UK Data Privacy Law 2025: What Your Phone Knows About You

UK Data Privacy Law and Your Smartphone

The UK retained GDPR after Brexit in the form of UK GDPR, enforced by the Information Commissioner's Office (ICO). Combined with the Data Protection Act 2018, this framework provides UK residents with meaningful rights over their personal data.

But legal rights and practical privacy are very different things.

What UK GDPR Gives You

Right of access — You can request all data a company holds about you. Google's "data export" tool gives you a sense of the scale of what's collected.

Right to erasure — You can request deletion of your data. Companies must comply within 30 days for most requests.

Right to object — You can object to processing for direct marketing purposes.

Consent requirements — Companies must have a lawful basis for processing your data. "Legitimate interests" is frequently used and frequently abused.

The Practical Reality

Despite strong legal frameworks, surveillance capitalism continues to operate largely unimpeded in the UK. Enforcement has been inconsistent. Consent mechanisms are deliberately designed to confuse. "Legitimate interests" is interpreted broadly.

The ICO has issued significant fines — British Airways (£20m), Marriott (£18.4m) — but these represent a tiny fraction of the value derived from data collection.

Legal protections help, but they cannot prevent collection that happens within "consented" frameworks.

What Companies Collect and Why It Matters Legally

Location data is of particular interest. UK law enforcement can obtain location data from Google and telecoms companies through standard production orders — no warrant required in many cases.

In 2024, UK law enforcement submitted over 40,000 data requests to major tech companies. The vast majority were honoured.

If your device doesn't create this data, it cannot be handed over.

GrapheneOS and Legal Protections

GrapheneOS complements legal protections by preventing data from being created in the first place. There's nothing to hand over in response to a data request if the data was never collected.

This is meaningful for ordinary users as much as for high-risk individuals. Data that doesn't exist cannot be breached, hacked, or subpoenaed.

Your Rights on GrapheneOS

Using GrapheneOS doesn't affect your UK GDPR rights in relation to other services you use. You retain all rights regarding data held by third-party apps and services. GrapheneOS simply eliminates the OS-level data collection layer.