UK Data Protection Bill Published

In line with the EU General Data Protection Regulation (GDPR), the UK has now published a Data Protection Bill, which is intended to “make our data protection laws fit for the digital age…” The Overview Factsheet for this Bill may be found here.  This legislative initiative parallels that of several other EU Member States that have introduced similar bills to implement the GDPR.

What does this mean for data protection laws in the UK and the impending GDPR, which is due to come into force throughout the EU on 25 May 2018?

Aim of the Bill

The draft Bill (which will come into force on the same date as the GDPR) is designed to replace the Data Protection Act 1998 (DPA) in the UK, implement the GDPR and transpose the EU Law Enforcement Directive into UK law.  As of May next year, the GDPR will become directly enforceable in the UK as in all other EU Member States, and this will remain the case until the UK’s withdrawal from the EU. The guidance published by the UK’s Department for Digital, Culture, Media & Sport explains the relationship between the GPDR and the Bill, following its enactment, as follows:

 The​ ​Bill​ ​adopts​ ​the​ ​GDPR​ ​standards​ ​for​ ​all​ ​general​ ​data​ ​in​ ​the​ ​UK.​ ​Until exit​ ​negotiations​ ​are​ ​concluded,​ ​the​ ​UK​ ​remains​ ​a​ ​full​ ​member​ ​of​ ​the​ ​EU and​ ​all​ ​the​ ​rights​ ​and​ ​obligations​ ​of​ ​EU​ ​membership​ ​remain​ ​in​ ​force.​ ​Until the​ ​UK​ ​leaves​ ​the​ ​EU,​ ​therefore,​ ​the​ ​GDPR​ ​will​ ​operate​ ​in​ ​tandem​ ​with the​ ​Bill.​ ​When​ ​the​ ​UK​ ​leaves​ ​we​ ​will​ ​restore​ ​a​ ​wholly​ ​domestic​ ​basis​ ​to our​ ​data​ ​protection​ ​laws​ but​ ​the​ ​Bill​ ​allows​ ​for​ ​the​ ​continued​ ​application​ ​of GDPR​ ​standards.​ ​These​ ​standards​ ​were​ ​shaped​ ​with​ ​significant involvement​ ​of​ ​the​ ​UK,​ ​and​ ​combine​ ​support​ ​for​ ​innovative​ ​use​ ​of​ ​data with​ ​robust​ ​protections.​ ​The​ ​standards​ ​will​ ​also​ ​help​ ​open​ ​up​ ​trade​ ​and investment.


The Bill reinforces the message that businesses in the UK should continue to prepare for GDPR compliance, as the rights and obligations are largely the same.

However, one key purpose of the Bill is to provide additional detail where the GDPR leaves it up to Member States to add to or to vary certain provisions. The UK has made the most of these derogations to align the Bill with the current data UK protection rules, where possible. The Bill aims to:

 Preserve existing tailored exemptions that have worked well in the Data Protection Act, carrying them over to the new law to ensure that UK businesses and organisations can continue to support world leading research, financial services, journalism and legal services.

The Bill is complex and runs over 200 pages. Key points to note include:

  • Penalties – The maximum fine mirrors the GDPR at £17m (Euro 20 million) or 4% of global turnover. The ICO is also given powers to bring criminal proceedings where a controller or processor alters records with intent to prevent disclosure following a subject access request;
  • Special Categories – The Bill allows for special categories of personal data and criminal offence data to be processed without consent in certain situations including the following:
    • To allow employers to fulfil obligations under the employment law;
    • To allow historic or scientific research;
    • To prevent unlawful acts and fraud; and
    • To support processing for insurance or occupational pensions purposes.
  • DPO – The obligation to appoint a Data Protection Office (DPO), where relevant, applies only to controllers, unlike in the GDPR which imposes this obligation on both controllers and processors.
  • Children – The Bill sets the threshold for requiring parental consent to provide an information society service to a child at 13.

Law Enforcement

The Bill creates a privacy regime for the processing of personal data for law enforcement purposes by the police, prosecutors and other criminal justice agencies. This part of the Bill transposes the EU’s Law Enforcement Directive into national law. The Bill also covers additional privacy rules for the processing of personal data by intelligence services.


