Dec 112003

The UK’s Data Protection Act of 1998

Sidley Data Matters Contributors
, ,

On 23 September 1980, the Organisation for Economic Cooperation and Development (“OECD”) adopted a set of guidelines concerning data protection and transborder dataflows. Following on from those guidelines, the EU enacted the Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (the “Convention”) in 1981. The UK, in response to the OECD guidelines and the Convention, introduced The Data Protection Act 1984 (the “1984 Act”) which concentrated mainly on Personal Data which were stored and processed ‘automatically’ (i.e. computerised Personal Data). The EU was aware that not all Member States had imposed similar laws and decided that there was a need to harmonise the laws of Member States throughout the EU with regard to data protection. In 1995, after years of discussion the European Data Protection Directive 95/46 EC (the “Directive”) was eventually adopted. The Data Protection Act 1998 (the “DPA”) implements the Directive in the UK, and came into force on 1 March 2000. It replaces the 1984 Act. The DPA allowed for two periods of transition, the first of which ended on 24 October 2001. The second transitional period ends on 23 October 2007, but only applies in limited circumstances to eligible manual data held immediately prior to 24 October 1998. Most businesses which are Processing data in the UK will now need to comply with all of the provisions of the DPA.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.