European Data Protection and Privacy

Data protection and privacy risks affect every business. Our integrated team offers assistance on all aspects of European data protection law, including the GDPR, data breaches, international data transfers and BCRs, privacy risk management and cross-border compliance.

In Europe, data protection rights are fundamental human rights regulated by a comprehensive legal framework. The specific requirements of European data protection law can be challenging for organizations, especially because of variations in local laws across EU Member States. Organizations seeking to comply with European data protection requirements need thoughtful, yet pragmatic, advice that is informed by deep knowledge of local law requirements. Our European data protection lawyers have extensive experience organizing, managing and coordinating compliance projects with both national and international dimensions, allowing our clients to efficiently manage their multijurisdictional needs.

The EU General Data Protection Regulation (GDPR) came into force on May 25, 2018, and our lawyers have worked extensively with global companies on devising and implementing strategies for compliance with the new requirements under the Regulation. We also have provided extensive thought leadership on some of the most difficult aspects of the GDPR. Our UK-based team regularly hosts seminars exploring the impact of specific aspects of the GDPR on both non-EU and EU businesses.

We provide counsel on a wide range of areas, including:

  • Advising on compliance with data protection law in the UK and across the EU, including the GDPR;
  • Creating strategies for international data transfers, including Binding Corporate Rules (BCRs), model clauses and the EU-US Privacy Shield and the Swiss-US Privacy Shield;
  • Handling all aspects of complex cybersecurity incidents and data breaches;
  • Developing proactive, breach-readiness solutions for clients, including the development of incident response plans and conducting tabletop exercises;
  • Assisting clients facing regulatory enquiries and enforcement actions;
  • Conducting privacy impact assessments and data protection and privacy audits covering a range of privacy governance and compliance issues;
  • Conducting privacy and data security due diligence in connection with corporate transactions;
  • Addressing challenges raised by social networking services and related technologies, for both providers and corporate users;
  • Advising on the use of cookies and the compliance challenges posed by the amended e-Privacy Directive;
  • Complying with e-discovery requests on a pan-EU basis;
  • Advising on the cross-border implementation of employee monitoring and whistle-blowing schemes; and
  • Working with senior management to develop comprehensive information governance strategies that assist in managing risk and encouraging innovation.

Lawyers in our Brussels and London offices are fluent in many European languages, and they have studied law or been admitted to practice in several jurisdictions, including Belgium, France, Germany, Greece and the UK. Our European lawyers are often assisted on projects by privacy lawyers in our Asian and US offices.

We have established a network of specialized privacy and data protection lawyers in Europe and beyond, with whom we often work on projects. This approach allows us to call on the services of highly knowledgeable privacy law specialists from all over the world, while coordinating the work so that our clients deal with only a single point of contact. Our "one-stop shop" approach allows us to promote efficiency, and thus value, to our clients.

Our clients are based in jurisdictions across the globe. They represent numerous sectors including advertising, consumer goods, financial services, information technology, manufacturing, new media, pharmaceuticals, medical devices, publishing, retail, software and many others.

Augmenting our core data protection and privacy practice is the Centre for Information Policy Leadership (CIPL), a privacy think tank associated with the law firm. CIPL provides strategic consulting services and helps clients develop global privacy and data security strategies for today’s digital economy. It also provides clients with a forum for developing privacy solutions and brings together companies, consumer leaders and senior policy makers to develop next-generation privacy principles to facilitate global, digital information flows. CIPL is also leading a GDPR project examining best practices and challenges in the implementation of the key GDPR requirements.

Legislative and Policy Practice

Our data protection lawyers maintain strong relationships with officials at the European Commission, national data protection authorities, the Article 29 Working Party and the European Data Protection Supervisor. Our team is closely involved in helping organizations implement the new requirements of the EU GDPR. Our data protection lawyers also frequently work with international organizations, such as the Council of Europe and the Organization for Economic Cooperation and Development.

Relevant Experience

We have assisted clients on a wide range of data protection and privacy compliance matters across Europe. Some recent projects we have worked on include:

  • Advise a large technology and Internet company on numerous aspects of EU privacy law, including compliance with new and existing EU rulings, corporate restructuring, monitoring and mobile issues. We also work extensively with the company on the impact of the GDPR, advising on policy issues and on preparation for GDPR implementation.
  • Advise a large British media company on preparing for compliance with the GDPR, including conducting a gap analysis and strategic remediation plan.
  • Advise a multi-level marketing company on its certification to the EU-US Privacy Shield, and assisting with compliance with the GDPR.
  • Assisted a global financial institution on global privacy compliance, including advising the most senior executives on the group’s information governance structure.
  • Advised a Fortune 500 company on a significant EU data protection law compliance project at a pan-European level involving 27 European Member States. We have assisted the company on the launch of multiple information products in jurisdictions throughout the world, as well as Internet-related projects.
  • Assisted a major French company concerning implementation of a strategy for its global data transfers, including BCRs. We advised in detail on the entire BCR process, including drafting BCRs and associated documents.
  • Represented a Fortune 500 company on various global data protection compliance initiatives, including the company’s framework for cross-border transfer of personal data.
  • Counseled an association on various data protection issues related to online copyright enforcement and, in particular, on its strategy for global data protection compliance.
  • Advised a large multinational corporation on its international data transfer strategy, including BCRs.
  • Advised a social network provider on its data protection compliance strategy for Europe.
  • Assisted a major Belgian retailer with respect to its strategy for implementation of a whistle-blowing hotline in several European countries.
  • Advised one of the world’s leading manufacturers and marketers of cosmetic products in connection with their online privacy policy, terms and conditions, and use of online marketing technologies across Europe.

Insights