Q&A: the data protection legal framework in United Kingdom

Law and the regulatory authority

Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?

The primary legal instruments include the UK’s Data Protection Act 2018 (DPA 2018) and Regulation (EU) 2016/679 (the General Data Protection Regulation) as transposed into national law of the United Kingdom by the UK European Union (Withdrawal) Act 2018 and amended by the UK Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the UK GDPR).

Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?

DPA 2018 and the UK GDPR are supervised by the Information Commissioner’s Office (ICO). The ICO may:

• seek entry to premises subject to a warrant issued by a court;
• require the provision of information by service of information notices;
• by notice, require government departments to undergo a mandatory audit (referred to as ‘assessment’); and
• conduct audits of private sector organisations with the consent of the organisation.

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

Following the UK’s exit from the European Union, the ICO no longer participates in the GDPR’s ‘one-stop-shop’ mechanism, under which organisations with a main establishment in the European Union may primarily be regulated by the supervisory authority of the jurisdiction in which the main establishment is located (lead supervisory authority).

DPA 2018 requires the ICO, concerning third countries and international organisations, to take steps to develop cooperation mechanisms to facilitate the effective enforcement of legislation relating to the protection of PI, to provide international mutual assistance in the enforcement of legislation for the protection of PI, to engage relevant stakeholders in discussion and activities, and to promote the exchange and documentation of legislation and practice for the protection of PI.

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

The ICO has several enforcement powers. Where a data controller or a data processor breaches data protection law, the ICO may:

• issue undertakings committing an organisation to a particular course of action to improve its compliance with data protection requirements;
• serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps, to ensure they comply with the law; and
• issue fines of up to the greater of €17.5 million or 4 per cent of annual worldwide turnover, depending on the nature of the violation of DPA 2018 and UK GDPR.

Several breaches may lead to criminal penalties. The following may constitute criminal offences:

• making a false statement concerning an information notice validly served by the ICO;
• destroying, concealing, blocking or falsifying information to prevent the ICO from viewing or being provided with the information;
• unlawfully obtaining PI;
• knowingly or recklessly re-identifying PI that is de-identified without the consent of the data controller responsible for that PI;
• altering PI to prevent disclosure of the information in response to a data subject rights request;
• requiring an individual to make a subject access request; and
• obstructing the execution of a warrant of entry, failing to cooperate or providing false information.

Criminal offences can be prosecuted by the ICO or by or with the consent of the Director of Public Prosecutions.

Scope

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

Exemptions from the full rigour of the law apply in some circumstances and for some instances of processing. A wide exemption applies to the processing by individuals for personal and domestic use, but no sectors or institutions are outside the scope of the law. Recent European case law has clarified that this exemption applies only to purely domestic or household activities, with no connection to a professional or commercial activity. This means that if PI is only used for such things as writing to friends and family or taking pictures for personal enjoyment, such use of PI will not be subject to the UK General Data Protection Regulation (the UK GDPR).

The UK GDPR and the Data Protection Act 2018 (DPA 2018) apply to private and public sector bodies. That said, the processing of PI by competent authorities for law enforcement purposes is outside the scope of the UK GDPR (eg, the police investigating a crime). Instead, this type of processing is subject to the rules in Part 3 of DPA 2018. Also, PI processed to safeguard national security or defence is also outside the scope of the UK GDPR. However, it is covered by Part 2, Chapter 3 of DPA 2018 (the applied GDPR), which contains an exemption for national security and defence. Part 4 of DPA 2018 sets out a separate data protection regime for the intelligence services (eg, MI5, SIS (sometimes known as MI6) and GCHQ).

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?

Electronic marketing is specifically regulated by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (as amended), although the UK GDPR and DPA 2018 often apply to the same activities, to the extent that they involve the processing of PI. Interception and state surveillance are covered by the Investigatory Powers Act 2016 and the Regulation of Investigatory Powers Act 2000. The interception of business communications is regulated by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

Are there any further laws or regulations that provide specific data protection rules for related areas?

