Is data protection reform back on the UK’s agenda? Digital regulatory highlights from the King’s Speech

The UK recently elected a new government, and on 17 July, King Charles read a speech setting out the legislative agenda envisioned by Prime Minister Keir Starmer.

The speech outlined 39 new bills, including some that would reform data protection and other digital regulations.

The previous government’s Data Protection and Digital Information Bill (DPDIB) died at the end of the last parliamentary session. But it appears that some of the proposed reforms to the UK’s data protection framework might be revived by the new regime’s Digital Information and Smart Data Bill (DISDB).

What is the Digital Information and Smart Data Bill?

The DISDB has not yet been laid before Parliament, but the Background Briefing to the King’s Speech provides some hints about what the new bill will involve.

In addition to a general promise of “targeted reforms to some data laws”, here are some specific highlights from the briefing paper.

Regulatory reform

The DISDB would reform the UK’s data protection and freedom of information regulator, the Information Commissioner’s Office (ICO).

The ICO is currently a “corporation sole” – an entity centered around one person (in this case, the Information Commissioner) that passes from one office holder to the next.

The DISDB would restructure the ICO into a board, with a Chief Executive Officer (CEO) and a Board, with executive and non-executive directors.

This proposal might resemble the previous government’s plans, which also proposed several measures to give the government greater influence over the ICO’s strategy and membership. It’s not clear whether those more controversial proposals will make it into the DIDSB.

The King’s Speech briefing also mentions giving the regulator “new, stronger powers”, but does not expand on what those powers would be.

Scientific research

The briefing paper discusses two proposals relating to data protection in the context of scientific research:

• Clarifying that “scientific research” can include commercial and private sector activity as well as non-commercial, public sector work
• Enabling controllers to obtain “broad consent” for scientific research, removing any requirement to obtain separate consent for a series of related (but perhaps not strictly “compatible”) activities.

These proposals also appeared in the last government’s DPDIB, so it’s possible that the new bill’s language will closely mirror the old bill.

Digital Verification Services

A large part of the now-dead DPDIB was related to so-called Digital Verification Services. The bill envisioned a system of government certification for companies that provide identity authentication in the context of access to public services.

It appears that this part of the previous government’s bill will be revived in the new government’s DSDIB. The King’s Speech briefing doesn’t provide a lot of detail, so we don’t know whether the relevant part of the DPDIB will be reproduced in full.

Smart Data

As the title of the DISDB suggests, the government intends to introduce new law regarding “Smart Data”.

The term “Smart Data” appears to relate to schemes such as open banking, which allow consumers to securely access their data across different companies providing similar services. Such initiatives are designed to increase competition by making it easier for consumers to switch between service providers.

Part 3 of DPDIB was titled “Customer data and business data”, and included new rules on enabling consumers to consent to the sharing of their data across services. It’s possible that the Smart Data aspects of the DISDB will draw upon this part of the DPDIB.

New powers for coroners

The DISDB proposes an amendment to the UK’s Online Safety Act (OSA) that would enable coroners (and the equivalent professionals in Scotland) to access data from the social media accounts of recently deceased children.

This rule was proposed in the DPDIB following several high-profile incidents where coroners struggled to obtain data from social media companies that might have helped determine the cause of a child’s death. However, some campaigners have suggested that the reforms do not go far enough.

Where’s the AI bill?

The government had mentioned “AI legislation” in advance of the King’s Speech, leading some people to expect an AI-specific bill such as that which recently passed in the EU.

There’s no sign of a “UK AI Act,” but the government might have been referring to a “statutory code” requiring AI companies to disclose their testing data, first mentioned back in February by Peter Kyle, who is now Security of State for Business, Innovation, and Skills (BIS).

The government has also proposed a Product Safety and Metrology Bill that it says will “enable the UK to keep pace with technological advances, such as AI”. This bill might lead to recognition of the standards set by the EU’s AI Act in UK product safety regulation.

However, the new government’s desire to “reset relations” with the EU means it likely won’t reform the EU-derived UK General Data Protection Regulation (UK GDPR) and Privacy and Electronic Communications Regulations (PECR) as drastically as the previous government had intended.