The People’s Plan
Draft plan


Draft plans are taking shape based on your ideas. Add your views to help shape the final plan that will be presented to Parliament.
Download this draft plan
We want Britain to be the world’s most advanced digital society. But that won’t happen unless the digital world is a world of trust.

We want Britain to be the world’s most advanced digital society. But that won’t happen unless the digital world is a world of trust.

So: How do we create online spaces where citizens feel safe, especially children?  And how do we build online trust through strong data protection and proper content regulation?

A digital Britain can create more new businesses and new, better paid jobs; it can be a place where we bring people closer together; and enable them to lead better, more fulfilled lives.

But there are risks.  An unsafe internet leaves people – especially children – vulnerable to new forms of crime and new forms of abuse. Failing to provide the right environment for the digital economy to thrive leaves Britain’s economy at risk of being left behind.

That means creating effective data protection and proper content regulation. So what needs to change?

Where we want to be

We need to put trust at the heart of a new data protection system. The new General Data Protection Regulation (GDPR) is a good first step but we need to go further.  So we would like views on how to do that.  For instance:

  1. Creating a new ‘Bill of Digital Rights’ that sets out clearly legally-enforceable rights for people and corresponding obligations for those using their data.
  2. A stronger enforcement framework that provides for collective redress and representative action, making it easier for people to enforce their rights whilst maintaining their anonymity.
  3. A public body to help regulate this area that is transparent, empowered, well-resourced – and capable of helping keep reform of regulation up to speed with technology changes.

Some say we do not need more regulation; they argue the market will adjust to meet the demands of their users. We disagree. A recent survey by Edelman UK has found:

  • 64 per cent of the public worry that social media is not regulated enough;
  • 69 per cent agree that social media companies do not do enough to tackle bullying on their platforms; and
  • 70 per cent agree that there is insufficient action to stop illegal and unethical behaviour.

Where we are today

1. Trust in the online world is weak

Cybercrime is rising.  Action Fraud says that 70 per cent of all fraud is now cyber-enabled.  More and more people are being affected by data breaches, with companies failing to safeguard their information so that it risks falling into the hands of criminals.

Public services like the NHS, which hold vast quantities of highly sensitive personal data, have been hit by malware, raising concerns about the UK's resilience.  The National Audit Office says the NHS and the Department of Health must “get their act together” or suffer “far worse” than the chaos of 2017.

The recent Edelman UK survey shows that less than a quarter of the UK population trusts social media – compare that to the 61 per cent who trust traditional media. The rise of ‘fake news’ and its unknown influence has raised concerns about online bullying and the spread of extremist propaganda – 53 per cent of Brits worry about being exposed to it online. 

Children represent one in five of all internet users in the UK and one in three in the world as whole – they are not a small or marginal group of internet users. Countless reports warn of the negative impacts of social media on them; the NSPCC cites social media as a major cause of the increase in children being admitted to hospital after self-harming.

Even those in the tech industry do not have trust in their colleagues: Apple CEO Tim Cook has said that he does not want his nephew on social media and former Facebook Vice-President Chamath Palihapitiya has said, “God knows what it’s doing to our children’s brains.”

2. Children are at a huge disadvantage

In the past, too many companies would say that they did not know and could not know the age of their users.  Because there was no legal obligation to age verify users, children across the UK and millions across the world use online services that were never designed or intended for them. 

The Information Commissioner now urges the adoption of a cautious approach to data that might belong to children, including implementing up-front age verification systems. This is welcome as it means those who collect and use data can no longer plead ignorance as an excuse.

Children – and their parents – do not have a proper choice of what content is available and what data is collected when children are online. Currently, it is an all-or-nothing situation for children: they can have access to the internet and to social media with minimal control over content and data, or strong control over both but which often means all content, whether it is appropriate or not, being blocked. 

3. The Government is reluctant to act

The Government appears to recognise some of these concerns – the Prime Minister has spoken of the “additional concerns and challenges” posed to young people by the internet – but its actions have fallen short.

The Government’s proposed ‘Digital Charter’ is a good idea but it will only be voluntary.

The Data Protection Bill is now before Parliament.  It will be an essential part of any internet safety regime. However, the Bill is another example of the piecemeal, ad hoc way in which internet regulation evolves. We think it is time to go back to first principles.

Thoughts for the future


1. A ‘Bill of Data Rights’

A ‘Digital Charter’ could offer progress but it does not and will not offer citizens meaningful and enforceable rights. That's why Liam Byrne presented the Bill of Data Rights in the Digital Environment as an amendment in the Committee stage of the Data Protection Bill.

Bill of Data Rights in the Digital Environment -New Schedule 1

The UK recognises the following Data Rights:

Article 1 —Equality of Treatment Every data subject has the right to fair and equal treatment in the processing of his or her personal data.

Article 2 — Security Every data subject has the right to security and protection of their personal data and information systems. Access requests by government must be for the purpose of combating serious crime and subject to independent authorisation.

Article 3 — Free Expression Every data subject has the right to deploy his or her personal data in pursuit of their fundamental rights to freedom of expression, thought and conscience.

Article 4 — Equality of Access Every data subject has the right to access and participate in the digital environment on equal terms. Internet access should be open.

Article 5 — Privacy Every data subject has right to respect for their personal data and information systems and as part of his or her fundamental right to private and family life, home and communications.

Article 6 — Ownership and Control Every data subject is entitled to know the purpose for which personal data is being processed to exercise his or her right to ownership. Government, corporations and data controllers must obtain meaningful consent for use of people’s personal data. Every data subject has the right to own and control his or her personal data. Every data subject is entitled to proportionate share of income or other benefit derived from his or her personal data as part of the right to own.

Article 7 — Algorithms Every data subject has the right to transparent and equal treatment in the processing of his or her personal data by an algorithm or automated system. Every data subject is entitled to meaningful human control in making significant decisions – algorithms and automated systems must not be deployed to make significant decisions.

Article 8 — Participation Every data subject has the right to deploy his or her personal data and information systems to communicate in pursuit of the fundamental right to freedom of association.

Article 9 — Protection Every data subject has the right to safety and protection from harassment and other targeting through use of personal data whether sexual, social or commercial.

Article 10 — Removal Every data subject is entitled to revise and remove their personal data. Compensation Breach of any right in this Bill will entitle the data subject to fair and equitable compensation under existing enforcement provisions. If none apply, the Centre for Data Ethics will establish and administer a compensation scheme to ensure just remedy for any breaches.

Application to Children

The application of these rights to a person less than 18 years of age must be read in conjunction with the rights set out in the United Nations Convention on the Rights of the Child.

Where an information society service processes data of persons less than 18 years of age it must do so under the age appropriate design code.” 

2. Better, more effective regulators

We also need to be ambitious for the institutions that enforce new rights. The Information Commissioner’s Office is the existing enforcement agency but it is not properly resourced.

Proposed new institutions, like the Centre for Data Ethics and Innovation, risk the same flaws. From what little we know about the Centre, it would lack any power to compel answers to reasonable questions, would have a budget of less than £10 million and would have an unknown membership with an unknown remit.

These proposals risk creating something that fails to inspire faith or trust. Any public body tasked with leading reform needs to be empowered, well-resourced and transparent.  Only then can it get down to the task of helping to build digital trust.

3. Conclusion 

Data is the lifeblood of today’s economy. 

The Data Protection Bill offers the perfect opportunity to consider how we want internet regulation to evolve and, more broadly, what sort of society we want to live in. If we get data protection and content regulation right, the UK could create an internet safety regime that becomes the envy of the world.

Join the discussion

Please log in to comment.