In 2023, data governance policy hits the ground running

Digital policy develops rapidly. To enable foresight, our monitoring extends to scheduled developments that lie in the future. In this post, we lay out what’s already known on upcoming data governance policy in 2023.


Tommaso Giardini


05 Jan 2023

On 1 January 2023, Microsoft began the phased rollout of the EU Data Boundary for its cloud services . This instance of digital fragmentation followed a turbulent year for the digital economy, in which policymakers and regulators have kept busy imposing new rules: 1404 regulatory developments affecting the digital economy were documented by the Digital Policy Alert (DPA) last year. Of these, almost half stem from a single policy area: data governance (622). To complement previous briefings on past activity and introduce the new forward-looking feature of our website, this post lays out what's already known on upcoming data governance policy in 2023.

Our initiative provides an early warning system for digital policy developments. To this end, we monitor the entire life cycle of policy changes, throughout the public drafting stage (i.e. the announcement, drafting and public consultation), the legislative process (i.e. the introduction and adoption or rejection) and, finally, the implementation, enforcement and, where applicable, revocation. This “life cycle coverage” enables DPA users to stay informed on upcoming developments based on systematically collected policy evidence. To showcase the information contained in the DPA database, we synthesise the domestic1 data2 policy3 developments that are scheduled for implementation next year, currently in the legislative process and still in the public drafting stage.

In 2023, data governance policy hits the ground running

Upcoming implementation dates provide clear foresight into the policy landscape of 2023. Already on 1 January 2023, 9 data policies were implemented globally. In the US, this included the Amendment to the Virginia Consumer Data Protection Act and the California Privacy Rights Act of 2020, which amends the California Consumer Privacy Act to add, among others, employee data protection. Throughout 2023, 23 further data policies will be implemented. Compliance for firms operating across US states will be complicated by novel privacy laws in Connecticut, Colorado and Utah, which pursues a business-friendly approach. In Europe, the Swiss Revised Federal Data Protection Law will introduce the right to data portability, impose new obligations for data controllers and expand the powers of the Federal Data Protection and Information Commissioner. The EU Data Governance Act will enact rules on data marketplace neutrality, facilitate access to public-sector data and establish common European data spaces. In Asia, a batch of Chinese Cybersecurity Standards will set requirements across 14 technologies, including facial recognition, instant messaging and online shopping. Finally, the novel Saudi Arabian Personal Data Protection Law will oblige data controllers to conduct a privacy impact assessment and register with authorities.

70 data policies proposed in 2022 are currently in the legislative process at the time of writing.4 In the EU, the Artificial Intelligence Act would establish data protection rules concerning "high-risk" AI systems, especially relating to their training, validation and testing data. In Canada, the Digital Charter Implementation Act 2022 would enhance consumer privacy protection, establish a specialised “Personal Information and Data Protection Tribunal” and regulate data governance in AI applications. Argentina's Personal Data Protection Law would reform the existing regime from 2000 to enhance data subject rights, introducing the right to access, rectify and delete data. China is considering Amendments to the Cybersecurity Law including stricter network security requirements and higher penalties. Finally, the UK Data Protection and Digital Information Bill would tighten data security rules, ease data governance obligations for small businesses and change online cookie consent practices.

57 data policy proposals are still in the public drafting stage. They are to be monitored closely since their content may change considerably over time. Arguably the most important policy development for the global digital economy is the EU's current circulation of the draft EU-US adequacy decision, aiming to advance the prominent data transfer negotiations following the publication of the U.S. Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities . But important drafting efforts are also ongoing elsewhere. In India, the government held a consultation on the Digital Personal Data Protection Bill 2022 , shortly after the previous proposal including a data localisation requirement was rejected. Two of India's neighbouring countries are deliberating drafts that still prescribe such localisation: Bangladesh's draft Data Protection Act 2022 would require sensitive, classified and user-generated data to be stored locally, while Pakistan's draft Personal Data Protection Bill would demand localisation of "critical personal data". Saudi Arabia consulted the public on amendments expanding the scope of the Personal Data Protection Law even before its implementation. In Namibia, the public provided input on the Data Protection Act containing data protection obligations and data subject rights. Concluding with the EU, a consultation was held on the Data Act containing rules on international non-personal data transfers.

This synthesis of upcoming data policy developments gives a glimpse of what 2023 will bring, but there is more to come. The pace of policy developments is not set to decrease, as the abovementioned policies advance and new proposals emerge. The Digital Policy Alert will monitor digital policy to deliver transparency in 2023 and develop new features to provide users with continuous foresight. To this end, today we introduce a continuously updated DPA thread page on upcoming data policy and an expanded notification service.

[1] The focus on domestic policy excludes the discussion of international agreements on digital trade such as the Singapore-Korea Digital Partnership Agreement.

[2] The focus on data excludes the discussion of relevant developments in other policy areas, such as the EU Digital Services Act and Digital Markets Act.

[3] The focus on policy exludes the discussion of enforcement action (see, for instance, recent developments in competition enforcement).

[4] The writing concluded before the closure of the 117th US Congress session, hence no federal US proposals are considered.