Signatories of joint statement, including Mozilla, Tor and Open Rights Group, call on ministers to address root causes of online harm rather than pursue blanket access restrictions.

A group of tech companies and civil society organisations has urged UK policymakers to reconsider their approach to online safety legislation, warning that proposed age-gating measures and access restrictions threaten to fragment the open internet and erode the rights of all users.

The statement comes as ministers consult on which online platforms and features should be placed behind age verification systems. Proposals under consideration include curfews for young users and sweeping restrictions on access to internet services ranging from video games and VPNs to static websites.

Such proposals would in practice require all internet users to verify their ages, creating significant privacy and data security risks, including to young people, as shown by the serious breaches of UK users’ government ID data.

The expansion of age verification risks entrenching the dominance of major app stores and platform gatekeepers, turning the web into “a patchwork of age-gated jurisdictions” rather than a globally accessible resource.

The statement urges UK policymakers to adopt ‘thoughtful policy interventions’ that address the root cause of online harms – the business models of large platforms, which are built on extensive data collection, behavioural targeting, and engagement-maximising design.

Open Rights Group has warned that new powers agreed by MPs in the Children and Schools Wellbeing Bill to expand age identification across online platforms risk creating a system of digital checkpoints.

As age identification expands, millions more people may be required to hand over personal data to access everyday services. Open Rights Group has already warned that current systems pose “serious privacy and security risks”, including weak safeguards, data reuse, and fraud vulnerabilities.

James Baker, Platform Power Programme Manager at Open Rights Group, said:

“In less than a year, we’ve gone from proposals to check ID for porn to the prospect of checking ID to access social media or unlock everyday features such as livestreams or feeds. These online ID systems put both children and adults’ sensitive data at risk.”

“Evidence coming out of Austrialia where a ban is in place suggests that many young people are seeking to avoid these blanket bans, and they aren’t effective.

“MPs should look at other policy options that change the underlying business models of social media platforms so we can build better online spaces rather than imposing blanket restrictions.”

Open Rights Group reiterated its call for stronger regulation of the age assurance industry, alongside robust data protection safeguards.

The group also warned that when details of the regulations to impose bans emerge they must not sweep up low-risk community forums and small services, which are already being forced offline due to the burden of complying with the Online Safety Act.

Free expression online

Fix the Online Safety Act

Find Out More

A cross party group of MPs has called for the government to publish classified documents that detail the “chronic risks” to the UK from our reliance on digital platforms and services, the dominance of global tech and the impact of AI. Digital rights campaigners, the Open Rights Group, have also requested the release of the classified documents through a freedom of information request.

The publication of these risks is crucial to enable a proper public and parliamentary debate about the UK’s dependence on foreign tech companies for its critical infrastructure.

The MPs’ letter follows analysis in a recent report by ORG, which highlighted that national debate on digital sovereignty is being hampered by secrecy, preventing Parliament and the public from debating whether the government understand the scale of the challenge.

The report showed that the UK’s over-reliance on mostly US companies is a national security issue, due to US legal powers. During the previous parliament, MPs recognised the risks of using foreign tech companies when they took action over potential state interference from using Huawei equipment. However, there needs to be an urgent parliamentary and public debate about the UK’s reliance on mostly US companies in light of recent geopolitical uncertainty. Were the UK’s relationship with the US to deteriorate over Iran or Greenland, the US could use legal powers compel tech companies to discontinue services or carry out surveillance. Companies such as Palantir, recently contracted to deliver core components of the Ministry of Defence’s data systems, have openly championed US military dominance.

The letter calls for the National Risk Register to be updated so that it addresses the risk of foreign states using legal powers in this way. It also asks that the government “lead a national debate on the nature of our digital dependence, from both a security and economic perspective”.

Read the letter signed by Sian Berry MP (Green Party), Clive Lewis MP (Labour), Victoria Collins MP (Liberal Democrats) and Ben Lake MP (Plaid Cymru).

EU shift to Open Source

EU countries, including France, Germany, the Netherlands and Denmark are taking steps to end their reliance on US Big Tech by moving to Open Source and collaborative solutions.

