Photo of Paul Maynard

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Contact:Read more about Paul MaynardEmail

On 24 June 2025, the European Commission published its “roadmap” for ensuring lawful and effective access to data by law enforcement (“Roadmap”). The Roadmap forms a key part of the Commission’s internal security strategy, which was announced in April, and follows on from the November 2024 recommendations of the High-Level Group on Access to Data for Effective Law Enforcement.

Of most immediate relevance to electronic communications service (“ECS”) providers, the Commission intends to propose new data retention requirements, is considering changes to better enable cross-border live interception of communications, and will support the development of tools enabling law enforcement authorities (“LEAs”) to access encrypted data. We describe these proposals, and other elements of the Roadmap, in more detail below.Continue Reading European Commission publishes its plan to enable more effective law enforcement access to data

This blog was prepared in collaboration with, and was originally published by, the UK BioIndustry Association, here. We are grateful to the UK BioIndustry Association for collaborating on this blog, and for the opportunity to post it here.

What are the UK’s plans to reform data protection law?

After an extended period of legislative back and forth, the Data (Use and Access) Bill has now received Royal Assent, becoming the Data (Use and Access) Act (we will therefore refer to it as the “Act” in this blog). The Act addresses various matters related to the use of data, and will to an extent distinguish the UK’s approach to data protection from that set out in the EU’s General Data Protection Regulation (“GDPR”). The European Commission will, therefore, assess whether these changes warrant stripping the UK of its adequacy status for data transfers, with a decision due by 27 December 2025. While the Commission is unlikely to withdraw its finding of adequacy, it is possible that a challenge to this finding could be brought before the Court of Justice of the EU, which could reach a different conclusion.

In summary, the Act is not a complete overhaul of data protection law in the UK; instead, it is more a package of targeted amendments. Of the changes most relevant to biotechs, the most significant is the more permissive regime for the use of personal data for scientific research – although, companies must still meet a number of requirements to fall within scope. More significant changes may take place in the future, as key parts of the Act enable the UK Government to pass secondary legislation in areas that may be relevant to biotechs.Continue Reading The UK’s new Data Legislation – What does it mean for the Life Science sector?

The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”

Online advertising is one of the ICO’s current areas of strategic focus (others areas of focus include AI and children’s privacy). The ICO has identified four key areas of concern—all of which the ICO states mean that individuals do not have sufficient control over their personal data:

  • “deceptive or absent choice” regarding non-essential cookies and tracking technologies;
  • “uninformed choice,” which refers to organizations not providing appropriate information to individuals;
  • “undermined choice,” where individuals’ choices are not respected and they are surprised about how their data is used; and
  •  “irrevocable choice,” meaning that individuals cannot effectively change their minds after they have made a choice over how their personal data is processed.

Having identified these areas of concern, the ICO states that it will take the following actions in 2025:Continue Reading ICO announces its online tracking strategy for 2025

In the final quarter of 2024, there have been significant developments in the EU cybersecurity legal landscape. Most prominently, the EU institutions adopted the Cyber Resilience Act and mid-October marked the deadline for Member States to transpose the NIS2 Directive into national law. Most Member States failed to meet the NIS2 transposition deadline, which resulted in the European Commission sending a formal notice to 23 Member States, urging them to transpose the Directive. These 23 Member States have been given two months to respond. (For more information on the Cyber Resilience Act and NIS2 Directive, see our blog posts here and here.)Continue Reading Three Recent Developments in the EU Cyber Landscape

On 2 December 2024, the European Data Protection Board (“EDPB”) adopted its draft guidelines on Article 48 GDPR (the “Draft Guidelines”). The Draft Guidelines are intended to provide guidance on the GDPR requirements applicable to private companies in the EU that receive requests or binding demands for personal data from public authorities (e.g., law enforcement or national security agencies, as well as other regulators) located outside the EU.Continue Reading EDPB adopts draft guidelines on requirements when responding to requests from non-EU public authorities

The UK Government has announced that it intends to introduce the Cyber Security and Resilience Bill (the “Bill”) to Parliament in 2025. Formally proposed as part of the King’s Speech in July, this Bill is intended to strengthen the UK’s cross-sectoral cyber security legislation to better protect the UK’s economy and infrastructure. This Bill will update the existing NIS Regulations, which derive from EU law. Part of the UK Government’s motivation seems to be to keep pace with updates to EU law in this area, specifically relating to the NIS2 Directive that starts to apply this month (see our blog post on this, here).Continue Reading What to expect from the UK’s Cyber Security and Resilience Bill (and when)

Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.

Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.

The IR is open for feedback via the Commission’s Have Your Say portal until July 25.Continue Reading NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents

On April 25, 2024, the UK’s Investigatory Powers (Amendment) Act 2024 (“IP(A)A”) received royal assent and became law.  This law makes the first substantive amendments to the existing Investigatory Powers Act 2016 (“IPA”) since it came into effect, and follows an independent review of the effectiveness of the IPA published in June 2023.Continue Reading Changes to the UK investigatory powers regime receive royal assent

In six months’ time, on 17 October 2024, Member State laws that transpose the EU’s revised Network and Information Systems Directive (“NIS2”) will start to apply.  As described in more detail in our earlier blog post (here), NIS2 significantly expands the categories of organizations that fall within scope of EU cybersecurity legislation. This new, cross-sector law imposes additional and more granular security and incident reporting rules, enhanced governance requirements that apply to organizations’ “management bodies,” and creates a stricter enforcement regime.Continue Reading NIS2 implementation enters the final stretch – six months to deadline