
Exploring UK Data Protection and Online Privacy Laws

By Alan Parker

In the UK, data protection and online privacy are governed by three main pieces of legislation:


  1. The UK GDPR.

  2. The Data Protection Act 2018 (DPA 2018).

  3. The Privacy and Electronic Communications Regulations 2003 (PECR).


Each plays a unique role while working harmoniously to create a comprehensive legal framework for UK data protection.


This article explores these laws, their relationship to one another, and their EU counterparts.



What Is the UK GDPR and How Does It Work?


The UK GDPR (General Data Protection Regulation) forms the backbone of the UK’s data protection regime. Retained in domestic law after Brexit, it is the UK’s version of the EU GDPR. Originally designed to harmonise data protection across the European Union, the GDPR ensures consistent rights for individuals and obligations for organisations.


Post-Brexit, the UK incorporated the GDPR into its legal framework via the European Union (Withdrawal) Act 2018.


The UK GDPR mirrors the structure and principles of the EU GDPR, including:


  • Principles of data processing (e.g., lawfulness, fairness, transparency).

  • Individual rights such as access, rectification, and erasure.

  • Obligations for data controllers and processors.


For more details, visit the ICO’s Guide to the UK GDPR.

Under the UK GDPR, the maximum fine for non-compliance is £17.5 million or 4% of global annual turnover, whichever is higher.

The UK GDPR includes amendments specific to the UK, such as replacing EU supervisory authorities with the Information Commissioner’s Office (ICO). It applies to organisations processing personal data in the UK or targeting UK residents.


What Is the Data Protection Act 2018, and Why Is It Important?


The DPA 2018 complements the UK GDPR by addressing gaps and tailoring data protection rules for the UK’s unique needs. While influenced by EU rules, it is a standalone UK law.


The DPA 2018:

  • Provides additional provisions and exemptions for processing personal data.

  • Covers areas outside GDPR’s scope, such as law enforcement and intelligence.

  • Outlines rules for processing special categories of data (e.g., criminal convictions).

  • Sets the legal age of consent for data processing at 13 in the UK.


For the full text, see the UK Government’s Legislation Website.


The DPA 2018 allows the processing of personal data for scientific or historical research purposes under certain conditions, even without the subject’s consent.

The DPA 2018 replaced the earlier Data Protection Act 1998, which implemented the 1995 EU Data Protection Directive. It remains an essential element of the UK’s legal framework post-Brexit.


What Are the Privacy and Electronic Communications Regulations 2003 (PECR)?



PECR governs specific aspects of online privacy, particularly around electronic communications. Derived from the EU’s ePrivacy Directive (2002/58/EC), PECR focuses on:


  • Consent for cookies and similar tracking technologies.

  • Rules for electronic marketing via email, text, or phone.

  • Confidentiality of electronic communications.


While PECR remains tied to the EU’s ePrivacy Directive, it is part of UK law post-Brexit. The UK government has signalled potential reforms to align PECR with domestic priorities. Until then, organisations must comply with its existing requirements, especially regarding cookie consent and marketing practices.


For practical guidance, visit the ICO’s Guide to PECR.

In 2022, the ICO fined a company £1.35 million for making 10 million nuisance marketing calls, underscoring the significant penalties for PECR breaches.


How Do These Laws Work Together?


Together, the UK GDPR, DPA 2018, and PECR create a cohesive legal framework for data protection and privacy:


  • UK GDPR provides overarching principles and rules for personal data processing.

  • DPA 2018 adds UK-specific provisions and addresses areas like law enforcement.

  • PECR regulates electronic communications, marketing, and cookie consent.


For example, a website must ensure:


  • Data handling complies with the UK GDPR and DPA 2018.

  • Cookie usage is compliant with PECR.


Fact: according to the ICO, cookie-related complaints increased by 82% between 2020 and 2021, reflecting heightened public concern over online tracking.


How Do These Laws Compare to Their EU Counterparts?

The UK GDPR and DPA 2018 are closely aligned with EU legislation:


EU GDPR:

  • The UK GDPR is a direct adaptation of the EU GDPR. Organisations operating in both regions must often comply with both sets of rules.


EU ePrivacy Directive:

  • The ePrivacy Directive underpins PECR. In the EU, it is set to be replaced by the ePrivacy Regulation, but the UK has not committed to adopting this change.


Brexit has introduced complexities for international organisations. UK organisations transferring personal data to the EU benefit from an adequacy decision, allowing free data flow. Transfers to other countries, however, require compliance with UK-specific rules.


For more on EU GDPR, visit the European Commission’s GDPR Portal.

Since 2018, the EU GDPR has resulted in over €4 billion in fines, with tech giants such as Amazon and Google among the most heavily penalised.

What Does the Future Hold for Data Protection and Privacy Laws in the UK?


The UK government is considering updates to data protection and privacy laws to reflect the country’s independent priorities. Proposed reforms, such as the Data Protection and Digital Information Bill, aim to reduce compliance burdens while maintaining high privacy standards.


For updates on legislative changes, visit the UK Parliament’s Website.

The proposed Data Protection and Digital Information Bill could save UK businesses up to £1 billion over 10 years by streamlining compliance.

For now, organisations must navigate the current framework of UK GDPR, DPA 2018, and PECR to protect personal data and uphold privacy standards effectively.



About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
