Our specialist team in Brussels and London has been advising multinational companies on national and regional data privacy laws in the EU since the current EU Directive 95/46/EC was enacted nearly 20 years ago. We provide practical advice that is informed by deep knowledge of various local requirements and experience of dealing with regulators across Europe. Our multi-lingual team, which consists of experts in national Member State laws—including the UK, Belgium, France, Germany, the Netherlands and Spain—provides a “one-stop shop” solution.
We also maintain an established network of local counsel that we can use to advise on privacy and data security issues in a multitude of international markets, if needed.
We have particular expertise in advising companies in the software, technology, pharmaceutical, manufacturing and publishing sectors, and regularly advise in the following areas:
Advising numerous clients on the possible implications of the proposed General Data Protection Regulation.
Advising a large social network on compliance with U.S., EU and international data privacy laws in relation to its launch of new services and functionality, including geotargeting, facial recognition and targeted advertising.
Designed a compact worldwide privacy compliance program for a U.S. multinational company.
Advising Microsoft on a broad range of privacy and data security issues impacting its services in Europe and at a global level.
Worked directly with, and appeared before, national and regional privacy authorities, such as the European Commission, the EU Article 29 Working Party, and the Council of Europe, both to address emerging policy issues in the data privacy field, such as data retention, radio frequency identification (RFID), Big Data, facial recognition, security breach legislation and biometrics, and to defend individual clients.
Advising Abbott Laboratories in relation to all privacy aspects of its global de-merger, involving the division of the company into a research-based business, AbbVie.
Managing a privacy audit of a U.S.-based multinational in the oil and gas industry in preparation for its BCR approval with the Dutch data protection authority as the lead authority, including reviewing and providing advice on the BCRs and the implementation strategy and assisting this client in the preparation and roll-out of various compliance tools in the framework of the BCRs.
Advising numerous companies on Binding Corporate Rules (BCRs), including Processor Rules. We help develop the BCR corpus and manage the entire approval process before the lead data protection authorities in several EU Member States including Belgium, Germany, Luxembourg and the UK.
Representing Merck in one of the first “test” cases involving interoperability between BCRs and APEC’s Cross-border Privacy Rules (CBPR). The case will establish a precedent for cross-border transfers of personal data for both the EU and Asia-Pacific Region.
Assisting a multinational manufacturer of machinery in developing BCRs.
Assisting a multinational manufacturer of heavy equipment in the adoption of BCRs.
Assisting a multinational manufacturer of products for the aerospace and building industries in developing BCRs.
Assisting a global e-commerce company in preparing and filing BCRs with the Luxembourg data protection authority.
Advising a multinational chemicals company on international data transfers.
Conducted a pan-European and selective U.S. survey of laws and regulations affecting an employer’s right to monitor employees’ Internet use and review electronic communications. We have also advised numerous clients on the law governing call recording and access to (and disclosure of) employee e-mail, including in connection with several personal crises and actions.
Advice on European geo-location data issues for a major international service provider.
Conducted a detailed review of the human resources operations of a large pharmaceutical company to assess compliance with data protection and privacy laws and regulations in both the U.S. and EU, in anticipation of possible certification under the U.S.-EU Safe Harbor regime. Our extensive written report described potential compliance issues and recommended specific remedial actions.
On behalf of one of the world’s leading consumer electronics and technology companies, we completed a comprehensive global privacy audit under the laws of the United States, the European Union, and China, including an assessment of the data collection, use, and sharing practices of numerous business units (including HR data), cross-border data transfers, and adopting a going-forward privacy governance and risk-management approach and corresponding policies and procedures.
Advised pharmaceutical companies in the United States and Europe on data privacy issues, including questions relating to genetic testing programs and the development of genomics databases, the sourcing and handling of human tissue and biological samples for research purposes, patient outreach, and marketing activities.
Serving as global privacy and data security counsel to a global e-commerce business, including advising on financial services privacy and information security-related aspects of certain mobile payments and mobile wallet services and international data transfers.
Assisted pharmaceutical companies in developing global comprehensive privacy policies aligned with federal (HIPAA, Food & Drug Administration, and National Institutes of Health) regulations, state and European law, and best practices.
Represent an ad hoc consortium of U.S. and European pharmaceutical and medical device companies concerned about data privacy issues in Europe, including the Eastern European Member States such as Hungary, Poland, and the Czech Republic.
Advising numerous companies on data subjects’ right of access and right to be forgotten.
