惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
The Exploit Database - CXSecurity.com
J
Java Code Geeks
H
Help Net Security
B
Blog RSS Feed
G
Google Developers Blog
博客园 - 司徒正美
MongoDB | Blog
MongoDB | Blog
量子位
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog
P
Proofpoint News Feed
小众软件
小众软件
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
V
V2EX
月光博客
月光博客
C
Check Point Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
Arctic Wolf
Help Net Security
Help Net Security
Schneier on Security
Schneier on Security
D
DataBreaches.Net
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
T
Tenable Blog
L
LangChain Blog
Attack and Defense Labs
Attack and Defense Labs
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
F
Fortinet All Blogs
Recent Announcements
Recent Announcements
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
大猫的无限游戏
大猫的无限游戏
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Y
Y Combinator Blog
WordPress大学
WordPress大学
Stack Overflow Blog
Stack Overflow Blog
V
Visual Studio Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
NISL@THU
NISL@THU
GbyAI
GbyAI
博客园 - Franky
S
Secure Thoughts
有赞技术团队
有赞技术团队
PCI Perspectives
PCI Perspectives
U
Unit 42

Open Rights Group

Wanted: Government to fix the ICO Joint Letter: Protect VPNs Open letter for an investigation into the ICO over eVisas Civil society organisations call for ICO to be investigated over eVisas The end is nigh for US data transfers How AI in asylum decision-making drives failure and cost Dear Andy, we need a complete reset on digital policy John Edwards resignation is opportunity to appoint a regulator with teeth AI in Asylum Decisions: Transparency and Accountability Failures Stop Killing the Internet: New global movement launches MPs urged to vote for a Digital Sovereignty strategy The social media policy ratchet Starmer’s social media ban fails to address root causes of online harms This refugee week, take courage! The rise of copyright trolling Growing up in an online world: ORG Consultation Response Reset the ICO The ICO isn’t doing its job – why the data watchdog needs an overhaul The ICO isn’t doing its job – why the data watchdog needs to be reset ORG response to ICO call for views on our approach to regulating online advertising ORG response to Consultation on the ICO’s approach to data protection complaint handling Companies and civil society warn that UK is undermining open web Papers Please! MPs back mass online digital ID checkpoints MPs call for publication of secret documents that outline chronic risks from UK’s dependence on Big Tech New report: UK needs digital sovereignty strategy to address threats from reliance on big tech The case for Digital Sovereignty and the Digital Commons After the LA Court verdict, the UK must disrupt surveillance capitalism business models 13 year olds could be compelled to use unregulated age verification ICO must investigate Reform ‘competition’ for data protection breaches Break privacy to make privacy? Age verification isn’t the answer Home Office use of AI in asylum cases likely to be unlawful, legal opinion finds Legal Opinion: The use of Artificial Intelligence tools in asylum cases MPs give ministers powers to restrict entire Internet Board Election Results Palestine Action ruling: Human rights organisations call for Ofcom to issue guidance on content takedowns
Children’s Wellbeing and Schools Bill: Analysis of Amendment 38b
Mariano delli Santi · 2026-03-19 · via Open Rights Group

Summary

Amendment 38 b would introduce a new power for the Secretary of State, enshrined in new Article 8ZA, to make provisions that a data subject who has given consent for the provision of an information society service is at least of the age specified by Article 8(1) of the UK GDPR. Currently, this age is set at 13 years old.

To this end, the Secretary of State would also have the power

  • To make “*provision imposing requirements on” *an information society service (ISS), including* “provision about the steps that must or may be taken by [the ISS provider] for the purposes of complying with*” such age requirements.
  • To “make provision amending, repealing, revoking or applying (with or without modifications) any provision of the data protection legislation (within the meaning given by section 3(9) of the Data Protection Act 2018)”.

Open Rights Group urges the House of Lords to reject this amendment. Alternatively, we urge the House to support Amendment (e) — Proportionality Requirement for Regulations under sections 214A and Article 8ZA, as proposed by Liberty in their briefing.

As we explain in this briefing, amendment 38 b:

  • Lacks a clear, and perhaps a useful, scope. UK data protection law already requires providers of ISS to verify the age of users to determine the validity of their consent.
  • Would allow the Secretary of State to mandate age verification tools that violate the privacy of children and users whose age is verified. There is no clear rationale for granting, nor is desirable to give, discretion to the government to mandate the use of unsafe age assurance tools.
  • Gives the Secretary of State an overly broad power to change any provision in UK data protection law. Providing such a broad discretion for the purpose of verifying users’ age is irrational, and introduces an unnecessary risk of jeopardising UK adequacy and the free flow of data with the EU.

The scope of this amendment is unclear

Article 8 of the UK GDPR already requires that information society service (ISS) providers must verify that users who have given consent are above the age specified by article 8(1), or by a person who holds parental responsibility over the child. Taken at face value, the regulations made under new Article 8ZA(1) would only remove parental authority to provide consent on behalf of the child. The rationale for this change is not stated.

This power allows the Secretary of State to override ECHR proportionality for age verification purposes

According to Article 8(1) of the UK GDPR, information society service (ISS) providers must take “reasonable steps” to verify that a user is old enough to provide consent. Reasonableness is anchored to the necessity and proportionality tests under the UK GDPR and the European Convention of Human Rights. Reasonableness ensures that the right to privacy and data protection of a child (or an adult users) going to age verification is not violated or disproportionately affected in the process.

