Below are details of the ten most significant initiatives of data protection authorities, legislative proposals, and trends that are expected to have major implications as regards application of the GDPR in the new technologies sector in 2023.

Amounts of fines imposed by data protection authorities.

In 2022, data protection authorities in Europe (EU countries, EFTA countries, and the UK) imposed fines of EUR 2.92 bn (source: DLA Piper report). The total fines imposed more than doubled in relation to 2021. The sector in which the most fines were imposed was new technologies, mainly online advertising.

In Poland as well, in 2022, the President of the Personal Data Protection Office (PDPO) imposed the most severe fine yet, of more than PLN 4.9 m (Fortum Marketing and Sale Poland S.A. case).

Plan for the Data Protection Authority sector-specific inspections for 2023.

On 18 January 2023, the President of the PDPO announced that a plan for sector-specific inspections had been adopted for 2023. The published PDPO list of sector-specific inspection priorities shows that there are two (out of three) areas that will likely concern new technologies (source: https://uodo.gov.pl/pl/138/2614):

  • means of securing and providing personal data processed due to use of internet applications,
  • means of securing and providing personal data processed due to use of mobile applications.

Electronic Communications Law (ECL) passed – new rules on electronic marketing, applicability of the new law to OTT service providers.

The enactment of the Electronic Communications Law (ECL) in Poland will have crucial implications for data processing in electronic communications networks. These laws, expected to take effect from QIV 2023, will replace the current telecommunications laws, and thus lead to certain changes to the law as it currently stands.

As far as laws on data protection in electronic communications networks are concerned, the proposal for the ECL governs three major areas.

  • Firstly, the rules on permissible electronic marketing will be revised. Under current laws, direct marketing is regulated in two pieces of legislation – article 10 of the Act on Electronic Services (AES) and article 172 of the Telecommunications Law (TL). When the ECL comes into effect, this will be governed by a single provision – art. 393 of the ECL bill, which also results in article 10 of the AES being repealed. These changes will have the direct effect of providing legal protection with regard to e-mail campaigns, including for legal persons, and one of the forms this will take is a requirement for consent. Under present laws, this requirement is applicable only to the sending of commercial information to natural persons.
  • Secondly, the current rules in the Telecommunications Law on placing and use of various internet identifiers such as cookies have been inserted into the proposal for the ECL. Under the new legislation, apart from installation of cookies essential for providing a service, users’ consent will be required. This will apply for example to analytical or advertising cookies. Equally, the legal risk connected with use of identifiers of this kind will increase significantly, as the proposal for the ECL gives the President of the Office of Electronic Communications the power to impose fines significantly higher than at present.
  • Thirdly, according to the proposal, the ECL will apply to entities that do not provide telecommunications services, in addition to the conventional telecommunications operators. In particular, this will affect firms providing over-the-top (OTT) services, such as e-mail and online video call and chat tools. When the Electronic Communications Law takes effect, providers of these services will have to comply with both the GDPR and the ECL with regard to provisions on electronic communications confidentiality. This will be of crucial importance, for example when evaluating whether it is permitted to process metadata generated when providing e-mail or chat and video call tool services.

Rules on payment by personal data under new Polish consumer protection laws.

An amendment to the Consumer Rights Act came into force on 1 January 2023, implementing Directive (EU) 2019/2161 – the Omnibus Directive. The changes will apply for instance to contracts for digital content (such as e-books), or for digital services (such as provision of access to cloud gaming services).

One of the situations which will now be regulated concerns a consumer not paying a specified amount for a product or service, but in exchange providing their personal data for a firm to process for purposes other than solely performing the contract. For example, in return for the service, the provider might process data not only to provide the digital content or service, but for other purposes as well, such as marketing (for example consent to receive e-mails containing offers from other firms in return for a free e-mail account).

Importantly, the amendment to the Consumer Rights Act is not aimed at amending the GDPR, but laying down the consequences in civil law of payment in the form of personal data, especially as regards a consumer having the same rights as in the case of paid contracts (such as the right to withdraw from the contract).

Implementation of the Digital Services Act – banning the use of dark patterns, protection of minors, profiling restrictions.

Regulation (EU) 2022/2065 of the European Parliament and of the Council on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act – DSA) was passed on 19 October 2022, while most of the provisions in the regulation will come into effect from 17 February 2024.

In terms of data protection rules, the most important DSA provisions concern the following:

  • a ban on the use of dark patterns, or deceptive interfaces, used to manipulate users into acting wrongly or making wrong decisions with adverse consequences (such as unwittingly consenting to personal data processing)
  • a ban on the use of targeted marketing on the basis of profiling as defined in article 4(4) of the GDPR, using the personal data of minors
  • a ban on the use of targeted marketing on the basis of sensitive data profiling as defined in article 9 of the GDPR.

Codes, certification as a mechanism for GDPR compliance.

In 2022, there was a considerable increase in use of the compliance mechanisms described in the GDPR (article 40 et seq.). More national codes of conduct have been approved (in countries including Austria, Spain and the Netherlands), as has the first code in Poland (the code of conduct on protection of personal data processed at small-scale medical centers – the Zielonogórskie Agreement). Two pan-European codes have also been adopted (the Data Protection Code of Conduct for Cloud Infrastructure Service Providers and the EU Cloud Code of Conduct).

