Andy Burnham’s opposition to a mandatory digital identity scheme could derail the UK government’s e‑ID rollout if he replaces Keir Starmer as prime minister. The article explains the legal framework (GDPR, UK DPA, eIDAS), the potential fines for non‑compliance, and what the policy shift would mean for users, businesses and civil‑rights groups.
Burnham Backlash: UK Digital ID Plans in Peril if Manchester Mayor Becomes Prime Minister
Andy Burnham outside during a rally in Manchester
[Credit: R Heilig/Shutterstock]
What happened
The Labour Party’s digital‑identity programme – a government‑backed, mandatory "digital ID" that would link citizens’ personal data to a single online credential – is now a political flashpoint.
During the Labour conference in Manchester last autumn, Greater Manchester Mayor Andy Burnham publicly rejected the scheme, recalling the failed national ID‑card project of 2005‑2010.
Since then Burnham has been selected to contest the Makerfield by‑election, a seat that could catapult him into Westminster and, if Labour’s leadership contest ends in his favour, into the prime‑minister’s office.
If Burnham becomes prime minister, his earlier criticism suggests the digital‑ID agenda could be shelved or radically re‑shaped.
The stakes are high: the policy is already embedded in the UK Government’s Digital Strategy, with a budget of £1.2 billion and a target rollout to public‑service users by 2028.
Legal basis for a digital ID in the UK
| Regulation | Core requirement | Relevance to digital ID |
|---|---|---|
| UK GDPR (the UK’s version of the EU GDPR) | Lawful, fair, transparent processing; data‑minimisation; purpose limitation; strong security | Any centralised credential that stores personal data must have a lawful basis (e.g., public‑task) and meet the GDPR’s strict security and rights obligations. |
| Data Protection Act 2018 | Supplements UK GDPR, adds specific provisions for law‑enforcement and intelligence data | Governs how the digital‑ID system can share data with public bodies and private service providers. |
| eIDAS Regulation (EU) | Mutual recognition of electronic identification across EU member states | If the UK wishes its e‑ID to be accepted for cross‑border services, compliance with eIDAS (or a UK‑EU equivalence agreement) will be required. |
| UK Digital Economy Act 2017 (section 13) | Enables the Secretary of State to create a ‘digital identity verification’ framework | Provides the statutory footing for the current digital‑ID proposal. |
Potential penalties
- UK GDPR fines – up to £17.5 million or 4 % of global annual turnover, whichever is higher, for breaches such as unlawful processing or inadequate security.
- Civil‑rights actions – individuals can claim compensation for damages caused by unlawful data handling, and the Information Commissioner’s Office (ICO) can issue enforcement notices.
- Cross‑border implications – non‑compliance with eIDAS could block UK citizens from using the e‑ID for EU services, undermining trade and travel facilitation.
Impact on users and companies
For citizens
- Loss of a unified credential – If the scheme is abandoned, users will continue to rely on fragmented verification methods (passport scans, utility‑bill checks, two‑factor apps). This can increase friction when accessing online public services such as NHS appointments, benefits portals, or tax filings.
- Data‑privacy reassurance – Burnham’s stance may reassure privacy‑focused citizens who fear a single point of failure for their identity data. However, without a regulated framework, the market may fill the gap with commercial “digital‑ID wallets” that lack strong oversight.
For businesses
- Compliance uncertainty – Companies that have already begun integrating the government’s API (e.g., fintechs, health‑tech firms) will need to re‑engineer authentication flows, incurring costs estimated at £30‑£50 million across the sector.
- Risk of fines – If a mandatory digital ID is rolled out without meeting GDPR standards, firms that process the ID data could face the hefty fines outlined above.
- Competitive landscape – A government‑backed ID can level the playing field for smaller providers; its removal could give larger tech firms an advantage as they roll out proprietary identity solutions.
What changes could we see
- Policy pause or repeal – A Burnham‑led administration may issue a statutory instrument to suspend the Digital Economy Act’s section 13 powers, effectively halting the rollout.
- Shift to a voluntary framework – Instead of a mandatory credential, the government could promote a voluntary e‑ID standard that meets GDPR and eIDAS but leaves adoption to citizens and businesses.
- Strengthened oversight – Pressure from civil‑rights groups may force the ICO to issue a binding code of practice for any digital‑ID solution, tightening security and data‑subject rights.
- Regional pilots – Burnham could champion a devolved approach, allowing England, Scotland, Wales and Northern Ireland to experiment with their own identity schemes under the umbrella of the UK GDPR.
Why it matters for digital rights
A mandatory digital ID sits at the intersection of state surveillance, commercial data‑harvesting, and citizen convenience.
If the scheme proceeds without robust legal safeguards, the UK could face a wave of GDPR enforcement actions similar to the €50 million fine imposed on a European telecom operator for inadequate consent mechanisms.
Conversely, scrapping the plan without an alternative could leave vulnerable populations without reliable, low‑cost ways to prove their identity online, deepening the digital divide.
The debate therefore isn’t just about politics; it’s about whether the UK will build a rights‑respecting digital infrastructure or revert to a patchwork of ad‑hoc solutions that expose citizens to higher fraud risk and privacy loss.
What activists can do now
- Monitor ICO publications – The ICO regularly releases guidance on biometric data and identity verification; staying up‑to‑date helps spot non‑compliant implementations.
- Demand a public impact assessment – Under the UK GDPR, a Data Protection Impact Assessment (DPIA) is mandatory for high‑risk processing. Activists should press the government to publish the DPIA for the digital‑ID scheme.
- Support legislative scrutiny – Encourage MPs to raise the issue in Commons committees, especially the Digital, Culture, Media and Sport (DCMS) Committee, which has jurisdiction over the Digital Economy Act.
- Engage with the e‑IDAS dialogue – If the UK seeks EU recognition for its e‑ID, civil‑society groups can submit comments during the European Commission’s consultation periods.
Bottom line
Andy Burnham’s opposition to a mandatory digital ID could either halt a controversial state‑run credential or create a vacuum that private actors will rush to fill.
Either outcome will hinge on how the government aligns the scheme with the UK GDPR, the Data Protection Act, and, where relevant, eIDAS.
For users, the key question is whether their personal data will be protected by strong legal safeguards or left exposed in a fragmented, market‑driven identity ecosystem.
Related reading:
Comments
Please log in or register to join the discussion