In the Queen’s Speech on 10 May 2022, the UK Government set out its legislative programme for the months ahead. This includes: reforms to UK data protection laws (no details yet); confirmation that the government will strengthen cybersecurity obligations for connected products and make it easier for telecoms providers to improve the UK’s digital infrastructure; and new rules to enable the use of self-driving cars on public roads. In addition, the government confirmed its plans to move forward with the Online Safety Bill. As part of the government’s broader agenda to “level up” the UK and provide a post-Brexit economic dividend, many of the legislative initiatives referenced in the Queen’s Speech are presented as seeking to encourage greater use of data and technology to support innovation and enable growth.

We summarize below the key digital policy announcements in the Queen’s Speech and how they fit into wider developments in the UK’s regulatory landscape.

Data Reform Bill

Last year, the government consulted on plans to amend the UK’s data protection regime post-Brexit, focusing on areas where it sees opportunities to reduce compliance burdens on businesses (see our previous blog here). Whilst we continue to await the government’s response to that consultation and further details of what the reforms entail, the government has now confirmed its intention to proceed with a Data Reform Bill over the next parliamentary year. According to information published alongside the Queen’s Speech, the government considers the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 to be “highly complex and prescriptive” encouraging “excessive paperwork, and creat[ing] burdens on businesses with little benefit to citizens”. The government aims to change the law to require companies to focus on the outcomes of their practices “rather than ‘tick box’ exercises”, and intends to restructure the Information Commissioner’s Office.

Draft Digital Markets, Competition and Consumer Bill

A Draft Digital Markets, Competition and Consumer Bill was also announced with the aim of creating new competition rules for digital markets and the largest digital firms. This will include giving statutory powers to the Digital Markets Unit within the Competition and Markets Authority (CMA) to designate “a small number of firms who are very powerful in particular digital activities, such as social media and online search” and impose legally enforceable rules and obligations on them “to ensure they cannot abuse their dominant positions at the expense of consumers and other businesses.” The EU institutions recently finalized similar rules through the EU Digital Markets Act (see our blogs here and here for further details).

Online Safety Bill

On 17 March 2022, the UK Government introduced the Online Safety Bill (OSB) before Parliament, which contains several additions and amendments to the version first proposed in May 2021. The OSB places obligations on “user-to-user” services—essentially, content-sharing services—and search services that “have links” to the UK. The OSB imposes duties of care on services in relation to illegal content as well as content that is legal but “harmful”, as defined in the OSB. In the Queen’s Speech, the government confirmed its intention to move forward with the OSB in the forthcoming Parliamentary session. The bill is currently in the Committee Stage before the House of Commons. Some provisions could come into force as early as the final quarter of 2022.

Transport Bill

The government’s planned Transport Bill anticipates technological innovation in the automotive sector. Among other things, the Bill will include “new laws that safely enable self-driving and remotely operated vehicles and vessels, [and] support the roll-out of electric vehicle charge points”. This follows last month’s announcement that the government is seeking to amend the Highway Code to facilitate the use of self-driving vehicles on public roads in the UK.

Product Security and Telecommunications Infrastructure Bill

At the end of last year, the UK Government published its National Cyber Strategy 2022 policy paper, which updates the 2016–2021 National Cyber Strategy. The new Cyber Strategy introduces a focus on “cyber power” and the “ability of a state to protect and promote its interests in and through cyber space”. It seeks to elevate cyber from a purely security issue to a “whole of society” concern, noting that collaboration between businesses, the public sector and citizens will be key to the UK’s success. The strategy is centred around five key pillars, including strengthening the UK cyber ecosystem, building a resilient and prosperous digital UK by reducing cyber risks, and taking the lead in the technologies vital to cyber power. To ensure cyber risks to UK critical infrastructure are effectively managed, the government will take two actions: launching a consultation on reforms to the Network and Information Systems (NIS) Regulations, and implementing a new security framework for UK telecommunications providers. (As readers may be aware, the European Parliament and EU Member States announced a political agreement on NIS2 in the small hours of May 13; we will be monitoring UK proposals and the extent to which they mirror or diverge from the new EU law.)

As part of the broader drive to strengthen the UK’s cybersecurity, the Queen’s Speech includes plans to impose new baseline security requirements for the sale of internet-connected “smart” products through the Product Security and Telecommunications Infrastructure Bill. The Bill seeks to grant the Secretary of State the power to specify cybersecurity requirements relating to “internet-connectable” and “network-connectable” products. This is working its way through Parliament and is due to proceed to the House of Commons Report Stage during the 2022-23 session.

Consultation on Improving Security and Privacy for Apps and App Stores

Against the backdrop of driving the UK’s cyber resilience, on 4 May 2022, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on ensuring apps are developed with appropriate security and privacy protections, and that app stores implement processes to verify this. The consultation sets out DCMS’s proposed interventions, including a voluntary code of practice for app store operators designed to address privacy and security concerns. The government may also consider developing technical standards for app store operators and putting the code of practice on a regulatory footing in the future. The consultation closes on 29 June 2022, with a view to DCMS potentially publishing a final version of the code of practice later in the year. Companies operating in this space should consider contributing to the public consultation.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Marianna Drake

Marianna Drake counsels leading multinational companies on some of their most complex regulatory, policy and compliance-related issues, including data privacy and AI regulation. She focuses her practice on compliance with UK, EU and global privacy frameworks, and new policy proposals and regulations relating to AI and data. She also advises clients on matters relating to children’s privacy, online safety and consumer protection and product safety laws.

Her practice includes defending organizations in cross-border, contentious investigations and regulatory enforcement in the UK and EU Member States. Marianna also routinely partners with clients on the design of new products and services, drafting and negotiating privacy terms, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of AI technologies.

Marianna’s pro bono work includes providing data protection advice to UK-based human rights charities, and supporting a non-profit organization in conducting legal research for strategic litigation.

Shóna O’Donovan

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy and online content issues under EU, Irish and UK law.

Shóna advises multinational companies on complying with EU and UK data protection and e-privacy rules. She regularly defends clients in regulatory investigations and inquiries, and provides strategic advice on incident response. She advises clients on existing and emerging online content laws, including those affecting intermediary services and audiovisual media services. In this context, she regularly advises clients on the intersection between online content and privacy rules.

Shóna also counsels clients on policy developments and legislative proposals in the technology sector, and the impacts of these developments for their business.

In her current role, Shóna gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly changing rules, such as the GDPR and cross-border data transfer rules; and advice on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Tomos Griffiths

Tomos Griffiths is an associate working across the technology regulatory and competition groups in London.

Tomos joined the firm as a trainee solicitor in 2021, qualifying in 2023. His practice covers technology regulation, competition law, and regulation that spans the two. His recent experience includes advising clients on data protection compliance, foreign direct investment screening, and competition law litigation.

As a trainee solicitor, Tomos also gained experience in capital markets and commercial litigation for clients in the technology and life sciences sectors.