Conducted privacy “health checks” for clients to assess their compliance with privacy and data security laws, particularly those in the 28 Member States of the European Community; where appropriate, we have designed remediation programs that include, for example, filing notifications to local privacy regulators, fulfilling obligations to furnish notice, and ensuring compliance with local data security regulations.
Advised a European telecommunications client on data retention matters, and on strategy and compliance relating to new services using customer data.
Advised a global pharmaceutical company on the data breach notification requirements in more than 80 countries, following a security breach affecting employees in Europe, Asia and the Americas.
December 2, 2016, Inside Privacy
Yesterday, the European Parliament voted to approve the EU-U.S. Umbrella Agreement, a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S. As we previously explained, negotiations on this Agreement have been underway for quite some time, with the European Parliament first calling for it back ...
October 27, 2016, Inside Privacy
On September 16, 2016, Digital Rights Ireland (“DRI”), a digital rights advocacy group, lodged an action with the EU General Court for annulment of the European Commission’s Decision on the EU-U.S. Privacy Shield arrangement. While the existence of the application has only recently become public knowledge, it was widely-expected that the Privacy Shield would ...
October 20, 2016, Inside Privacy
On August 31, 2016, a bill was presented to the Luxembourg Parliament (the “Bill”) to amend the Law of August 2, 2002, on the Protection of Persons with regard to the Processing of Personal Data. The Bill aims to reduce the current administrative burden and anticipates the application of the General Data Protection Regulation (“GDPR”) …
October 19, 2016, Inside Privacy
On Wednesday, October 19, 2016, the Court of Justice of the European Union (“CJEU”) issued its judgment in Case C-582/14, Patrick Breyer v Germany. The CJEU held that a “dynamic” IP address constitutes personal data (agreeing with the Opinion of the Advocate General from May this year). Dynamic IP addresses qualify as personal data, even if …
October 6, 2016, Inside Privacy
On October 5, 2016, the UK Information Commissioner’s Office (“ICO”) fined telecoms company TalkTalk a record £400,000 for failing to put in place appropriate data security measures and allowing a cyber-attacker to access TalkTalk customer data “with ease.” The ICO highlighted several technical and organizational deficiencies as justification for issuing its ...
By Phil Bradley-Schmieg and Gemma Nash. On August 30, 2016, a major UK telecoms company (TalkTalk) lost its appeal against a fine imposed on it for failing to report a personal data breach to the UK national data protection authority (the Information Commissioner) within 24 hours of its receipt of a customer’s complaint. Commission Regulation …
October 4, 2016, Inside Privacy
Last week, the European Data Protection Supervisor (the “EDPS”), in collaboration with European consumer organisation BEUC, hosted a joint conference on Big Data: individual rights and smart enforcement in Brussels (for the conference agenda, see here). The conference brought together leading regulators and experts in the areas of competition, data protection ...
September 27, 2016, Inside Privacy
As announced last week, the European Data Protection Supervisor (“EDPS”) released on September 23, 2016 an opinion on “coherent enforcement of fundamental rights in the age of big data.” This opinion follows an earlier Preliminary Opinion on privacy and competitiveness in the age of big data, published in 2004 (see our previous blog post here). …
September 20, 2016, Inside Privacy
On September 19, 2016, PaRR reported that the European Data Protection Supervisor (“EDPS”) is working on guidelines to increase coordination on the interface between data protection and competition law. The guidelines would be released later this month. According to the report, the EDPS will recommend the creation of a “digital clearing house” in which ...
August 16, 2016, Inside Privacy
The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful. With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services. European healthcare is particularly affected by such restrictions. This ...
August 11, 2016, Inside Privacy
A new post on the Covington eHealth blog reports that the UK government is running a consultation around NHS patient data security standards and a new legal framework for secondary uses (e.g. research) of patient data. To find out more about the proposals and the consultation, please click here.
July 12, 2016, Inside Privacy
At a joint press conference in Brussels this morning (July 12, 2016), EU Commissioner Jourová and the U.S. Secretary of Commerce, Penny Pritzker, presented the new EU-U.S. data transfer mechanism (see press release here, adequacy decision text here, annexes here and Q&A factsheet here). The press conference followed the approval of the underlying adequacy ...
