Privacy

UK GDPR

Following Brexit, the UK retained GDPR through the European Union (Withdrawal) Act, creating ‘UK GDPR’. Combined with the Data Protection Act 2018, this forms UK data protection law. UK GDPR mirrors EU GDPR with modifications: references to EU institutions replaced with UK equivalents, the ICO as supervisory authority, and national security exemptions reflecting UK law. The EU granted the UK adequacy status in 2021, allowing data to flow freely between EU/EEA and UK without additional safeguards. However, this adequacy is reviewed periodically and could be revoked if UK law diverges significantly from EU standards. The tension between UK GDPR’s protections and the broad surveillance powers under the Investigatory Powers Act remains a concern for EU adequacy assessments.

Personopplysningsloven

The Norwegian Personal Data Act (Personopplysningsloven) implements GDPR in Norway through the EEA Agreement mechanism. While GDPR forms the core of Norwegian data protection law, the Act includes supplementary national rules where GDPR permits flexibility: age of consent for children’s data (13 years), national identification numbers, processing for archiving and research purposes, and employment-related processing. Datatilsynet serves as Norway’s independent supervisory authority with powers to investigate, issue orders, and impose administrative fines. The Act interacts with other Norwegian legislation including Sikkerhetsloven (national security) and Ekomloven (electronic communications), creating a comprehensive framework for data protection in Norway.

FADP

Switzerland’s Federal Act on Data Protection underwent major revision in 2023 to align with GDPR and maintain the EU adequacy decision enabling free data flows. Unlike GDPR, FADP applies primarily to private sector processing and federal agencies (cantonal authorities have separate rules). Key changes include: expanded scope covering all processing affecting Swiss residents, mandatory breach notification within 72 hours, privacy-by-design and privacy-by-default requirements, data protection impact assessments for high-risk processing, and stronger penalties (up to CHF 250,000 for individuals). The law maintains Swiss-specific features like the definition of ‘sensitive personal data’ including trade union membership and social assistance data. Cross-border transfers require adequacy assessments or safeguards similar to GDPR. The FDPIC (Federal Data Protection and Information Commissioner) supervises compliance.

ePrivacy Directive

The ePrivacy Directive complements the GDPR for the electronic communications sector. It protects the confidentiality of communications, prohibiting interception or surveillance without user consent or legal authorization. For cookies and similar tracking technologies, it requires informed consent before placing non-essential trackers on user devices. The directive also regulates unsolicited communications: email marketing requires prior opt-in consent, while telephone marketing may use opt-out depending on member state implementation. Traffic data (who contacted whom, when, from where) and location data receive special protection and may only be processed with consent or when anonymized. A proposed ePrivacy Regulation has been under negotiation since 2017 to update these rules for modern communications services including OTT messaging apps.

BDSG

Germany’s Federal Data Protection Act (BDSG) works alongside GDPR to form the complete data protection framework in Germany. While GDPR provides the primary rules, BDSG exercises national opening clauses for specific areas. Employment data processing receives detailed regulation, covering recruitment, employee monitoring, and works council involvement. Public sector processing rules address federal agencies’ specific obligations. Video surveillance in publicly accessible areas has enhanced requirements. The BDSG also specifies when data protection officers are mandatory (beyond GDPR minimums), addresses credit scoring, and sets rules for automated decision-making. Germany’s federal structure means enforcement is split between the BfDI (Federal Commissioner) for federal bodies and sixteen state authorities for private sector and state-level public bodies.