ORG has called for the UK to develop a digital sovereignty strategy to protect the UK’s independence and grow its economy. Digital sovereignty is defined as the ability of a country to have control over its digital infrastructure, data, and technology. Greater investment in Open Source could also drive UK economic growth, supporting domestic innovation and a more competitive technology sector. It can modernise critical government systems, strengthen control over public technology infrastructure, reduce dependence on proprietary vendors and restore public sector control.

Jim Killock, Executive Director of Open Rights Group said:

“For years, Big Tech has used its power to lobby parliament, gain control of the UK’s digital infrastructure and influence government policy. It is known within government that our dependence on foreign companies is a national security risk but the details are being kept from the public.

“We have a right to know what the consequences of years of pandering to Big Tech mean for the UK. The Government must be transparent about the risks and show how it is taking steps to make the UK’s more resilient to foreign interference.”

Siân Berry MP said:

“Cross-party MPs are urging the Government to address the glaring risks to our citizens from the choices made for our critical digital infrastructure. Our over-reliance on foreign tech giants for the digital systems that keep the country running, combined with temperamental Trump in the White House, leaves us open to the very real possibility of foreign interference or even service withdrawal. 

“With my fellow MPs, I am sounding the alarm and urging Ministers to update the risk register, while continuing to push for a digital sovereignty strategy that would build up homegrown tech resilience and protect our national security.”

Clive Lewis MP said:

“The UK’s dependence on Big Tech has left us dangerously vulnerable, particularly against a backdrop of increased geopolitical uncertainty as a result of US and Israeli military actions.

With the government actively considering triggering the break clause in Palantir’s Federated Data Platform contract, ministers seem to be waking up to the risks of allowing these corporation free rein in our public institutions.

It’s vital that work starts urgently on alternatives to Big Tech dominance.”

Demand UK Digital Sovereignty

Find Out More

Growing the economy through digital sovereignty

The report urges the UK Government to follow the lead of EU countries, including Germany, France, Netherlands and Denmark, who are actively pursuing digital sovereignty through strategic investments in open technologies and international collaboration.

Greater investment in Open Source can also drive UK economic growth, supporting domestic innovation and a more competitive technology sector. It can also modernise critical government systems, strengthen control over public technology infrastructure, reduce dependence on proprietary vendors and restore public sector control.

Demand UK Digital Sovereignty

Find Out More

Our new report asks a profound question: just how dependent is the UK on US technology, and what could that mean for the UK’s sovereignty? It is an enormous question, but as our report shows, there are real and beneficial answers if the UK shifts from one way dependence on US tech giants to shared technology, based on a Digital Commons, including Open Source, open standards and open hardware.

Our report surveys the mess that is the UK’s digital dependence, mostly on US tech giants but also in some cases Chinese technologies. Starting with the risks, we identify:

• Security risks: including threats of service withdrawals and sanctions, or even the use of technologies to launch attacks on government systems.

• Surveillance risks: including foreign powers compelling companies to provide access to UK government data.

• Economic risks: such as extractive economic behaviour, including tax avoidance, structuring of profits overseas, and depletion of economic value of government spending.

• Policy and democratic risks: through lobbying, threats of withdrawal of ‘investment’, and techno-solutionism; alongside centralised control of social media driving public discourse through the preferences of tech oligarchs.

Each of these is a big topic. The security risks have become pretty clear, as US President Donald Trump has made significant use of sanctions against individuals, resulting in them being cut out of European banking systems, as well as American tech platforms. However, the mere existence of potential leverage is also a threat, as it reduces the maneuverability of any government to resist pressure from the US in the event of a foreign policy or trade disagreement. Surveillance risks have a similar profile.

The UK’s digital policies are looking the other way

The report goes into the details of the UK’s current policy position, showing a remarkable absence of thinking about these risks in public policy documents. Reliance on US tech and the apparent faith of the government that AI will deliver significant benefits for the UK’s economy is in fact driving the other way. This strategy is made plain in the UK’s Tech Sectoral Plan. The inevitable result will be greater economic extraction and less value to the UK. This approach will drive the tax-ability of the tech sector downwards, relocate high value jobs outside of the UK, and result in ever greater pressure on public spending. Weakening regulation of data protection and competition policy only makes the situation worse.

