Having received Royal Assent on May 23, 2018, the UK Data Protection Bill is now an Act of Parliament.

The Data Protection Act 2018 (the “Act”) implements the General Data Protection Regulation (“GDPR”) and replaces the UK Data Protection Act 1998.

Notable provisions that make use of the ability of Member States to implement different measures from the GDPR are as follows:

  • Section 9 of the Act sets out the age of consent in relation to information society services at 13 years old, instead of 16 years old.
  • Exemptions from certain rights and obligations set out in the GDPR when it comes to certain criminal and immigration matters, for example, as well as for reasons of freedom of expression and information (e.g., for journalistic, academic, artistic, literary purposes), among a number of other diverse areas.

The Act also sets out that the Information Commissioner’s Office will be the supervisory authority in the UK for the purposes of the GDPR, and as such, is given certain powers under the Act to investigate and enforce its provisions, among other duties.

We will continue to monitor UK data protection developments, in particular the activities of the ICO, and will provide further updates.