This year in privacy: Wins and losses around the world

• New laws boost privacy protections, but enforcement is key
• Growing debate around potential harms of AI on privacy rights
• Groundbreaking neurorights verdict in Chile shows new race

This was something of a watershed year for privacy, with key legislations introduced from California to China, and heated debates around what the rapid advance of generative artificial intelligence means for individual privacy rights.

While world leaders agreed at the inaugural AI Safety Summit in Britain to identify and mitigate risks, including to consumer privacy, data breaches exposing personal data were reported at the UK Electoral Commission, genetics company 23andMe, Indian hospitals and elsewhere.

"2023 was a consistently mixed bag built on incredibly positive foundations: there are oversight bodies and policy-makers doing their jobs to hold bad actors to account at levels we have never seen before," said Gus Hosein, executive director at advocacy group Privacy International.

"Looking forward, governments can either act to create safeguards, or they can see the digital world start burning around them with rampant state-sponsored hacking, unaccountable automated decision making (and) deepening powers for Big Tech," he told Context.

"One huge question is this: where do Large Learning Models get their data from tomorrow? I'm worried it will be about getting it from people in ways beyond our control as consumers and citizens."

These are the year's most consequential privacy milestones, and what they mean for digital rights:

EU Digital Services Act

The sweeping Digital Services Act went into effect on Aug. 25, imposing new rules on user privacy on the largest online platforms, including banning or limiting of some user-targeting practices and imposing stiff penalties for any violations.

The EU's success in implementing this and other tech laws such as the Digital Markets Act, could influence similar rules elsewhere around the world, much like the General Data Protection Regulation (GDPR) did, tech experts say.

But enforcement is a challenge, with any infringement procedure against a company dependent on external reports that must be done at least once a year by independent auditing organisations. These audits aren't due until August 2024.

UK Online Safety Bill

The UK parliament in September passed the Online Safety Bill, which aims to make the UK "the safest place" in the world to be online.

But digital rights groups say the bill could undermine the privacy of users everywhere, as it forces companies to build technology that can scan all users for child abuse content - including messages that are end-to-end encrypted.

Moreover, the bill's age-verification system meant to protect kids will "invariably lead to adults losing their rights to private speech, and anonymous speech, which is sometimes necessary," noted the Electronic Frontier Foundation.

India's Personal Data Protection Bill

India passed a long-delayed data protection law in August, which digital rights experts quickly denounced as privacy-damaging and hurting rather than protecting fundamental rights.

The law "grants unchecked powers to the government, including on censorship and surveillance, while jeopardising the rights to information and free speech," noted digital rights group Access Now.

"It's a bad law ... the Data Protection Board lacks independence from the government, which is among the largest data miners (and) people whose privacy has been breached are not entitled to compensation, and are threatened with penalties," said Namrata Maheshwari, Access Now's policy counsel in Asia.

China real-name policy

On Oct. 31, China's most popular social media sites - including microblogging platform Weibo, super app WeChat, Chinese TikTok Douyin and search engine Baidu - announced that so-called self-media accounts with more than 500,000 followers will be required to display real-name information.

Self-media includes news and information not necessarily approved by the government, and the new measures will remove the anonymity of thousands of influencers on platforms that are used daily by hundreds of millions of Chinese.

Users have expressed concerns about privacy violations, doxxing and harassment, and greater state surveillance, and several bloggers have quit the platforms. Authorities in Vietnam said they are considering similar rules.

California Delete Act

California Governor Gavin Newsom in October signed the Delete Act, which enables Californians to either ask data brokers to delete their personal data, or forbid them from selling or sharing it, with a single request.

"It helps us gain better control over our data and makes it easier to mitigate the risks that the collection and sale of personal information create in our everyday lives," the Electronic Frontier Foundation said.

But a federal judge in September blocked enforcement of the California Age-Appropriate Design Code that was seen as a major win for privacy protections and safety for children online when it was passed last year.

Chile neurorights verdict

The Chilean Supreme Court in August issued a ruling ordering Emotiv, a U.S. producer of a commercial brain scanning tool, to erase the data it had collected on a former Chilean senator, Guido Girardi.

The ruling - the first of its kind - puts Latin America at the forefront of a new race to protect the brain from machine mining and exploitation, with countries including Brazil, Mexico and Uruguay considering similar provisions.

"It is a significant victory for privacy advocates and sets a precedent for the protection of neural data around the world through the explicit establishment and protection of neurorights," the NeuroRights Foundation, a U.S.-based advocacy group, said.

(Reporting by Rina Chandran. Editing by Zoe Tabary)