Domain 11 of 18

Privacy and sovereignty of the individual

Britain's data watchdog found the online advertising industry systemically breaking the law in 2019. Seven years on, it has yet to enforce. That is the pattern across UK privacy: rights exist on paper, and almost nothing makes them bite. Courts closed the group-action route. Complaints take about a year. The entire national advocacy sector runs on less than £10m.

Meanwhile the checks multiply (age verification, digital ID, a health record you cannot fully opt out of), mostly built without privacy safeguards written into law. The gaps below are enforcement machinery, missing legal shields and buildable alternatives: the things that would turn Britain's paper rights into working ones. The buildable half of privacy (encrypted messaging, personal data stores, credentials that prove without exposing) lives under portable sovereignty; what remains here is mostly the law catching up.

Full landscape notes (July 2026)

The UK's privacy settlement was rewritten in 2025–26. The Data (Use and Access) Act 2025 (DUAA, Royal Assent June 2025; main provisions commenced 5 February 2026) loosened UK GDPR ("recognised legitimate interests", broader automated decision-making, opt-out analytics cookies) while putting digital verification services on a statutory footing and restructuring the ICO into an Information Commission during 2026. The EU renewed adequacy in December 2025, to 2031 with a four-year mid-point review. Enforcement remains the weak joint: the ICO favours engagement over sanction; 2025 produced only seven fines (£19.6m, mostly security breaches, including 23andMe's £2.31m), and its 2019 finding that real-time bidding adtech is systemically unlawful has still produced no RTB enforcement. Complaints take roughly a year to resolve. The Online Safety Act's age-verification duties (July 2025) triggered a 1,400%+ VPN sign-up surge and breaches exposing verification IDs (Discord's third-party provider ~70,000 IDs; the Tea app), with no mandated privacy-preserving architecture. The government's digital ID scheme (announced September 2025) drew a 2.9m-signature petition, a January 2026 retreat from compulsion, and a Digital Access to Services Bill in the May 2026 King's Speech, with credentials locked to the GOV.UK Wallet and oversight sitting inside DSIT. A secret Technical Capability Notice forced Apple to withdraw Advanced Data Protection from UK users; IPT litigation continues in 2026. Health-data centralisation (Palantir's Federated Data Platform, Single Patient Record from 2028) proceeds under an opt-out that largely does not apply. Advocacy capacity is thin and philanthropically precarious.

The gaps (12)

119urgency 3policyShort (0–2y)State-led

No opt-out collective redress route for data protection breaches

Harm a million people a little each and British law has no working way to make you pay.

120urgency 4institutionalShort (0–2y)Build now

No UK equivalent of noyb: a resourced strategic data rights enforcement organisation

Europe has an organisation that sues over data rights for a living. Britain doesn't.

121urgency 2policyShort (0–2y)State-led

No merits accountability when the ICO declines to enforce

There is no appeal when the data watchdog looks at a breach and does nothing.

122urgency 4toolingShort (0–2y)State-led

Age assurance without mandated privacy-preserving architecture

Age checks turned ID uploads into honeypots. One breach spilled 70,000 of them.

124urgency 3policyMid (2–7y)State-led

No statutory shield for end-to-end encryption

Every British Apple user has weaker cloud security than the rest of the world.

125urgency 4institutionalShort (0–2y)State-led

A health data opt-out that doesn't opt you out, and no patient-facing access audit

The NHS data opt-out doesn't cover the biggest NHS data platform.

126urgency 2policyMid (2–7y)State-led

Genetic discrimination prevented only by a voluntary insurance code

Your genome is protected by a gentleman's agreement with the insurance industry.

127urgency 2fundingMid (2–7y)Build together

No public funder for PETs deployment or privacy infrastructure maintenance

Britain writes world-class privacy tech guidance, then funds none of the tech.

129urgency 3knowledgeMid (2–7y)Build now

No UK data broker register or deletion mechanism

Companies you've never heard of trade your data. Not even the government has a list.

159urgency 3policyShort (0–2y)State-led

Two-tier data protection enforcement: the public sector is effectively exempt from fines

The Post Office exposed Horizon victims' data. Its punishment was a stern letter.

216urgency 3institutionalShort (0–2y)Build now

No landing-spot institution for the debanked, de-platformed and digitally excluded

Lose your bank account and no institution in Britain is tasked with getting you back.

228urgency 3policyShort (0–2y)State-led

Publicly funded training data has no rules on who ends up owning it

The public pays for the training. A private company keeps the data.