In practice, what is “reasonable” to verify a user age under Article 8(1) of the UK GDPR is determined by a balancing act between the risk of data processing for which a user is consenting, and, on the other hand, the risk of data processing for age verification purposes, the state of the art of the technology, the effectiveness of the age verification method, the existence of a less invasive mean to achieve the same goal, etc. This balance is currently determined by the Information Commissioners’ Office, via regulatory guidance. Such determinations can be scrutinised and overridden by UK Courts.

The power introduced by amendment 38 b would allow the Secretary of State (SoS) to mandate what age verification methods or procedures must be taken in order to comply with regulations issued via its new rule-making power. This power gives the SoS ample discretion to override proportionality considerations, as choices made by regulation could mandate age verification methods that violate or have a disproportionate impact on the privacy of ISS users.

Furthermore, this power would allow the government to use and designate a digital identity as a mandatory mean to verify users’ age. It appears inappropriate to enact legislation in this regard before the ongoing government consultation is done. Either way, allowing government rule-making to disregard proportionality criteria under ECHR would be even more concerning in a circumstance as such.

It is not desirable to give the SoS powers to mandate age verification methods that violate the privacy of children and adults, and the government has not explained why it seeks such power. Likewise, the case for allowing the government to override, without meaningful parliamentary scrutiny, determinations made by independent regulatory authorities, has not been made. There is clear value in leaving the choice of what age verification methods and tools are best to an expert regulator subject to judicial oversight, rather than to the whims of the government of the day.

This power confers excessive discretion to change UK data protection law, which potentially threatens the free flow of data to and from the EU

The UK enjoys adequacy status under EU law. This is the result of a determination, made by the European Commission, that the UK provides an adequate level of protection to personal data compared to the EU. Thus, data can be transferred between the EU and the UK without additional safeguards or hindrance. Maintaining adequacy status is considered fundamental to protect the UK economy and for EU-UK relationships.

Amendment 38 b provides a power for the Secretary of State to amend, repeal, revoke or apply any provision of the UK GDPR or the Data Protection Act. The government would be given this authority without any significant condition or restriction to their discretion, beyond such power having to be exercised for age verification purposes. This power would also allow the government to amend foundational elements of data protection law, including data protection principles, data subjects’ rights, or international data transfers provisions.

Giving the government such an unconditional blank cheque appears inappropriate. The breadth of such power is also unjustified. It is not clear what age verification purposes would benefit from the government power to change foundational elements of UK data protection law. The government has also not explained why changes with such relevance should be made with Statutory Instruments, thus bypassing substantive parliamentary scrutiny.

The Data Use and Access Act has already given wide discretion to the government to change UK data protection law via rule-making powers. Such powers have been identified, in the UK adequacy decision, as a major factor that could affect the level of protection afforded to data transferred to the UK. To address these concerns, the UK adequacy decision clarifies that “special attention should be paid to such additional specifications” introduced by the SoS via rule-making power. The adequacy decision also provides an unprecedented mechanism whereby the Commission could, in reaction to the use of such powers by the UK government, formally require UK authorities to introduce changes to UK data protection law within a three months period, or else proceed to repeal, suspend or amend the adequacy decision.

The introduction of a new, almost boundless mandate for the Secretary of State to amend any data protection provision is an pre-announced car crash. It introduces the substantial risk that poorly thought out changes introduced by Statutory Instruments could inadvertently jeopardise UK adequacy. Introducing such a risk appears inconsiderate, and ultimately unnecessary, for the purpose of pursuing age verification policies.

Conclusion and recommendations

Amendment 38 b would grant the UK Secretary of State new powers under Article 8ZA to introduce new age verification requirements for giving consent to the provision of information society services (ISS). Such a provision already exists under Article 8 of the UK GDPR, and the scope to give the government powers to introduce a requirement that already exists is elusive.

On the other hand, this new powers introduces new risks, and upsets existing and well-established legal safeguards. The Secretary of State would have the power to mandate specific age verification methods, which could potentially breach proportionality considerations dictated by UK data protection law and the European Convention of Human Rights. This power could also be used to pre-empt the outcome of the ongoing government consultation on digital identity, which could be designated as a mandatory mean to verify users’ age.

Finally, the amendment confers unusually broad authority to amend, repeal, or modify any provision of UK data protection legislation—including foundational elements like data protection principles, data subject rights, and international transfer provisions—for age verification purposes. Introducing such expansive and unfettered powers is unnecessary for age verification purposes, and could inadvertently jeopardise UK adequacy and the free flow of data with the EU.

The cost of loosing adequacy has been estimated to £1.6 billion for business compliance, which excludes the reduction in trade and exchange of services with the EU that would inevitably result. Major EU-UK cooperation initiatives, such as the Trade and Cooperation Agreement, the Windsor Framework, and the UK participation to Horizon and Erasmus+, all depend on continued adequacy status.

Taken as a whole, this amendment appears to be a rushed-out exercise which lacks clear benefits, but introduces significant risks instead. Thus, Open Rights Group recommend to vote against a proposal that was drafted poorly and in haste.

Alternatively, we urge the House to support Amendment (e) — Proportionality Requirement for Regulations under sections 214A and Article 8ZA, as proposed by Liberty in their briefing. This amendment would, at least, address some of the most pressing concerns surrounding proportionality of age verification methods.