Related to this, the UK also has a woeful record in allowing tech companies to be acquired by US and other overseas owners. Two of the biggest example include DeepMind, now owned by Google, and ARM chips, owned by a Japanese investment company and mostly US shareholders. Acquisitions of this kind make the UK tech sector wholly dependent on US tech. This stands in contrast to similar firms in European countries, which are regarded as strategic assets, and not sold on.

The UK’s failures regarding outsourced IT systems date back decades, whether these rely on US corporations such as Oracle, Microsoft, and IBM, or UK, Japanese and European vendors such as Capita, Accenture, Fujitsu and CapGemini. The Post Office scandal and the current debacle with civil service pensions did not come out of nowhere. Nor did the bankruptcy of Birmingham City Council, the victim of spiralling costs during a transition to an Oracle management system. Cloud dependence on Microsoft Azure and Amazon Web Services is just another chapter in vendor lock-in leading to over-charging.

Democracy is at risk

The democratic and policy risks of digital dependence are profound. They include lobbying, interference in trade agreements, promoting digital restrictions and producing e-waste. Techno-solutionism can also be a result of digital dependency, as vendors promote their way of doing things. The risks are profound, as Big Tech shapes what we do as a country. As Siân Berry MP describes in her foreword:

“Some of the practices of these not-so-friendly giants we rely on sit very uncomfortably with the ethics and values our country holds dear. For example, I have watched in horror as Palantir has crafted data-analytics software to facilitate ICE’s fascist deportations, sharing data between government departments to surveil and track migrants. While its CEO, Alex Karp is free to joke about its mission, saying chillingly in 2025: “Palantir is here to disrupt… and, when it’s necessary, to scare our enemies and, on occasion, kill them.”

The dominance of Big Tech in social media is itself a risk to democracy, as an EU study Fractured Reality also concluded this month. Yet the government is supporting Big Tech monopolies with ad spending and content, without publishing on the alternatives. The government complains about Big Tech’s failures, while only giving users the opportunity to engage with government through Big Tech. Clive Lewis MP writes in his foreword:

“Data and algorithms do not merely power economic activity. They increasingly mediate how citizens encounter information, interpret events and form political opinions. The systems that curate what we read and watch now have the power to shape public debate itself. We have already seen how foreign-owned platforms can promote, suppress or algorithmically amplify particular viewpoints — sometimes reflecting the preferences of their owners. Control over digital infrastructure therefore extends beyond markets and innovation into something more fundamental: who shapes the public sphere, and on whose terms.”

But there is a way forward

We also present the potential solutions. On these, the picture is much more encouraging. We show that many European governments are learning to collaborate and escape Big Tech, for reasons of economic and political sovereignty. France, Germany, the Netherlands and Denmark are making great strides in reducing dependence on US tech giants. As Lord Clement-Jones writes in his foreword:

“What gives me hope is the evidence assembled here that alternative approaches work. The economic case is overwhelming: open source generates £4 for every £1 invested and has created 2-3% of global GDP. France’s Open Source preference has driven 9-18% annual growth in tech start-ups. The sovereignty case is equally clear: when you control the code, you control your destiny.”

The key is having clear institutional leadership to promote the alternatives to Big Tech, and secondly, by using shared, Open Source technologies the route to Digital Sovereignty. Rather than just asking to “Buy British”, we need to ask, “how do we collaborate with our neighbours and reduce costs for everyone?” There should not be a proprietary “British Office Suite” and a “British Operating System”, owned by some company that may well be bought up by Microsoft, Amazon or Oracle in the future. Rather, Open Source allows multiple partners and governments to develop the tools they need. Indeed, using US companies where useful becomes entirely manageable if the products are Open Source.

These principles can equally apply for cloud providers, and especially for AI, where transparency, control and understanding of the fundamental technology is even more necessary. Europe has made significant investments in commercial and academic AI research and modelling. France has developed methods to control deployment and swapping in and out of AI models.

