The Convergence of Control: How Secondary Legislation Is Expanding State Surveillance in the United Kingdom

British Democratic Alliance – Policy Division

Interim Policy Briefing (7 October 2025)

The Convergence of Control: How Secondary Legislation Is Expanding State Surveillance in the United Kingdom

Executive Summary

This briefing examines the accelerating convergence of surveillance powers across multiple strands of UK legislation, including the Criminal Justice Bill (2024–25), the Online Safety Act 2023, the Child Wellbeing and Schools Bill (2025), and recent amendments to the Money Laundering Regulations and Police Act 1997.

Individually, these measures appear limited in scope and are often justified by reference to child protection, anti-terrorism, or efficiency. Collectively, they form an architecture of control that vastly extends the State’s capacity to monitor, profile, and intervene in citizens’ private and digital lives.

Drawing on academic work that has already identified “authoritarian innovations” in post-Brexit UK governance (Smismans, 2024; Harcourt, 2023; Zamani & Rousaki, 2024), this paper argues that recent legislative activity demonstrates a sustained pattern of surveillance expansion through secondary legislation, coupled with declining judicial and parliamentary oversight.

Key Findings

• The Criminal Justice Bill expands government access to “communications data” to cover non-serious offences (Clause 84) and introduces “lawful device interference” authorisations without judicial sign-off (Clause 92 / Schedule 9).
• The Child Wellbeing and Schools Bill (CWS), still progressing through Parliament, creates a statutory framework for a Digital Identity Register of minors (Clauses 23–31) and amends the Education Act 2002 to mandate continuous monitoring of children’s attendance, health, and welfare.
• The Online Safety Act 2023 empowers Ofcom to demand access to encrypted communications and user data (Sections 110–116) with only ministerial oversight.
• Recent amendments to the Money Laundering Regulations (2023/1267) and DWP Data-Matching Regulations 2024 enable continuous access to citizens’ bank accounts for benefit-fraud detection and “financial behaviour analytics”.
• New Statutory Instrument 2024 No. 511 expands Police Act 1997 Part II powers to include live facial recognition and ANPR integration across public-facing camera networks.
• Together, these developments amount to de facto universal data linkage between identity, finance, education, and movement tracking—without any unified statutory oversight framework.

1. Background: A Legislative Drift toward Surveillance Governance

Since the Regulation of Investigatory Powers Act 2000 (RIPA), the UK’s surveillance regime has evolved from targeted interception to mass data acquisition. The Investigatory Powers Act 2016 (IPA) introduced “bulk powers” but at least required Judicial Commissioner authorisation.

The current wave of legislation dismantles those guard-rails through a strategy of secondary legislation creep—incremental amendments to existing Acts, often via Statutory Instruments (SIs) that receive minimal parliamentary scrutiny.

Scholars such as Smismans (2024) describe this pattern as part of the UK’s “authoritarian innovations” since Brexit, where governance reforms favour executive flexibility and data-driven control. Harcourt (2023) and Zamani & Rousaki (2024) similarly note the fusion of digitalisation and securitisation in British policy style—a trajectory now reaching maturity.

2. Legislative Analysis

2.1 Criminal Justice Bill (2024–25)

• Clause 84 redefines “relevant crime” for communications-data acquisition to include any indictable or summary offence, a direct departure from the “serious crime” threshold in IPA 2016 Part 3.
• Clause 92 / Schedule 9 authorises “lawful device interference” by public authorities without prior judicial approval, replacing independent warrants with internal authorisation and retrospective review.
• The Bill also permits cross-referencing of seized device data with other government datasets, establishing an implicit data-linkage power.

2.2 Online Safety Act 2023

• Sections 110–116 empower Ofcom to issue “information notices” requiring service providers to decrypt content or supply metadata. There is no statutory exemption for end-to-end encryption, effectively mandating technical backdoors.
• Enforcement orders are appealable only to the Secretary of State, not an independent court—contravening proportionality principles under Article 8 ECHR.

2.3 Child Wellbeing and Schools Bill (2025)

(Currently before the House of Lords; provisions subject to amendment.)

• Clauses 23–31 establish a national “Child Digital Identity Register”, ostensibly for safeguarding and education continuity.
• Data categories include health, attendance, familial relationships, and disciplinary records—cross-linked with Department for Education databases.
• Amendments to the Education Act 2002 authorise “real-time information sharing” with law enforcement and health authorities.
• These measures raise acute privacy and proportionality concerns under UK GDPR Art. 8 and ECHR Art. 8 (right to respect for private and family life).

