Preface
The UK is currently China's third largest trading partner, second largest investment destination, and third largest source of foreign investment in Europe, while China is the UK's largest trading partner in Asia.
According to the Ministry of Commerce, the National Bureau of Statistics, and the State Administration of Foreign Exchange, China's investment cooperation with the UK has grown rapidly from 2018 to 2022. Both state-owned and private enterprises are relatively active, and investment areas have extended from traditional industries such as finance and energy to high-end manufacturing, infrastructure, information technology, and other fields. As of the end of 2022, China's stock of direct investment in the UK was 19.35 billion US dollars.
This article introduces the current state of data protection legislation in the UK and offers suggestions on preventing data protection risks for Chinese companies expanding into the UK.
1. Overview of Personal Data Protection Legislation in the UK
The UK formally withdrew from the EU on January 31, 2020, and the EU's General Data Protection Regulation (EU GDPR) no longer applies. Correspondingly, the UK General Data Protection Regulation (UK GDPR) came into effect on January 1, 2020. The UK GDPR is based on the EU GDPR and has not been substantially revised. It is the foundational law of the UK's personal data protection system.
The UK GDPR sets out the core definitions and basic data protection principles related to the processing of personal data, the legal basis for processing personal data, and the relevant responsibilities and obligations applicable to organizations and individuals processing personal data within the scope of the UK GDPR. The UK GDPR also stipulates the rights of natural persons as data subjects, including the right to legal remedies and rights related to personal data.
On September 10, 2021, the UK Department for Digital, Culture, Media and Sport announced that the UK government was consulting the public on reform of the UK data protection framework. In March 2023, the UK Parliament released the Data Protection and Digital Information Bill (No. 2), which aims to amend the UK GDPR. If passed, it is expected to create significant differences between the UK GDPR and the EU GDPR.
Another key legislation in the field of data protection in the UK is the Data Protection Act 2018. The Data Protection Act 2018 came into effect on May 25, 2018, and was revised after Brexit and implemented on January 1, 2021.
The Data Protection Act 2018 supplements the UK GDPR and includes certain restrictions on the data protection regime established by the UK GDPR. For example, the Data Protection Act 2018, as authorized by the UK GDPR, may restrict the rights of data subjects under the UK GDPR for legitimate purposes such as public safety or protecting judicial independence. The Data Protection Act 2018 also contains provisions on personal data processing activities outside the scope of the UK GDPR, including government processing of personal data for law enforcement purposes and the processing of personal data by specific intelligence agencies [9].
In addition to the UK GDPR and the Data Protection Act 2018, other UK regulations relevant to data security include the Telecommunications (Security) Act 2021 [10] and the Privacy and Electronic Communications Regulations [11], among others.
2. The Main Elements of Personal Data Protection in the UK
(1) Extraterritorial effect
Both the UK GDPR and the Data Protection Act 2018 have extraterritorial effect. In addition to applying to the processing activities of personal data controllers and processors established within the UK (regardless of whether the processing takes place in the UK) [12], they also apply to the processing activities of controllers or processors established outside the UK in the following circumstances:
(1) They offer products or services to data subjects within the UK; or
(2) They monitor the behavior of data subjects within the UK [13].
(2) The meaning of personal data
The UK GDPR and the Data Protection Act 2018 have not changed the key definitions of the EU GDPR. Personal data means any information relating to an identified or identifiable natural person, but does not include information relating to a deceased natural person [14].
The UK GDPR gives heightened protection to special categories of personal data. Personal data controllers and processors must obtain the explicit consent of the data subject when processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and when processing genetic data, biometric data used for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person's sex life or sexual orientation. The Data Protection Act 2018 sets out, in a dedicated schedule, detailed legal requirements and restrictions that controllers and processors must follow when processing special categories of personal data.
(3) Main obligations of personal data controllers and processors
As in the EU GDPR, the obligations of personal data controllers and processors run through the entire UK GDPR, covering compliance with the basic principles of personal data processing, having a lawful basis for processing, protecting personal data, applying data protection by design and by default, and so on.
In principle, the processing of personal data requires the consent of the data subject, unless one of the following other lawful grounds applies:
(1) Processing is necessary for the performance of a contract to which the data subject is a party;
(2) Processing is necessary to fulfill a legal obligation of the personal data controller;
(3) Necessary to protect the important interests of data subjects or other natural persons;
(4) Necessary for carrying out tasks in the public interest or for exercising official powers granted to personal data controllers;
(5) Processing is necessary for the legitimate interests pursued by the personal data controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child [17].
In addition, personal data controllers and processors must fulfill other data protection obligations, including complying with the basic principles of personal data processing [18], adopting security measures appropriate to the processing risks [19], applying data protection by default [20], conducting data protection impact assessments [21], and notifying data subjects and the Information Commissioner's Office (ICO) of security incidents [22].