Stopping Big Tech’s control of social media can be achieved. The powers to open up social media already exist in competition law. Users on BlueSky and Mastodon can switch from providers they do not like, and choose the moderation values that they want. EU users no longer have to use Meta’s WhatsApp to talk to WhatsApp users. Once you can escape Big Tech, without the downsides of losing your networks, any exodus of users will push platforms to think hard about their toxic online environments.

What we believe is needed next is for digital rights, safety and tech accountability campaigners to come together around the opportunities that the growing debate on Digital Sovereignty offers. It is a means to create a wide debate on the nature of our dependence on Big tech, and how we exit coercion and control.

There is growing political interest. Chi Onwurah MP is leading work at the Science and Technology Committee to press for answers. Liberal Democrat, Labour and Green Parliamentarians have kindly provided help with this report. A growing number of MPs that have signed the Parliamentary ‘Early Day Motion’ calling for a Digital Sovereignty strategy, and debates on the topic have highlighted its pressing need during the Cyber Security Bill. It will take political courage to end our digital dependency on powerful companies but the risks of not acting are greater.

Demand UK Digital Sovereignty

Find Out More

Executive Summary

Reclaiming Digital Sovereignty

• Digital Sovereignty is critical for the UK’s economic and national security.
  It is defined as the ability of a country to have control over its digital infrastructure, data, and technology.

• The UK is currently facing a crisis of digital dependency.
  The country is overly reliant on a small number of tech giants for its critical digital infrastructure, which poses significant economic, security, legal, and policy risks, including to democracy and public debate.

• A strategic shift to using and growing the Digital Commons — that is, open technologies — provides the most effective path to Digital Sovereignty.
  This includes shared Open Source software, open standards, and open hardware, which can foster a more competitive and innovative domestic tech sector, reduce costs, and enhance security.

The high cost of digital dependency

In Part I The Digital Sovereignty challenge we find:

• Economic risks.
  The dominance of a few tech giants leads to vendor lock-in, inflated costs for government and businesses, and the extraction of value from the UK economy through tax avoidance and profit repatriation.

• Security risks.
  Reliance on foreign proprietary technology creates vulnerabilities to surveillance, espionage, and cyber attacks. These risks are produced by foreign legal frameworks, which govern both US and Chinese technology companies.

• Surveillance risks.
  The UK is exposed to the extra-territorial jurisdiction of other countries, such as the US Clarifying Lawful Overseas Use of Data (CLOUD) Act and China’s National Intelligence laws, which can compel tech companies to hand over data.

• Policy Risks.
  The immense lobbying power of Big Tech distorts policy-making, leading to weaker regulation, anti-competitive practices, and a centralised, abusive and anti-democratic digital information environment.

The UK’s current position

Part II Current UK policy position shows that:

• The UK lacks a coherent Digital Sovereignty strategy.
  Current policies are designed to reinforce dependency on foreign tech giants.

• The Government’s analysis of the ‘chronic’ risks is classified, precluding public debate of its approach.

• Government IT procurement is dysfunctional.
  It is characterised by a lack of competition, vendor lock-in, and a series of high-profile project failures and cost overruns. Like other areas of government procurement, there is not a functioning market, so government cannot expect good procurement while it is a passive recipient of software services. There is insufficient focus on known solutions to resolving this dysfunction. Solutions include: leadership in development and ownership of custom software; requirements for interoperability; preferencing Open Source; and leveraging competition policy in the cloud market.

• Competition and data protection enforcement have been weakened.
  This invites tech giants to further consolidate their market power and continue to engage in anti-competitive practices. It appears to be a response to dependence, seeking to attract further inward investment that will build economic extraction rather than reduce it.

Digital Sovereignty reduces costs and grows the digital economy

We show in Part III Beyond the UK how other countries are benefiting from prioritising Digital Sovereignty.

• Building the economy.
  Germany, France, Netherlands, Denmark and other European nations are actively pursuing Digital Sovereignty through strategic investments in open technologies and international collaboration.

