Support Centre

UK

Summary

Law: Data Protection Act 2018 ('the Data Protection Act') and the UK General Data Protection Regulation (Regulation (EU) 2016/679) ('UK GDPR')

Regulator: The Information Commissioner's Office ('ICO')

Summary: Since the UK is no longer a member of the EU, from 1 January 2021, the UK's data protection regime has been regulated by the Data Protection Act and the UK GDPR, which is broadly similar the EU GDPR. As a result, the European Commission adopted two adequacy decisions for the UK, one under the GDPR and one under the Data Protection Directive with Respect to Law Enforcement. 

In addition. on September 21, 2023, the Department of Science, Innovation and Technology ('DSIT') published the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework, designating the US as a jurisdiction that ensures an adequate level of personal data protection for data transfers in specified circumstances.

Notably, the UK does plan on updating its current data protection regime and reintroduced, on November 8, 2023, the Data Protection and Digital Information Bill which was carried over from the 2022-2023 session. The new bill aims to update and simplify the UK's data protection framework through changes in language and substance to certain provisions. The aim of the bill is to provide flexibility and reduce organizational burdens while maintaining high data protection standards.

Insights

The artificial intelligence (AI) industry in the UK has experienced significant growth over recent years, putting the UK in a strong position in the global AI market. The UK Government has expressed a 'pro-innovation' stance on AI, in terms of public funding, technology policy, and its regulatory approach, and has favored an iterative, sectoral approach to the regulation of AI. The UK's pro-innovation aim is explicit in the Government's white paper on AI regulation (the AI White Paper) and its response to the AI White Paper consultation, published in February 2024 (the Response). Amy Smyth, Fiona Maclean, and Georgina Hoy, from Latham & Watkins LLP, discuss the key ideas of the AI White Paper and the Response and compares the UK's AI regulatory landscape to other approaches around the globe.

In this Insight article, Omar Shah, Vishnu Shankar, Jack Ashfield, and Nina Jayne Carroll, of Morgan, Lewis & Bockius LLP, discuss the UK Competition and Markets Authority's (CMA) initial report on AI Foundation Models (the FM report) published in September 2023. This report provided the CMA's early views on how foundation models (FMs) are developed and deployed as well as potential future regulatory interventions. This Insight article considers the key takeaways that market players in the artificial intelligence (AI) space should be mindful of as increased regulatory scrutiny persists. 

The Data Protection and Digital Information (No. 2) Bill was first introduced to Parliament by the UK Government on March 8, 2023. Following consultation and progress through Parliament, the UK Government unveiled a raft of changes to the proposal in November 2023, renaming the legislation the Data Protection and Digital Information Bill (the Bill), all of which it deemed 'commonsense.' In its 'Changes to data protection laws to unlock post-Brexit opportunity' press release of the same date, the UK Government indicated that the changes would 'safeguard the public, prevent fraud, and unlock Brexit opportunities' creating an 'innovative data protection regime' that will 'allow the country to realize new post-Brexit freedoms which are expected to deliver new economic opportunities…of at least £4 billion.' This is all part of the UK's ambition to be a business-friendly jurisdiction for technology innovation. 

The Bill is expected to become law this spring. In a prior piece, we scrutinized the impact of some of the Government's pro-business ambitions for the prior version of the Bill. Below, Natalie Farmer, Director and Foreign Legal Consultant at Fieldfisher (Silicon Valley) LLP, examines a number of the latest changes and whether they can deliver the innovation and opportunities promoted by the UK Government's press release. It is worth keeping in mind that changes to the UK data protection regime that result in a watering down of protections for the individual may cause the UK to lose its adequacy status, restricting the free flow of data between the EU and the UK. Such a result is unlikely to translate to 'economic opportunities' for UK businesses trading with the bloc. 

In this Insight article, Sarah Cameron and Krish Khanna, from Pinsent Masons LLP, delve into the intricacies of global artificial intelligence (AI) regulation, examining diverse national approaches and their implications for businesses, standards, and international collaboration.