The Bill is still in draft form and has yet to be debated in Parliament. The Bill was introduced to the House of Lords on 13 September 2017. The next stage, scheduled for 10 October 2017, will be a second reading in the House of Lords with a general debate on all aspects of the Bill.

Our global Data Privacy & Cybersecurity team will be closely following the progress of the Bill and will provide further updates as the legislative process progresses.

ICO’s consultation on the draft GDPR guidance on contracts and liabilities between controllers and processors

On 13 September 2017, the UK Information Commissioner’s Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR.

The draft guidance does not add substantial detail to the provisions of the GDPR but is a useful reminder of the key points. For example, it highlights the requirement for a written contract between the controller and any of its processors and summarises the provisions that the GDPR states must be included in the contract, specifically: Continue Reading

European Commission issues a new EU Cybersecurity Strategy

On 13 September 2017, the President of the European Commission, Jean Claude Juncker, announced during his State of the Union address the intention to propose new legislative measures that will boost the cybersecurity resilience within the EU. Following the President’s speech, the European Commission published the following initiatives:

Overall, these initiatives seek to remedy the current fragmentation of Member States’ policies and cybersecurity approaches by increasing the capabilities, preparedness and available resources for Member States and businesses.

Continue Reading

European Commission issues a Proposal for Regulation on Free Flow of Non-Personal Data

On 13 September 2017, in the context of the Digital Single Market Initiative, the European Commission (“Commission”) issued a draft proposal to regulate the framework for the free flow of non-personal data in the EU (“draft proposal”). The highly anticipated draft proposal aims at establishing a framework of free cross-border data flow within the EU.

In an attempt to build a European data economy, the draft proposal seeks to create a competitive market for data storage and processing services and activities by, among other things, limiting the scope of data localization requirements currently imposed by Member States. In summary, the draft proposal puts forward measures which:

  • Reduce the range of restrictions for data localization;
  • Enhance legal certainty;
  • Facilitate the availability of data on a cross-border level;
  • Improve the conditions to switch data storage for users or port data back to IT systems for service providers; and
  • Reinforce the trust and security of cross-border data storage and processing.

Continue Reading

Autonomous Vehicle Technology: Future Patent War Battleground?

Please join Squire Patton Boggs for the next session in our Autonomous Driving Series.

The automotive industry is the third largest research and development (R&D) spender in the US, with car and truck manufacturers and component makers being the traditional sources of such investments. As the importance of electronic and battery technology to the automotive industry has grown, however, R&D investment from the technology sector has increased in parallel. The past couple of years have likewise seen automakers, suppliers and technology companies entering into collaborative partnerships at a level previously unforeseen. Connected and autonomous vehicles (CAV) in some ways necessitate cross-industry alliances and research partnerships.

These increasing levels of R&D investment in CAV technology have naturally led to surges in patent applications from both the automotive and technology industries. Some of these patents may no doubt prove to be fundamental building blocks. As with other nascent technology – think telecommunications, IT and smart phones – the rush to patent new innovations has led to patent wars. Is the CAV arena next? If so or even if only a possibility, how can such wars be avoided?

Our panel of experts from various sectors of the CAV industry will discuss:

  • Who are the early leaders in CAV technology patents and patent applications?
  • In the absence of broad CAV industry participation in one or more standard setting organizations (SSOs) that require participants’ commitments to FRAND licensing, what are companies doing to ensure freedom to operate?
  • How are businesses assessing whether to license technology in or out from/to others who are, or who may become, competitors?
  • Will the absence of broad adoption of standards impact the usefulness of CAV technology? For example, will vehicles claimed to be “connected” truly be connected?

Panelists include:

  • Dr. Sven Beiker, Managing Director, Silicon Valley Mobility
  • Alex Fishkin, General Counsel, Luminar Technologies
  • Stefan Heck, CEO, Nauto
  • Chris Storm, Senior Counsel, Intellectual Property, Uber

David S. Elkins, chair of our global Intellectual Property & Technology Practice, will moderate the panel.