• International collaboration.
  Provides a model for governments to create and control key technologies for common problems, including in health, data and procurement.

The opportunity of the Digital Commons

• Growing the Digital Commons with Open Source software offers a major opportunity for the UK in modernising critical government systems and strengthening control over public technology infrastructure.

• It can repair the relationship between government and the technology it relies on, by reducing dependence on proprietary vendors and restoring public sector control.

• Greater investment in Open Source can also drive UK economic growth, supporting domestic innovation and a more competitive technology sector.

• Despite underpinning much of the global digital economy, Open Source remains underrecognised in UK government strategy.

• National economies would be 2–3% smaller without Open Source software.

• Open Source is present in over 95% of proprietary software systems, making up around 70% of their codebase on average.

• EU research suggests every £1 invested in Open Source returns around £4 in economic value.

• The Linux Foundation estimates 2–5x return on investment for organisations contributing to Open Source, rising to around 6x for leading contributors.

• France’s government preference for Open Source procurement helped generate 9–18% annual growth in IT startups, while also creating globally valuable Open Source assets.

• In the UK, OpenUK estimates Open Source contributes around £13 billion annually, representing 27% of the technology sector.

• A 2024 Harvard study estimates the global demand-side value of Open Source at $8.8 trillion, noting firms would need to spend 3.5x more on software without it.

• European Commission research suggests a 10% increase in Open Source contributions could add 0.4–0.6% to annual European economic growth.

The way forward: a roadmap to Digital Sovereignty

See Part IV Recommendations for a Digital Sovereignty strategy.

• Embrace the Digital Commons of Open Source: The UK should adopt a “Public Code for Public Money” policy, where software developed for the public sector is made available under an open source license.

• Strengthen competition and regulation: The UK must empower its regulators to challenge the market dominance of tech giants and enforce pro-competitive measures, such as interoperability and data portability.

• Build digital leadership in Government: The UK needs to rebuild its in-house technical expertise to reduce its reliance on external consultants and make smarter procurement decisions.

• Foster international collaboration: The UK should actively participate in international initiatives to develop open standards and digital public goods, and collaborate with other countries on strategic technologies like AI and cloud computing.

Key Recommendations for the UK Government

For the full recommendations, see A Roadmap for Digital Sovereignty.

• Reset UK digital policy to make Digital Sovereignty a central strategic goal.

• Drive competition and effective regulation to create a more level playing field for UK businesses.

• Deliver ‘Public Code for Public Money’ to build a commons of publicly-owned software.

• Invest in the UK’s Open Source ecosystem through procurement, tax incentives and skills development.

• Build digital leadership within government to drive the transition to open technologies.

• Protect democracy by promoting a more diverse and open social media landscape.

Demand UK Digital Sovereignty

Find Out More

Last minute amendments to the Children’s Wellbeing and Schools Bill will have huge implications for freedom of expression and privacy in the UK, Open Rights Group has warned. The digital rights campaigners have raised concerns that MPs and peers are not being given sufficient time to scrutinise the amendments which could have far reaching consequences if powers are abused by the current and future governments.

The Bill returns to the Lords in its final stages on Wednesday 25 March.

James Baker, Platform Power Programme Manager at Open Rights Group said:

“Amendments with far-reaching consequences for freedom of expression and privacy are being rushed through without proper time for political scrutiny.

“We could be forced to hand over personal data as part of a digital ID age check to access parts of the Internet and anyone under 18 could be completely banned from other platforms – all at a ministers’ discretion.

“We urge parliamentarians to think twice about giving current and future ministers such vast, far-reaching and changeable powers.”

Changing data protection law

Amendment 38B could give Ministers the powers to force anyone over 13 to use unsafe and unregulated age-ID services to access certain Internet services. It could be used to write new regulations that require people use particular methods of proving their age online such as a Government issued Digital ID.

Government ministers will be able to override what Ofcom or the ICO consider to be a suitable way to establish a users age online as they will no longer have to determine whether it is proportionate for a 13 year old’s data to be processed compared with the risks posed by age-gating, or whether there are less invasive means to achieve this.

