Our Website Uses Cookies
We and the third parties that provide content, functionality, or business services on our website may use cookies to collect information about your browsing activities in order to provide you with more relevant content and promotional materials, on and off the website, and help us understand your interests and improve the website.
For more information, please contact us or consult our Privacy Notice.
Your binder contains too many pages, the maximum is 40.
We are unable to add this page to your binder, please try again later.
This page has been added to your binder.
Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.
He has been recognized in Chambers UK as "a trusted adviser - practical, results-oriented and an expert in the field." Recent editions note that he is "deeply knowledgeable in the area of privacy and data protection," "fast, thorough and responsive," and has "great insight into the regulators."
Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.
For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.
In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.
- Counsel to several major technology companies on GDPR and global data privacy compliance, particularly in relation to new features, products and services that involve cutting edge issues (e.g., AI, biometric data, Internet of Things devices, etc.).
- Advises several pharmaceutical, biotech and healthcare companies on GDPR compliance; international transfers of data and the development, implementation and authorization of Binding Corporate Rules (BCRs); clinical trials and pharmacovigilance; cloud computing and service contracts; digital health products and services, including in relation to data analytics and rights; and internal investigations.
- Advises a major cloud computing provider on compliance with security and incident reporting obligations that apply to digital service providers under the EU Network and Information Systems (NIS) Directive.
- Counsel to multiple clients who have experienced a cyber / data security incident, including supervising technical investigations, advising on notification obligations and other legal risks, and representing clients before regulators around the world.
- Coordinated an EU and ex-U.S. team as part of a 24/7 global incident response effort over several weeks in relation to a multifaceted systems and controls issue.
Pro Bono
- Advising Privacy International, the privacy-rights NGO, with respect to emerging EU and other privacy and data retention laws (2007-2012).
Memberships and Affiliations
- IAPP
- Society for Computers and Law
Previous Experience
- Trained with and qualified into the IP department of a leading City of London law firm
- First Data International, seconded to the in-house legal team
- BBC, Vodafone, the Times newspaper, legal internships
- PricewaterhouseCoopers, IT Management Consultant
Managing the GDPR After a Data Breach
September 24, 2020, Incident Response Forum Europe 2020
June 8, 2020, Covington Alert
On 19 May 2020, easyJet announced that personal data of approximately 9 million customers worldwide had been unlawfully accessed by third parties in a “highly sophisticated cyber-attack”. Data stolen by the cyber-attackers includes credit card details of 2,000 of the affected customers and, for most other customers, travel details such as departure and arrival ...
January 31, 2020, Covington Alert
At 11 p.m. tonight, the UK will officially leave the EU. Although this is a significant milestone in the development of the UK’s data protection framework, the UK will remain very closely linked to the EU in the short term at least, and for many the change may be imperceptible.
What does the GDPR mean for FCPA Investigations and International Practice Webcast
April 17, 2018
Closing Bell
October 6, 2015, CNBC Europe
Mark Young discussed a ruling from the highest court in the EU that invalidated a key EU-US data sharing agreement.
March 2021
As the legal, regulatory, and commercial implications of coronavirus COVID-19 continue to evolve, our lawyers and advisors are helping clients navigate the complex considerations that companies around the world are facing and develop plans and strategies in response. Reach out to our COVID-19 task force at COVID19@cov.com. Below is a compendium of resources ...
Brexit Task Force
March 2021
Since the beginning of the Brexit process in 2016, Covington’s Brexit Task Force–comprised of over 40 lawyers and former senior diplomats and policymakers, in London, Brussels, Frankfurt, Dublin, and Washington–has advised clients in a wide range of industries on the challenges and opportunities created by this historic event. While the EU-UK negotiations have ...
February 10, 2021, Inside Privacy
In this blog post, we look at a recent decision by the UK Court of Appeal and a separate prosecution brought by the Information Commissioner’s Office (“ICO”; the UK data protection authority), which together serve as a cautionary tale for employees and prospective future employers of the risks of civil liability and criminal conviction for...… Continue Reading
February 10, 2021, Covington Alert
In this alert we look at a recent decision by the UK Court of Appeal and a separate prosecution brought by the Information Commissioner’s Office (“ICO”; the UK data protection authority), which together serve as a cautionary tale for employees and prospective future employers of the risks of civil liability and criminal conviction for confidential information ...
February 1, 2021, Inside Privacy
On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here). The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws ...
