What next for cyber security and data protection regulation in the UK?

by Matthew Niblett on 16 Aug 2024

In this blog, we analyse the Labour government's planned reforms to the UK's data protection and cyber security frameworks.

When Parliament returns from its summer recess on 2 September, the new Labour government will begin its legislative programme - articulated in its July King's Speech - in earnest. Two areas singled out for substantial reform are cyber security and data protection. In this blog, we provide an overview of the UK's cyber security and data protection regimes, before summarising Labour's proposed changes.

Status quo

Data protection

Data protection in the UK is governed primarily by the Data Protection Act 2018 (DPA), which implements the General Data Protection Regulation (GDPR) into UK law. The accompanying regulations are known as UK GDPR.

The DPA 2018 introduced strict rules for those using personal data, known as data protection principles, including stronger legal protections for sensitive personal data such as race, religious beliefs, and sexual orientation. It gives people the right to find out what information the government and other organisations store about them, as well as rights when organisations use their personal data for automated decision making and profiling.

The previous Conservative government introduced the Data Protection and Digital Information Bill to create a new data rights regime for the UK. The government claimed it would reduce burdens on businesses and researchers and boost the UK economy by £4.7 billion between 2023 and 2033. The Labour Party, then the official opposition, disagreed with this assessment, arguing that the bill would make data protection rules more complex, that it risked the loss of data adequacy with the EU, and that it would weaken citizens' protections against automated decision making. The Labour Party objected in particular to provisions which would have obliged banks to monitor the bank accounts of those on benefits in order to combat fraud. Parliament was not able to pass the bill before the general election, meaning that the Conservatives' reforms were shelved, and that UK GDPR remains in force.

The Privacy and Electronic Communications Regulations (PECRs) sit alongside UK GDPR and give people specific privacy rights in relation to electronic communications, including marketing calls, emails, texts, and faxes; cookies; keeping communications secure; and customer privacy regarding traffic and location data, itemised billing, line identification, and directory listings. The PECRs are derived from EU law and have been amended several times, most recently in 2018, when changes were made to ban cold calling by claims management services and, in certain circumstances, by pension schemes.

Finally, the UK Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (eIDAS) set out rules for UK trust services and established a legal framework for the provision and effect of electronic signatures, electronic seals, time stamps, documents, registered delivery services and certificate services for website authentication. They are an amended form of the EU eIDAS Regulation and retain many aspects of the EU rules, with some modifications for use within the UK. EU eIDAS qualified trust services are automatically recognised in the UK, but no reciprocal arrangement currently exists. The UK regulation does not include provisions relating to electronic identification schemes, unlike its EU counterpart.

Cyber security

The Computer Misuse Act 1990 was introduced to tackle cyber crime by making unauthorised access to, and modification of, computer data illegal. It represented the first major legislative attempt to tackle cyber threats and criminalise hacking, viruses, malware, and spyware. It applies to any digital operation with a significant link to the United Kingdom, meaning it covers situations where a computer being targeted is in the UK, where the person responsible carried out the operation from the UK, where the person used a server located in the UK, or if the resulting cyber attack caused damage within the UK. It has been subsequently amended on numerous occasions, with its remit being expanded in 2015 to cover the possibility of cyber terrorism and state backed cyber attacks.

The Network and Information Security Regulations (NIS) 2018 provide legal measures to boost the overall level of cyber security of network and information systems that are critical to the provision of digital services and essential services. Following a consultation in 2022, the government announced its intention to update the NIS regulations to improve the UK's cyber resilience, including by giving the government the power to amend the NIS regulations in future, and enabling the Information Commissioner to take a more risk-based approach to regulating digital services.

The Telecommunications (Security) Act 2021 established new security duties on public telecommunications providers and new powers for the Secretary of State to make regulations and issue codes of practice. It includes provisions strengthening Ofcom's regulatory powers, allowing it to enforce the new framework. It also gives the government new security powers to impose, monitor and enforce controls on public communications providers' use of designated vendors' goods, services and facilities within UK telecommunications frameworks.

Finally, the Product Security and Telecommunications Infrastructure Act 2022 created a new regulatory scheme to make smart devices more secure against cyber-attacks. In particular, it gives ministers powers to specify security requirements relating to smart products, with which businesses making such products available to UK customers must comply. The requirements include a ban on the use of universal default passwords and easily guessable default passwords, a requirement for manufacturers to enable the reporting of security vulnerabilities, and a requirement for manufacturers to make publicly available the minimum period of time that the product will receive security updates. These requirements were formalised via the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.

Labour's proposed changes

In July's King's Speech, Labour outlined two bills to reform both the cyber security and data protection regimes in the UK. The Cyber Security and Resilience Bill will expand the remit of the NIS Regulations to protect more digital services and supply chains. It will put regulators on a stronger footing to ensure essential cyber security measures are being implemented, and mandate increased incident reporting to give government better data on cyber attacks.

Meanwhile, the Digital Information and Smart Data Bill is a wide-ranging piece of legislation that will make several changes to the UK data protection framework. It will establish digital verification services to support the creation and adoption of secure and trusted digital identity products and services; develop a national underground asset register to give planners and excavators standardised, secure, instant access to the data they need to carry out their work effectively and safely; and it will set up smart data schemes, helping customers share their data securely with authorised third-party providers.

The government will also make changes to the Digital Economy Act to allow it to share data about businesses that use public services and to move to an electronic system for the registration of births and deaths. It will allow scientists to ask for broad consent for areas of scientific research and allow those doing scientific research in commercial settings to make equal use of the data regime. It will modernise and strengthen the ICO, giving it a CEO, a board and a chair, as well as new, stronger powers. It will reform some data laws where uncertainty is impeding the safe development and deployment of some new technologies, and promote standards for digital identities around privacy, security and inclusion. Finally, it will establish a data preservation process allowing coroners to get access to online information they need when investigating a child's death.

Next steps

Parliament will return from summer recess for two weeks before heading straight into conference recess until mid-October. After that, we expect the government's legislative programme to move ahead swiftly. It is therefore a good time to engage with relevant ministers, including Minister of State for Digital Infrastructure Sir Chris Bryant MP, Parliamentary Under Secretary of State for AI and Digital Government Feryal Clark MP, and Parliamentary Under Secretary of State for the Future Digital Economy and Online Safety Baroness (Maggie) Jones. Inline will be tracking both of these bills and related policy developments, so please get in touch with us if you have any questions.
