The United Kingdom formally withdrew from the European Union on January 31st, 2021, leaving behind a significant gap in rules.

In fact, Brexit meant the U.K.'s exit from the entire European legal system, which had for decades covered fundamental sectors of English society and the economy. One of these is the field of data protection, governed by Regulation (EU) 2016/679, commonly known as the “General Data Protection Regulation”.

Considering how deeply this topic affects modern society, it is crucial for the European Union to provide its citizens with the highest standard of security when data is transferred from the European Economic Area to the U.K., now considered a “Third Party”.

According to art. 45, par. 1 GDPR, “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization”.

On June 28th, 2021, the European Commission adopted the implementing decision (EU) 2021/1773, which states that the level of data protection guaranteed by U.K. legislation is equivalent to the European one.

The English data protection system is based on three main sets of rules. At the constitutional level, the Human Rights Act of 1998 (which integrates the European Convention of Human Rights) protects private life and personal data and guarantees respect for the “due process principle”.

In preparation for Brexit, the English Government adopted in 2018 the European Union Withdrawal Act, with which the U.K. incorporated European law, including the Directive (EU) 2016/680 on data protection. Within this context, it is important to underline that this law required that the rules derived from European law be interpreted in conformity with the European general principles of law and the jurisprudence of the European Court of Justice.

The data protection framework is completed by the sectoral police rules, which may differ between Regions. In addition, fundamental interpretive criteria concerning the correct exercise of public authority are introduced by different documents, such as the Ethic Code, the Code of Practice on the Management of Police Information, the Authorised Professional Practice on the Management of Police Information or the National Police Chiefs Council’s operational guidelines.

Some of the most relevant documents on the correct use of data by public authorities are generally formulated by the Information Commissioner (I.C.O.). Even though these documents are not legally binding, they tend to be considered by the Judicial Power as fundamental criteria of interpretation.

The E.U. Commission, after conducting an in-depth analysis of the English legislation on data protection, finally stated in 2021 that the former Member State still guarantees a level of protection equivalent to that of the E.U., so that the transfer of European citizens’ data to the U.K. can be safely conducted.

In fact, the adequacy decision recognized that the English data protection is based on the same principles of law. Specifically:

The protection of E.U. citizens’ data does not end in the U.K. In fact, the chain along which information travels generally involves different States, so the adequacy evaluation of data protection also requires that the U.K. be able to guarantee security for the subsequent data processing.

Following the Schrems decisions of the European Court of Justice, the evaluation of the Third State’s controlling and enforcement systems is essential. In the U.K., the I.C.O. is the independent authority with monitoring powers on data protection. This entity carries out the required investigations; it can order public authorities to take specific actions to counter violations, and it can enforce sanctions.

The adequacy decision is due to expire by the 27th June 2025. Until this date, the European Commission will continue to monitor the application of the adequacy decision, in light of the continuous cooperation between these two European Powers in the data processing field.