Data Regulations

In the UK, the key regulations* that govern data protection are the General Data Protection Regulation (GDPR), the UK’s Data Protection Act (2018) and the Privacy and Electronic Communications Regulations, also known by its abbreviation PECR. The UK’s regulator for data protection is the Information Commissioner’s Office (ICO).

It is worth highlighting that the EU’s Privacy & Electronic Communications Directive (2002), or e-Privacy Directive for short and which PECR is based on, is in the process of being revised to become the e-Privacy Regulations, taking into consideration the changes introduced by GDPR. Even though the UK will leave the EU, the e-Privacy Regulation will have a bearing on UK organisations if they are handling EEA citizens’ data. Like GDPR, the new e-Privacy regulations will have extra-territorial reach.

We thought it would be useful to include links to the California Consumer Privacy Act (CCPA), which came into force on 1 January 2020. The legislation is similar in scope to the GDPR but is the most extensive shake up in consumer data protection laws in the US. There are already moves to implement a privacy law at the Federal level. Like the EU laws, they will also have extra-territorial reach.

EU regulations 

• General Data Protection Regulations (GDPR) (2016) – This is the main law that covers data protection across the EU and EEA Member States.
• Privacy and Electronic Communications Directive (2002/58/EC) – This EU directive covers organisations that wish to send electronic marketing messages (by phone, fax, email or text), use cookies, or provide electronic communication services to the public.
• Privacy and Electronic Communications Regulations (Draft) 8 Nov 2019 13808/19 – Link to the latest draft of the e-Privacy Regulations text. The text remains under negotiation at the EU level.

UK Legislation

• Data Protection Act 2018 – Sets the UK standards for protecting general data, in accordance with the GDPR but it also ensured that the UK had a operable data protection framework after Brexit.
• The Privacy and Electronic Communications Regulations (PECR) (2003) – This regulation is a UK transposition of the EU e-Privacy Directive (2002). Please note that the 2003 legislation is the original statutory instrument, there have been subsequent revisions since then.
• Information Commissioner’s Office Direct Marketing Code of Practice (draft for consultation) – this draft code applies to anyone who processes personal data for direct marketing purposes. It explains the law and provides good practice recommendations for those conducting direct marketing and those who participate in the broader direct marketing ecosystem. The code is undergoing public consultation until 4 March 2020 and is expected to be finalised later in the year.

US Regulations

• California Consumer Privacy Act – This law has similar scope to GDPR and came into effect on 1 January 2020.
• Consumer Data Protection Act – A draft text of a Federal level data protection law

Key Regulatory Bodies

UK’s Information Commissioner’s Office

European Data Protection Board (EDPB) –  The EDPB is composed of representatives of EEA national data protection authorities and the European Data Protection Supervisor. It is established by the GDPR and is based in Brussels.

Federal Trade Commission (FTC) – Unlike Europe, the US does not have a specific data protection authority. Instead the FTC has very broad powers which cover consumer data protection.

*For in depth legal advice please visit the ICO website or consult a legal professional.