2.4 Financial-Data Legislation

• The Money Laundering and Terrorist Financing (Amendment) Regulations 2023 / 1267 extend “specified data access” to include benefit, pension, and tax records, creating continuous inter-agency data visibility.
• The DWP Data-Matching (Amendment) Regulations 2024 enable algorithmic screening of all claimants’ bank accounts for “anomalous activity”, effectively introducing automated financial surveillance.

2.5 ANPR and Facial-Recognition Expansion

• Statutory Instrument 2024 No. 511 revises Police Act 1997 Part II to permit integration of Automatic Number Plate Recognition (ANPR) and biometric facial recognition with national policing and Home Office systems.
• There is no statutory right of objection or independent auditing of algorithmic bias.

3. Secondary Legislation Creep

The increasing reliance on delegated legislation allows the executive to bypass parliamentary scrutiny for measures with significant civil-liberties implications.
This has led to what policy scholars call “governance by stealth”—small technical amendments that collectively rewrite the social contract.

Parliamentary committees rarely debate these SIs in depth; most pass “on the nod”. The public consultation process is minimal or non-existent, violating the spirit of democratic oversight envisaged by the Human Rights Act 1998 and Freedom of Information Act 2000.

4. Systemic Impact

The convergence of these measures’ yields:

• Totalised citizen profiling through linkage of identity, finance, movement, and communication data.
• Erosion of judicial oversight, as executive authorisation replaces independent approval.
• Technological enforcement of policy, where AI-driven monitoring supplants human judgement.
• Normalization of surveillance culture, conditioning citizens to accept continuous observation as a civic duty.

As Norton (2023) warns, such dynamics cultivate conformity and self-censorship—the hallmarks of authoritarian governance even within nominally democratic states.

5. Policy and Legal Risk

The aggregated powers described above may contravene:

• ECHR Articles 6 & 8 (privacy and fair trial),
• UK GDPR Articles 5–9 (lawfulness and data minimisation),
• UN Convention on the Rights of the Child Art. 16 (privacy of minors).

Without robust safeguards, the UK risks sliding into what Seifert (2020) calls “identity-based governance”—a system where digital presence equates to state surveillance.

6. BDA Policy Recommendations

1. Independent Surveillance Oversight Authority (ISOA): A statutory body answerable solely to Parliament, empowered to audit all data-access warrants and algorithmic systems.
2. Sunset Clauses: All delegated surveillance powers must lapse after five years unless re-approved by full parliamentary vote.
3. Transparency and Public Consultation: Mandatory publication of draft SIs with 12-week consultation and human-rights impact assessment.
4. Digital Identity Safeguards: Any Digital ID framework must be voluntary, decentralised, and privacy-preserving by design.
5. Judicial Oversight Restoration: Reinstate independent judicial authorisation for any data interception, device interference, or financial-data access.

BDA Position Statement

The British Democratic Alliance holds that the security of the realm cannot justify the erosion of liberty. Technological efficiency must never outrun democratic accountability. The steady accretion of executive surveillance powers through secondary legislation represents a profound constitutional risk.

The BDA will campaign for legislative reform to re-establish the primacy of Parliament and the courts in overseeing state surveillance, and to ensure that Britain remains a democracy governed by the consent—not the compliance—of its people.

Appendix A – Key Legislative References

Instrument	Relevant Clauses / Sections	Year	Primary Effect
Criminal Justice Bill	84, 92 (Sch. 9)	2024–25	Expands data access to non-serious offences; authorises device interference without judicial oversight
Online Safety Act	110–116	2023	Mandates data disclosure to Ofcom; weakens encryption protections
Child Wellbeing & Schools Bill	23–31	2025 (pending)	Creates child digital-identity register; continuous monitoring of minors
MLR Amendments	Reg. 4–6	2023	Extends data access across departments
DWP Data-Matching Regs	All	2024	Permits automated bank-account surveillance
Police Act SI No. 511	—	2024	Adds facial recognition & ANPR integration

 

References (selected)

1. Smismans (2024) Brexit and Labour Governance: Authoritarian Innovations in the United Kingdom, Industrial Relations 66(4): 538–557.
2. Harcourt (2023) Brexit and the Digital Single Market, Oxford UP.
3. Norton (2023) Anarchy, Courage, Democracy, Oxford UP.
4. Zamani & Rousaki (2024) Humanities & Social Sciences Comms. 11(1): Article 39 921.
5. Seifert (2020) Network Security (11): 17–19.
6. Allmann & Radu (2022) Global Policy 14(1): 84–94.
   Knight & Saxby (2014) Computer Law & Security Review 30(6): 617–632.
   Reay (2022) Forum 64(3): 126–139.