Is the UK Government Being Two-Faced on Privacy?
The UK government talks a good game about privacy. It claims to champion data protection, insisting that businesses comply with UK GDPR, respect individuals' rights, and uphold strict security measures. Yet, at the same time, it enforces the Investigatory Powers Act (IPA), a surveillance law that grants sweeping powers to intercept, retain, and access personal data—often without the individual’s knowledge or consent. This contradiction raises an uncomfortable question: is the UK government being two-faced on privacy?
UK GDPR: The Gold Standard for Privacy?
The UK General Data Protection Regulation (UK GDPR) was inherited from the EU’s GDPR and remains one of the world’s most protective data protection frameworks. It mandates that organisations:
- Process personal data lawfully, fairly, and transparently.
- Collect data that is necessary and for a specific purpose.
- Ensure data is accurate, up to date, and secure.
- Give individuals the right to access, erase, or restrict their data.
It’s a framework designed to empower individuals and hold businesses accountable. Organisations that fall foul of these rules face hefty fines from the Information Commissioner’s Office (ICO), reputational damage, and, in some cases, legal action. To meet these demands, many companies deploy data protection solutions, GDPR compliance tools, and a robust data privacy management strategy. They also rely on data subject access request (DSAR) management processes to ensure they can uphold individuals’ rights promptly and transparently.
But while businesses scramble to meet GDPR obligations, the UK government has placed itself above its own rules.
IPA: The Government’s Backdoor into Your Data
The Investigatory Powers Act (IPA), also known as the Snooper’s Charter, grants law enforcement and intelligence agencies vast powers to monitor communications. It compels internet service providers (ISPs) and telecom companies to store individuals’ internet connection records (ICRs) for up to 12 months—even if they are not suspected of wrongdoing. It allows for bulk interception, mass hacking, and the collection of vast swathes of data. And, most concerningly, it gives the government the power to force companies to remove encryption, undermining the security protections UK GDPR encourages.
For businesses trying to protect user information, the IPA creates a direct clash with GDPR’s emphasis on strong data security tools. The recent case of Apple refusing to comply with UK demands to weaken its encryption protections highlights the growing tensions between privacy rights and government surveillance.
Where the Conflict Lies
UK GDPR and the IPA don’t just exist in parallel—they actively contradict each other.
| Privacy Principle | UK GDPR | Investigatory Powers Act (IPA) |
|---|---|---|
| Data Minimisation | Only process necessary data | Requires storing user data for 12 months, even without cause |
| User Rights | Individuals must be informed about data processing | Data can be intercepted and stored without informing the individual |
| Encryption | Encourages strong encryption to protect data | Government can compel companies to remove encryption, weakening security |
| Oversight | ICO enforces GDPR violations with fines and legal action | Surveillance is approved by government ministers, with limited external scrutiny |
If a business failed to justify why it was keeping personal data for 12 months, the ICO would likely investigate and fine them. Yet, the government forces ISPs and telecom providers to do exactly that. If an organisation secretly intercepted customer emails, it would be breaking GDPR and facing serious legal consequences. But when the government does it, it’s labelled “national security.”
The Hypocrisy of Enforcement
This isn’t just a theoretical contradiction—it’s a real compliance nightmare for businesses. If a company operates in the UK, it must comply with UK GDPR and the IPA. That means:
- Encrypting customer data to comply with UK GDPR, but being forced to break that encryption under the IPA.
- Providing transparency to users about how their data is processed, while also storing and potentially handing over that data in secret.
- Following GDPR’s strict data minimisation rules, while being legally required to retain large amounts of user data (creating challenges in data retention policy management).
These conflicting demands often leave organisations unsure whether to prioritise national security obligations or their GDPR commitments and the privacy impact assessments (PIAs) that support them.
A Threat to the UK’s Data Adequacy?
Beyond the immediate contradictions, the IPA could have serious long-term consequences for the UK’s ability to do business with the EU.
Currently, the UK has an EU data adequacy decision, meaning it can freely transfer personal data between the UK and the EU. But this status isn’t permanent—it’s under review until 2025. If the EU decides that the UK’s surveillance laws undermine privacy protections, it could revoke adequacy. That would mean UK businesses needing to implement alternative legal mechanisms, such as Standard Contractual Clauses (SCCs), to continue data transfers—making cross-border data transfer compliance more complex and costly.
The European Court of Justice has already ruled against mass surveillance laws in the EU, striking down the EU Data Retention Directive in 2014. France, Germany, and the Netherlands have all had to modify their surveillance practices to align with EU privacy rulings. If the UK refuses to do the same, it risks becoming an isolated data island.
So, Is the UK Government Two-Faced on Privacy?
Yes. The UK government demands that businesses respect privacy, but it reserves the right to ignore those same principles when it suits its interests. It tells organisations that data must be collected minimally, encrypted, and transparent—while it mandates mass data retention, undermines encryption, and operates in secrecy. It punishes businesses for privacy violations, yet asks them to violate privacy on its behalf.
Privacy professionals need to push back against this hypocrisy. The UK must align its investigatory powers with its own data protection laws—or risk losing credibility, business, and international trust.
If UK businesses must comply with GDPR, the government should too.