Our Website Uses Cookies
We and the third parties that provide content, functionality, or business services on our website may use cookies to collect information about your browsing activities in order to provide you with more relevant content and promotional materials, on and off the website, and help us understand your interests and improve the website.
For more information, please contact us or consult our Privacy Notice.
Your binder contains too many pages, the maximum is 40.
We are unable to add this page to your binder, please try again later.
This page has been added to your binder.
- Home
- Practices and Industries
- Regulatory and Public Policy
- Data Privacy and Cybersecurity
Covington has an industry-leading data privacy and cybersecurity practice. Described by Chambers and Partners as an “accomplished group of privacy and data security practitioners” that “provides dynamic, practical, real-world advice,” we specialize in helping clients address complex, cutting-edge challenges to managing data privacy and cybersecurity risk. We regularly draw upon our cross-disciplinary expertise to provide efficient and effective counseling and representation. Our work ranges from assisting large, multinational clients in conducting privacy and security audits—to assess the ways in which they collect, handle, and protect their customers’ and employees’ personal information—to providing regulatory compliance advice in connection with specific business practices.
Our practice provides exceptional coverage of all of the substantive areas of privacy and data security, including IT/technology, data security, financial privacy, health privacy, employment privacy, litigation and transactions. Our client list contains a broad range of leading companies across numerous sectors, including consumer products, banking and financial services, health care, Internet services, pharmaceuticals, and telecommunications.
With global data privacy and cybersecurity attorneys based in Washington, New York, San Francisco, London, Brussels, and Beijing, our multi-lingual team has represented clients worldwide on a full range of legal, regulatory, and legislative matters involving privacy and cybersecurity issues.
Liaison for group of U.S. multinationals with BCRs
Managing and acting as the liaison for a group of U.S. based multinationals that have put BCRs in place and exchange their BCR experience.
Abbot Laboratories - AbbVie de-merger
Advising Abbott Laboratories in relation to all privacy aspects of its global de-merger, involving the division of the company into a research-based business, AbbVie.
Advising a Leading U.S. Cloud Service Provider
Advising a leading U.S. cloud service provider on a number of EU and Member State regulatory matters, including the proposed EU Terrorist Content Regulation, the proposed EU E-Evidence Directive and Regulation, and the UK Online Harms White paper.
Represent BSA | The Software Alliance as Intervenor Before European Court of Justice
Represent BSA | The Software Alliance as formal intervenor in litigation before the European Court of Justice assessing the validity of the European Commission’s Standard Contractual Clauses under the GDPR.
Represent Trade Group Intervenor Before European Court of Justice
Represent BSA | The Software Alliance as formal intervenor in litigation before the European Court of Justice in response to a challenge to the EU-US Privacy Shield.
Representation of Microsoft in Landmark Case Involving Data Stored Abroad
Successfully challenged U.S. government warrant seeking data stored in Ireland. After a favorable decision from the Second Circuit—and while the Supreme Court was reviewing the case—Congress enacted the CLOUD Act, a modernized framework for cross-border data requests. See United States v. Microsoft Corporation, No. 17-2 (U.S.).
Advising global chemicals company on international data transfers
Advising a multinational chemicals company on international data transfers.
Advising on Safe Harbor framework
Helping numerous companies self-certify under the Safe Harbor framework.
Advice on the collection and use of employee data
Advised a major pharmaceutical client on the collection and use of its employees’ biometric information and social security numbers for internal purposes.
Advice on the monitoring of employee communications
Conducted a pan-European and selective U.S. survey of laws and regulations affecting an employer’s right to monitor employee’s Internet use and review electronic communications. We have also advised numerous clients on the law governing call recording and access to (and disclosure of) employee e-mail, including in connection with several personal crises and actions.
BCRs for global heavy equipment manufacturer
Assisting a multinational manufacturer of heavy equipment in the adoption of BCRs.
BCRs for global heavy machinery manufacturer
Assisting a multinational manufacturer of machinery in the developing of BCRs.
BCRs for multinational conglomerate
Assisting a multinational manufacturer of products for the aerospace and building industries in developing BCRs.
BCRs for multinational e-commerce company
Assisting a global e-commerce company in preparing and filing BCRs with the Luxembourg data protection authority.
Binding Corporate Rules for global pharmaceutical company
Assisting GSK plc in its adoption of Binding Corporate Rules (BCRs) in order to permit the company to transfer personal data globally. We helped develop GSK’s privacy compliance program, obtain the UK data protection authority’s approval and continue assisting GSK during the subsequent implementation.
Data breach notification requirements
Advised a global pharmaceutical company on the data breach notification requirements in more than 80 countries, following a security breach affecting employees in Europe, Asia and the Americas.
Data retention matters
Advised a European telecommunications client on data retention matters, and on strategy and compliance relating to new services using customer data.
Addressing Regulatory Enforcement Actions
We have addressed regulatory investigations and enforcement actions from regulators in the United States, Europe, and Asia following data breaches. These have included investigations or formal enforcement proceedings brought by the Federal Trade Commission, State Attorneys General, and the Securities and Exchange Commission in the United States, and by data protection authorities and sector-specific regulators across Europe and Asia.
Geo-location data issues
Advice on European geo-location data issues for major international service provider.
Global compliance
Conducted a detailed review of the human resources operations of a large pharmaceutical company to assess compliance with data protection and privacy laws and regulations in both the U.S. and EU, in anticipation of possible certification under the U.S.-EU Safe Harbor regime. Our extensive written report described potential compliance issues and recommended specific remedial actions.
