EU Data Protection
Our specialist team in Brussels, Frankfurt, and London has been advising multinational companies on national and regional data privacy laws in the EU since the current EU Directive 95/46/EC was enacted nearly 20 years ago. We provide practical advice that is informed by deep knowledge of various local requirements and experience of dealing with regulators across Europe. Our multi-lingual team, which consists of experts in national Member State laws—including the UK, Belgium, France, Germany, the Netherlands, and Spain—provides a “one-stop shop” solution.
We also maintain an established network of local counsel that we can use to advise on privacy and data security issues in a multitude of international markets, if needed.
We have particular expertise in advising companies in the software, technology, pharmaceutical, manufacturing, and publishing sectors, and regularly advise in the following areas:
- International data transfers – including transfers of personal data from the EU using Binding Corporate Rules (BCRs), the U.S. Safe Harbor, model contracts and taking advantage of exemptions.
- Online compliance and cookies – including drafting privacy policies and compliance materials, and advising on using social features, cookies and the implementation of the ePrivacy Directive 2002/58/EC across the EU.
- Cloud based processing services – advising on processing contracts, security issues and other related cloud compliance challenges.
- Data breaches – advising on and assisting with data breach notification requirements, including liaising with regulators and managing reputational risks.
- New uses of data – advising telecommunications, pharmaceutical and other companies in relation to new services that involve increased use of personal data and analysis of “Big Data.”
- Employee issues – advising on the cross-border implementation of employee monitoring and whistle-blowing schemes.
- Customers and marketing – advising on collecting and using customers’ data and on complying with marketing rules.
- Legislative and regulatory advocacy – including advising on the EU GDPR Regulation as well as on the growing number of data privacy laws in the Asia-Pacific and Latin American regions.
Abbott Laboratories - AbbVie de-merger
Advising Abbott Laboratories in relation to all privacy aspects of its global de-merger, involving the division of the company into a research-based business, AbbVie.
Advising a Leading U.S. Cloud Service Provider
Advising a leading U.S. cloud service provider on a number of EU and Member State regulatory matters, including the proposed EU Terrorist Content Regulation, the proposed EU E-Evidence Directive and Regulation, and the UK Online Harms White Paper.
Represent BSA | The Software Alliance as Intervenor Before European Court of Justice
Represent BSA | The Software Alliance as formal intervenor in litigation before the European Court of Justice assessing the validity of the European Commission’s Standard Contractual Clauses under the GDPR.
Represent Trade Group Intervenor Before European Court of Justice
Represent BSA | The Software Alliance as formal intervenor in litigation before the European Court of Justice in response to a challenge to the EU-US Privacy Shield.
Advising global chemicals company on international data transfers
Advising a multinational chemicals company on international data transfers.
Advice on the monitoring of employee communications
Conducted a pan-European and selective U.S. survey of laws and regulations affecting an employer’s right to monitor employees’ Internet use and review electronic communications. We have also advised numerous clients on the law governing call recording and access to (and disclosure of) employee e-mail, including in connection with several personal crises and actions.
BCRs for global heavy equipment manufacturer
Assisting a multinational manufacturer of heavy equipment in the adoption of BCRs.
BCRs for global heavy machinery manufacturer
Assisting a multinational manufacturer of machinery in developing BCRs.
BCRs for multinational conglomerate
Assisting a multinational manufacturer of products for the aerospace and building industries in developing BCRs.
BCRs for multinational e-commerce company
Assisting a global e-commerce company in preparing and filing BCRs with the Luxembourg data protection authority.
Data breach notification requirements
Advised a global pharmaceutical company on the data breach notification requirements in more than 80 countries, following a security breach affecting employees in Europe, Asia and the Americas.
Data retention matters
Advised a European telecommunications client on data retention matters, and on strategy and compliance relating to new services using customer data.
Geo-location data issues
Advice on European geo-location data issues for a major international service provider.
Global compliance
Conducted a detailed review of the human resources operations of a large pharmaceutical company to assess compliance with data protection and privacy laws and regulations in both the U.S. and EU, in anticipation of possible certification under the U.S.-EU Safe Harbor regime. Our extensive written report described potential compliance issues and recommended specific remedial actions.
Global privacy assessment
On behalf of one of the world’s leading consumer electronics and technology companies, we completed a comprehensive global privacy audit under the laws of the United States, the European Union, and China, including an assessment of the data collection, use, and sharing practices of numerous business units (including HR data), cross-border data transfers, and adopting a going-forward privacy governance and risk-management approach and corresponding policies and procedures.