(4) Registration system
The Data Protection Act 2018 requires all personal data controllers to register with the ICO and pay an annual fee, unless they meet the exemption criteria [23].
The Data Protection (Charges and Information) Regulations 2018 [24] further set fee tiers based on the potential risk of the controller's processing of personal data. The fee for each tier depends on the number of employees, annual turnover, organizational size, and organization type (for example, businesses, public bodies, charities, or occupational pension schemes) [25]. If all of a controller's processing activities are exempt from the fee, the controller need not pay it. Exemptions include processing personal data purely for personal or household purposes and filming in public places.
If the personal data controller fails to pay the fees in full, they may be fined up to 150% of the fees that the organization should have paid in the current year [27].
(5) Data Protection Officer
According to the UK GDPR, if any of the following situations are met, the personal data controller or processor shall appoint a data protection officer:
(1) The data controller or processor is a public authority;
(2) Its core personal data processing activities require regular and systematic large-scale monitoring of data subjects;
(3) Its core personal data processing activities include large-scale processing of special types of personal data [28].
A group of undertakings may appoint a single data protection officer responsible for multiple legal entities, provided that each entity can easily reach the data protection officer. Data protection officers should have professional knowledge of data protection law and practice. The UK GDPR allows companies to engage staff from third-party companies as data protection officers. Personal data controllers and processors must ensure that the data protection officer is properly and promptly involved in all matters relating to personal data protection, reports directly to top management, and is not dismissed or penalized for performing the duties of the role.
The main responsibilities of a data protection officer include advising on UK data protection laws and regulations, monitoring the organization's data protection compliance, training employees, advising on and overseeing data protection impact assessments, and acting as the point of contact for communication with regulatory authorities.
(6) Data protection regulatory agencies
The UK's dedicated data protection authority is the ICO, which is responsible for safeguarding the privacy rights of data subjects in the public interest, promoting openness of information, supervising the implementation of data protection regulations, handling complaints from data subjects, and issuing interpretive guidance and specific policy documents on data protection regulations.
The Data Protection Act 2018 further details the ICO's enforcement powers, including requiring personal data controllers or processors to provide information to the ICO, conducting compliance assessments, issuing orders requiring controllers or processors to take or refrain from certain actions, and imposing administrative fines [35].
Enforcement actions available to the ICO include reprimands, enforcement notices, monetary penalties, and prosecution [36]. As of September 13, 2024, of the 166 penalties announced by the ICO, 43 organizations had been fined, with fines reaching up to £20 million (approximately RMB 186 million).
(7) Punishment measures
The UK GDPR sets two levels of penalties for violations committed by personal data controllers and personal data processors:
(1) For breaches of certain compliance obligations of personal data controllers and processors, the maximum fine is £8.7 million (approximately RMB 81 million) or 2% of the company's global annual turnover in the previous fiscal year, whichever is higher;
(2) For breaches of the core data protection obligations under the UK GDPR, the maximum fine is £17.5 million (approximately RMB 163 million) or 4% of the company's global annual turnover in the previous fiscal year, whichever is higher.
(8) Exercise of Personal Data Subject Rights
The UK GDPR provides several avenues for personal data subjects to protect their rights in relation to personal data. If a data subject suffers "material or non-material damage" as a result of a personal data controller's or processor's breach of the UK GDPR, they have the right to claim compensation from the controller or processor. This means that data subjects can claim monetary compensation even for "non-material damage" [39]. Data subjects may authorize consumer protection bodies to exercise their rights and bring claims on their behalf. Data subjects may also lodge complaints with the ICO [41] and, if they disagree with the ICO's decision, seek judicial remedies [42]. In addition, data subjects may seek various effective legal remedies (including judicial remedies) against unlawful conduct by personal data controllers or processors [43].
(9) Marketing through electronic means
Electronic marketing activities often involve the use of personal data, and the UK GDPR applies to most electronic marketing. According to Recital 47, the most appropriate lawful bases for processing personal data in electronic marketing are consent or the legitimate interests of the personal data controller.
The UK GDPR's strict consent standard poses a challenge for electronic marketing. The UK GDPR requires that individuals give explicit consent, expressed through a clear opt-in mechanism (such as ticking an unticked consent box or signing a statement), rather than by merely accepting terms and conditions or implying consent through actions such as visiting a website. The UK GDPR also requires personal data controllers and processors to safeguard the data subject's right to object unconditionally to direct marketing (i.e. the sending of marketing communications to individuals).
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PEC Regulations) [46] provide specific rules for electronic marketing. The PEC Regulations implement the EU's ePrivacy Directive (Directive 2002/58/EC) and were retained after Brexit.
The PEC Regulations prohibit the use of automated calling systems without the recipient's consent [47]. They also prohibit electronic communications for direct marketing purposes, such as emails or text messages, without the consumer's prior consent, unless the consumer supplied their contact details in the course of purchasing the products or services being marketed, in which case the marketer must still offer an "opt out" option. These requirements apply only to individual consumers, not to corporate subscribers [49]. When sending electronic marketing communications, the PEC Regulations require senders to disclose their identity truthfully and provide an unsubscribe option [50].