Global privacy assessment
On behalf of one of the world’s leading consumer electronics and technology companies, we completed a comprehensive global privacy audit under the laws of the United States, the European Union, and China, including an assessment of the data collection, use, and sharing practices of numerous business units (including HR data), cross-border data transfers, and adopting a going-forward privacy governance and risk-management approach and corresponding policies and procedures.
BBVA in Acquisition of Simple
Representation of Banco Bilbao Vizcaya Argentaria, an international financial group based in Spain, in its acquisition of financial technology company Simple. The $117 million acquisition is part of BBVA's strategy to lead the technology-driven change that is transforming the financial services industry. According to Francisco González, Chairman and CEO of BBVA, Simple will reinforce BBVA’s “global digital transformation while BBVA will provide the means to help Simple maximize its outstanding growth potential.”
Comprehensive privacy policies
Assisted pharmaceutical companies in developing global comprehensive privacy policies aligned with federal (HIPAA, Food & Drug Administration, and National Institutes of Health) regulations, state and European law, and best practices.
Cross-border trade, anti-corruption, and data compliance
Advising a major petrochemical company regarding its establishment of an integrated compliance program, with particular focus on the areas of U.S. and European trade controls, anti-corruption, and data privacy. Our representation includes assistance with establishing a corporate compliance office, assessing risks in these areas, drafting the necessary policies and procedures tailored to company risks and operations, and implementing the program through training and assessment.
Emerging policy issues
Worked directly with, and appeared before national and regional privacy authorities, such as the European Commission, the EU Article 29 Working Party, and the Council of Europe, both to address emerging policy issues in the data privacy field, such as data retention, radio frequency identification (RFID), Big Data, facial recognition, security breach legislation and biometrics, and to defend individual clients.
European data privacy
Represent an ad hoc consortium of U.S. and European pharmaceutical and medical device companies concerned about data privacy issues in Europe, including the Eastern European Member States such as Hungary, Poland, and the Czech Republic.
Gramm-Leach-Bliley Act (GLBA) and State Financial Privacy Laws
We have advised the largest and most sophisticated banks, consumer reporting agencies, and financial services companies on the collection, use and disclosure of nonpublic personal information under GLBA, that California Financial Information Privacy Act, and similar laws, including the development and implementation of privacy notices.
Harley-Davidson global employee code of conduct
Drafted and implemented a global code of conduct and policies for Harley-Davidson addressing privacy, harassment, discrimination, the use of electronic communications and anti-corruption.
HR operations audit for multinational pharmaceutical client
Conducted a detailed review of the human resources operations of a large pharmaceutical company to assess compliance with data protection and privacy laws and regulations in both the US and EU, in anticipation of possible certification under the US-EU Safe Harbor regime. Our extensive written report described potential compliance issues and recommended specific remedial actions.
Management of entire BCR approval process
Advising numerous companies on Binding Corporate Rules (BCRs), including Processor Rules. We help develop the BCR corpus and manage the entire approval process before the lead data protection authorities in several EU Member States including Belgium, Germany, Luxembourg and the UK.
Privacy audit for oil and gas multinational in preparation for BCR approval
Managing a privacy audit of a U.S.-based multinational in the oil and gas industry in preparation for its BCR approval with the Dutch data protection authority as the lead authority, including reviewing and providing advice on the BCRs and the implementation strategy and assisting this client in the preparation and roll-out of various compliance tools in the framework of the BCRs.
Privacy training for employees
Prepared extensive privacy training materials and participated in training sessions for employees of European subsidiaries of a U.S.-based company.
Representing global pharmaceutical company in “test” case involving BCR and CBPR interoperability
Representing Merck in one of the first “test” cases involving interoperability between BCRs and APEC’s Cross-border Privacy Rules (CBPR). The case will establish a precedent for cross-border transfers of personal data for both the EU and Asia-Pacific Region.
Reviewing and amending Binding Corporate Rules
Reviewing and amending BCRs for a Swiss-based pharmaceutical company with the French data protection authority acting as the lead authority.
General Data Protection Regulation (GDPR)
Advising numerous clients on compliance with the General Data Protection Regulation (GDPR).
Global compliance advice for new products
Advising a large social network on compliance with U.S., EU and international data privacy laws in relation to its launch of new services and functionality, including geotargeting, facial recognition and targeted advertising.
Global compliance
Serving as global privacy and data security counsel to a global e-commerce business, including advising on financial services privacy and information security-related aspects of certain mobile payments and mobile wallet services and international data transfers
Global health privacy advice
Advised pharmaceutical companies in the United States and Europe on data privacy issues, including questions relating to genetic testing programs and the development of genomics databases, the sourcing and handling of human tissue and biological samples for research purposes, patient outreach, and marketing activities.
Global policies and procedures
Advising Microsoft on a broad range of privacy and data security issues impacting its services in Europe and at a global level.
Global Privacy Audit for Leading Consumer Electronics and Technology Companies
On behalf of one of the world’s leading consumer electronics and technology companies, we completed a comprehensive global privacy audit under the laws of the United States, the European Union, and China, including an assessment of the data collection, use, and sharing practices of numerous business units (including HR data), cross-border data transfers, and adopting a going-forward privacy governance and risk-management approach and corresponding policies and procedures.
Global privacy compliance programs
Designed a compact worldwide privacy compliance program for a U.S. multinational company.