January 15, 2021, Inside EU Life Sciences
In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key ...
January 15, 2021, Covington Digital Health
In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key ...
January 15, 2021, Inside Privacy
In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key ...
December 22, 2020, Inside Privacy
On December 15, 2020, the Irish Data Protection Commission (“DPC”) fined Twitter International Company (“TIC”) EUR 450,000 (USD 500,000) following a narrow investigation into TIC’s compliance with obligations to (a) notify a personal data breach within 72 hours under Article 33(1) GDPR; and (b) document the facts of the breach under Article 33(5) GDPR. The...… ...
December 3, 2020, Inside Privacy
On 25 November 2020, the European Commission published a proposal for a Regulation on European Data Governance (“Data Governance Act”). The proposed Act aims to facilitate data sharing across the EU and between sectors, and is one of the deliverables included in the European Strategy for Data, adopted in February 2020. (See our previous blog...… Continue ...
December 3, 2020, Covington Digital Health
On 25 November 2020, the European Commission published a proposal for a Regulation on European Data Governance (“Data Governance Act”). The proposed Act aims to facilitate data sharing across the EU and between sectors, and is one of the deliverables included in the European Strategy for Data, adopted in February 2020. (See our previous blog...… Continue ...
October 5, 2020, Inside Privacy
On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg. This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”),...… ...
September 29, 2020, Inside Privacy
On 10 September 2020, the UK Information Commissioner’s Office (“ICO”) published its beta-phase “Accountability Framework” (“Framework”). The Framework is designed to assist organisations, of any size and across all sectors, in complying with the accountability principle under the GDPR and in meeting the expectations of the ICO. The Framework will help those ...
September 14, 2020, Covington Alert
The English High Court has recently awarded damages in a data privacy case, with two features of particular interest1. First, the nature of the claim is more reminiscent of a claim in defamation than for data privacy breaches, which is a development in the use of data protection legislation. Secondly, the damages awarded (perhaps influenced by the nature of the ...
September 2, 2020
BRUSSELS–Covington has named Dan Cooper to lead its European data protection practice as co-chair of the firm’s global Data Privacy & Cybersecurity Practice, and he has relocated to Brussels to be closer to the institutions and courts that govern the European data privacy landscape. The firm has more than 100 lawyers focused on data privacy and cybersecurity ...
May 27, 2020, Inside Privacy
On May 4, 2020, the European Data Protection Board (“EDPB”) updated its guidelines on consent under the GDPR. An initial version of these guidelines was adopted by the Article 29 Working Party prior to the GDPR coming into effect, and was endorsed by the EDPB on May 25, 2018. The revisions do not amount to...… Continue Reading
April 2, 2020, Inside Privacy
On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12. The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee. The judgment is significant in that it overturned the decisions of the two lower...… Continue Reading
Morrisons Ruling Leaves Door Open For Data Breach Suits
April 2, 2020, Law360
Mark Young spoke with Law360 about a UK Supreme Court case involving the intentional breach of customer data information by an employee at Morrisons. The court ruled Morrisons will no longer have to pay a fine. Mr. Young says this is the “dual-edged result” of the Supreme Court judgment. Although a company is off the hook if an employee “goes off the deep end” ...
December 5, 2019, Covington Digital Health
The UK’s Information Commissioner’s Office (“ICO”) has issued and is consulting on draft guidance about explaining decisions made by AI. The ICO prepared the guidance with The Alan Turing Institute, which is the UK’s national institute for data science and artificial intelligence. Among other things, the guidance sets out key principles to follow and steps to ...
December 5, 2019, Inside Privacy
The UK’s Information Commissioner’s Office (“ICO”) has issued and is consulting on draft guidance about explaining decisions made by AI. The ICO prepared the guidance with The Alan Turing Institute, which is the UK’s national institute for data science and artificial intelligence. Among other things, the guidance sets out key principles to follow and steps...… ...
October 10, 2019, Covington Alert
On October 2, 2019, the English Court of Appeal handed down a landmark judgment in Lloyd v Google LLC [2019] EWCA Civ 1599 (“Lloyd”) concerning Google’s alleged misuse of the personal data of over 4 million iPhone users via cookies placed on the Safari browser.
August 6, 2019, Covington Digital Health
On July 25, 2019, the UK’s Information Commissioner’s Office (“ICO”) published a blog on the trade-offs between different data protection principles when using Artificial Intelligence (“AI”). The ICO recognizes that AI systems must comply with several data protection principles and requirements, which at times may pull organizations in different directions. ...