In this Insight article, Joanne Bone, Partner at Irwin Mitchell LLP, explores the impending data protection law reform in the UK, focusing on the proposed replacement of data protection officers (DPOs) with senior responsible individuals (SRIs).

In this Insight article, Emily Jones and Vishal Patel, from Simmons & Simmons LLP, highlight the key proposals affecting providers of Part 3 Services, arising from the Office of Communications (Ofcom) proposals included within its Illegal Harms Consultation (IHC) published on November 9, 2023, on elements of the UK's Online Safety Act (OSA). 

Post-Brexit, the UK General Data Protection Regulation (UK GDPR) applies instead of the EU General Data Protection Regulation (EU GDPR) to businesses in the UK and in relation to non-UK businesses' handling of UK individuals' information in certain circumstances. 

While almost identical to the EU GDPR, there are some key differences in the requirements that organizations subject to the UK GDPR (UK GDPR Firms) need to be aware of and comply with when transferring personal data internationally. Imminent deadlines apply in relation to some of these, as further summarized below. Lawrence Brown, from Simmons & Simmons LLP, considers the implications of the UK requirements in this area, both for UK GDPR Firms and for overseas organizations that deal with them regularly.  

It was obvious from the start that the internet would transform how individuals interacted. What perhaps wasn't taken into account at the time (understandably given those early online interfaces) was how important design would become to the online experience – both for positive and for harmful reasons. The online user experience and digital environments available in 2023 are light years away from the early years of the internet from the mid-1990s. As the design methods became more sophisticated, companies realized they could produce websites that wooed customers to spend more money (and time) on their platforms. Likewise, there are business benefits for targeted advertising or building insights where website interfaces are designed to encourage users to provide their personal data.   

It has taken some time for European law to establish requirements around good design in digital markets. It wasn't until the application of the General Data Protection Regulation (GDPR) from May 2018 that there has been a legal requirement to build online interfaces in a way that promotes data protection by Design and Default (Article 25) – itself a concept that reflects pioneering work from regulators in Canada. Alongside this data protection by design requirement, failing to design online interfaces properly can impact wider data protection principles such as fairness and transparency. It is much harder to argue that the use of personal data is fair when its collection is carried out in a way that is opaque to individuals. Victoria Hordern, from Taylor Wessing LLP, discusses what this joint paper covers on harmful design and contemplates whether we will see further enforcement in this area. 

The Information Commissioner's Office (ICO) is the designated authority in the UK to ensure compliance with data protection laws and uphold information rights in the public interest. The ICO has the power under Part 6 of the Data Protection Act 2018 (the Act) to investigate and enforce data processing activities. In this Insight article, Kelly Hagedorn, Hanna Hewitt, and Lucy Mann, from Orrick, Herrington & Sutcliffe LLP, explore the ICO's power under Part 6 of the Act to issue notices, as well as the ICO's ability to carry out dawn raids and some of the key considerations in relation to these.  

On October 2, 2023, the Information Commissioner's Office (ICO) announced that its draft Data Protection Fining Guidance (Guidance) is open for consultation. In this Insight article, Luke Dixon and Josh Day, from leading national law firm Freeths LLP, provide an overview of the key features of the Guidance and what this means for organizations.  

In the second part of this Insight article, Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, offers a more in-depth exploration of the intricacies related to compliance with the UK Information Commissioner's Office (ICO) guidance on employee monitoring. You can access part one here.

In this Insight article, Toby Pochron, from Freeths, presents a comprehensive overview of the Information Commissioner's Office's (ICO) guidance on Data Subject Access Requests (DSARs) for employers. Toby delves into the key aspects and practical considerations, equipping employers with valuable insights and actionable recommendations in navigating the complex landscape of DSARs.

Data protection legislation has been one of the fastest-evolving areas of law in recent years. An area that has continued to be strengthened and reinforced year after year is the right of access to data for data subjects.

Employers play a crucial role in ensuring that data protection rights are upheld and maintained. It would certainly be arguable that an employer is likely one of the organizations that holds the most data about a data subject, in this case, their employees. The data that an employer holds could reveal significant amounts of sensitive information about that employee, including their financial details or sensitive data about their health and well-being.

Feedback