CyberUp reacts to new amendment tabled to Data (Use and Access) Bill

In an exciting update, an amendment to the Data (Use and Access) Bill has been tabled by Lord Holmes proposing to update the CMA and introduce ‘a statutory defence’. This is a key ask of the CyberUp Campaign. The amendment will hopefully be raised at Grand Committee Stage on Monday 16th December.

The Data (Use and Access) Bill introduces new powers to expand the access, use, and regulation of data, marking a significant step toward modernising the UK’s data protection framework. With cybercrime and online fraud on the rise it is key that we use the opportunity of the Bill to raise reform of the CMA.

The introduction of a ‘statutory defence’ for legitimate activities could protect cyber professionals and increase the UK’s ability to combat cybercrime, fraud, and foreign interference, whilst unlocking further growth for our already successful British tech industry. We are very grateful to Lord Holmes for tabling this amendment and to Lord Clement-Jones for sponsoring it.

Rob Dartnall, CEO of SecAlliance, Chair of CREST UK and representative of the CyberUp Campaign, commented:

“We are delighted to see an amendment tabled that could bring the Computer Misuse Act into the 21st century by introducing a statutory defence. Updating this Act would represent a landmark moment for UK cyber security legislation, which is outdated when compared to the cyber threat landscape we face.

The UK’s outdated cyber laws are preventing our cyber security professionals from defending organisations effectively. In no other sector do security professionals face risks of breaking the law for simply doing their jobs. Campaign research shows that nearly two-thirds of cyber professionals say the CMA hinders their ability to safeguard the UK—an untenable situation as cyber threats grow.

 The last two years have seen unprecedented levels of critical vulnerabilities, ransomware breaches and third party system breaches, all of which have had a massive effect on people’s data privacy and the UK’s economy.

By introducing a statutory defence, the UK could protect legitimate cybersecurity professionals, strengthen its cyber defences, and reinforce its place as a cybersecurity leader. It is time we updated the law to fit with the digital age. With support from across parliament, we believe this amendment could be a catalyst for a change that would better protect the country."

The full amendment can be viewed here and here, and below:

Amendment 156A and 156B

After Clause 107

insert the following new Clause—

“Data use: definition of unauthorised access to computer programs or data
In section 17 of the Computer Misuse Act 1990, at the end of subsection (5) insert—

“(c) they do not reasonably believe that the person entitled to control access of the kind in question to the program or data would have consented to that access if they had known about the access and the circumstances of it, including the reasons for seeking it, and
(d) they are not empowered by an enactment, by a rule of law, or by order of a court or tribunal to access of the kind in question to the program or data.””

After Clause 107

insert the following new Clause—

“Data use: defences to charges under the Computer Misuse Act 1990

(1)The Computer Misuse Act 1990 is amended as follows.

(2)In section 1, after subsection (3) insert—

“(4)It is a defence to a charge under subsection (1) to prove that—

(a)the person’s actions were necessary for the detection or prevention of crime, or
(b)the person’s actions were justified as being in the public interest.”

(3)In section 3, after subsection (6) insert—

“(7)It is a defence to a charge under subsection (1) in relation to an act carried out for the intention in subsection (2)(b) or (c) to prove that—

(a)the person’s actions were necessary for the detection or prevention of crime, or
(b)the person’s actions were justified as being in the public interest.””