Data Protection in the United Kingdom

Data protection laws in the United Kingdom

Following the UK’s exit from the European Union, the UK Government has transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made a number of technical changes to the GDPR in order to account for its status as a national law of the United Kingdom (e.g. to change references to “Member State” to “the United Kingdom”). These changes were made under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. At this time, all material obligations on controllers and processors essentially remain the same under the UK GDPR as under the ‘EU GDPR’.

The Data Protection Act 2018 (“DPA”) remains in place as a national data protection law, and supplements the UK GDPR regime. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as data subject rights).

In addition,

  • Part 3 of the DPA transposes the Law Enforcement Directive ((EU) 2016/680) into UK law, creating a data protection regime specifically for law enforcement personal data processing;
  • Part 4 of the DPA updates the data protection regime for national security processing; and
  • Parts 5 and 6 set out the scope of the Information Commissioner's mandate and her enforcement powers, and create a number of criminal offences relating to personal data processing.

On 8 March 2023, the new ‘Data Protection and Digital Information (No. 2) Bill’ (“the Bill”) was introduced to Parliament following on from the consultation by the Department for Culture, Media and Sport on data protection reforms. The anticipated reforms aim to reduce the compliance burden on organisations. A few of the proposed changes in the Bill include:

  • Amendments to certain definitions, such as “identifiable living individual” (impacting the definition of “personal data”) and the meaning of research and statistical purposes;
  • Amendments to data protection principles, including the addition of recognised ‘legitimate interests’ to assist with determining an applicable legal basis;
  • Amendments to the conduct of data subject rights, by recognising requests that may be “vexatious or excessive”; and
  • Amendments to the obligations of controllers and processors which generally provide more flexibility than the current position, for example with regard to complying with accountability obligations.

It is expected that the Bill will be debated and amended further as it passes through the House of Lords in the first months of 2025, and will likely be enacted through the course of the year.

Territorial Scope

The application of the UK GDPR turns principally on whether an organisation is established in the United Kingdom. As under the EU GDPR, an 'establishment' may take a wide variety of forms, and is not limited to a company registered in the United Kingdom.

The UK GDPR also has extra-territorial effect, following the same principles as set out in the EU GDPR. As a result, an organisation that is not established within the United Kingdom will be subject to the UK GDPR if it processes personal data of data subjects who are in the United Kingdom where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) to such data subjects in the United Kingdom or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the United Kingdom.
