Law: Data Protection Act 2018 ('the Act') and the UK General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
Regulator: The Information Commissioner's Office ('ICO')
Summary: The UK data protection regime is regulated by the Act, and the GDPR has been written into UK law and tailored to become the 'UK GDPR'. The European Commission has adopted two adequacy decisions for the UK, one under the GDPR (Commission Implementing Decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) and one under the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (Commission Implementing Decision of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the Adequate Protection of Personal Data by the United Kingdom). The UK GDPR and the Act establish that the ICO is the supervisory authority in the UK and detail its functions, including an obligation to prepare codes of practice. The ICO is a particularly active authority and regularly issues guidance on a wide range of topics.
Notably, on 2 February 2022, the Secretary of State laid before Parliament the International Data Transfer Agreement ('IDTA'), the international data transfer addendum to the European Commission's Standard Contractual Clauses ('SCCs') for international data transfers ('the Addendum'), and a document setting out transitional provisions, following a consultation on the same in 2021. If no objections are raised, they will enter into force on 21 March 2022. Exporters will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers, and these tools will replace the current SCCs for international transfers. Furthermore, they take into account the binding judgment of the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case').