Privacy in UK (England and Wales): overview

A Q&A guide to privacy in the UK (England and Wales).

The Q&A guide gives a high-level overview of privacy rules and principles, including what national laws regulate the right to respect for private and family life and freedom of expression; to whom the rules apply and what privacy rights are granted and imposed. It also covers the jurisdictional scope of the privacy law rules and the remedies available to redress infringement.

To compare answers across multiple jurisdictions, visit the Privacy Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit

Mark Watts, Bristows LLP


1. What national laws (if any) regulate the right to respect for private and family life and freedom of expression?

In English law there is no overarching cause of action for "invasion of privacy" (Wainwright v Home Office [2003] UKHL 53).

However, the European Convention on Human Rights (ECHR) has been implemented into domestic law by the Human Rights Act 1998 (HRA). Article 8 of the ECHR provides that "Everyone has the right to respect for his private and family life, his home and his correspondence." Article 10 protects the right to freedom of expression, including the right to hold opinions and receive and impart information.

A court is a public authority within the HRA (section 6(3)(a), HRA) and must act in a way that is compatible with Articles 8 and 10 of the ECHR (section 6(1), HRA). The courts are required, so far as is possible, to:

  • Read and give effect to legislation in a way which is compatible with Convention rights (section 3, HRA).

  • Take into account any judgments or decisions of the European Court of Human Rights (ECtHR) (section 2(1)(a), HRA).

Claims for infringements of Article 8 cannot be brought directly under the HRA against non-governmental bodies. Instead, the claimant can bring an action in tort for misuse of private information (Campbell v MGN Ltd [2004] UKHL 22 and Vidal-Hall v Google [2015] EWCA Civ 311). When applying the legal principles of this tort the court will give effect to Articles 8 and 10, balancing the claimant's right to privacy against the right to freedom of expression. Neither Article takes precedence over the other. The court must take into account justifications for interfering with or restricting each right, with an "intense focus" on the facts of each particular case.

As the ECHR is an internationally binding treaty, incorporated into domestic law, it will not be affected by the UK's decision to leave the European Union. However, there have been indications from the government that it intends to repeal the HRA and replace it with a British Bill of Rights, whereby the ECtHR would only act as an advisory body.

2. Who can commence proceedings to protect privacy?

Natural persons can bring a claim for misuse of private information against private bodies or individuals before the courts of England and Wales. A claim for misuse of private information does not require the private information to be published to be made out (Imerman v Techenguiz [2010] EWCA Civ 908). Where corporate entities seek to protect information they will instead have to rely on the law of confidence.

In the event a public authority, rather than a private body or individual, is alleged to have infringed an individual's Article 8 right, a claim can be brought under the Human Rights Act (HRA) directly (section 7, HRA).

Applications can be made to the European Court of Human Rights (ECtHR) where it is claimed that the UK government has infringed Article 8. The applicant must have exhausted all domestic remedies, and have suffered a significant disadvantage as a result of the alleged violation (Article 35, ECHR) (Mosely v The United Kingdom (2011) 53 EHRR 30, and Peck v United Kingdom(2003) 36 EHRR 719).

3. What privacy rights are granted and imposed?

Article 8 is engaged where the claimant demonstrates they had a reasonable expectation of privacy in relation to the information. Where the information is not obviously private, the test is whether disclosure of the information about the individual ("A") would give substantial offence to A, assuming that A was placed in similar circumstances and was a person of ordinary sensibilities.

The Supreme Court confirmed in PJS v News Group Newspapers Ltd [2016] UKSC 26 that the misuse of private information covers two "components" of the right to privacy:

  • The confidentiality component (protecting the secrecy of private information).

  • The intrusion component (preventing intrusion into an individual's privacy).

Therefore, if private information is disclosed the individual does not lose the right to privacy in that information and could prevent further disclosure or intrusion (unlike the duty of confidence).

The category of what can be protected is wide. It can include activities carried out in public (Von Hannover v Germany (Application no.59320/00) and Application 44647/98 Peck v United Kingdom (2003) 36 EHRR 719). Photographs have been deemed particularly intrusive and children are likely to be accorded greater protection. Business information communicated in the course of a personal relationship could be capable of qualifying as "private", however, this depends on the circumstances (Lord Browne of Madingley v Associated Newspapers Ltd [2007] EWCA Civ 295).

Even if Article 8 is engaged it will be balanced against the right to freedom of expression (see Question 1). Public Interest in the information will be a key factor in determining whether Article 10 will prevail.

4. What is the jurisdictional scope of the privacy law rules?

The Human Rights Act (HRA) applies when public authorities are exercising their functions within in the jurisdiction (Article 1, ECHR), usually interpreted as UK territory. However, there have been exceptional cases where the HRA has applied to the acts of UK public authorities which have taken place outside UK territory (R (on the application of Al-Skeini) v Secretary of State for Defence [2007] UKHL 26).

Judicially recognised as a tort, a claim in tort for misuse of private information can be brought before against non-resident (and non EU-based) defendants where the following conditions are all met:

  • The damage was (or will be) sustained within the jurisdiction or the damage resulted (or will result) from an act committed within the jurisdiction (Civil Procedure Rules PD 6B 3.1(9)).

