United Kingdom

Privacy Culture

Britons, much like other Europeans do value their right to privacy and the state has an obligation to protect that right for its citizens while keeping it in balance with other rights. In comparison with other European states, the Information Commissioner’s Office (ICO), Britain’s competent authority in terms of Privacy and Data Protection, tends to follow a more business-friendly approach in enforcement. However, the ICO is also one of the most informative authorities, publishing a wide range of relevant information online, keeping UK citizens updated with all the latest trends.

According to a EuroBarometer survey sponsored by the European Commission, Britons feel more slightly more comfortable with the control of their personal data and with sharing it online. ). Other interesting perceptions that the Survey reveals relate to the Britons' attitude towards disclosure of personal data and their perceptions of management of personal data by various parties

Legal History

The basic and most comprehensive UK law governing the protection of personal information at the moment is the Data Protection Act 1998. It has evolved from the 1984 Data Protection Act, the 1987 Personal Files Act and from the incorporation of the EU Data Protection Directive 95/46/EC. The Act has been updated in 2003 and then in 2011 again with the Privacy and Electronic Communication Regulations, and a series of other statutes.

The ICO has been one of the most active data protection authorities across Europe in terms of issuing clarifications of privacy & data protection law for both consumers and businesses. The ICO hosts a wide range of resources for the public concerning identity theft, CCTV, credit, bankruptcy, employment, SPAM, nuisance calls, drones and others. For businesses the ICO has published a number of guidelines, that do not constitute binding law, but rather a best practice which if followed, will lead to legal compliance. The resources published include information on over 30 different topics including audits, anonymisation, Big Data, data sharing, data deletion, marketing, privacy by design, privacy notice, and probably most importantly, monetary penalties.

Enforcement and Court Action

The public body responsible for enforcement of data protection and privacy laws in the United Kingdom is the ICO. Over the last couple of years there is a clear trend for increased enforcement. There has been a significant increase in both the number of monetary penalties imposed as well as in the amount of these penalties. The number of actions taken by the Information Commissioner’s Office in the first half of 2014 is double than all actions taken in the whole of 2013.

In 2014 alone, The UK has seen a total of 69 actions taken by the Information Commissioner’s Office against both public and private companies in breach of Data Protection Rules. There is also a 69% rise in detected security accidents across the UK what is almost three times higher than the Global average. 

Corporate Risk

In the United Kingdom, both public and private organizations in breach of data protection & privacy laws face serious risk for actions by the Information Commissioner’s Office. In 2014, inadequate data security tops the chart in terms of Data Protection Act breaches. For such and other breaches the ICO has the power to impose:

⦁    mandatory undertakings,
⦁    enforcement notices,
⦁    monetary penalties,
⦁    criminal prosecution.

The Information Commissioner’s Office issued 11 Enforcement Notices during 2014 and imposed monetary penalties totaling £1,152,500. The large majority of those concern Direct Marketing breaches of the Privacy and Electronic Communication Regulation. Remedial action was required within a month after issuing the majority of the notices. The number of criminal law prosecutions for breaches of Data Protection & Privacy Laws in the UK has tripled since 2012 to the amount of 18 actions in total in 2014. Half of these concern failure to notify the authority for the processing of personal data. In total 29 actions for mandatory undertakings have been issued. The majority of these concern the public sector.

Future Outlook

Being part of the European Union, the United Kingdom is expected to implement the new, currently debated EU General Regulation on Data Protection (Proposal from 2012) within two years after its adoption. The final text is now highly likely to be agreed upon by late 2015 or early 2016 and to come in force in by 2017/2018. The new text is expected to bring higher standards of protection, increased (monetary) penalties for failure to adhere to obligations and more uniformity across the Continent. The new law is designed as comprehensive EU Regulation, laying very similar if not the same legal provisions across all EU Member states. to ease data protection compliance but that would not come without additional corporate risks and costs.

Data Protection & Privacy law is evolving quickly across the world including in Europe and in the United Kingdom in particular. Developments of UK jurisprudence in 2015 hint the emergence of data protection rights as a non-contractual obligation. In the Vidal-Hall et al v Google case, the UK Court of Appeals confirmed that misuse of private information can breach a non-contractual obligation for the purposes of the rules providing for service of proceedings in the English jurisdiction.  Thus, in 2015 it has been held that individuals who seek redress against a foreign company (Google Inc., based in California in that case) can bring a claim against that company when its in breach of domestic privacy laws and can claim compensation under the Data Protection Act 1998 for non-material loss. The case is still ongoing and the privacy community is following it with keen interest.


1. European Commission, EuroBaromoeter Survey on Data Protection, 28/02/2015 – 09/03/2015  <http://ec.europa.eu/justice/newsroom/data-protection/news/240615_en.htm>

2. Cecile Park Publishing Ltd., Data Guidance, Enforcement Report – Behind the Raw Numbers, September 2014 <http://www.dataguidance.com/dataguidance_enforcement_download.asp> 
3. Pricewaterhouse Coopers Legal LLP, Privacy and Security Enforcement Tracker, March 2015 <http://pwc.blogs.com/data_protection/2015/03/enforcement-tracker-download-here.html>

Data Privacy Recruitment Ltd. 

All rights reserved. All opinions expressed to be treated strictly as guidance and not as legal advice. 

September 2016
London, United Kingdom