Comprehensive privacy policies
Assisted pharmaceutical companies in developing global comprehensive privacy policies aligned with federal (HIPAA, Food & Drug Administration, and National Institutes of Health) regulations, state and European law, and best practices.
Emerging policy issues
Worked directly with, and appeared before, national and regional privacy authorities, such as the European Commission, the EU Article 29 Working Party, and the Council of Europe, both to address emerging policy issues in the data privacy field, such as data retention, radio frequency identification (RFID), Big Data, facial recognition, security breach legislation and biometrics, and to defend individual clients.
European data privacy
Represent an ad hoc consortium of U.S. and European pharmaceutical and medical device companies concerned about data privacy issues in Europe, including the Eastern European Member States such as Hungary, Poland, and the Czech Republic.
Management of entire BCR approval process
Advising numerous companies on Binding Corporate Rules (BCRs), including Processor Rules. We help develop the BCR corpus and manage the entire approval process before the lead data protection authorities in several EU Member States including Belgium, Germany, Luxembourg and the UK.
Privacy audit for oil and gas multinational in preparation for BCR approval
Managing a privacy audit of a U.S.-based multinational in the oil and gas industry in preparation for its BCR approval with the Dutch data protection authority as the lead authority, including reviewing and providing advice on the BCRs and the implementation strategy and assisting this client in the preparation and roll-out of various compliance tools in the framework of the BCRs.
Representing global pharmaceutical company in “test” case involving BCR and CBPR interoperability
Representing Merck in one of the first “test” cases involving interoperability between BCRs and APEC’s Cross-border Privacy Rules (CBPR). The case will establish a precedent for cross-border transfers of personal data for both the EU and Asia-Pacific Region.
General Data Protection Regulation (GDPR)
Advising numerous clients on compliance with the General Data Protection Regulation (GDPR).
Global compliance advice for new products
Advising a large social network on compliance with U.S., EU and international data privacy laws in relation to its launch of new services and functionality, including geotargeting, facial recognition and targeted advertising.
Global compliance
Serving as global privacy and data security counsel to a global e-commerce business, including advising on financial services privacy and information security-related aspects of certain mobile payments and mobile wallet services and international data transfers.
Global health privacy advice
Advised pharmaceutical companies in the United States and Europe on data privacy issues, including questions relating to genetic testing programs and the development of genomics databases, the sourcing and handling of human tissue and biological samples for research purposes, patient outreach, and marketing activities.
Global policies and procedures
Advising Microsoft on a broad range of privacy and data security issues impacting its services in Europe and at a global level.
Global privacy compliance programs
Designed a compact worldwide privacy compliance program for a U.S. multinational company.
Privacy “health checks”
Conducted privacy “health checks” for clients to assess their compliance with privacy and data security laws, particularly those in the 28 Member States of the European Community; where appropriate, we have designed remediation programs that include, for example, filing notifications to local privacy regulators, fulfilling obligations to furnish notice, and ensuring compliance with local data security regulations.
Right to be forgotten
Advising numerous companies on data subjects’ right of access and right to be forgotten.
Advising Major Multinational Technology and Ecommerce Company
Advising major American multinational technology and ecommerce company on EU data privacy and cybersecurity issues relating to new products and services.
Assist a Multinational Technology Company with an Internal Audit
Assist a U.S. multinational technology company with an internal audit of their practices relating to user data and the extent to which these practices complied with their contractual and GDPR commitments.
Advising Multinational Technology Companies and Associations on Proposed E-evidence Regulation
Advising a number of multinational technology companies and trade associations on the European Commission's proposed Electronic Evidence Directive and Electronic Evidence Regulation, which would facilitate the ability of EU law enforcement authorities to compel U.S.-based online service providers to disclose user data in criminal investigations.
Advising a Multinational Technology Company on Compliance with EU Accessibility Directive
Advising a U.S. multinational technology company on compliance with the EU Accessibility Directive, which harmonizes EU rules on making products and services accessible to people with disabilities.
August 2020, Privacy Laws & Business
Summer 2020
Covington's European privacy team offers insights on the current state of play with respect to the intersection of European data privacy laws, and the transition around Europe and further abroad as government lockdown restrictions are lifted and companies begin to plan their return-to-work programs. In this on-demand briefing, we cover the guidance and positions ...