Litigated Successful Constitutional Challenge
On behalf of Microsoft, successfully challenged a gag order statute that allows courts to forbid technology companies from telling their customers about demands for their data under the Electronic Communications Privacy Act (ECPA). The lawsuit resulted in nationwide reform of the government's practices under the statute. See Microsoft Corporation v. United States Department of Justice, No. 2:16-cv-00538-JLR (W.D. Wash.).
Tencent in $8.6 Billion Acquisition of Clash of Clans Developer
Represented Tencent Holdings Limited in its $8.6 billion acquisition of a majority stake in Supercell Oy, developer of Clash of Clans, Clash Royale, Boom Beach and Hay Day, from SoftBank.
Privacy “health checks”
Conducted privacy “health checks” for clients to assess their compliance with privacy and data security laws, particularly those in the 28 Member States of the European Community; where appropriate, we have designed remediation programs that include, for example, filing notifications to local privacy regulators, fulfilling obligations to furnish notice, and ensuring compliance with local data security regulations.
Review of the right to monitor Internet and electronic communications
Conducted a pan-European and selective US survey of laws and regulations affecting an employer’s right to monitor employee’s Internet use and review electronic communications. We have also advised numerous clients on the law governing call recording and access to (and disclosure of) employee e-mail, including in connection with several personal crises and actions.
Right to be forgotten
Advising numerous companies on data subjects’ right of access and right to be forgotten.
Advising Europe's Largest Purchasing and Marketing Association
Advising Europe’s largest purchasing and marketing association in industrial B2B, E/D/E (Einkaufsbüro Deutscher Eisenhändler GmbH) on the implementation of an electronic marketplace for tool-supply (www.toolineo.de), including complex data protection and electronic payment services issues.
Advising Major Multinational Technology and Ecommerce Company
Advising major American multinational technology and ecommerce company on EU data privacy and cybersecurity issues relating to new products and services.
Assist a Multinational Technology Company with an Internal Audit
Assist a U.S. multinational technology company with an internal audit of their practices relating to user data and the extent to which these practices complied with their contractual and GDPR commitments.
Advising Multinational Technology Companies and Associations on Proposed E-evidence Regulation
Advising a number of multinational technology companies and trade associations on the European Commission's proposed Electronic Evidence Directive and Electronic Evidence Regulation, which would facilitate the ability of EU law enforcement authorities to compel U.S.-based online service providers to disclose user data in criminal investigations.
Advising a Multinational Technology Company on Compliance with EU Accessibility Directive
Advising a U.S. multinational technology company on compliance with the EU Accessibility Directive, which harmonizes EU rules on making products and services accessible to people with disabilities.
Significant Privacy Case Before the Irish High Court
The Irish High Court referred the validity of the Standard Contractual Clauses used as a basis to transfer data and specifically whether they are compatible with the EU treaties to the EU Court of Justice. This is an amicus brief where we will appear on behalf of our client alongside the U.S. Government in making submissions before the EU Court of Justice.
Advising Global Electronics Company on Data Privacy
Advising a global electronics company on data privacy aspects of IoT products, including smart TVs and voice assistants.
Advising Industry Association on Data Privacy
Advising a European industry association on data privacy issues related to programmatic advertising.
January 2021
Recapture of Excess COVID-19 Payroll Tax Credits Addressed in New Regs As the legal, regulatory, and commercial implications of coronavirus COVID-19 continue to evolve, our lawyers and advisors are helping clients navigate the complex considerations that companies around the world are facing and develop plans and strategies in response. Reach out to our ...
January 2021, Covington Guide
The EU-UK Trade and Cooperation Agreement (EUTCA) reached on December 24th is a wide-ranging and complex agreement. Our Brexit Task Force offers these "bite-sized" recordings to give a snapshot of what you need to know in each area. Though the EUTCA provides the overall architecture of the future relationship in a number of areas, much of the detail must still ...
September 14, 2020, Covington Alert
The English High Court has recently awarded damages in a data privacy case, with two features of particular interest1. First, the nature of the claim is more reminiscent of a claim in defamation than for data privacy breaches, which is a development in the use of data protection legislation. Secondly, the damages awarded (perhaps influenced by the nature of the ...
September 2, 2020
BRUSSELS–Covington has named Dan Cooper to lead its European data protection practice as co-chair of the firm’s global Data Privacy & Cybersecurity Practice, and he has relocated to Brussels to be closer to the institutions and courts that govern the European data privacy landscape. The firm has more than 100 lawyers focused on data privacy and cybersecurity ...
August 2020, Privacy Laws & Business
Summer 2020
Covington's European privacy team offers insights on the current state of play with respect to the intersection of European data privacy laws, and the transition around Europe and further abroad as government lockdown restrictions are lifted and companies begin to plan their return-to-work programs. In this on-demand briefing, we cover the guidance and positions ...
July 16, 2020
BRUSSELS-- Today, the European Court of Justice (“CJEU”) issued a landmark decision striking down the EU-U.S. Privacy Shield — an agreement between EU and U.S. authorities authorizing transfers of EU personal data to the United States — but upholding the validity of standard contractual clauses (“SCCs”), another mechanism that EU-based organizations use to ...
July 16, 2020, The Guardian
Lisa Peets spoke with The Guardian about the European Court of Justice’s decision to invalidate the EU-U.S. Privacy Shield, in which social media companies could be prevented from sending data to the United States from Europe. Ms. Peets says the ruling is not a total halt on data transfers between the EU and U.S. The court upheld the use of “standard contractual ...
