All change? New Government sets out its vision for UK Data Protection and Cyber Reform

The summer has been one of political change, with the Labour Party winning the UK General Election on 4 July 2024. On 17 July 2024, the King delivered his King’s Speech at the opening of the new Parliament under the incoming Government. 

In this section, we look at Labour’s manifesto promises and the contents of the King’s Speech, to see what data protection changes are on the horizon in the UK.

Supporting innovation, boosting growth

In case there was any remaining doubt, the King’s Speech emphasised the importance of data to the UK economy:

  • The UK data economy (i.e., the data market plus the value data adds to other sectors of the economy) now represents an estimated 6.9 per cent of GDP (as of 2022).
  • In 2021, data-enabled UK service exports accounted for 85 per cent of total service exports, and were estimated to be worth £259 billion. The value of data-enabled exports from the UK to the EU alone is estimated at £91 billion.
  • Data is critical for UK businesses. 77 per cent of UK businesses handle some form of digital data, increasing to 99 per cent for businesses employing more than 10 people.

Labour’s manifesto was relatively light on detail when discussing the new government’s approach to data and digital. However, it did provide some clues as to the direction we might be heading in.

Overall, the Government is keen to support innovation and see that blossom into economic growth. It aims to do this by “delivering growth and raising productivity, converting innovation into commercial success” in the UK. We look more closely at its proposals to achieve this objective below.

Expect more regulatory oversight

The Government has expressed an intention to “beef-up” the UK’s regulatory oversight of data and digital. It believes that regulators are currently ill-equipped to deal with the dramatic development of new technologies, which often cut across traditional industries and sectors. 

It has therefore proposed to create a new “Regulatory Innovation Office” (“RIO”), bringing together existing functions across government. This office would help regulators update regulation, speed up approval timelines, and co-ordinate issues that span existing boundaries. 

UK regulators, including the UK Information Commissioner’s Office (“ICO”), are required to oversee a broad range of laws. It remains to be seen how the RIO will interact with regulators and what effect this will have on the ICO’s own approach to regulation, which is to work with organisations, rather than take a strict approach to enforcement.

The Government has also announced its intention to restructure the ICO and give it new powers. On that note…

Data protection reform is back!

The previous government proposed reform to UK data protection law in the shape of the Data Protection and Digital Information Bill (the “Bill”). However, the Bill became mired in the legislative process and did not make it through the “wash-up” period in the days preceding the dissolution of the last Parliament.

Labour was not openly enthusiastic about the Bill when in opposition and did not mention data protection reform in its election manifesto. It was a surprise, then, that the King’s Speech proposed a Digital Information and Smart Data Bill (the “New Bill”) to amend UK data protection law. 

The New Bill is intended to harness the power of data for economic growth and will give a statutory footing to the following uses of data:

  • Modernising and strengthening the ICO. The ICO will change in structure, with a CEO, board and chair. It will also get new, stronger powers.
  • Targeted reforms to some data laws. It is not clear what these will be, but the government’s intention is to maintain high standards of protection and improve clarity around the safe development and deployment of some new technologies.
  • Establishing Digital Verification Services. These will support the creation and adoption of secure and trusted digital identity products and services from certified providers to help with things like moving house, pre-employment checks, and buying age restricted goods and services.
  • Developing a National Underground Asset Register, which will digitally map the way underground pipes and cables are installed and maintained. This measure will give planners and excavators standardised, secure, instant access to the data they need, when they need it, to carry out their work effectively and safely.
  • Setting up Smart Data schemes, which are the secure sharing of a customer’s data upon their request, with authorised third-party providers. An existing example of such sharing is Open Banking; expect similar schemes to be rolled out in markets and industries where customer engagement is currently low.

Labour’s manifesto spoke of a desire to “re-set” the UK’s relationship with the EU post-Brexit.  Presumably this includes preserving the UK’s adequacy status for receiving EU data transfers (and the commercial benefits thereof). Do not expect radical reforms to the current data regime that risk upsetting that “applecart”.

What about AI?

Expect a more “hands-on” approach to regulation of AI…just not yet.

The previous government had adopted a “light touch” and “wait and see”-type approach to AI regulation, with the intention of fostering innovation and growth in this technology. 

Both Labour’s manifesto and the King’s Speech referred to an intention to regulate the highest-risk forms of AI system. However, the King’s Speech did not mention specific legislation in this area.

So, UK businesses’ use and development of AI systems within the UK remains subject to a patchwork of existing laws (including UK GDPR) and relatively laissez-faire regulatory oversight (at least compared to the EU). Those UK organisations caught within the extra-territorial reach of the EU AI Act will also have to juggle the more specific and risk-based requirements of that new EU legislation.

Public services – more data-driven?

Labour’s manifesto proposed to create a National Data Library to bring together existing research programmes and help deliver data-driven public services, whilst maintaining strong safeguards and ensuring that the public benefits.

The idea of a National Data Library is a popular one, attracting significant support from politicians and business. 

The proposal would be of great interest to businesses in the field of scientific research and innovation. It will centralise existing government research programs, enhancing scientists’ and academics’ access to public sector data.

Lastly, it has the potential to allow scientists and start-ups to access more data to train and develop AI models.

National security and cyber resilience

The Government acknowledges that the UK’s digital economy and essential services are exposed to greater risks of cyber attacks from criminal and hostile state actors than ever before.  The new legislation will update the UK’s current legislation by:

  • Expanding the remit of the regulation to protect more digital services and supply chains.
  • Putting regulators on a strong footing to ensure essential cyber safety measures are being implemented.
  • Mandating increased incident reporting to give government better data on cyberattacks, including where a company has been held to ransom.

This proposal is an important and urgently needed change. The UK’s current cyber resilience legislation is a hangover from its pre-Brexit days. The EU has since moved on to strengthen its own protections.

Our views

The King’s Speech and Labour manifesto are usefully indicative of where UK data protection law is going over the next few years. However, it remains to be seen just how many of the above proposals come into legislative force; the previous government announced 21 Bills in the 2023 King’s Speech, but several were not enacted.

To the extent these proposals make it to Royal Assent, we await their precise form with interest. Freeths’ Data and Information Team will keep a close eye on developments over the coming months and years, so watch this space in future Newsletters. 


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
