UK Data Protection Legislation

Published 28 Aug 2021

S.3 (9) of the Data Protection Act 2018 as amended by reg 4 and para 4 (3) of schedule 2 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 419) defines "The data protection legislation" as
"(a) the UK GDPR,
......
(c) [that] Act, 
(d) regulations made under this Act, and 
(e) regulations made under section 2(2) of the European Communities Act 1972 which relate to ......  the EU GDPR or the Law Enforcement Directive."

Legislative History 

Between 1998 and 2018 the data protection laws of the member states of the European Union had been harmonized by the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31–50)).  That directive was implemented in the UK by the Data Protection Act 1998.

On 25 May 2018 the directive was repealed by the General Data Protection Regulation (Regulation (EU)  of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC OJ 4.5.2016 L119), known as "the GDPR". The GDPR laid down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. That regulation did not apply to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The Council and Parliament adopted the Law Enforcement Directive (Directive (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA) to lay down rules for such processing.

The GDPR and the Law Enforcement Directive came into force during the notice period provided by art 50 of the Treaty on European Union. During that time, EU law including the GDPR and the Law Enforcement Directive continued to apply to the UK. The UK parliament enacted the Data Protection Act 2018 to repeal the Data Protection Act 1998 with effect from 25 May 2018 when the GDPR came into force. The 2018 Act also implemented the Law Enforcement Directive and supplemented the GDPR.

The United Kingdom left the European Union on 31 Jan 2020 in accordance with the Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community.  Although art 50 of the Treaty provided for EU law (which included the GDPR and the Law Enforcement Directive) to cease to apply to the UK upon its departure, art 126 of the withdrawal agreement provided for a transition or implementation period during which EU law would continue to apply until 31 Dec 2020.

Since 31 Dec 2020, the GDPR has continued to apply to the rest of the European Union. That is what s.3 (9) of the Data Protection Act 2018 calls "EU GDPR". On 31 Dec 2020, all EU laws including the GDPR ceased to apply to this country. Also on that day, s.3 (1) of the European Union (Withdrawal) Act 2018 incorporated all EU regulations into the domestic laws of England, Wales, Scotland and Northern Ireland. The Act enabled the government to amend those regulations by statutory instrument. Accordingly, The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 made a number of amendments to both the GDPR and the Data Protection Act 2018. The GDPR as amended and incorporated into domestic law is known as "UK GDPR".

The Legislative Framework

S.1 of the Data Protection Act 2018 as amended by the 2019 regulations provides:

"(1) This Act makes provision about the processing of personal data. 

(2) Most processing of personal data is subject to the UK GDPR. 

(3) Part 2 supplements the UK GDPR. 

(4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes.

(5) Part 4 makes provision about the processing of personal data by the intelligence services.  

(6) Part 5 makes provision about the Information Commissioner. 

(7) Part 6 makes provision about the enforcement of the data protection legislation.

(8) Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament."

Where to Find the Law

The government has published unofficial consolidations of the Data Protection Act 2018 as amended and the UK GDPR known as "Keeling Schedules". Together, these form the nearest thing that we have to a data protection code in this country. 

Proposals for Change

On 26 Aug 2021 Oliver Dowden, Secretary of State for Digital, Culture, Media and Sport, issued a press release entitled "UK unveils post-Brexit global data plans to boost growth, increase trade and improve healthcare", which I discussed in "Dowden's Data Protection Plans" on 27 Aug 2021. The press release gave very little indication as to what the Secretary of State had in mind, but codifying the Act and the UK GDPR in a single statute would be an obvious improvement.

Further Information

Anyone wishing to discuss this information or data protection generally may call me on 020 7404 5252 during office hours or send me a message through my contact form.