Data Protection in the United Kingdom

From GDPRhub
Data Protection in the United Kingdom
Uk.png
Data Protection Authority: ICO (UK)
National Implementation Law (Original): Data Protection Act 2018
English Translation of National Implementation Law: n/a
Official Language(s): English
National Legislation Database(s): Link
English Legislation Database(s): n/a
National Decision Database(s): BAILII

Legislation

History

The first Act of Parliament concerning data protection was the Data Protection Act 1984. This was then repealed when the Directive 95/46/EC came into force. Instead, the Data Protection Act 1998 implemented the EU Directive.

The General Data Protection Regulation 2016/679 was then implemented into national law through the Data Protection Act 2018.

National constitutional protections

As the UK does not have a written constitution, it is difficult to identify "constitutional protection" of rights. However, that is not to say that constitutional protection do not exist generally. There are certain "civil liberties" that have gained a higher level of protection domestically. However, the right to data protection or privacy is not one of them.

The UK has enshrined the European Convention on Human Rights (ECHR) into national law through the Human Rights Act 1998 (HRA). The ECHR rights are therefore directly applicable in the UK. This includes Article 8 (right to privacy) which encompasses the right to data protection. According to case law, this Act of Parliament (HRA) has been granted a constitutional status. It cannot be repealed "implicitly" as is normally the case with normal Acts of Parliament (it must be done "explicitly"). This was first outlined in Thorburn v Sunderland City Council in 2002 and reiterated in HS2 Action Alliance Ltd, R (ex parte) v The Secretary of State for Transport in 2014. Nonetheless, it is important to note that whilst the HRA's constitutional status grants it further protection, it cannot be equated to the protection afforded when a right is enshrined in the written Constitution of a country as the UK Parliament still has the right to create an Act of Parliament that goes against it, so long as it expressly repeals the HRA (principle of parliamentary sovereignty).

National GDPR implementation law

In United Kingdom, the GDPR is implemented by the Data Protection Act 2018.

The application of the GDPR is however limited during the UK's transition period out of the EU (in the context of Brexit). This is clear from Title VII (Articles 70-74) of the Agreement on the Withdrawal of the UK from the EU.

At this point in time, it is uncertain what will happen beyond the end of the transition period (31 December 2020).

Age of consent

The age of consent in English contract law is 18. This is provided for in Article 1 of Family Law Reform Act 1969, which sets the age of majority.

Freedom of Speech

Article 26 of Part 5 of Schedule 2 of the Data Protection Act 2018 provides an exemption for processing for reasons of freedom of expression wherever it is for journalistic, academic, artistic and literary purposes. This exemption is based on Article 85(2) GDPR.

According to Article 26(3) of the 2018 Act, certain GDPR provisions (listed in Article 26(9)) will not apply where the controller "reasonably believes" that these provisions would be incompatible with the aforementioned purposes. This is only the case where processing is carried out for the publication of journalistic, academic, artistic and literary material and where the controller "reasonably believes" that publication would be in the "public interest" (Article 26(2)). There are various factors to consider when determining whether publication would be in the public interest (Articles 26(4) to 26(6)).

Employment context

You can help us fill this section!

Research, Statistics and Archiving

Article 27 of Part 6 of Schedule 2 of the Data Protection Act 2018 provides derogations from certain GDPR rights where personal data is processed for scientific or historical research or statistical purposes. This Article applies only to the extent that those GDPR provisions would "prevent or seriously impair the achievement of the purposes in question". Article 89 GDPR allows Member States to derogate from these GDPR rights for such purposes.

Other relevant national provisions and laws

You can help us fill this section!

National ePrivacy Law

The Privacy and Electronic Communications (EC Directive) Regulations 2003 is the Statutory Instrument that implemented the ePrivacy Directive 2002/58/EC.

Data Protection Authority

The Information Commissioner’s Office (Information Commissioner’s Office) is the national data protection authority for the United Kingdom.

→ Details see ICO (UK)

Judicial protection

Civil Courts

You can help us fill this section!

Administrative Courts

There is no distinction between Civil and Administrative courts in the UK other than different "Divisions" of the same court.

Constitutional Court

You can help us fill this section!