Teenagers could be forced to complete checks that:

• Scan their faces, or other biometric data, to guess their age; or

• Track and profile their behaviour on a given online platform, and sharing these profiles with commercial data brokers, to guess who they are and how old they are;

• Involve submitting identity documents.

• Use Government Digital ID

The Government has refused to regulate the ever-growing age assurance industry despite market leader Yoti being fined by the Spanish data protection authority for the way in which it handles personal data.

Open Rights Group is calling for MPs to support Amendment (e) — Proportionality Requirement for Regulations under sections 214A and Article 8ZA, proposed by human rights organisation Liberty. This amendment would, at least, address some of the most pressing concerns surrounding proportionality of placing the internet between an age based ID checkpoint.

Restricting children’s access to the Internet

Amendment 37(a) gives Ministers the powers “to require internet service providers to restrict access by children to certain internet services”.

This will give ministers huge powers to restrict the Internet without having to pass new legislation. They will not even have to demonstrate harm to children, effectively ripping up work carried out by Ofcom to assess services according to the risks and harms they pose.

This mean that the current or future governments could restrict content they are ideologically opposed to. For example, a Reform government could force ID checks to access LGBTQ content as part of their manifesto commitment “to end trans ideology” in schools.

ORG calls on MPs to focus on the root causes of online harm by addressing engagement-driven design and data-fuelled advertising business models, while supporting digital literacy, resilience among young people, and the growth of safer, more responsible platform alternatives.

Summary

Amendment 38 b would introduce a new power for the Secretary of State, enshrined in new Article 8ZA, to make provisions that a data subject who has given consent for the provision of an information society service is at least of the age specified by Article 8(1) of the UK GDPR. Currently, this age is set at 13 years old.

To this end, the Secretary of State would also have the power

• To make “*provision imposing requirements on” *an information society service (ISS), including* “provision about the steps that must or may be taken by [the ISS provider] for the purposes of complying with*” such age requirements.

• To “make provision amending, repealing, revoking or applying (with or without modifications) any provision of the data protection legislation (within the meaning given by section 3(9) of the Data Protection Act 2018)”.

Open Rights Group urges the House of Lords to reject this amendment. Alternatively, we urge the House to support Amendment (e) — Proportionality Requirement for Regulations under sections 214A and Article 8ZA, as proposed by Liberty in their briefing.

As we explain in this briefing, amendment 38 b:

• Lacks a clear, and perhaps a useful, scope. UK data protection law already requires providers of ISS to verify the age of users to determine the validity of their consent.

• Would allow the Secretary of State to mandate age verification tools that violate the privacy of children and users whose age is verified. There is no clear rationale for granting, nor is desirable to give, discretion to the government to mandate the use of unsafe age assurance tools.

• Gives the Secretary of State an overly broad power to change any provision in UK data protection law. Providing such a broad discretion for the purpose of verifying users’ age is irrational, and introduces an unnecessary risk of jeopardising UK adequacy and the free flow of data with the EU.

The scope of this amendment is unclear

Article 8 of the UK GDPR already requires that information society service (ISS) providers must verify that users who have given consent are above the age specified by article 8(1), or by a person who holds parental responsibility over the child. Taken at face value, the regulations made under new Article 8ZA(1) would only remove parental authority to provide consent on behalf of the child. The rationale for this change is not stated.

This power allows the Secretary of State to override ECHR proportionality for age verification purposes

According to Article 8(1) of the UK GDPR, information society service (ISS) providers must take “reasonable steps” to verify that a user is old enough to provide consent. Reasonableness is anchored to the necessity and proportionality tests under the UK GDPR and the European Convention of Human Rights. Reasonableness ensures that the right to privacy and data protection of a child (or an adult users) going to age verification is not violated or disproportionately affected in the process.

In practice, what is “reasonable” to verify a user age under Article 8(1) of the UK GDPR is determined by a balancing act between the risk of data processing for which a user is consenting, and, on the other hand, the risk of data processing for age verification purposes, the state of the art of the technology, the effectiveness of the age verification method, the existence of a less invasive mean to achieve the same goal, etc. This balance is currently determined by the Information Commissioners’ Office, via regulatory guidance. Such determinations can be scrutinised and overridden by UK Courts.