July 2, 2019, Thomson Reuters Regulatory Intelligence
Cybersecurity and Cyber Insurance - Strategic Imperatives
June 19, 2019, Life Sciences Counsel Seminar & Dinner
June 7, 2019, Covington Digital Health
On June 3, 2019, the UK Information Commissioner’s Office (“ICO”), released an Interim Report on a collaboration project with The Alan Turing Institute (“Institute”) called “Project ExplAIn.” The purpose of this project, according to the ICO, is to develop “practical guidance” for organisations on complying with UK data protection law when using artificial ...
Expert Q&A on the EU Cybersecurity Act
June 4, 2019, Thomson Reuters
Mark Young participated in a Q&A with Thomson Reuters about the EU Cybersecurity Act and its new cybersecurity certification schemes for information and communication technology products, services, and processes, especially internet of things devices. The interview also discusses how the Act supports the EU Directive on the Security of Network and Information ...
How to maintain credibility after a hack with multiple stakeholders
October 15, 2018, FT Cyber Security Summit, London
Global Privacy Training and GDPR
March 5, 2018, Client Presentation, Tokyo, Japan
Global Cyber-Incidents: EU, US, and Beyond
February 27, 2018, International Privacy + Security Forum, George Washington University
Law360 Names Attys Who Moved Up The Firm Ranks In Q4
January 30, 2018, Law360
Law360 highlights the promotion of Covington's newest partners, including John Balzano, Lindsay Burke, Bradley Chernin, Christopher DeCresce, Guy Dingley, Matthew Dunn, Laura Flahive Wu, Pamela Forrest, Alexa Hansen, Megan Keane, Sam Pyun, Kyle Rabe, Ansgar Simon, Andrew Soukup, Emily Ullman, and Mark Young.
December 26, 2017
SILICON VALLEY—The Financial Times has recognized Covington among the most innovative firms in 2017 in the category of "Enabling Business Growth," for advising "Tencent in its acquisition of a $8.6bn majority stake in Supercell, the Finnish gaming company, while maintaining Supercell’s creative culture and retaining its employees by introducing incentive ...
November 2017, Pratt's Privacy & Cybersecurity Law Report
Covington Promotes 16 New Partners
October 2, 2017
WASHINGTON—Covington has promoted 16 lawyers to its partnership. “It’s a great tribute to the firm’s vibrancy that we’re continuing to build an exceptional pipeline of new partners from within our ranks,” said Timothy Hester, Covington’s chair. “We’re confident that all 16 will add importantly to the firm’s strengths and will drive further expansion of core ...
The EU Gets Serious About Cyber: The EU Cybersecurity Act and Other Elements of the "Cyber Package"
September 18, 2017, Covington Alert
Last week, in his annual State of the European Union Address, the President of the European Commission Jean-Claude Juncker called out cybersecurity as a key priority for the European Union in the year ahead. In terms of ranking those priorities, President Juncker placed tackling cyber threats just one place below the EU leading the fight against climate change, ...
August 10, 2017, The Wall Street Journal
Mark Young is quoted in The Wall Street Journal's "Morning Risk Report" in an article regarding the Network and Information Systems directive. According to Young, “This is another data-related compliance requirement and it carries heavy penalties for failure to have in place appropriate network security measures."
EU Public Policy Trends and the EU Cybersecurity Directive
June 22, 2017, API-IOGP Cybersecurity Europe Conference for the Oil and Natural Gas Industry
May 24, 2017, Covington Alert
On May 25, 2018, employers located or with staff in the European Union (“EU”) will have to comply with a new data protection law—Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data—commonly referred to as the General Data Protection Regulation (“GDPR”). This will ...
May 17, 2017, Covington Alert
Last Friday may mark the start of a new era in cyber crime. The first worldwide ransomware attack, commonly dubbed “WannaCry,” emerged on May 12. The malware is believed to have infected more than 300,000 computers in 150 countries to date. A cyber criminal or ring of criminals, taking advantage of an exploit made available by the ShadowBrokers hacker group that ...
