational privacy expert with more than 15 years of experience. He works in the intersection of privacy, information governance, emerging technologies and digital transformation in both the public and private sectors. His expertise spans Australia, Asia-Pacific and Europe.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.