Schrems II sparks data transfer chaos and confusion
July 16, 2020, Global Data Review
Lisa Peets is quoted in Global Data Review regarding the European Court of Justice’s decision to invalidate the EU-US Privacy Shield. Ms. Peets, who represented software trade body BSA as an intervening party, says companies are unlikely to immediately stop their SCCs – saying that “halting existing transfers would be all but impossible from a practical ...
Top EU Court Strikes Down Popular Data Transfer Tool
July 16, 2020, Law360
Lisa Peets spoke with Law360 about European Court of Justice’s invalidation of the EU-U.S. Privacy Shield. Ms. Peets, who represented the Software Alliance, says the decision to reject the Privacy Shield without holding arguments on the merits of the tool — an issue that wasn't directly before the high court in this dispute — was “disappointing to many.” She ...
Chinese law may require companies to disclose cyber-security preparations outside China
July 3, 2020, Computer Weekly
Yan Luo is quoted in Computer Weekly regarding China’s new draft data security law. Ms. Luo says, “China is considering allowing the law to have an extra-territorial effect that we have not seen before. They want to counteract the extra-territorial effect of U.S. law.” She adds that the law may require a technical audit of a company’s cyber security and to ...
June 27, 2020
WASHINGTON—Covington represented Piramal Enterprises Limited (PEL) in the sale of a 20% stake in Piramal Pharma Limited (Piramal Pharma), a wholly owned subsidiary of PEL that will contain its pharmaceutical businesses, to CA Clover Intermediate II Investments, an affiliated entity of CAP V Mauritius Limited, an investment fund managed and advised by affiliated ...
Spring 2020, Covington Guide
As businesses across Europe prepare to reopen following the COVID-19 lockdown, Covington is providing practical resources and guidance on the broad array of issues companies face as employees return to the workplace, including employment, privacy, competition, policy, environmental and regulatory considerations at the EU level, with a focus on Germany and the ...
May 19, 2020, Bloomberg
Daniel Cooper spoke with Bloomberg about new wearable technology devices that alert users when they are within close proximity of someone with COVID-19. Mr. Cooper notes that businesses are walking a fine line between keeping people safe and protecting their privacy. The absence of clear guidance from European regulators is forcing companies -- who could also be ...
Morrisons Ruling Leaves Door Open For Data Breach Suits
April 2, 2020, Law360
Mark Young spoke with Law360 about a UK Supreme Court case involving the intentional breach of customer data information by an employee at Morrisons. The court ruled Morrisons will no longer have to pay a fine. Mr. Young says this is the “dual-edged result” of the Supreme Court judgment. Although a company is off the hook if an employee “goes off the deep end” ...
Morrisons not liable for rogue employee data breach
April 1, 2020, Global Data Review
Daniel Cooper spoke with Global Data Review about a UK high court case involving the deliberate breach of personal information by a supermarket employee from Morrisons. The court ruled that the supermarket was not liable for the actions of the employee. Mr. Cooper described the decision as “dual-edged” and said that “when coupled with the Lloyd Court of Appeal ...
April 2020, Privacy Laws & Business
January 31, 2020, Covington Alert
This evening, at 11:00 p.m. GMT, the UK will leave the European Union. Brexit day marks a beginning, not an end. The UK today embarks on a complex process of negotiating new arrangements for trade and cooperation with the EU and partners around the world. Regulatory divergence seems inevitable, given that the UK will want to make its own decisions on existing ...
January 31, 2020, Covington Alert
At 11 p.m. tonight, the UK will officially leave the EU. Although this is a significant milestone in the development of the UK’s data protection framework, the UK will remain very closely linked to the EU in the short term at least, and for many the change may be imperceptible.
ICO hits electronics retailer with maximum pre-GDPR fine
January 10, 2020, Global Data Review
Daniel Cooper is quoted in Global Data Review regarding the UK ICO’s decision to fine DSG Retail £500,000 under pre-GDPR data protection law. The fine stems from the company being compromised by a cyberattack affecting at least 14 million people. Mr. Cooper says, “the ICO's imposition of a maximum fine appears due, in part, to the fact that it felt DSG should ...
January 9, 2020, Global Data Review
Daniel Cooper spoke with Global Data Review about the European Commission’s recommended changes to artificial intelligence liability rules. Mr. Cooper says the commission is keen to stress that the conclusions drawn from the report remain those of the expert group only. “One has to assume that the commission wants to be careful to test the waters first and gauge ...
December 20, 2019, Covington Alert
On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case.
European Countries Reluctant To Challenge FATCA
November 27, 2019, Law360
Atli Stannard is quoted in Law360 regarding the U.S. Department of the Treasury’s claims of European Union banks violating privacy and anti-discrimination laws when they share customer information with the IRS. EU countries may negotiate with the Treasury Department, but only if they receive larger cross-border effort against tax avoidance. Mr. Stannard says, ...
October 22, 2019, Legaltech News
Trisha Anderson spoke with Legaltech News about a bilateral data access agreement, a new mechanism of the CLOUD Act and its effect on law firms. A year after the CLOUD Act, the first data-sharing agreement is most relevant to U.K. law enforcement agencies having access to the vast data held by U.S.-based tech companies, says Ms. Anderson. She adds, “The most ...
October 10, 2019, Covington Alert
On October 2, 2019, the English Court of Appeal handed down a landmark judgment in Lloyd v Google LLC [2019] EWCA Civ 1599 (“Lloyd”) concerning Google’s alleged misuse of the personal data of over 4 million iPhone users via cookies placed on the Safari browser.