The power introduced by amendment 38 b would allow the Secretary of State (SoS) to mandate what age verification methods or procedures must be taken in order to comply with regulations issued via its new rule-making power. This power gives the SoS ample discretion to override proportionality considerations, as choices made by regulation could mandate age verification methods that violate or have a disproportionate impact on the privacy of ISS users.

Furthermore, this power would allow the government to use and designate a digital identity as a mandatory mean to verify users’ age. It appears inappropriate to enact legislation in this regard before the ongoing government consultation is done. Either way, allowing government rule-making to disregard proportionality criteria under ECHR would be even more concerning in a circumstance as such.

It is not desirable to give the SoS powers to mandate age verification methods that violate the privacy of children and adults, and the government has not explained why it seeks such power. Likewise, the case for allowing the government to override, without meaningful parliamentary scrutiny, determinations made by independent regulatory authorities, has not been made. There is clear value in leaving the choice of what age verification methods and tools are best to an expert regulator subject to judicial oversight, rather than to the whims of the government of the day.

This power confers excessive discretion to change UK data protection law, which potentially threatens the free flow of data to and from the EU

The UK enjoys adequacy status under EU law. This is the result of a determination, made by the European Commission, that the UK provides an adequate level of protection to personal data compared to the EU. Thus, data can be transferred between the EU and the UK without additional safeguards or hindrance. Maintaining adequacy status is considered fundamental to protect the UK economy and for EU-UK relationships.

Amendment 38 b provides a power for the Secretary of State to amend, repeal, revoke or apply any provision of the UK GDPR or the Data Protection Act. The government would be given this authority without any significant condition or restriction to their discretion, beyond such power having to be exercised for age verification purposes. This power would also allow the government to amend foundational elements of data protection law, including data protection principles, data subjects’ rights, or international data transfers provisions.

Giving the government such an unconditional blank cheque appears inappropriate. The breadth of such power is also unjustified. It is not clear what age verification purposes would benefit from the government power to change foundational elements of UK data protection law. The government has also not explained why changes with such relevance should be made with Statutory Instruments, thus bypassing substantive parliamentary scrutiny.

The Data Use and Access Act has already given wide discretion to the government to change UK data protection law via rule-making powers. Such powers have been identified, in the UK adequacy decision, as a major factor that could affect the level of protection afforded to data transferred to the UK. To address these concerns, the UK adequacy decision clarifies that “special attention should be paid to such additional specifications” introduced by the SoS via rule-making power. The adequacy decision also provides an unprecedented mechanism whereby the Commission could, in reaction to the use of such powers by the UK government, formally require UK authorities to introduce changes to UK data protection law within a three months period, or else proceed to repeal, suspend or amend the adequacy decision.

The introduction of a new, almost boundless mandate for the Secretary of State to amend any data protection provision is an pre-announced car crash. It introduces the substantial risk that poorly thought out changes introduced by Statutory Instruments could inadvertently jeopardise UK adequacy. Introducing such a risk appears inconsiderate, and ultimately unnecessary, for the purpose of pursuing age verification policies.

Conclusion and recommendations

Amendment 38 b would grant the UK Secretary of State new powers under Article 8ZA to introduce new age verification requirements for giving consent to the provision of information society services (ISS). Such a provision already exists under Article 8 of the UK GDPR, and the scope to give the government powers to introduce a requirement that already exists is elusive.

On the other hand, this new powers introduces new risks, and upsets existing and well-established legal safeguards. The Secretary of State would have the power to mandate specific age verification methods, which could potentially breach proportionality considerations dictated by UK data protection law and the European Convention of Human Rights. This power could also be used to pre-empt the outcome of the ongoing government consultation on digital identity, which could be designated as a mandatory mean to verify users’ age.

Finally, the amendment confers unusually broad authority to amend, repeal, or modify any provision of UK data protection legislation—including foundational elements like data protection principles, data subject rights, and international transfer provisions—for age verification purposes. Introducing such expansive and unfettered powers is unnecessary for age verification purposes, and could inadvertently jeopardise UK adequacy and the free flow of data with the EU.