Recent Developments and Future Changes to Internet Privacy Rules in the EU the UK and the US
March 2017, Computer Law Review International
Banks Face Cybercrime Wave As Tougher Regulations Loom
January 24, 2017, Law360
Mark Young and Ian Hargreaves are quoted in a Law360 article regarding the high level of cyberattacks on the financial services industry and the resulting regulatory pressures. According to Young, “The GDPR [General Data Protection Regulation] is a massive text with groundbreaking change in the data privacy area, in terms of compliance requirements and the new ...
General Data Protection Regulation Workshop Series - HR Issues under the GDPR
October 19, 2016, Webinar
Medical Technology in the Digital Age: Managing Cybersecurity and Other Legal Risks with Connected Medical Devices
August 10, 2016, Webinar
UK Votes to Leave the EU
June 24, 2016, Covington Alert
The UK has voted to leave the European Union in an advisory referendum. 52% leave - 48% remain. Were the UK to leave the EU, this would have significant implications for the UK and for international businesses operating in the UK. The longer term impact of the decision on the regulatory framework for the UK will depend, in part, on the relationship that the UK ...
Insider Threats to Cybersecurity—Prevent, Prepare, and React Webinar
June 21, 2016, Webinar
Covington Represents Tencent in $8.6 Billion Acquisition
June 21, 2016
SILICON VALLEY—Covington advised Tencent Holdings Limited, a leading provider of internet service in China, in connection with its acquisition of a majority stake in Supercell from SoftBank. A consortium established by Tencent will acquire up to 84% of Supercell for $8.6 billion in a transaction valuing Supercell at approximately $10.2 billion. Supercell is a ...
General Data Protection Regulation Workshop Series: The Impact on the Life Sciences Industry
May 26, 2016, Webinar
General Data Protection Regulation (GDPR) Workshop Series
April 21, 2016, Webinar
General Data Protection Regulation Workshop Series - Workshop 1
February 25, 2016, Webinar
State of Play – the past, present and future of Data Protection
February 23, 2016, Employment Lawyers Association
5 Ways To Keep Cybersecurity Risk From Derailing A Deal
February 19, 2016, Law360
Mark Young and Libbie Canter are quoted in this Law360 article offering tips on how deal makers can mitigate cybersecurity risks. According to Young, any discovered incidents can give buyers pause on how — and if — they want to move forward. “We’ve dealt with at least a couple examples where deals were at least delayed if not reconsidered because of ...
The EU General Data Protection Regulation: Key Elements for Business
January 21, 2016, Covington Webinar
December 21, 2015, Covington Alert
On December 15, the EU institutions finally agreed the text of the new EU data protection law, the General Data Protection Regulation (“GDPR”), completing a process that began in January 2012. The LIBE committee has published the consolidated version of the GDPR text. The GDPR heralds a new era of data protection. It replaces the existing data protection ...
December 8, 2015, Law360
Mark Young is quoted in a Law360 article discussing the EU Network and Information Security Directive, which sets a cybersecurity and breach reporting baseline for both critical infrastructure operators, as well as digital service providers. This directive, which is the first of its kind, comes after two years of negotiations. According to Young, “There’s going ...
December 8, 2015, InsidePrivacy Blog
December 2015, E-Commerce Law and Policy
October 6, 2015, Covington Alert
September 23, 2015, InsidePrivacy Blog
September 17, 2015, InsidePrivacy Blog
The EU General Data Protection Regulation: What’s Next and What It Means For Your Business
July 1, 2015, Webinar
June 12, 2015, InsidePrivacyBlog
Data Protection, Social Media and Flexible Working
May 13, 2015, Employment Lawyers Association Annual Conference (Leeds)
May 2015, Privacy Laws & Business UK Report
HR-Related International Privacy Compliance
April 17, 2015, Global In-House Employment Lawyers' Society (Cliveden)
February 28, 2015, InsidePrivacy Blog
The Challenges of Online Versus Bricks and Mortar for Luxury Brands
February 5, 2015, Covington and China Luxury Advisors (London)
Privacy and Security Considerations for the Adoption of Cloud Services in the Health Sector
December 9, 2014, Microsoft eHealth Conference (Brussels)
Data Protection in the Employment Context
October 15, 2014, Employment Lawyers Association (London)
October 6, 2014, Covington E-Alert
August 5, 2014
LONDON, 5 August, 2014 — Covington & Burling advised Illumina on its partnership with Genomics England to provide infrastructure and expertise for a four-year project that aims to make the UK the world leader in genetic research into cancer and rare diseases, through funding research to decode 100,000 human genomes - a patient's personal DNA code. The deal is ...