EU Cookie Ruling Tightens Leash On Ad Tech Staple
October 9, 2019, Law360
Kristof Van Quathem is quoted in Law360 regarding a European Court of Justice’s decision to increase web cookie consent measures. Mr. Van Quathem says, “It’s unfortunate that the court didn’t address that point because it’s commercially and politically a very sensitive topic, on which there is a lot of uncertainty right now, and it’s a question that could have ...
August 27, 2019
FRANKFURT—WirtschaftsWoche, Germany’s leading business weekly news magazine, has named Covington as the top law firm for IT law and Dr. Lars Lensdorf, a partner in Covington’s Frankfurt office, to its list of top IT lawyers in Germany. Dr. Lensdorf focuses his practice on IT law, outsourcing, digitalization and industry 4.0, IT related bank regulatory matters, ...
July 17, 2019, Covington Alert
On July 9, 2019, the European Court of Justice (“ECJ”) heard oral argument in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The primary question before the ECJ is whether the European Commission’s standard contractual clauses (“SCCs”) are valid for transfers of personal data to the United States.1 Given ...
Covington Represents BSA in Landmark Data Protection Case Before Europe's Highest Court
July 9, 2019
BRUSSELS—Today, a team of Covington lawyers argued before the European Court of Justice in a landmark data protection case, Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The case has significant ramifications for any organization that relies on the standard contractual clauses (“SCCs”) to transfer personal ...
July 2, 2019, Thomson Reuters Regulatory Intelligence
Expert Q&A on the EU Cybersecurity Act
June 4, 2019, Thomson Reuters
Mark Young participated in a Q&A with Thomson Reuters about the EU Cybersecurity Act and its new cybersecurity certification schemes for information and communication technology products, services, and processes, especially internet of things devices. The interview also discusses how the Act supports the EU Directive on the Security of Network and Information ...
June 2019, Pharmind
February 2019, Privacy Laws & Business International Report
January 22, 2019, Covington Alert
On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here).
January 2, 2019, Covington Alert
The past year was a particularly significant one for the development of Chinese privacy law. During 2018, the Chinese government systematically established the country’s regulatory requirements for cybersecurity and data privacy and continued to implement the Cybersecurity Law, which took effect on June 1, 2017.
January 2019, GCR Insight - E-Commerce Competition Enforcement Guide
October 23, 2018, The Law Society Gazette
Daniel Cooper spoke with The Law Society Gazette regarding a UK Court of Appeal decision that could make employers vicariously liable for employees’ actions even if they had taken preventative steps and bore no criminal responsibility. Mr. Cooper said the employer should bear the enterprise risk and assume liability for the actions of its employees, as long as ...
Disputes Eye: Hunting krakens – As finance and Russian work slows veteran litigators look to key trends and opportunities
September 13, 2018, Legal Business
Louise Freeman spoke with Legal Business regarding the latest trends in disputes. She highlights the growing potential for litigation from the rise in cyberattacks impacting major companies. Ms. Freeman observed ‘The UK courts are increasingly adapting to deal with this kind of litigation,’ and points to the Clarkson v Person or Persons Unknown High Court case ...
August 17, 2018
LONDON—Covington has advised Sensyne Health on medical device regulatory and data protection matters in connection with its £60 million IPO on London’s AIM market. The firm also represented Sensyne Health in negotiating strategic research and data processing agreements with the Chelsea and Westminster Hospital NHS Foundation Trust, the Oxford University ...
August 17, 2018
WASHINGTON— Law360 named Covington lawyers Alexander Berengaut, Michael Nonaka, and Ursula Owczarkowski to its list of “2018 Rising Stars.” This annual recognition honors top attorneys under 40 “whose legal accomplishments transcend their age.” Alex Berengaut represents clients in civil litigation, international arbitrations, and government enforcement ...
July 30, 2018
SILICON VALLEY—Covington advised GlaxoSmithKline on its multi-year collaboration with and $300 million equity investment in 23andMe. GSK will become 23andMe’s exclusive collaborator for drug target discovery programs. The collaboration will focus on research and development of innovative new medicines and potential cures using human genetics as the basis for ...
How Can We Make Best Use of Health Data?
June 14, 2018, Financial Times
Kristof Van Quathem participated in a Financial Times podcast to discuss the impact of the General Data Protection Regulation on medical research and health technology companies. According to Van Quathem, "One of the main concerns I think that we see in the research circle is the uncertainty that is being created by the GDPR, and in particular, when it comes to ...
GDPR Has Companies Big and Small Racing to Comply
May 24, 2018, The Wall Street Journal
Henriette Tielemans is quoted by The Wall Street Journal in an article regarding the upcoming deadline for companies to comply with the General Data Protection Regulation. “Companies are struggling with the concrete deliverables—the record of processing activities, the transfer agreements, the notices, the website—because of the sheer volume,” says Tielemans. ...
April 18, 2018, Thomson Reuters Regulatory Intelligence
What will happen on May 26? We asked Helen Dixon
April 3, 2018, IAPP
Henriette Tielemans participated in a session at the Global Privacy Summit and is quoted in an IAPP article regarding what happens once GDPR goes into effect. "For a lead regulator for the one-stop shop, you need a mean establishment. You lose a lot of the benefits of the GDPR if you're unable to come up with what your main establishment is," Tielemans said.
Irish Regulator To Eye Transparency In GDPR Enforcement
March 29, 2018, Law360
Henriette Tielemans spoke at an IAPP event and is quoted in a Law360 article regarding the Irish privacy authority's focus once GDPR takes effect. According to Tielemans, while “the GDPR has 150 articles, and businesses are worried about all 150 of them,” companies are most concerned about the regulators’ ability to issue massive fines of up to 4 percent of ...
