2023 will bring with it updates and reforms in relation to data protection and cybersecurity in the UK. The proposed changes are expected to place tighter restrictions on digital content; increase protection around the internet of things and connected products; and, to the delight of some, lighten compliance burdens with respect to personal data. A few highlights to watch out for are set out below:
1. The Online Safety Bill
Pitched as providing a “triple shield” of online protection, the Online Safety Bill is the UK’s step towards policing the digital world. It imposes a new duty of care on companies that offer services involving user-generated content or online communication, including large online platform services (such as social networks, search engines and hosting service providers). In-scope entities will be required to (i) remove illegal content (a requirement similar to that in the EU Digital Services Act, which entered into force in November 2022); (ii) take down material that breaches their own terms of service; and (iii) give users more choice over the content they see. The regime will be regulated by Ofcom, which will also be responsible for publishing codes of practice and guidance in due course.
Progress: The Online Safety Bill is working its way through the House of Commons, with a third reading expected by the end of 2022 before it proceeds to the House of Lords. Royal Assent is expected during 2023; Ofcom’s powers will come into force two months after that, and Ofcom will then publish documentation on its intended approach to online safety regulation, which will give an early indication of the regime’s further requirements. Ofcom’s stated intentions for the first 100 days after its powers commence include publishing draft codes of practice on illegal content harms, issuing various pieces of draft guidance and engaging first with the highest-risk services.
2. The Data Protection and Digital Information Bill
The Data Protection and Digital Information Bill provides data protection reform but, in many ways, does not stray far from the familiar EU measures we are accustomed to under the GDPR. It aims to update, amend and simplify the UK’s data protection framework rather than replace the UK GDPR and the Data Protection Act 2018. A key takeaway is that if you are required to comply with the EU GDPR, you should remain compliant with the new UK regime; where you only need to comply with the UK regime, you may benefit from reduced compliance burdens. Proposals include replacing the data protection officer with a “senior responsible individual” to oversee compliance; making it simpler to reject “vexatious or excessive” data subject requests; extending the soft opt-in for direct marketing to non-commercial organizations; reducing the requirements around the use of cookie banners; and making the current requirement to consult the ICO before carrying out high-risk processing that cannot be mitigated largely voluntary. For more information on this, see the previous overview on this topic that we published.
Progress: The Data Protection and Digital Information Bill was scheduled for a second reading on 5 September 2022, but this was postponed, and there is now talk of a further round of consultation. We therefore expect movement in 2023, but do not expect the legislation to progress substantially until later in 2023, or perhaps even 2024.
3. Product Security and Telecommunications Infrastructure Act 2022
A key focus of the Product Security and Telecommunications Infrastructure Act 2022 is the creation of a regulatory scheme to improve the security of consumer connectable products against threats. This mirrors developments in the EU: on 15 September 2022, the European Commission published its Proposal for a Cyber Resilience Act (“CRA”), which sets out new obligations and responsibilities for hardware and software products and their remote data processing solutions. Under the Act, connectable products divide into “internet-connectable products” (products capable of connecting to the internet) and “network-connectable products” (products that are not themselves internet-connectable but can connect to an internet-connectable product). In short, this covers “smart devices” or the “Internet of Things”, such as smartphones, connectable children’s toys, baby monitors, smart home assistants and connected appliances such as fridges or washing machines. The compliance obligations fall on manufacturers, importers and distributors and will apply to all relevant connectable products offered to UK consumers. Key duties include a duty to comply with the security requirements; a requirement to provide statements of compliance; and duties to investigate potential compliance failures and take action in relation to them. The Secretary of State is responsible for enforcement under this legislation but also has the authority to delegate enforcement functions, including investigatory powers.
Progress: The Product Security and Telecommunications Infrastructure Bill received Royal Assent on 6 December 2022 and is now the Product Security and Telecommunications Infrastructure Act 2022, an Act of Parliament. Certain provisions are in force with immediate effect, chiefly the background machinery of the Act: the Secretary of State’s power to make regulations under it, the ability to delegate enforcement functions, and the Act’s territorial scope. The remaining provisions, including the security requirements themselves, will only come into force on dates set by regulations made by the Secretary of State. Further updates on these regulations are expected during 2023.