May 14, 2014, InsidePrivacy Blog
In the Era of Big Data, Is the Biggest Question ‘Who Owns It’?
May 1, 2014, IAPP Europe (London)
May 2014, Privacy Laws & Business
Covington Announces Seven New Counsel
April 17, 2014
WASHINGTON, DC, April 17, 2014 — Covington & Burling is pleased to announce the promotion of four lawyers to of counsel and three lawyers to special counsel, effective April 1, 2014. The new of counsel are as follows: Lindsay Burke advises U.S., international, and multinational employers on employee management issues and international HR compliance. Her ...
April 8, 2014, InsidePrivacy Blog
February/March 2014, World Trademark Review
November 27, 2013, Covington E-Alert
October 24, 2013, Covington E-Alert
August 30, 2013, Covington E-Alert
June 26, 2013
LONDON, 26 June, 2013 — The UK Information Commissioner's Office has authorised GlaxoSmithKline’s 'Binding Corporate Rules' (BCRs) – a set of internal policies and procedures used to protect personal data across GSK’s operations globally. The privacy and data security team at Covington & Burling was instrumental in the development, implementation and ...
Safer “Bring Your Own Device” Policies: New Guidance from the UK Information Commission’s Office
March 14, 2013, Inside Compensation
On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance for employers on the use of personal devices for business purposes. The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov. According to the survey, 47 percent of adults in the UK...… Continue Reading
February 7, 2013, InsidePrivacy Blog
“Data Privacy and Publishing”
September 2012, Publisher Roundtable on Data Privacy in conjunction with The Publishers Association
March 27, 2012, Covington E-Alert
December 8, 2011, Bloomberg Technology Law Report
March 8, 2011, InsidePrivacy Blog
February 15, 2011, EuroWatch
February 10, 2011, Covington Advisory
Data Transfers and Conflicts of Laws: SOX, Dodd-Frank and eDiscovery
January 2011, 5th Annual Privacy & Data Protection Conference Ireland - The Law Society of Ireland (Dublin)
May 2010, Privacy Law & Business
UK Surveillance - EU Trouble
March 2010, Westminster Legal Policy Forum and eForum Briefing Paper: Surveillance and Data Protection
October 2009, Privacy Law & Business
PLS Pilot, Recommendations and Strategies for Fighting eBook Piracy
September 2009, Digital Publishing Forum, hosted by The Publishers Association, UCL, and EDItEUR
June 24, 2009, Covington E-Alert
Tackling Book Piracy Online: Strategies and Solutions
October 2008, Frankfurt Book Fair, International Publishers Association International Publishing Update 2008
Do Rights Holders Have Any Rights on the Internet?
September 2008, ICOMP Meeting (London)
July 19, 2008, Covington E-Alert
Combating Counterfeits on the Internet
November 2007, presented at Edition Formation Entreprise (EFE) training day on e-commerce and pharmaceutical products (Paris)
Covington Boosts European Life Sciences and TMC Groups
8/6/2007
LONDON, 6 August, 2007 — Covington & Burling LLP is pleased to announce the appointment of two associates in the London office: Janet Kidd joins the European Life Sciences Group and Mark Young joins the European TMC Practice. Before qualifying as a solicitor, Janet spent 15 years in the pharmaceutical industry where she worked for household names such as Pfizer, ...
July/August 2007, Trademark World
October 2006, Computer and Telecommunications Law Review
August 2006, Entertainment Law Review
Summer 2005, International Journal of Law and Information Technology
- Chambers UK, Data Protection and Information Law (2014-2021)
- Chambers UK, Parliamentary & Public Affairs (2013-2014), recognised as “an expert on data protection law and policy”
- Legal 500 UK, Data Protection (2016) and Public Affairs (2011)
- Sports, Media and Entertainment Team of the Year (Intellectual Property Magazine Awards, 2010)

COVID-19: Legal and Business Toolkit
We are helping clients around the world navigate this evolving, complex situation.
Practices
Education
Nottingham Law School, 2008
- Postgraduate Diploma in Commercial Intellectual Property
College of Law, London, L.P.C., 2004
Glasgow Graduate School of Law, 2003
- LL.M. in Technology Law
- Distinction
University of Edinburgh, 1999
- LL.B. (Joint Hons. French)
Université Paul Cézanne Aix-Marseille III, 1998
- Erasmus Exchange