July 17, 2020, Legaltech News
Kristof Van Quathem is quoted in Legaltech News regarding the continuation of shared data between the EU and the United States after the invalidation of the Privacy Shield. Mr. Van Quathem says companies are exploring encryption and other technical safeguards for EU data transferred to the U.S. He added that more organizations are also considering prohibiting ...
July 16, 2020, The Guardian
Lisa Peets spoke with The Guardian about the European Court of Justice’s decision to invalidate the EU-U.S. Privacy Shield, in which social media companies could be prevented from sending data to the United States from Europe. Ms. Peets says the ruling is not a total halt on data transfers between the EU and U.S. The court upheld the use of “standard contractual ...
Schrems II sparks data transfer chaos and confusion
July 16, 2020, Global Data Review
Lisa Peets is quoted in Global Data Review regarding the European Court of Justice’s decision to invalidate the EU-US Privacy Shield. Ms. Peets, who represented software trade body BSA as an intervening party, says companies are unlikely to immediately stop their SCCs – saying that “halting existing transfers would be all but impossible from a practical ...
Top EU Court Strikes Down Popular Data Transfer Tool
July 16, 2020, Law360
Lisa Peets spoke with Law360 about the European Court of Justice’s invalidation of the EU-U.S. Privacy Shield. Ms. Peets, who represented the Software Alliance, says the decision to reject the Privacy Shield without holding arguments on the merits of the tool — an issue that wasn't directly before the high court in this dispute — was “disappointing to many.” She ...
May 19, 2020, Bloomberg
Daniel Cooper spoke with Bloomberg about new wearable technology devices that alert users when they are within close proximity of someone with COVID-19. Mr. Cooper notes that businesses are walking a fine line between keeping people safe and protecting their privacy. The absence of clear guidance from European regulators is forcing companies -- who could also be ...
Morrisons Ruling Leaves Door Open For Data Breach Suits
April 2, 2020, Law360
Mark Young spoke with Law360 about a UK Supreme Court case involving the intentional breach of customer data information by an employee at Morrisons. The court ruled Morrisons will no longer have to pay a fine. Mr. Young says this is the “dual-edged result” of the Supreme Court judgment. Although a company is off the hook if an employee “goes off the deep end” ...
Morrisons not liable for rogue employee data breach
April 1, 2020, Global Data Review
Daniel Cooper spoke with Global Data Review about a UK high court case involving the deliberate breach of personal information by a supermarket employee from Morrisons. The court ruled that the supermarket was not liable for the actions of the employee. Mr. Cooper described the decision as “dual-edged” and said that “when coupled with the Lloyd Court of Appeal ...
January 31, 2020, Covington Alert
This evening, at 11:00 p.m. GMT, the UK will leave the European Union. Brexit day marks a beginning, not an end. The UK today embarks on a complex process of negotiating new arrangements for trade and cooperation with the EU and partners around the world. Regulatory divergence seems inevitable, given that the UK will want to make its own decisions on existing ...
January 31, 2020, Covington Alert
At 11 p.m. tonight, the UK will officially leave the EU. Although this is a significant milestone in the development of the UK’s data protection framework, the UK will remain very closely linked to the EU in the short term at least, and for many the change may be imperceptible.
ICO hits electronics retailer with maximum pre-GDPR fine
January 10, 2020, Global Data Review
Daniel Cooper is quoted in Global Data Review regarding the UK ICO’s decision to fine DSG Retail £500,000 under pre-GDPR data protection law. The fine stems from the company being compromised by a cyberattack affecting at least 14 million people. Mr. Cooper says, “the ICO's imposition of a maximum fine appears due, in part, to the fact that it felt DSG should ...
January 9, 2020, Global Data Review
Daniel Cooper spoke with Global Data Review about the European Commission’s recommended changes to artificial intelligence liability rules. Mr. Cooper says the commission is keen to stress that the conclusions drawn from the report remain those of the expert group only. “One has to assume that the commission wants to be careful to test the waters first and gauge ...
December 20, 2019, Covington Alert
On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case.
July 17, 2019, Covington Alert
On July 9, 2019, the European Court of Justice (“ECJ”) heard oral argument in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The primary question before the ECJ is whether the European Commission’s standard contractual clauses (“SCCs”) are valid for transfers of personal data to the United States. Given ...