The law includes many provisions dealing with information; for example, the regulation of credit files is covered in the Consumer Credit Act 1974. Laws on e-commerce include provisions linked to the regulation of PI. Laws on defamation, copyright and computer misuse also affect data protection. However, there is no specific data protection sectoral legislation. The United Kingdom has a range of soft law instruments, such as codes of practice for medical confidentiality or the management of information held for policing, that apply in specific sectoral areas.

The DPA 2018 requires the Information Commissioner’s Office (ICO) to draw up and publish codes of practice that relate to data sharing, direct marketing, age-appropriate design and data protection, and journalism. A number of these codes are not yet in force and are in the consultation phase. The ICO’s Age Appropriate Design Code came into force on 2 September 2020, and following a 12-month transition period, organisations are now expected to conform to its requirements (as of 2 September 2021). In addition, the ICO’s Data Sharing Code of Practice came into force on 5 October 2021. This code provides practical guidance for organisations regarding how to share PI in a manner that complies with DPA 2018 and UK GDPR.

The PECR sits alongside DPA 2018 and the UK GDPR. They give individuals specific privacy rights concerning electronic communications. In particular, the PECR sets out requirements for:

• making marketing calls, sending marketing emails and texts;
• the use of cookies (and similar technologies) on individuals’ devices;
• keeping communications services secure; and
• customer privacy regarding traffic and location data, itemised billing, line identification and directory listings.

The United Kingdom has implemented the Network and Information Systems Regulations 2018 (the NIS Regulations). The UK NIS regime also includes an implementing act for digital service providers (the DSP Regulation) and specifies security requirements and incident reporting thresholds for certain organisations. While the UK GDPR concerns PI, the NIS Regulations concern the security of network and information systems. That said, there is a significant crossover between the UK GDPR and NIS Regulations, in particular owing to the UK GDPR’s security requirements. In this respect, the application of the NIS Regulations is broader as it applies to digital data and not just PI.

The NIS Regulations apply to operators of essential services (OES) and relevant digital service providers (RDSPs) and are intended to address the threats posed to network and information systems. To this end, its primary focus is on cybersecurity measures. In particular, the NIS Regulations require RDSPs and OES to take appropriate and proportionate measures to manage the risks posed to the security of network and information systems.

What categories and types of PI are covered by the law?

The UK GDPR and DPA 2018 cover PI held in electronic form plus such information held in structured files, called ‘relevant filing systems’. To fall within this definition, the file must be structured by reference to individuals or criteria relating to them, so that specific information about a particular individual is readily accessible.

Ultimately, whether a manual file is part of a relevant filing system is a matter of fact as well as law, and must be considered on a case-by-case basis.

Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?

Organisations that are data controllers or data processors fall within the scope of the law if they are established in the United Kingdom and process PI in the context of that establishment, or if they are not established in the United Kingdom but offer goods or services to individuals located in the United Kingdom, or monitor the behaviour of individuals located in the United Kingdom.

A data controller or data processor is ‘established’ in the United Kingdom if it is resident in the United Kingdom, is incorporated or formed under the laws of England and Wales, Scotland or Northern Ireland, or maintains and carries on activities through an office, branch, agency or other stable arrangements in the United Kingdom. Where a data controller or data processor is established in the United Kingdom, UK GDPR and DPA 2018 will apply regardless of whether the processing takes place in the United Kingdom or not.

Data controllers established outside the United Kingdom that are subject to the UK GDPR and DPA 2018 must nominate a representative in the United Kingdom.

Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?

The UK GDPR and DPA 2018 apply to data controllers (ie, those who decide the purposes and the means of the data processing) and data processors (who process PI on behalf of data controllers). As such, the data controllers are the main decision makers and they exercise overall control over the purposes and means of the processing of PI. Data processors act on behalf of, and only on the instructions of, the relevant data controller.

Law stated date

Give the date on which the information above is accurate.

9 May 2022