Covington Opens Frankfurt Office
March 28, 2018
LONDON—Covington will open an office in Frankfurt, Germany on April 3 led by eight partners. Frankfurt will be the firm’s third European office and will work closely with the firm’s five offices in the United States, its three offices in Asia, and its offices in the Middle East and Africa. “Covington will offer German companies a unique capability to help them ...
March 27, 2018
BRUSSELS—Henriette Tielemans, co-chair of Covington’s global Data Privacy and Cybersecurity practice, has today received the IAPP Privacy Vanguard Award, the industry's top honor, for her lifelong services to the data privacy community. The International Association of Privacy Professionals (IAPP) is the world’s largest and most comprehensive global information ...
March 27, 2018, IAPP
Henriette Tielemans was the recipient of the 2018 IAPP Privacy Vanguard Award, a recognition reserved for individuals who display “exceptional leadership, knowledge, and creativity in the field of privacy and data protection.”
March 27, 2018, Covington Alert
On March 23, 2018, Congress passed, and President Trump signed into law, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which creates a new framework for government access to data held by technology companies worldwide.
GDPR drives global privacy compliance now, but still unclear whether it will become de facto global standard, experts say
March 23, 2018, MLex
Lindsey Tonsager recently spoke at the BCLT Privacy Law Forum in Silicon Valley is quoted in an mLex article discussing whether GDPR will automatically become a global privacy standard. Tonsager said that working with companies that depend on AI technology to become compliant with the GDPR “is incredibly, incredibly challenging." Commenting on modifications to ...
The five-minute management idea: wearable tech
March 2, 2018, Chartered Management Institute
Daniel Cooper is quoted in a Chartered Management Institute article regarding wearable technology. Providing the legal perspective, Cooper says, "Any employer processing personal information is subject to a range of obligations–this includes making sure they’re very transparent about what they collect, ensuring they have a legal basis for processing that data. ...
January 22, 2018
WASHINGTON—Covington advised Bacardi Limited in its definitive agreement to acquire Patrón Spirits International AG and its PATRÓN® brand, the world’s top-selling ultra-premium tequila, from John Paul DeJoria, a founder of Patrón. The transaction reflects an enterprise value for Patrón of $5.1 billion. The transaction follows the successful relationship the ...
5 Cybersecurity And Privacy Policies To Watch In 2018
January 1, 2018, Law360
Kristof Van Quathem and Yan Luo are quoted in a Law360 article regarding cybersecurity and privacy policies to watch in 2018. Commenting on the General Data Protection Regulation (GDPR), Van Quathem says that although one of the legislation's aims is to harmonize a splintered set of national data privacy laws within Europe, it may end up causing companies aiming ...
Cybersecurity & Privacy Predictions For 2018
January 1, 2018, Law360
Kurt Wimmer and John Buchanan are quoted in a Law360 article providing cybersecurity and privacy predictions for 2018. Wimmer says, once Europe's General Data Protection Regulation (GDPR) is in force, non-EU countries around the world will begin looking at privacy regimes based on the 1995 Directive [which the GDPR will replace] and think about whether they ...
December 26, 2017
SILICON VALLEY—The Financial Times has recognized Covington among the most innovative firms in 2017 in the category of "Enabling Business Growth," for advising "Tencent in its acquisition of a $8.6bn majority stake in Supercell, the Finnish gaming company, while maintaining Supercell’s creative culture and retaining its employees by introducing incentive ...
October 18, 2017, Covington Alert
The European Commission published its Report today on the first-annual review of the EU-U.S. Privacy Shield (the Report is accompanied with a Staff Working Document, Infographic, and Q&A).
The EU Gets Serious About Cyber: The EU Cybersecurity Act and Other Elements of the "Cyber Package"
September 18, 2017, Covington Alert
Last week, in his annual State of the European Union Address, the President of the European Commission Jean-Claude Juncker called out cybersecurity as a key priority for the European Union in the year ahead. In terms of ranking those priorities, President Juncker placed tackling cyber threats just one place below the EU leading the fight against climate change, ...
September 5, 2017, Bloomberg
Helena Milner-Smith is quoted in a Bloomberg article regarding the European Court of Human Rights ruling on employee privacy in a case brought by Bogdan Mihai Barbulescu. According to Milner-Smith, the ruling should remind employers not to "go beyond what is necessary for a legitimate purpose." She adds, "However, the Grand Chamber’s ruling will have very little ...
September 5, 2017, The Law Society Gazette
Helena Milner-Smith is quoted by The Law Society Gazette in an article regarding the European Court of Human Rights ruling on employee privacy in a case brought by Bogdan Mihai Barbulescu. According to Milner-Smith, "The decision serves as a reminder for employers who monitor workplace communications to ensure their monitoring practices do not go beyond what is ...
EU Court Reverses Ruling On Employee Chat Surveillance
September 5, 2017, Law360
Helena Milner-Smith is quoted in a Law360 article regarding the European Court of Human Rights ruling on employee privacy in a case brought by Bogdan Mihai Barbulescu. "The decision serves as a reminder for employers who monitor workplace communications to ensure their monitoring practices do not go beyond what is necessary for a legitimate purpose, that ...
China Seeks Comments on Updated Draft of Cross-Border Data Transfer Security Assessment Standard
August 31, 2017, Covington Alert
On August 31, 2017, China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released an updated draft of the Information Security Technology - Guidelines for Data Cross-Border ...