July 2, 2019, Thomson Reuters Regulatory Intelligence
Expert Q&A on the EU Cybersecurity Act
June 4, 2019, Thomson Reuters
Mark Young participated in a Q&A with Thomson Reuters about the EU Cybersecurity Act and its new cybersecurity certification schemes for information and communication technology products, services, and processes, especially internet of things devices. The interview also discusses how the Act supports the EU Directive on the Security of Network and Information ...
June 2019, Pharmind
February 2019, Privacy Laws & Business International Report
January 2019, GCR Insight - E-Commerce Competition Enforcement Guide
Irish Regulator To Eye Transparency In GDPR Enforcement
March 29, 2018, Law360
Henriette Tielemans spoke at an IAPP event and is quoted in a Law360 article regarding the Irish privacy authority's focus once GDPR takes effect. According to Tielemans, while “the GDPR has 150 articles, and businesses are worried about all 150 of them,” companies are most concerned about the regulators’ ability to issue massive fines of up to 4 percent of ...
GDPR drives global privacy compliance now, but still unclear whether it will become de facto global standard, experts say
March 23, 2018, MLex
Lindsey Tonsager recently spoke at the BCLT Privacy Law Forum in Silicon Valley and is quoted in an mLex article discussing whether GDPR will automatically become a global privacy standard. Tonsager said that working with companies that depend on AI technology to become compliant with the GDPR “is incredibly, incredibly challenging.” Commenting on modifications to ...
October 18, 2017, Covington Alert
The European Commission published its Report today on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied by a Staff Working Document, Infographic, and Q&A).
August 10, 2017, The Wall Street Journal
Mark Young is quoted in The Wall Street Journal's "Morning Risk Report" in an article regarding the Network and Information Systems directive. According to Young, “This is another data-related compliance requirement and it carries heavy penalties for failure to have in place appropriate network security measures.”
May 24, 2017, Covington Alert
On May 25, 2018, employers located or with staff in the European Union (“EU”) will have to comply with a new data protection law—Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data—commonly referred to as the General Data Protection Regulation (“GDPR”). This will ...
GDPR Planning and Preparation Conference for Employers
March 30, 2017, Business Forums International Ltd.
Banks Face Cybercrime Wave As Tougher Regulations Loom
January 24, 2017, Law360
Mark Young and Ian Hargreaves are quoted in a Law360 article regarding the high level of cyberattacks on the financial services industry and the resulting regulatory pressures. According to Young, “The GDPR [General Data Protection Regulation] is a massive text with groundbreaking change in the data privacy area, in terms of compliance requirements and the new ...
February 1, 2016, The Guardian
Henriette Tielemans is quoted by The Guardian in an article discussing the missed Safe Harbor deadline. According to Tielemans, companies faced “enormous uncertainty” about what European regulators would deem adequate privacy protection.
December 21, 2015, Covington Alert
On December 15, the EU institutions finally agreed the text of the new EU data protection law, the General Data Protection Regulation (“GDPR”), completing a process that began in January 2012. The LIBE committee has published the consolidated version of the GDPR text. The GDPR heralds a new era of data protection. It replaces the existing data protection ...
December 8, 2015, Law360
Mark Young is quoted in a Law360 article discussing the EU Network and Information Security Directive, which sets a cybersecurity and breach reporting baseline for both critical infrastructure operators, as well as digital service providers. This directive, which is the first of its kind, comes after two years of negotiations. According to Young, “There’s going ...
November 24, 2015, The Register
Dan Cooper is quoted by The Register in an article discussing the uncertainty and complications continuing to surround the Schrems decision that derailed Safe Harbour. Cooper stated that his business clients were both “surprise[d] and shock[ed]” by the European Court’s decision. “Businesses felt like the rug had been pulled out from under them,” said Cooper. ...
E.U. Court Declares Data-Transfer Pact With U.S. Invalid
October 13, 2015, Bloomberg BNA
Henriette Tielemans is quoted in this BNA article that explores the idea of finding alternative means for the transfer of data with the elimination of Safe Harbor. Countries that require national data protection authority approval may find even more issues arise when trying to formulate new ways to navigate data transfer laws. Tielemans notes that the process ...
October 6, 2015, Fortune
Brussels-based partner Henriette Tielemans is quoted in this Fortune article that discusses the effects of the highest E.U. court eliminating the U.S.-E.U. data transfer agreement known as the Safe Harbor Act. “Hindsight is a beautiful thing,” said Tielemans. “We must all remember that in 2015 things are different than they were in 2000.”
October 6, 2015, Covington Alert