Meet the In-Laws: the UK’s Digital Legislative Agenda for 2025

By Robyn Bond on December 23, 2024

After its election to power in July 2024, the newly formed Labour government wasted little time in announcing its legislative priorities for the coming year. Unsurprisingly, these priorities included several proposed Bills relating to data protection, cybersecurity and digital regulation. At the time of writing, only one of these Bills—the Data (Use and Access) Bill (“DUAB”)—has been introduced to Parliament, with the others expected to follow in early 2025.

1. Data (Use and Access) Bill

The DUAB was introduced to Parliament on 24 October 2024 and seeks to reform the UK’s data protection regime. The DUAB takes several of the concepts that were first introduced in the former Government’s own attempt to revise the UK’s regime, the Data Protection and Digital Information Bill (“DPDIB”), including (i) a list of “recognised legitimate interests” that would not require organisations to undertake a balancing test; (ii) broadening what qualifies as a “strictly necessary” cookie for the purposes of the Privacy and Electronic Communications Regulations (“PECR”); and (iii) reforms to the structure of the Information Commissioner’s Office (“ICO”). In addition, the DUAB:

• Proposes significant changes to the rules around automated decision-making, including by relaxing the general restriction on solely automated decisions with legal or similarly significant effects, while retaining that restriction where sensitive (special category) personal data is involved;
• Introduces a new “data protection test” for international transfers, which in practice will be less onerous than the European Union approach and thus will be welcomed by organisations;
• Increases the maximum fines permitted under PECR to align with the GDPR (i.e., a maximum of the greater of GBP 17.5 million or 4% of global annual turnover); and
• Codifies case law on Art. 15 UK GDPR data subject access requests to allow organisations to carry out reasonable and proportionate searches for a requester’s personal data; again, a proposal that will be well received by organisations, particularly those that receive a large volume of requests.

Taken together, the reforms proposed by the DUAB, and those that were not proposed (including some of the most controversial aspects of the DPDIB), are generally reasonable and targeted and are likely to allow the UK to maintain its data “adequacy” status from the EU, which is set to be renewed (or revoked) by July 2025.

2. Cyber Security and Resilience Bill

The Cyber Security and Resilience Bill (“CSRB”), which aims to strengthen the UK’s cyber defences and to better protect the country’s infrastructure and the economy, looks set to impose new and enhanced obligations on a wide range of organisations that are involved in critical services. The UK’s current cyber law, known as NIS1, is inherited from the EU, but has largely been ignored by business and regulators across Europe. The EU’s new cyber legislation, NIS2, took effect in October 2024, and the CSRB seems intended to broadly align the UK regime with NIS2. Although detail on the CSRB is still to follow, the Government has indicated that the CSRB will (i) expand NIS1 to apply to more organisations across infrastructure and critical services (and their supply chains); (ii) strengthen the ICO’s position; and (iii) increase incident reporting requirements, including to notify regulatory authorities of ransomware attacks.

3. Online Safety Act

Although the Online Safety Act (“OSA”) was introduced by the previous Government, it will become enforceable in stages throughout 2025. The OSA aims at making online spaces safer for children and adults, including by requiring in-scope online services companies (e.g., social media platforms, search services, apps and games) to moderate content, protect children online, and establish tools for users to control the content they receive. Ofcom, the UK’s broadcasting and telecoms regulator, has been granted significant enforcement powers under the OSA, including to issue fines of up to £18 million or 10% of an organisation’s global revenue. Ofcom will submit guidance and codes of practice to the UK Government in the coming year. The first of these codes, on illegal harms, was released on Monday 16 December, and the remainder are expected to follow in line with Ofcom’s roadmap to compliance, available here.

Next Steps

Organisations that are subject to existing UK laws concerning data protection and cybersecurity should pay close attention to the DUAB and CSRB as they move through the legislative process. Similarly, the likely expansion in scope of the CSRB should be of interest to businesses that are not subject to NIS1 but which may now be caught by the new rules, and the same applies to the OSA, whose broad reach covers businesses that may not consider themselves to provide “content” in the traditional sense. In each case, organisations should analyse the extent to which each law applies to their business and business units, and identify the changes that will be required to processes and procedures in order to comply with these laws. Staying on top of everything is certainly not easy, but identifying the required changes as early as possible allows you to put in place suitable measures, ideally within an existing compliance framework, in a way that causes as little disruption as possible while mitigating future risks.

For more information on PLI’s new edition of its cyber law treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk, click here.

Robyn Bond
• Posted in: Privacy & Data Security
• Blog: RopesDataPhiles
• Organization: Ropes & Gray
