The Evolution of Data Protection

How has data protection evolved and where is it going?

We are currently living in an economy that uses data as currency. From the very beginning of the 21st century, new technological advancements created a pathway for ‘data’ to become the new currency. With the rise of mobile phones, social media, IoT (Internet of Things) and now AI, data has become increasingly valuable and is being stored and exchanged at incomprehensible scales. Companies collect, analyse, and monetise personal data “volunteered” by the consumer to gain further insight into trends, consumer behaviour and preferences. Examples of this can be seen in companies such as Meta Platforms Inc., a social media conglomerate, which collects personal data to make for a ‘better,’ ‘more targeted’ experience for consumers on their apps. 

However, this rapid rise in the data economy has been met with legislative resistance, as governments worldwide have been pushing for even stronger privacy and data protection laws. National data protection legislation started in Europe, with Sweden, Germany, and France making headway in the 1970s. With the establishment of the European Union (formerly recognised as the European Economic Community) in 1993, policies regarding international data protection soon began to emerge.

Data Protection in the European Union

Prior to the EU’s current system, there was the Data Protection Directive (DPD), introduced in 1995 as an ‘essential element of EU privacy and human rights law’. However, by the year 2012, the DPD could no longer keep up with the evolution of how data was being stored or used, both by companies and individuals – it needed reform. The DPD was soon replaced by the GDPR (General Data Protection Regulation), which:

  • Broadened the definition of personal data – i.e., IP addresses, location data and other online identifiers.

  • Expanded individuals’ rights to their data – gave individuals the ability to opt in and consent to data being taken, the right to access data and the right to be forgotten.

  • Ensured organisations notified the relevant authorities in the case of a data breach.

  • Enforced laws that were applicable across all member states and introduced stronger penalties for non-compliance with said regulations. 

With every passing technological evolution, the EU continues to introduce new measures to prevent global organisations from taking advantage of the data of EU citizens, such as the:

  • Data Governance Act, which became applicable in 2023. It regulates ‘processes and structures that facilitate voluntary data sharing’ and makes clear who/what can create data and under what circumstances.

  • Data Act (2024) – introduced to legislate fairness into the data economy by making data (in particular industrial data) more accessible. 

Both of these Acts can be used in tandem with the GDPR to tackle any issues that may clash with personal data, and are integral in a world where vast amounts of data are being used to create cheaper, faster, and more “intelligent” AI systems such as ChatGPT or (most recently) DeepSeek.

Data Protection in the United Kingdom 

In the UK, data protection looks a little different. As of the UK’s ‘Brexit’ from the EU in 2016 (and officially in 2020), legislation such as the EU’s GDPR was no longer applicable to British citizens. It should be noted, however, that the EU’s influence was not completely discarded – in 2018 the UK’s own GDPR was introduced in tandem with the Data Protection Act. The two GDPRs share many similarities, but there are critical differences in areas concerning national security, immigration, and intelligence services.

It should be noted that in 2021, the EU adopted an ‘adequacy’ decision that guaranteed that the UK could ‘provide an equivalent level of data protection’, therefore allowing personal data to flow freely between the two entities. The decision is to be upheld until the 27th of June 2025. Should the EU Commission find that the UK has not upheld the same standard of data protection by this date and amendments cannot be made, it is possible that all cross-border data transfers may be suspended or completely cease – this will be critical for any British organisations working within EU borders. 

New Direction 

As mentioned earlier, technological advancements spur legislative evolution, and in the UK new policies and bills have been proposed to minimise the gap. 

In 2024, the Data Protection and Digital Information Bill was introduced to (and approved by) the House of Commons. This Bill seeks to enforce regulations for processing personal data and to ensure privacy in electronic communications and trust services such as electronic signatures. It also includes setting up agreements to share information for law enforcement and making provisions about access to customer and business data. Among other things, the Bill aims to establish an ‘Information Commission’ to oversee how biometric data is handled.

This Bill is currently at the committee stage in the House of Lords and therefore is still in deliberation. However, such a bill would be monumental in supporting the existing data regulation in the UK, particularly regarding biometric data, which is a growing concern for the general public in a world insistent on the integration of AI technology in this modern data ecosystem.