EU GDPR regime

EU GDPR regime

The General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) regime became applicable across the EEA (which at the time included the UK) on 25 May 2018. The EU GDPR ceased to apply to the UK on 31 December 2020 at 11 pm.

This subtopic addresses key features of the EU GDPR at a supranational (ie EEA) level. Individual EEA states may exercise a number of national derogations and other discretions to put in place various additional or alternative data protection laws and the various supervisory authorities in each state may adopt different interpretation or approaches in practice. This topic does not consider the position under the laws of specific EEA states or the guidance of specific EEA supervisory authorities. You should refer to guidance from the relevant national supervisory authorities and national law regarding

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

DSIT launches evaluation survey for Software Security Code of Practice implementation

The Department for Science, Innovation and Technology (DSIT) has opened a formal evaluation process for the Software Security Code of Practice, seeking feedback from both software providers and customers on implementation experiences. The evaluation encompasses organisations' access to and understanding of the code, National Cyber Security Centre's Implementation Guidance, and self-attestation requirements. Participation is open to organisations regardless of their implementation status, with responses intended to inform future policy development. The survey closes on 16 December 2026.

ICO secures convictions in largest ever nuisance call investigation

The Information Commissioner's Office (ICO) has secured guilty verdicts against eight individuals for data protection offences following its largest ever nuisance call investigation. On 26 June 2025, Craig Cornick was found guilty at Bolton Crown Court of conspiracy to unlawfully obtain personal data contrary to the Data Protection Act, joining seven others who had previously pleaded guilty to various offences under the Data Protection Act and Computer Misuse Act. The investigation uncovered approximately one million illegally accessed vehicle repair records between 2014-2017. The defendants are scheduled to return to court on 11 July 2025 for Proceeds of Crime Act proceedings, with sentencing to follow. The ICO has indicated a second phase of investigation is ongoing, targeting insurance companies and claims management firms.

Information Law weekly highlights—26 June 2025

Welcome to this week’s edition of the Information Law weekly highlights: a hand-picked summary of news analysis, updates and new content related to laws governing the use and dissemination of information and personal data. Each week these highlights focus on developments in key topics such as data protection, ePrivacy, cybersecurity, breach of confidence, misuse of private information, and defamation.

Commission extends UK data adequacy decisions by six months

The European Commission has extended the UK’s data adequacy decisions under Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) and Directive (EU) 2016/680 (Law Enforcement Directive (LED)) for six months from 24 June 2025. The extension allows continued free and safe personal data transfers while the Commission assesses whether the UK’s new Data (Use and Access) Act 2025 maintains an adequate level of protection.

View Information Law by content type :

News