3. UK Regulatory Framework for Cross-Border Transfers of Personal Data
Like the EU GDPR, the UK GDPR does not require data to be stored locally, but it permits personal data to be transferred across borders only when certain preconditions or data security mechanisms are met. Specifically, the UK GDPR allows cross-border transfer of personal data only where the destination country or region is covered by an adequacy decision, or where appropriate safeguards are in place for the transfer.
(1) Adequacy decisions
The UK GDPR recognizes the adequacy decisions made under the EU GDPR. On this basis, the UK also issues its own adequacy decisions through its Secretary of State for the Home Department. At present, the following countries, regions, or organizations are considered to provide an adequate level of personal data protection, so personal data may be transferred to them from the UK without further safeguards:
(1) Member states of the European Economic Area;
(2) Institutions, organizations, offices or agencies of the European Union or the European Economic Area;
(3) Gibraltar;
(4) The countries, regions or organizations covered by the European Commission's comprehensive adequacy determination;
(5) Countries, regions, or organizations covered by partial adequacy determinations by the European Commission (such as Japanese private organizations granted adequacy determinations by the European Commission); and
(6) Countries, regions, or organizations covered by UK adequacy decisions. As of the date of publication of this article, these include South Korea [53] and the United States [54] (limited to transfers of personal data to US organizations on the Data Privacy Framework list established under the revised EU-US privacy framework arrangements) [55].
(2) Appropriate safeguard mechanisms
Besides an adequacy decision for the destination country or region, the transfer of personal data from the UK abroad is also permitted where appropriate safeguards are in place. Appropriate safeguards include:
(1) Legally binding and enforceable documents between public authorities or institutions;
(2) Binding Corporate Rules (BCR) in accordance with Article 47 of the UK GDPR;
(3) Standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the Data Protection Act 2018;
(4) Standard data protection clauses specified in a document issued by the ICO under section 119A of the Data Protection Act 2018;
(5) An approved code of conduct under Article 40 of the UK GDPR (together with binding and enforceable commitments to apply appropriate safeguards); or
(6) An approved certification mechanism under Article 42 of the UK GDPR (together with binding and enforceable commitments to apply appropriate safeguards) [57].
Regarding the standard data protection clauses mentioned above, on March 21, 2022, the ICO issued two standard contractual documents in accordance with the UK GDPR and related legislation. The first is the International Data Transfer Agreement (IDTA), also known as the UK version of the SCCs; the second is the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. The latter is designed to be attached to the EU SCCs so that, after Brexit, their governing jurisdiction is adapted to the UK. The ICO has also published a risk assessment template; where the assessed risk is too high, the parties should complete the additional protection clauses in Annex 2 of the IDTA when signing it [60].
(3) Exceptional circumstances
Even where there is no adequacy decision or appropriate safeguard mechanism, the UK GDPR still allows cross-border transfer of personal data in certain cases. These exceptions include:
(1) The data subject has explicitly consented to the transfer after being informed of the absence of an adequacy decision or appropriate safeguards at the destination and of the risks involved;
(2) The transfer is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual measures taken at the data subject's request;
(3) The transfer is necessary for the conclusion or performance of a contract between the data controller and another natural or legal person in the interest of the data subject;
(4) Necessary for important reasons of public interest;
(5) Necessary for establishing, exercising, or defending a claim;
(6) Necessary to protect the vital interests of the data subject, and the data subject is unable to consent due to physical or legal reasons;
(7) The transfer is made from a register that, under UK law, is intended to provide information to the public and is open to consultation by the public or by persons with a legitimate interest [61].
(4) Transfers of data from the EU to the UK
After Brexit, the UK is a third country from the EU's perspective. Therefore, transfers of personal data from the EU to the UK may proceed only if the preconditions set out in the EU GDPR are met. On June 28, 2021, the EU adopted an adequacy decision for the UK, recognizing that the UK provides a level of personal data protection equivalent to that of the EU. This makes it easier for personal data to flow from the EU to the UK.
Epilogue
Although the UK formally left the EU on January 31, 2020, its data protection system still follows most of the institutional design of the EU GDPR. Its key definitions, data protection principles, obligations of data controllers and processors, and administrative penalty mechanisms are similar to those of the EU GDPR. However, the Data Protection and Digital Information Bill (No. 2) has entered the review stage in the House of Lords, and if passed it may significantly change the legal requirements for data protection in the UK, setting it apart from the EU GDPR. We therefore suggest that Chinese companies planning to expand into the UK continue to monitor the provisions of, and changes to, UK data protection laws and regulations, ensure that their personal data processing activities comply with UK legal requirements, and establish corresponding overseas data protection systems.