August 10, 2017, The Wall Street Journal
Mark Young is quoted in The Wall Street Journal's "Morning Risk Report" in an article regarding the Network and Information Systems directive. According to Young, “This is another data-related compliance requirement and it carries heavy penalties for failure to have in place appropriate network security measures."
UK data laws enter Facebook era
August 8, 2017, Financial Times
Lisa Peets is quoted in a Financial Times article regarding the EU's new General Data Protection Regulation which will be introduced into UK law later this year. "Under the regulations, the definition of 'personal data' will be extraordinarily broad—any information that is related to a person," says Peets. "Companies are finding out that they are processing a ...
May 24, 2017, Covington Alert
On May 25, 2018, employers located or with staff in the European Union (“EU”) will have to comply with a new data protection law—Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data—commonly referred to as the General Data Protection Regulation (“GDPR”). This will ...
May 19, 2017, Covington Alert
On May 19, 2017, the Cyberspace Administration of China (“CAC”) invited international stakeholders to attend a seminar to discuss an updated version of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Measures”). Given that the Measures have an intended effective date of June 1, 2017, it is likely ...
April 12, 2017, Covington Alert
On April 11, 2017, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Draft Measures”) for public comment (official Chinese version available here; Covington’s translation of the Draft Measures is appended at the end of this alert).
GDPR Planning and Preparation Conference for Employers
March 30, 2017, Business Forums International Ltd.
The Long Arm of the European Privacy Regulator: Does the New EU GDPR Reach U.S. Media Companies?
Spring 2017, Communications Lawyer (American Bar Association)
February 3, 2017, Global Investigations Review
Ian Hargreaves and David Lorello are quoted in a Global Investigations Review article regarding Hargreaves’ recent arrival to Covington. According to Hargreaves, the firm’s “pre-eminence in dispute resolution, and its immense strength and global recognition as a market-leader in white-collar crime matters and investigations” fueled his decision. Lorello says, ...
January 31, 2017
LONDON—Ian Hargreaves has joined Covington as a partner in the firm’s European Dispute Resolution practice resident in London. Mr. Hargreaves’ arrival follows that of litigation partners Craig Pollack, Greg Lascelles, Elaine Whiteford, and Louise Freeman over the past six months. Mr. Hargreaves advises on major European white collar and related civil and ...
Banks Face Cybercrime Wave As Tougher Regulations Loom
January 24, 2017, Law360
Mark Young and Ian Hargreaves are quoted in a Law360 article regarding the high level of cyberattacks on the financial services industry and the resulting regulatory pressures. According to Young, “The GDPR [General Data Protection Regulation] is a massive text with groundbreaking change in the data privacy area, in terms of compliance requirements and the new ...
December 15, 2016, CCT News
Daniel Cooper is quoted by CCT News in an article regarding the use of wearable technology in the workplace. According to Cooper, the use of wearable devices is a good way, especially for insurers. However, the wearers’ privacy must be taken care of as well as their legitimate treatment concerns.
Wearable technology: gathering data from tooth to toe
November 21, 2016, Financial Times
Daniel Cooper is quoted in a Financial Times article regarding wearable technology in the workplace. According to Cooper, not everyone will welcome sharing intimate personal information with the boss, however. “Wearable devices could be a good way for insurers to get the data . . . but it’s essential to address wearers’ privacy and fair treatment concerns and ...
September 20, 2016
WASHINGTON—Global Investigations Review has named the Microsoft warrant access case as the winner of the “Most Important Court Case of the Year.” Covington served as co-counsel to Microsoft and helped secure a landmark win in the U.S. Court of Appeals for the Second Circuit. GIR also ranked Covington among the top 15 investigations practices in the world in its ...
Covington Forms Cybersecurity Incident Response Team
July 18, 2016
WASHINGTON—Covington has formed an enhanced team of lawyers and advisors to provide cybersecurity incident response services to clients, highlighted by Stephen Surdu, who formerly led the professional services group of Mandiant, joining the team as a Senior Cybersecurity Advisor. Through the formation of the Cybersecurity Incident Response Team with members on ...
July 14, 2016, Covington Alert
At a joint press conference on July 12, 2016 in Brussels, EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová and the U.S. Secretary of Commerce, Penny Pritzker, presented the Privacy Shield (see Press Release here, Adequacy Decision text here, Annexes here, Communication here, and Q&A factsheet here). The press conference followed the ...
July 2016, BNA’s World Data Protection Report
Covington Represents Tencent in $8.6 Billion Acquisition
June 21, 2016
SILICON VALLEY—Covington advised Tencent Holdings Limited, a leading provider of internet service in China, in connection with its acquisition of a majority stake in Supercell from SoftBank. A consortium established by Tencent will acquire up to 84% of Supercell for $8.6 billion in a transaction valuing Supercell at approximately $10.2 billion. Supercell is a ...
Insider Threats to Cybersecurity—Prevent, Prepare, and React Webinar
June 21, 2016, Webinar
Data Transfer Hurdles Have Companies Hedging Bets
March 24, 2016, The Wall Street Journal
Daniel Cooper is quoted in The Wall Street Journal’s “Morning Risk Report” discussing how companies should best comply with global data protection regulations. Commenting on the binding corporate rule process, Cooper said,“The one thing we know about binding corporate rules is [they tend] to have more appeal to European regulators.” He continues, “For a lot of ...