  • The claim has a reasonable prospect of success.

  • England and Wales is the most appropriate place to bring the claim (Civil Procedure Rules 6.37).

Where there is an EU-based defendant, or where the event complained of occurred in the EU, jurisdiction will be determined in accordance with the Recast Brussels Regulation (Regulation (EU) 1215/2012). The general rule is that a defendant must be sued in the member state in which it is domiciled (Article 4, Brussels Recast Regulation). An exception to the above rule is that a claim can be brought against a defendant in the member state in which the harmful event occurred or may occur (Article 7(2)).

5. What remedies are available to redress the infringement of those privacy rights?

The following remedies are available to redress an infringement of privacy rights:

  • Injunction (interim and final).An interim injunction will not be granted unless the court is satisfied that the claimant is likely to obtain an injunction following the trial (section 12(3), Human Rights Act (HRA)). Even where there has been widespread publication on the internet, publication in print could still be restrained (PJS v News Group Newspapers Ltd [2016] UKSC 26).

  • Damages (compensatory and aggravated). The level of damages awarded in privacy cases has been significantly raised by case of Gulati (the phone hacking cases). The highest award was GB£260,250 (based on a period of four and a half years of hacking and intrusion) (Gulati and others v MGN Ltd [2015] EWHC 1482, confirmed by Court of Appeal). Exemplary damages have not, to date, been recoverable in an action for misuse of private information.

  • Delivery up or destruction of offending material.

Under the HRA a court can also grant the following remedies for breaches of Convention rights:

  • Make a declaration that a law is incompatible with the European Convention of Human Rights (ECHR) (section 4, HRA).

  • Judicial review.

  • Declaration that a public authority has acted unlawfully.

  • Cancel the public authority's decision.

  • Prevent a public authority from acting in a way which infringes Convention rights.

  • Make any order within its powers as it considers just and appropriate (section 8(1), HRA).

6. Are there any other ways in which privacy rights can be enforced?

Privacy rights can also be enforced in the following ways:

  • The Data Protection Act 1998 (DPA). Section 13 is of particular interest following the case of Google Inc. v Judith Vidal-Hall and others [2015] EWCA Civ 311 where it was held an individual could claim compensation where their personal data was processed in contravention of the DPA, including for mere distress (not just for financial loss).

  • The Protection from Harassment Act 1997.

  • The Regulation of Investigatory Powers Act 2000 (RIPA).This makes it a criminal offence and a civil wrong to intentionally intercept postal and electronic communications (including e-mail and telephone calls) without lawful authority or without the consent of the sender and recipient.

RIPA will be replaced by the Investigatory Powers Act 2016 which received royal assent on 29 November 2016. Its date of implementation has yet to be determined.

  • Communications Act 2003. One of Ofcom's statutory duties is to apply standards that provide adequate protection to members of the public from unwarranted infringements of privacy.

As an alternative to, or in addition to, the above courses of legal action an individual can lodge a complaint with the following:

  • Independent Press Standards Organisation.

  • OFCOM (the media and communications regulator).

  • Advertising Standards Agency.

  • Information Commissioner's Office.


Contributor profile

Mark Watts, Partner


T +44 20 7400 8000

Professional qualifications. Solicitor, 1995; Partner, 2003; Joint Managing Partner, 2010

Areas of practice. IT (software development, system deployment); outsourcing; e-commerce; data protection.

Recent transactions

  • Advising companies deploying business-critical IT platforms and applications.

  • Advising on the creation of social networking websites, cloud computing, mobile apps and online trading websites.

  • Advising many multinational companies on general international data protection compliance issues, particularly on international data transfers matters, such as Binding Corporate Rules.

  • Advising companies how to respond to data protection enforcement actions, including Monetary Penalty Notices.

  • Particular expertise in data protection (formerly Global Privacy Counsel at IBM).

Non-professional qualifications. BSc (Hons.) Physics, University of Wales; D.Phil Semiconductor Physics, University of Oxford

Professional associations/memberships. Mark is on the correspondent panel of Computer Law & Security; member of the editorial board of Privacy & Data Protection.

Recommended for:

  • Data Protection and Information Technology (Key Individual) - Chambers and Partners (2016/2015/2014).

  • Outsourcing (Key Individual) - Chambers and Partners (2016/2015/2014).

  • Media and Entertainment – Legal 500 (2015).

  • IT and Telecoms (leading Individual) - Legal 500 (2015/2014).

  • Data Protection (leading Individual) - Legal 500 (2015/2014).

  • Information Technology: Data Protection - Best Lawyers UK (2015).

  • Technology, Media and Telecommunications (Most Highly Regarded Individual) - Who's Who Legal (2016/2015).

  • Technology, Media and Communications - Super Lawyers UK (2014).

{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1247799414809", "objName" : "ACT_OWNED - READ_ONLY - 3-525-6372", "userID" : "2", "objUrl" : "", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "25e8a493e:15af86c17b3:5003", "analyticsSessionCookie" : "25e8a493e:15af86c17b3:5004", "statisticSensorPath" : "" }