CHILDREN’S WELLBEING AND SCHOOLS BILL: ORG ANALYSIS OF AMENDMENT 38 B

•March 19, 2026

Open Rights Group — Blog —•Mar 19, 2026

Key Takeaways

•Grants SoS authority to mandate age‑verification tools.
•Allows blanket changes to UK GDPR via statutory instruments.
•Risks breaching ECHR proportionality and child privacy safeguards.
•Could jeopardize EU data‑adequacy, costing billions.
•ORG recommends rejecting amendment, supporting proportionality alternative.

Summary

Amendment 38 b would create a new Article 8ZA giving the Secretary of State power to set age‑verification requirements for information society services and to amend any provision of UK data‑protection law for that purpose. The proposal would let the government mandate specific verification tools, potentially overriding existing GDPR safeguards and the Information Commissioner’s guidance. Open Rights Group argues the amendment lacks clear scope, threatens child privacy, and could endanger the UK’s EU data‑adequacy status. It urges the Lords to reject the amendment and back Liberty’s proportionality‑focused alternative.

Pulse Analysis

The UK’s Children’s Wellbeing and Schools Bill introduces Amendment 38 b, a controversial measure that would embed a new Article 8ZA into the data‑protection framework. Under current UK GDPR rules, information society service providers already must verify that users are at least 13 years old before obtaining consent, with the Information Commissioner’s Office issuing guidance on reasonable verification methods. By granting the Secretary of State the ability to prescribe specific age‑verification tools and to amend any GDPR provision, the amendment seeks to supersede established regulatory practice and judicial oversight, raising immediate legal questions about its necessity and proportionality.

Beyond legal nuance, the amendment’s broad discretion threatens fundamental privacy rights protected by the European Convention on Human Rights. Mandating particular verification technologies—potentially including mandatory digital identities—could expose children and adults to intrusive data collection, violating the proportionality test that balances consent risks against verification intrusiveness. Moreover, allowing the executive to rewrite core data‑protection principles without parliamentary scrutiny undermines the independent regulator’s role, creating a precedent for politically driven privacy erosion. Stakeholders warn that such overreach could trigger challenges in UK courts and erode public trust in digital services.

The economic stakes are equally significant. The UK’s EU adequacy decision hinges on maintaining data‑protection standards comparable to the EU. Unchecked statutory changes to GDPR could jeopardise that status, prompting the European Commission to suspend adequacy and force costly compliance measures on UK businesses—estimates suggest up to £1.6 billion in direct costs, not counting broader trade disruptions. For sectors reliant on seamless data flows, from fintech to research collaborations, the risk is material. Open Rights Group therefore recommends rejecting Amendment 38 b and supporting Liberty’s proportionality amendment, which would preserve regulatory balance while safeguarding both privacy and the UK’s vital economic links with the EU.