In the Queen’s Speech on 10 May 2022, the UK Government set out its legislative programme for the months ahead. This includes: reforms to UK data protection laws (no details yet); confirmation that the government will strengthen cybersecurity obligations for connected products and make it easier for telecoms providers to improve the UK’s digital infrastructure; and new rules to enable the use of self-driving cars on public roads. In addition, the government confirmed its plans to move forward with the Online Safety Bill. As part of the government’s broader agenda to “level up” the UK and provide a post-Brexit economic dividend, many of the legislative initiatives referenced in the Queen’s Speech are presented as seeking to encourage greater use of data and technology to support innovation and enable growth.

We summarize below the key digital policy announcements in the Queen’s Speech and how they fit into wider developments in the UK’s regulatory landscape.

Data Reform Bill

Last year, the government consulted on plans to amend the UK’s data protection regime post-Brexit, focusing on areas where it sees opportunities to reduce compliance burdens on businesses (see our previous blog here). Whilst we continue to await the government’s response to that consultation and further details of what the reforms entail, the government has now confirmed its intention to proceed with a Data Reform Bill over the next parliamentary year. According to information published alongside the Queen’s Speech, the government considers the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 to be “highly complex and prescriptive” encouraging “excessive paperwork, and creat[ing] burdens on businesses with little benefit to citizens”. The government aims to change the law to require companies to focus on the outcomes of their practices “rather than ‘tick box’ exercises”, and intends to restructure the Information Commissioner’s Office.

Draft Digital Markets, Competition and Consumer Bill

A Draft Digital Markets, Competition and Consumer Bill was also announced with the aim of creating new competition rules for digital markets and the largest digital firms. This will include giving statutory powers to the Digital Markets Unit within the Competition and Markets Authority (CMA) to designate “a small number of firms who are very powerful in particular digital activities, such as social media and online search” and impose legally enforceable rules and obligations on them “to ensure they cannot abuse their dominant positions at the expense of consumers and other businesses.” The EU institutions recently finalized similar rules through the EU Digital Markets Act (see our blogs here and here for further details).

Online Safety Bill

On 17 March 2022, the UK Government introduced the Online Safety Bill (OSB) before Parliament, which contains several additions and amendments to the version first proposed in May 2021. The OSB places obligations on “user-to-user” services—essentially, content-sharing services—and search services that “have links” to the UK. The OSB imposes duties of care on services in relation to illegal content as well as content that is legal but “harmful”, as defined in the OSB. In the Queen’s Speech, the government confirmed its intention to move forward with the OSB in the forthcoming Parliamentary session. The bill is currently in the Committee Stage before the House of Commons. Some provisions could come into force as early as the final quarter of 2022.

Transport Bill

The government’s planned Transport Bill anticipates technological innovation in the automotive sector. Among other things, the Bill will include “new laws that safely enable self-driving and remotely operated vehicles and vessels, [and] support the roll-out of electric vehicle charge points”. This follows last month’s announcement that the government is seeking to amend the Highway Code to facilitate the use of self-driving vehicles on public roads in the UK.

Product Security and Telecommunications Infrastructure Bill

At the end of last year, the UK Government published its National Cyber Strategy 2022 policy paper, which updates the 2016 – 2021 National Cyber Strategy. The new Cyber Strategy introduces a focus on “cyber power” and the “ability of a state to protect and promote its interests in and through cyber space”. It seeks to elevate cyber from a purely security issue to a “whole of society” concern, noting that collaboration between businesses, the public sector and citizens will be key to the UK’s success. The strategy is centred around five key pillars, including strengthening the UK cyber ecosystem, building a resilient and prosperous digital UK by reducing cyber risks, and taking the lead in the technologies vital to cyber power. Two action items the government will be taking to ensure cyber risks to UK critical infrastructure are effectively managed are launching a consultation on reforms to the Network and Information Systems (NIS) Regulations and implementing a new security framework for UK telecommunications providers. (As readers may be aware, the European Parliament and EU Member States announced a political agreement on NIS2 in the small hours of May 13; we will be monitoring UK proposals and the extent to which they mirror or diverge from the new EU law.)

As part of the broader drive to strengthen the UK’s cybersecurity, the Queen’s Speech includes plans to impose new baseline security requirements for the sale of internet-connected “smart” products through the Product Security and Telecommunications Infrastructure Bill. The Bill seeks to grant the Secretary of State the power to specify cybersecurity requirements relating to “internet-connectable” and “network-connectable” products. The Bill is working its way through Parliament and is due to proceed to the House of Commons Report Stage during the 2022-23 session.

Consultation on Improving Security and Privacy for Apps and App Stores

Against the backdrop of driving the UK’s cyber resilience, on 4 May 2022, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on ensuring apps are developed with appropriate security and privacy protections, and that app stores implement processes to verify this. The consultation sets out DCMS’s proposed interventions, including a voluntary code of practice for app store operators designed to address privacy and security concerns. The government may also consider developing technical standards for app store operators and putting the code of practice on a regulatory footing in the future. The consultation closes on 29 June 2022, with a view to DCMS potentially publishing a final version of the code of practice later in the year. Companies operating in this space should consider contributing to the public consultation.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Marianna Drake

Marianna Drake is a Trainee Solicitor who attended King’s College London.

Shóna O’Donovan

Advising clients on a broad range of data protection, e-privacy and online content issues under EU, Irish, and UK law, Shóna O’Donovan works with her clients on technology regulatory and policy issues.
With multi-jurisdictional and in-house experience, Shóna advises global companies on complying with data protection laws in the EU. In particular, she represents organizations in regulatory investigations and inquiries, advises on children’s privacy issues and provides strategic advice on incident response. Shóna also advises clients on policy developments in online content and online safety.

In her current role, Shóna has gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.

Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Tomos Griffiths

Tomos Griffiths is a Trainee who attended Durham University.