Privacy – Government action

UK Government actions

• In September 2021, the UK Government launched a consultation on reforms to the UK’s data protection regime, including the role of the Information Commissioner’s Office.
• In May 2021, the UK Government introduced its draft Online Safety Bill, which includes duties on service providers to have regard to the importance of protecting users from unwarranted privacy infringements.
• In May 2021, the UK Government published its response to a consultation it launched in September 2020 on the new National Data Strategy.
• In March 2021, the UK Government introduced the Police, Crime, Sentencing and Courts Bill, which includes provisions on using digital data extraction during criminal investigations.
• In December 2020, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 were introduced, to ensure the legal framework for data protection in the UK continues to function correctly after the UK’s exit from the EU.
• In November 2020, reforms to the criminal records disclosure rules came into effect, removing the requirement for automatic disclosure of youth cautions, reprimands and warnings, and removing the ‘multiple conviction’ rule. This followed a 2019 Supreme Court judgment, which found the disclosure rules to be disproportionate and in breach of privacy rights.
• In July 2020, the National Police Chiefs’ Council (NPCC) and Crown Prosecution Service (CPS) announced an end to the use of digital data extraction forms, used to obtain permission from complainants and witnesses to search for relevant information on their digital devices. In September 2020, the NPCC introduced new interim guidance reflecting recommendations from the Information Commissioner’s Office and the Court of Appeal.
• In March 2020, the Coronavirus Act 2020 introduced changes to safeguards under the Investigatory Powers Act 2016; these were in force for 12 months.
• In October 2018, the Data Retention and Acquisition Regulations 2018 amended the Investigatory Powers Act 2016 to make sure the UK’s communications data retention regime followed EU law.
• In May 2018, the General Data Protection Regulation came into force across the EU and the European Economic Area, and came into effect in the UK through the Data Protection Act 2018. These instruments regulate how personal information about individuals is handled, stored, used and shared.
• In May 2018, the Network and Information Systems Regulations came into force, introducing a legal framework to ensure that providers of services operating in areas of critical national infrastructure put in place measures to improve the security of their network and information systems.
• In 2018, the UK Government established the Office for Artificial Intelligence (AI) and the Centre for Data Ethics and Innovation to provide independent, expert advice on the ethical use of AI and data-driven technology.
• The Investigatory Powers Act 2016 led to the setting up, in September 2017, of the Investigatory Powers Commissioner’s Office (IPCO), which replaced and consolidated three previous organisations. A ‘double-lock’ system, introduced in 2018, means that warrants for the interception of communications under the Investigatory Powers Act must be authorised by the Secretary of State and one of the judicial commissioners that support IPCO.
• In November 2016, the Investigatory Powers Act introduced significant changes to the legal and regulatory framework governing the collection, retention, and use of personal data by the state for law enforcement purposes, including by the security services, police and other agencies. It replaced parts of the Regulation of Investigatory Powers Act 2000 (RIPA).