5 Ways To Keep Cybersecurity Risk From Derailing A Deal
February 19, 2016, Law360
Mark Young and Libbie Canter are quoted in this Law360 article offering tips on how deal makers can mitigate cybersecurity risks. According to Young, any discovered incidents can give buyers pause on how — and if — they want to move forward. “We’ve dealt with at least a couple examples where deals were at least delayed if not reconsidered because of ...
February 1, 2016, The Guardian
Henriette Tielemans is quoted by The Guardian in an article discussing the missed Safe Harbor deadline. According to Tielemans, companies faced “enormous uncertainty” about what European regulators would deem adequate privacy protection.
Cyber security: uncertain companies lack defence plans
January 25, 2016, The Lawyer
David Fagan is quoted by The Lawyer in an article discussing the continued vulnerability of companies to data breaches and targeted cyber attacks. Fagan, commenting on cyber-related litigation, states, “Up until now, in the US, there has been little cyber-related litigation because it is very difficult to quantify the level of damage done – I can imagine the ...
January 15, 2016, Law360
Henriette Tielemans is quoted in a Law360 article discussing the recent European Court of Human Rights’ decision allowing employers in the EU to monitor their employees’ online activities for business purposes. “This decision is important,” according to Tielemans. “It will bring much needed legal certainty in an area that many companies are struggling with.”
December 21, 2015, Covington Alert
On December 15, the EU institutions finally agreed the text of the new EU data protection law, the General Data Protection Regulation (“GDPR”), completing a process that began in January 2012. The LIBE committee has published the consolidated version of the GDPR text. The GDPR heralds a new era of data protection. It replaces the existing data protection ...
December 8, 2015, Law360
Mark Young is quoted in a Law360 article discussing the EU Network and Information Security Directive, which sets a cybersecurity and breach reporting baseline for both critical infrastructure operators, as well as digital service providers. This directive, which is the first of its kind, comes after two years of negotiations. According to Young, “There’s going ...
November 24, 2015, The Register
Dan Cooper is quoted by The Register in an article discussing the uncertainty and complications continuing to surround the Schrems decision that derailed Safe Harbour. Cooper stated that his business clients were both “surprise[d] and shock[ed]” by the European Court’s decision. “Businesses felt like the rug had been pulled out from under them,” said Cooper. ...
E.U. Court Declares Data-Transfer Pact With U.S. Invalid
October 13, 2015, Bloomberg BNA
Henriette Tielemans is quoted in this BNA article that explores the idea of finding alternative means for the transfer of data with the elimination of Safe Harbor. Countries that require national data protection authority approval may find even more issues arise when trying to formulate new ways to navigate data transfer laws. Tielemans notes that the process ...
October 6, 2015, Fortune
Brussels-based partner Henriette Tielemans is quoted in this Fortune article that discusses the effects of the highest E.U. court eliminating the U.S.-E.U. data transfer agreement known as the Safe Harbor Act. “Hindsight is a beautiful thing,” said Tielemans. “We must all remember that in 2015 things are different than they were in 2000.”
October 6, 2015, Covington Alert
September 23, 2015, InsidePrivacy Blog
August 2015, Privacy Laws & Business
Article written by Covington's Lisa Peets.
June 8, 2015, Financial Times
Covington's Daniel Cooper is quoted regarding the legal implications of wearables in the workplace: “Historically European regulators in the data protection area have been very sceptical you can ever get a valid employee consent — they feel that for existing employees, [the relationship] is almost inherently coercive.”
- Global Data Review 100, "20 Elite" (2020)
- Law360, “Compliance Practice Group of the Year” (2020)
- Ranked by Chambers Global as a leading Data Protection practice (2013-2020)
- Ranked by Chambers Europe as a leading Data Protection practice (2014-2020)
- Ranked by Chambers UK as a leading Data Protection practice (2013-2020)
- Ranked by Legal 500 EMEA as a leading EU Regulatory, Privacy and Data Protection practice (2013-2017)
- Ranked by Chambers USA as a leading Privacy & Data Security practice (2013-2020)
- Ranked by Legal 500 US as a leading Cyber Law (including Data Protection and Privacy) (2013-2018)
- Ranked by Legal 500 US as a leading Cyber Law (including Data Protection and Privacy) - Data Protection and Data Breach Response (2015-2017)
- Ranked by Legal 500 UK as a leading Data Protection practice (2013-2016)
- Legal 500 UK Awards, winner of the TMT: Data Protection category (2014)
- The Lawyer shortlisted our London technology and media group for its TMT Team of the Year Award (2013)
- Law360's Practice Groups of the Year, Privacy & Consumer Protection (2011-2012)

COVID-19: Legal and Business Toolkit
We are helping clients around the world navigate this evolving, complex situation.

California Consumer Privacy Act (CCPA)
We are representing clients on California Consumer Privacy Act (CCPA) compliance, including in the legislative amendment and rulemaking proceedings associated with the CCPA and in developing working plans to come into compliance with the CCPA.
Use the Menu Below to Filter Matters and News
By clicking on filters, the website automatically displays information related to specific interests.
Example: To find Covington’s representative matters, news, and insights related to product liability and mass tort defense class actions, take the following steps:
- Begin on the Product Liability and Mass Tort Defense practice page
- On the section labeled Use Menu Below to Filter Matters and Results, click the arrow next to Litigation and Investigations under the Practices heading
- On the expanded list, click on Class Actions
- Refreshed information will be displayed under the Representative Matters and News and Insights sections of the page
- To refine the information further, click on Life Sciences under the Industries heading