The cost of loosing adequacy has been estimated to £1.6 billion for business compliance, which excludes the reduction in trade and exchange of services with the EU that would inevitably result. Major EU-UK cooperation initiatives, such as the Trade and Cooperation Agreement, the Windsor Framework, and the UK participation to Horizon and Erasmus+, all depend on continued adequacy status.

Taken as a whole, this amendment appears to be a rushed-out exercise which lacks clear benefits, but introduces significant risks instead. Thus, Open Rights Group recommend to vote against a proposal that was drafted poorly and in haste.

Alternatively, we urge the House to support Amendment (e) — Proportionality Requirement for Regulations under sections 214A and Article 8ZA, as proposed by Liberty in their briefing. This amendment would, at least, address some of the most pressing concerns surrounding proportionality of age verification methods.

The ICO must investigate a Reform UK ‘competition’ which asks the public to hand over details of their voting preferences in order to be eligible to win their energy bills being paid for a year. Digital campaigners, Open Rights Group have outlined a number of ways that the supposed competition breaches data protection law.

Mariano delli Santi, Legal and Policy Officer at Open Rights Group said:

“Reform are asking the public to hand over sensitive data about their voting habits without being transparent about how it will be used. This is a clear breach of transparency obligations under UK data protection law. Nothing in their privacy policy suggests they are not acting unlawfully in many other ways.”

“Political opinions are among the most sensitive types of personal data, and voters must be able to engage in campaigns without feeling pressured to trade their privacy for the chance of material benefit. The ICO must investigate and take a stand against political parties exploiting data in this way.

“Aside from the potential breach of data protection law, offering financial incentives in exchange for people’s political views risks turning democratic participation into a data-harvesting exercise. Free and fair elections depend on trust, transparency, and genuine consent not competitions that blur the line between campaigning and profiling.”

Reacting to the ICO suggestion that concerned members of the public should raise a complaint with Reform UK, Mariano delli Santi, Legal and Policy Officer at Open Rights Group, said:

“The ICO statement is unacceptable. Reform UK has already stated, publicly, that they do not think they’re doing anything wrong, despite all evidence of the contrary. By asking people to contact Reform, the ICO are sending the public off a dead track.

There is clear evidence that the law is been breached. The ICO have a statutory duty to monitor and ensure compliance with UK data protection law. Instead of doing their job, the ICO are telling to the public to “go figure it out themselves”.

Abusing personal data for electoral purposes can erode the integrity of the electoral process. The ICO refusal to fulfill their duty and carry out much needed oversight marks yet another institutional failure, which risks affecting the May elections.”

How Reform is breaching data protection law

There is no specific privacy policy for the price draw, only a link to Reform’s general privacy policy. This policy does not explain how Reform uses personal data or comply with the law, but only states that they promise to be compliant.

There is no way to know what they will do with the data they collect beyond adjudicating the draw. This is a breach of transparency, and may be an indication that they’re also unlawfully repurposing the data collected for other electoral purposes.

Reform UK doesn’t explicitly identify a legal basis for processing data given via the draw. Its an educated guess that they are relying on contractual obligations for most of the data collection, and on consent for direct marketing. At the very least, it’s a failure to comply with transparency obligations, and it’s potentially a breach of the requirement to process data lawfully as well.

Reform are asking people who enter the competition to provide special category data. Specifically, information about how they voted in the past and how they expect to vote in the future. They do not identify a legal basis for asking this. They may argue that they are asking for explicit consent, but entrants have to hand over this information in order to enter the competition so there isn’t really a choice, explicit or otherwise.

In their T&Cs, they give entrants the right to object to their name being published if they win the draw, but they ask them to do so before the price is adjudicated. This makes the freedom to exercise this objection questionable, as entrants could fear that they will be disadvantaged if they do so. The T&Cs also give full discretion to Reform UK to decide how to adjudicate the price.

Data and Democracy

Data and Democracy

Find Out More