Skip to main content

The “make data protection laws fit for the digital age” Bill

Bill Passed




The Bill implements a commitment in the 2017 Conservative Party manifesto to repeal and replace the UK’s existing data protection laws to keep them up to date for the digital age in which ever increasing amounts of personal data are being processed. It sets new standards for protecting personal data, in accordance with recent EU data protection laws, giving people more control over use of their data. 

The Data Protection Bill will:

  • Empower people to take control of their data, including the ability for individuals to ask businesses (including social media companies) to erase data relating to them before they were 18 - or “the right to be forgotten”.
  • Implement the EU’s General Data Protection Regulations so the UK will still be consistent with Europe after Brexit.
  • Reverse the consent on websites that issue mailouts to assume that the individual does not want their data used, as opposed to requiring them to have to opt out of receiving communications.
  • Give the Information Commissioner greater powers to punish organisations that do not abide by data protection laws and increase the levels of fines they can impose from £500,000 to £18 million.


Personal data is increasingly stored, processed and exchanged on the internet and often exists in an international environment. It is therefore necessary for data protection standards to be consistent at an international level. Next year the EU will implement its General Data Protection Regulations across all member states. However, with Brexit on the horizon the UK needs to make sure it will still be in line other European countries.

Many of the rules relating to data protection that exist at the moment do not take into account that most data held on record by businesses and organisations is now digital. This Bill will also expand the definition of what constitutes personal data to include things like IP addresses and web cookies.


This Bill is being introduced by Lord Ashton from the Department for Culture, Media and Sport.

Other Arguments

Some people have said that businesses are unprepared for the new rules coming into force. The clause about individuals asking for data to be removed could be difficult if a business or organisation does not have its data stored digitally. Although fines are unlikely to all reach £18m, some companies may be penalised before they have organised their data properly.

The Government has said there will be exemptions to the “right to be forgotten” clause in some cases to maintain freedom of speech, allow for criminal and anti-terrorist investigations, and allow anti-doping organisations to try and catch cheats. However the details of the exemptions are not all clear, and will no doubt be subject to debate in Parliament.

Campaigners have also criticised the Government for not allowing privacy groups to make “super complaints” against companies, in the same way that consumer organisations can. These complaints were made an option under the GDPR but ministers have not taken it up. Privacy groups say consumers often find it difficult to understand complex data issues so campaigners should be able to act on their behalf.

How to get involved

You can contact your MP or the Department for Culture, Media and Sport.

If I don’t act, will it go through?

This is a Government Bill so you can expect this to become law, however the Government does not have a majority at the moment so nothing can be that certain.