Weekly Data Privacy Alert – 4 September 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Protection & Cybersecurity team. This week’s alert covers news from: 4 September 2017.


  • The European Court of Human Rights (ECtHR) Finds That Monitoring and Accessing an Employee’s Electronic Communications is in Violation of Article 8 of the European Convention


  • The CNIL Publishes the List of Registration Formalities Completed Since 1979


  • Brexit: The EU Data Protection Package

For more information on any of these items, or data privacy issues generally, please feel free to call any of the following individuals:

Stephanie Faber (France)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

FTC Settles Three Privacy Shield False Claims Charges


Though the Federal Trade Commission (FTC) remains low on Commissioners (there remain only two out of five), the FTC is still actively enforcing privacy matters. On September 8, 2017 the FTC announced its first cases addressing the EU-U.S. Privacy Shield. In three separate actions, the FTC settled charges against three companies for falsely claiming participation in the EU-U.S. Privacy Shield. (   One of the companies also claimed participation in the Swiss-U.S. Privacy Shield.

The FTC previously settled similar charges against dozens of companies for falsely claiming participation in the U.S.-EU Safe Harbor framework (Privacy Shield’s predecessor) in their website privacy statements without actually having completed the certification process or failing to recertify compliance through the U.S. Department of Commerce (Commerce), which administers the frameworks.  In all three of the settlements announced today, the companies allegedly initiated applications to Commerce for Privacy Shield certification, but did not complete the steps necessary to participate in the framework.

The previous Safe Harbor settlements taught us that companies wishing to enjoy the benefits of the data transfer frameworks must be certain to avoid stating compliance with the programs without actually completing the certification process through Commerce. The important lesson from today’s cases is that it is equally risky to start and then abandon an application with Commerce or fail to respond to follow up requests from Commerce all the while maintaining public privacy statements which claim Privacy Shield compliance.

Weekly Data Privacy Alert – 28 August 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Privacy & Cybersecurity team. This week’s alert covers news from France and the UK.


  • Changes to Rules on Whistleblowing in France


  • ICO Fines Nottinghamshire County Council for Exposing Personal Information Online
  • NHS Staff Warned That Unlawfully Accessing Patient Records Is an Offence

For more information on any of these items, or data privacy issues generally, please feel free to call any of the of the following individuals:

Stephanie Faber (France)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

Changes to the CNIL’s blanket authorization for whistleblowing in France

Red Whistle

By a decision of June 2017, the CNIL has modified its blanket authorization for whistleblowing with a view to adapting it to recent changes introduced by the so-called “Sapin 2” law (the law relating to “transparency, the fight against corruption and modernization of business life”).

Under Sapin 2, there is an obligation on business to implement reporting schemes as follows:

(i) for business having more than 50 employees, a whistleblowing scheme (this obligation takes effect in January 2018);

(ii) for many companies, an internal reporting system as part of an anti-bribery compliance program; and

(iii) for companies providing financial services, a reporting scheme for breaches of EU or French financial market regulation.

Blanket authorization

Whistleblowing schemes currently require prior approval by the CNIL.  Given the historical sensitivity around whistleblowing in France, obtaining this approval can be time consuming.  In light of this, the CNIL has published a blanket authorization (autorisation unique “AU-004”).  AU-004 describes the permitted processing activities relating to whistleblowing, including what data can be collected, with whom, to what extent it can be shared or disclosed, what confidentiality measures have to be taken, how long data can be retained and what information has to be provided to data subjects.  To the extent that a company’s whistleblowing scheme for France complies with AU-004, it can self-certify compliance and be authorised immediately. The CNIL has now amended AU-004 to allow implementation of the Sapin 2 requirements.

Continue Reading

Weekly Data Privacy Alert – 21 August 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Privacy & Cybersecurity team. This week’s alert covers news from the EU, France and the UK.


  • European Commission Addresses Free Movement of Health Data


  • The CNIL Sanctions Two Data Breaches


  • Home Logic UK Ltd Fined for Making Nuisance Calls

For more information on any of these items, or data privacy issues generally, please feel free to call any of the of the following individuals:

Stephanie Faber (France)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)