Also surfaced by this domain’s research (3)

Who is already here: key actors (15)
  • Information Commissioner's Office (becoming the Information Commission) (regulator (government body)): UK data protection regulator; restructured into a board-led Information Commission under the DUAA in 2026; criticised for favouring engagement over enforcement, notably on adtech/RTB.
  • Open Rights Group (advocacy nonprofit): Main UK digital rights campaign group (adtech complaints, digital ID, age verification); member-funded with JRRT/Luminate grants; originated the RTB complaints the ICO never enforced.
  • Privacy International (charity): London-based; litigating the Apple Technical Capability Notice at the Investigatory Powers Tribunal and challenging secret surveillance orders in 2026.
  • medConfidential (advocacy group): Tiny but pivotal health-data confidentiality watchdog; tracks the FDP, Single Patient Record and National Data Opt-Out erosion; runs a volunteer data-release register.
  • Foxglove (legal nonprofit): Tech-justice litigators; challenged the NHS–Palantir Federated Data Platform contract and government data deals.
  • Big Brother Watch (civil liberties group): Campaigns on digital ID, online age checks and data exploitation; co-authored the December 2025 joint briefing for the digital ID petition debate.
  • Ada Lovelace Institute (research institute): Nuffield-founded; research on data governance, digital identity and public attitudes; key evidence source but not an enforcement actor.
  • AWO (company (data rights law firm/consultancy)): Specialist data rights legal practice bringing individual and strategic UK GDPR claims; closest UK analogue to enforcement-focused capacity, but commercial.
  • Office for Digital Identities and Attributes (OfDIA, within DSIT) (government body): Governs the DVS trust framework (statutory from 1 December 2025, v1.0 March 2026, UK CertifID trust mark); sits inside DSIT rather than independent of it.
  • Yoti (company): Leading UK age-assurance and digital ID provider; certified under DIATF; major beneficiary of Online Safety Act age checks and party to debates on privacy standards.
  • Age Check Certification Scheme (ACCS) (certification body): Runs the ICO-approved UK GDPR certification for age-assurance providers, the only privacy certification in the AV market, but voluntary.
  • Age Verification Providers Association (trade body): UK-based global trade association for AV suppliers; lobbies for age assurance and defends the sector's privacy record post-breaches.
  • Genomics England (government-owned company): Runs the National Genomic Research Library and the Generation Study (100,000 newborn genomes); governance of access, commercial use and future law-enforcement requests is the live issue.
  • REPHRAIN (UKRI research centre): National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online (Bristol-led, EPSRC-funded, Phase II); academic PETs and online-safety-privacy research.
  • Mydex CIC (community interest company): Long-running personal data store operator; exemplar of the personal-data-intermediary market that lacks a legal authorisation regime (DSIT consultation live to 31 August 2026).
Funders active or plausible here (11)
  • UKRI / EPSRC (REPHRAIN centre, PETs and online-harms research; Safer Streets R&D challenge)
  • DSIT (PETs cost-benefit tool, UK–US PETs prize legacy, digital identity programme; plausible home for a PETs adoption fund)
  • Innovate UK (plausible funder of PETs commercialisation; currently no standing programme)
  • Joseph Rowntree Reform Trust (core funder of Open Rights Group and democratic-rights campaigning)
  • Luminate (Open Rights Group and data-rights field funder)
  • Open Society Foundations (historic funder of UK digital rights; retrenched from Europe, and the gap its exit left is itself part of the problem)
  • Nuffield Foundation (founded and funds the Ada Lovelace Institute; data governance research)
  • Wellcome Trust (health data governance and public-trust research; plausible funder of patient-data transparency infrastructure)
  • ICO / Information Commission grants programme (previously funded privacy research; could be revived for PETs and enforcement research)
  • Digital Freedom Fund (European strategic litigation support, extendable to UK data rights cases)
  • Tech-wealth and consumer-facing philanthropy (e.g. Proton, Mozilla Foundation) as plausible entrants for privacy-tool and advocacy funding
Policy notes

The DUAA 2025 tilts deregulatory (recognised legitimate interests, relaxed automated decision-making, opt-out analytics cookies) while EU adequacy (renewed December 2025 to 2031 with a four-year mid-point review) caps divergence. Individual redress is the systemic hole: Article 80(2) opt-out actions were never implemented, Lloyd v Google closed the courts route, s166 DPA offers only procedural review, and Delo confirmed the ICO need not determine complaints. Encryption is unprotected in statute: secret IPA Technical Capability Notices (Apple litigation at the IPT, 2026) and unused OSA s121 scanning powers persist. The Digital Access to Services Bill (May 2026 King's Speech) currently lacks statutory unlinkability and independent oversight. Health-data centralisation outpaces the non-statutory National Data Opt-Out; genetic discrimination rests on a voluntary ABI code (2025 review). Live windows: digital ID Bill passage, DSIT data intermediaries consultation (closes 31 August 2026), data broker call for evidence.