January 22, 2019

The UK Adopts Data Protection Act 2018

Having received Royal Assent on May 23, 2018, the UK Data Protection Bill is now an Act of Parliament.

The Data Protection Act 2018 (the “Act”) implements the General Data Protection Regulation (“GDPR”) and replaces the UK Data Protection Act 1998.

Notable provisions that make use of the ability of Member States to implement different measures from the GDPR are as follows:

  • Section 9 of the Act sets out the age of consent in relation to information society services at 13 years old, instead of 16 years old.
  • Exemptions from certain rights and obligations set out in the GDPR when it comes to certain criminal and immigration matters, for example, as well as for reasons of freedom of expression and information (e.g., for journalistic, academic, artistic, literary purposes), among a number of other diverse areas.

The Act also sets out that the Information Commissioner’s Office will be the supervisory authority in the UK for the purposes of the GDPR, and as such, is given certain powers under the Act to investigate and enforce its provisions, among other duties.

© 2019 Covington & Burling LLP


About this Author

Daniel Cooper, Data privacy lawyer, Covington Burling

Daniel Cooper advises clients on information technology regulatory issues, particularly data protection, e-commerce and data security matters.

According to the latest edition of Chambers UK (2018), his "level of expertise is second to none, but it's also equally paired with a keen understanding of our business and direction." In 2017, it was noted that "he is very good at calibrating and helping to gauge risk."