Also, for the first time, a regulatory authority in the EU has had its certification mechanisms approved (Luxembourg), enabling the authority to certify controllers or processors (compliance mechanism in the GDPR, separate from the codes of conduct).

Transferring personal data from the EU to the United States.

Work is now in progress on a new agreement between the EU and the United States on personal data transfer from the EU to the US.

On 25 March 2022, the President of the European Commission Ursula von der Leyen and United States President Joe Biden announced that they had agreed on the European Union-U.S. Data Privacy Framework.

This Framework consists of three elements:

  • rules on commercial data protection, allowing self-certification by US organizations,
  • the Executive Order, and
  • additional rules issued by the US Department of Justice.

The implementing regulation and Department of Justice rules are intended to remedy two flaws found by the CJEU in the context of invalidation of the Privacy Shield:

  • the right to privacy may only be restricted where absolutely necessary and in a proportional manner, and
  • a right to redress must be guaranteed for unlawful state oversight.

On 7 October 2022, President Joe Biden signed the Executive Order, restricting US agencies’ access to personal data. At the same time, the Department of Justice is working to produce a two-step review system for claims (the institutions created will include a new Data Protection Review Court to review complaints concerning the actions of agencies).

The mechanisms referred to above are now undergoing review by the European Commission to determine whether they ensure an adequate level of personal data protection. This decision is expected to be issued in 2023 and, like the Safe Harbour and Privacy Shield in the past, will be the basis for transferring personal data to the US.

In the meantime, before the adequacy decision confirming the mechanism created under the Data Privacy Framework is issued, a vast majority of data transfers between the EU and the US will be conducted based on the standard contractual clauses approved by the European Commission.

Also, with regard to assessment of adequacy of data protection in the United States, California, and in turn other states, including in particular Connecticut, Colorado, Utah and Virginia, have passed privacy legislation due to come into force in 2023.

The effect of laws on innovation on application of the GDPR.

In 2023, a series of new laws will take effect or are to be drawn up in the EU that are of crucial importance for the legal framework for introducing various types of innovation. This will primarily affect cloud computing, the Internet of Things, and artificial intelligence.

The new rules on innovation will govern activity that entails personal data processing as well as activity that involves non-personal data, while also observing the rule that laws on innovation will be without prejudice to the GDPR, and thus do not violate or amend it. In particular, these laws cannot be interpreted as forming new legal grounds for processing personal data in the case of regulated activity or as amending the information requirements provided for in the GDPR.

The most important innovation-related laws due to take effect in 2023 include the following:

  • an amendment to the National Cybersecurity System Act (the government plans to pass the amendment in QII 2023)
  • the Data Governance Act (EU Regulation to come into force as of 24 September 2023)

Meanwhile, the main pieces of legislation on which work is still in progress include:

  • the proposal for the Data Act,
  • the proposal for the regulation on artificial intelligence.

Data protection in the metaverse.

The legal aspects of protection of data and privacy in the metaverse are becoming increasingly important.

There is presently no legislation regulating data protection and privacy in the metaverse, and there are no plans to pass such legislation, while equally there are no guidelines in this respect issued by the European Data Protection Board or by national authorities.

The specific issues concerning applicability of the GDPR to the metaverse are:

  • the processing of personal data of a special (sensitive) nature. VR headsets that enable users to interact with the metaverse use an elaborate network of sensors that record the body’s physical reactions to the designed world. Examples include face recognition systems (recognizing facial expressions and geometry), systems that track movement of the eyeball, retina and entire body (position of head and hands, fingerprints, etc.), and sensors recording other physiological reactions (temperature, skin reaction, pulse, oxygen saturation and electrical activity of muscles, and possibly in the near future brainwaves as well). This is biometric data as defined in article 4(14) of the GDPR, and is a category of data that is subject to special protection.
  • the status of particular parties that conduct data processing in virtual worlds (a controller, joint controller, processor)
  • the means of compliance with the information requirement and determining the legal basis for processing personal data
  • rules on profiling natural persons represented by avatars in the metaverse,
  • transferring personal data to third countries.

The “end of the world” for third-party cookies.

Google has announced that it will officially cease supporting third-party cookies in Google Chrome, currently the most popular browser, by the end of 2024 (Privacy Sandbox).

The aim of the changes concerning the disabling of cookies is to give users greater choice as to whether they wish to have their activity tracked for targeted marketing. Targeted advertising is to continue to be possible, while use of detailed data on user activity history will not be necessary. For example, this might concern processing information about a user’s interests, but only for a short time, such as a few weeks, after which the data would be erased. Equally importantly, it is the user who will decide which topics they consider a priority at any particular time.

The proposed changes will have a profound effect on how firms in the online advertising sector function. On one hand, they will no longer have access to certain data in a user profile, collected according to both the user’s browsing habits and their observed behavior on a website. On the other hand, data provided freely by a user on particular websites (for example when subscribing to a newsletter) will play a greater role.