At the beginning of each year, to help you prioritise your next steps and focus for the year, we gaze into the near future and try to imagine the major trends. We try to predict what will happen and what it will mean for you. What will you need to focus on, when and how much of your time is it going to take?

The question is: can we accurately predict what 2023 has in store for us? Predictions are a tricky business and can make a fool out of anybody. Even the Financial Times, who like us, are leaders in their industry, find themselves proven wrong. That’s the nature of the beast we suppose. With that said though, many of our previous predictions have proven to be right. In 2022, we got 16 out of 21 right.

It’s our hope that with this forecast we’ll be able to empower you to plan your year ahead. Stay ahead of the rest by reading our 2023 predictions.

Data protection authorities will continue to flex their muscles

There will be more stringent sanctions for lawful processing and greater publicity of breaches. Towards the end of 2022, authorities fined a few companies large amounts. Both Meta and Google were in the firing line. Some new headlines were:

In South Africa, we think that the regulator will issue multiple enforcement notices this year. We know that the regulator received more than 700 PAIA complaints in 2022. Therefore, we think that the first enforcement notice will be around PAIA with POPIA ones to follow. We track all data protection fines and report them to the members of the Michalsons data protection programme. We help our members to avoid similar fines.

Based on notices from ICO and articles in the USA, we will also see more authorities, including our own regulator, issuing “warnings” for Data Protection violations.

Courts will increasingly pass judgment on data protection and information security

Being principle-based laws, courts will be called upon to apply them to real work situations. We’ve already seen this happen in 2023 in South Africa in Hawarden vs ENS. We track all POPIA judgments and report them to the members of the Michalsons data protection programme.

Regulating AI will become a primary focus for regulators

OpenAI and Microsoft have democratised AI by making ChatGPT publicly available. The legal issues regarding AI will come to the fore. The EU’s Artificial Intelligence Act will come into operation. The privacy and ethical implications of AI will receive significant attention. Businesses (and possibly the regulator) will address the legal implications of AI.

Consent and preference management will become an essential compliance tool

Consent is just one of the lawful grounds for processing personal data, but it will become more important in 2023. In 2022, CNIL fined apple and fined Microsoft relating to failing to deal with consent correctly. Just last week, on 11 January 2023, the Belgian Data Protection Authority announced that it approved the Interactive Advertising Bureau Europe’s action plan with respect to its Transparency and Consent Framework. Cookie management will continue to be a hot topic in 2023. The information regulator in South Africa will go after a direct marketer in South Africa for failing to get consent from a consumer to market to them.

Authorities will publish more laws to enforce privacy and data protection

In 2022 several countries in Africa and many states in America introduced data protection laws. In 2023 more countries around the world will continue to publish data protection laws to protect privacy. In particular, we will see more data protection laws in Africa and India this year.

Consumers and employees in America get data privacy. America published a draft federal data protection law in 2022 but it will not come into effect in 2023. However, more states in America are set to enact laws. Remember that the California Privacy Rights Act (CPRA) came into full force and effect on 1 January 2023. The CPRA will amend the California Consumer Privacy Act.

In South Africa, Parliament will amend the 2018 POPIA Regulations. We thought this would happen last year, but we know (via a tweet) that the regulator has been looking at the proposed amendments to the 2018 POPIA Regulations since the latter part of last year.

Organisations will use LegalTech to achieve practical outcomes

Organisations will move fast to implement software and tools to achieve practical legal outcomes.

  • You simply can’t sign documents efficiently without an electronic signature platform.
  • You can’t manage privacy and data protection properly without a privacy management tool.
  • You can’t manage cookies without a cookie manager. 
  • You can’t manage contracts without a system or platform. Spreadsheets will die in 2023.
  • You can’t comply with laws without a dynamic electronic online compliance framework.

Lawyers around the world will scramble to learn how to use LegalTech. It will be hard, but most will manage.

Cybercrime will increase and so too will the need for increased cybersecurity measures

Criminals continue to thrive in the cyber environment. There will be more cyber-attacks in the healthcare sector. Like many countries, South Africa will struggle to catch and prosecute cyber criminals. Cybercrime will therefore increase. Organisations will therefore have to protect themselves. On this note, you can join the Michalsons cybercrimes programme.

  • Law enforcement in South Africa will be largely ineffective in cybercrime detection, prevention, and enforcement.
  • The Department of Justice will announce commencement dates for the remaining sections of the Cybercrimes Act.
  • Discussions around a Cyber Commissioner for SA will progress in Parliament, but the Cyber Commissioner won’t be appointed this year.
  • The FSCA will move forward with the Cyber Resilience framework.