July 8, 2016, Inside Privacy
On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here). That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11). Once translated and published in the Official …
April 12, 2016, Law360
March 11, 2016, Inside Privacy
On March 3, 2016, the UK’s Information Commissioner’s Office (“ICO”) released new guidance on encryption. The guidance aims to provide advice to organizations on protecting personal data (such as customer and employee data) through the use of encryption. There is no legally-binding requirement under UK data protection law to encrypt data, either when static or ...
March 1, 2016, Inside Privacy
The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds. This is the highest fine issued by the ICO to date. The ICO investigated the marketing ...
March 2016, eHealth Law & Policy
February 1, 2016, The Guardian
Henriette Tielemans is quoted by The Guardian in an article discussing the missed Safe Harbor deadline. According to Tielemans, companies faced “enormous uncertainty” about what European regulators would deem adequate privacy protection.
January 27, 2016, Covington Alert
December 8, 2015, Law360
Mark Young is quoted in a Law360 article discussing the EU Network and Information Security Directive, which sets a cybersecurity and breach reporting baseline for both critical infrastructure operators, as well as digital service providers. This directive, which is the first of its kind, comes after two years of negotiations. According to Young, “There’s going ...
November 24, 2015, The Register
Dan Cooper is quoted by The Register in an article discussing the uncertainty and complications continuing to surround the Schrems decision that derailed Safe Harbour. Cooper stated that his business clients were both “surprise[d] and shock[ed]” by the European Court’s decision. “Businesses felt like the rug had been pulled out from under them,” said Cooper. ...
October 13, 2015, Bloomberg BNA
Henriette Tielemans is quoted in this BNA article that explores the idea of finding alternative means for the transfer of data with the elimination of Safe Harbor. Countries that require national data protection authority approval may find even more issues arise when trying to formulate new ways to navigate data transfer laws. Tielemans notes that the process ...
October 6, 2015, Fortune
Brussels-based partner Henriette Tielemans is quoted in this Fortune article that discusses the effects of the highest E.U. court eliminating the U.S.-E.U. data transfer agreement known as the Safe Harbor Act. “Hindsight is a beautiful thing,” said Tielemans. “We must all remember that in 2015 things are different than they were in 2000.”
October 6, 2015, Covington Alert
October 2, 2015, Inside Privacy
The UK Information Commissioner’s Office (“ICO”) has issued its largest fine to date in connection with using an automated calling system to make direct marketing calls. The ICO found that Home Energy & Lifestyle Management Ltd (“HELM”), a green energy company that made millions of automated marketing calls in relation to “free” solar panels, recklessly …
September 17, 2015, Inside Privacy
The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system. The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016. According to recent press releases, CareCERT will: “Provide ...
September 8, 2015, Inside Privacy
By Megan L. Rodgers. What information is being collected by mobile apps and websites directed at kids? With whom is that information shared? What notice is provided to parents? Regulators in the U.S. and abroad continue to focus on these issues. The FTC recently released a follow-up report on privacy notices in mobile apps directed …
August 2015, Data Protection Law & Policy
August 2015, Privacy Laws & Business International Report
July 30, 2015, Inside Privacy
The UK Supreme Court has granted Google the right to appeal part of the English and Welsh Court of Appeal’s notable ruling in Google Inc. v. Vidal-Hall & Ors  EWCA Civ 311. Our previous blog highlighted the facts of the case (brought by Internet users against Google’s ad-tracking practices) and the significant consequences of …
July 10, 2015, Covington Alert
June 5, 2015, Inside Privacy
May 2015 saw a number of developments in the EU mHealth sector worthy of a brief mention. The European Commission announced that it would work on new guidance for mHealth apps, despite the European Data Protection Supervisor and British Standards Institution publishing their own just weeks earlier. In parallel, the French data protection authority announced …
April 2015, Covington Newsletter
November 27, 2013, Covington E-Alert
October 24, 2013, Covington E-Alert
April 2013, World Data Protection Report
January 2012, Covington E-Alert
May 2010, Privacy Law & Business
March 29, 2010, Covington Advisory
March 1, 2010, Covington Advisory
January/February 2010, The Privacy Advisor
January 2010, World Data Protection Report
October 26, 2009, Covington Advisory
September 2009, Privacy & Data Protection Journal
December 10, 2004, Covington E-Alert
November 1, 2004, Covington E-Alert
October 14, 2004, Covington E-Alert
August 13, 2004, Covington E-Alert
July 23, 2004, Covington E-Alert
July 15, 2004, Covington E-Alert
May 21, 2004, Covington E-Alert
December 8, 2003, Covington E-Alert