The requirement for appropriate information security will be a business issue

There will be a greater focus on cyber insurance. Before cover can be placed it will be necessary for companies in many instances to ensure that their information security meets at least minimum thresholds. Resilience will be a key issue.

Many countries will focus on cross-border transfers

Digital markets and economies can only function if there is a flow of personal data across borders. The law has created the regulatory framework for transborder data flows, but everyone is struggling with the practical implementation of the law.

Many people in many countries will focus on trying to enable the free flow of personal data. The EU and the USA will agree data transfer terms and finally solve this challenge. African countries will also agree a framework for personal data to flow within Africa. Africa needs this to create a single data economy on Africa.

Business will implement Privacy by Design (PbD)

Privacy by Design has been part of data protection law for a while. However, the practical need to apply it is growing. The Irish Data Protection Commission fined Meta (previously Facebook) 265 million euros in November 2022 for failure to comply with the provision of the GDPR related to data protection by design and by default. The concept of privacy by design is evolving. It used to be a theoretical nice-to-have regarding relevant data protection laws. Now it is something that relevant supervisory authorities insist upon. They are increasingly likely to take an organisation to task for failing to implement it correctly

More controllers and processors will sign comprehensive DPAs

Many companies (controllers, processors, and sub-processors) have spent lots of time drafting, negotiating, and signing data processing agreements (DPAs). This trend will continue into 2023.

In the past, many signed DPAs as a tick box exercise and didn’t really engage in the implications of what they were agreeing. Or they signed very lean DPAs that didn’t really deal with the issues. In 2023, many will realise the importance of the DPA and sign more comprehensive ones that really get into all the topics. Many will operationalise DPAs so that they don’t just sit in the bottom draw.

Controllers focus on protecting children’s data

Everyone is realising that we need to protect our children. The younger they are the more protection they need. Many controllers will make this is a focus in 2023. So will authorities. For example, the Center for Digital Democracy and others started a petition urging the FTC to prescribe rules that prohibit certain types of engagement optimisation design practices for minors who use digital services.

Controllers focus on data privacy rights in the workplace

The ICO has an ongoing project to replace its employment code of practice. This will create lots of useful guidance for employers all over the world.

The ePrivacy Regulation will take effect in 2023

There have been many delays for many years due to negotiations and lobbying. We think that 2023 will be the breakthrough year in which the ePrivacy Regulation will take effect with a two-year grace period.

Copyright struggles to adapt to new technologies

The speed of technical advancements continues to increase. The law continues to struggle to keep up. One example is AI. In November 2022, OpenAI launched a chatbot called Chat GPT. There still appears to be a lot of uncertainty about how to use this new technology effectively. Who will own the copyright to the works that ChatGPT creates? Does ChatGPT infringe other people’s copyright?

In South Africa, (as we predicted last year) the Copyright Amendment Bill will remain in limbo. We think it will probably continue to do so in 2023. Given the speed of technological change Parliament will need to amend the amendment Bill before it is enacted.

Technical and legal people will bridge the gap

In the past, IT and legal have not seen eye to eye. They seemed poles apart with nothing really in common. Neither spoke the other’s language. IT could not see how tech could be used to solve legal and compliance problems. Legal and compliance hated technology and software. Lawyers have not embraced software to help them do their jobs. This will change in 2023 and technical and legal people will start talking and collaborating to achieve legal outcomes.

Courts continue to embrace technology by moving online

Covid-19 fueled the drive toward a digitised judiciary and saw the implementation of many online solutions including online hearings and electronic management and litigation systems, such as CaseLines and Court Online in South Africa. We expect these trends to continue and increase in 2023 based on the successful implementation of these solutions and stakeholders endorsing the moves. In South Africa, stakeholders who are onboard include the Office of the Chief Justice, the Department of Justice and Correctional Services, the Johannesburg Attorneys Association.

The South African Parliament won’t amend the Consumer Protection Act

In 2022, a Parliamentary Portfolio Committee published a briefing document with proposed changes to the Act. The document did not mention direct marketing, but other sections of the Act may be affected.

The metaverse will not become mainstream

We’re sticking our neck out here and we’re not sure. And who knows what the metaverse is anyway. But many tech companies (like Apple) will launch and start selling their headsets. They will still be expensive and as a result, they won’t go mainstream in 2023. But expect it in 2024.

NewSpace law will become the next frontier

NewSpace, also known as commercial space or private space industry, is an emerging field that encompasses the development and use of space-related technologies and services by private sector entities. As NewSpace companies continue to push the boundaries of what is possible in space, legal and regulatory frameworks will be needed to govern the activities that take place within this new frontier. Space law will become a thing.