European Data Protection and Privacy

European Data Protection and Privacy

Data protection and privacy risks affect every business. Our integrated team offers assistance on all aspects of European data protection law, including data breaches, international data transfers and BCRs, privacy risk management and cross-border compliance.

In Europe, data protection rights are fundamental human rights regulated by a comprehensive legal framework. The specific requirements of European data protection law can be challenging for organizations, especially because of variations in local laws across EU Member States. Organizations seeking to comply with European data protection requirements need thoughtful, yet pragmatic, advice that is informed by deep knowledge of local law requirements. Our European data protection lawyers have extensive experience organizing, managing and coordinating compliance projects with both national and international dimensions, allowing our clients to efficiently manage their multijurisdictional needs.

Our European data protection and privacy practice extends beyond legal advice to integrated consulting on corporate privacy risk management, as well as legislative and strategic policy advice, and business consulting on corporate information policy and legal compliance. The European data protection and privacy practice is led by internationally recognized partners Bridget Treacy and Wim Nauwelaerts in the firm's London and Brussels offices, respectively. 

We provide counsel on a wide range of areas, including:

  • Advising on and assisting with data breach notification requirements, including mitigating and managing the risks arising from data breaches and the management of reputation;
  • Creating strategies for international data transfers, including Binding Corporate Rules ("BCRs"), model clauses and the EU-US Privacy Shield;  
  • Advising on the compliance issues raised by cloud-based data processing services;
  • Addressing challenges raised by social networking services and related technologies, for both providers and corporate users;
  • Advising on the use of cookies and the compliance challenges posed by the amended e-Privacy Directive;
  • Complying with e-discovery requests on a pan-EU basis;
  • Advising on the cross-border implementation of employee monitoring and whistle-blowing schemes;
  • Addressing data protection issues in the context of outsourced arrangements, particularly concerning global HR databases;
  • Developing tailored compliance tools and procedures (such as privacy impact assessments, checklists, notice and consent forms, data transfer and processing agreements, sample security procedures, complaint handling and dispute resolution procedures and employee training materials) for clients; and
  • Working with senior management to develop comprehensive information governance strategies that assist in managing risk and encouraging innovation.

Lawyers in our Brussels and London offices are fluent in many European languages, and they have studied law or been admitted to practice in several jurisdictions, including Belgium, France, Germany and the UK. Our European lawyers are often assisted on projects by our privacy lawyers in our Asian and US offices.

We have established a network of specialized privacy and data protection lawyers in Europe and beyond, with whom we often work on projects. This approach allows us to call on the services of highly knowledgeable privacy law specialists from all over the world, while coordinating the work so that our clients deal with only a single point of contact. Our "one-stop shop" approach allows us to promote efficiency, and thus value, to our clients.

Our clients are based in jurisdictions across the globe. They represent numerous sectors including advertising, consumer goods, financial services, information technology, manufacturing, new media, pharmaceuticals, medical devices, publishing, retail, software and many others.

Augmenting our core data protection and privacy practice is the Centre for Information Policy Leadership, a privacy think tank associated with the law firm. The Centre provides strategic consulting services and helps clients develop global privacy and data security strategies for today’s digital economy. It also provides clients with a forum for developing privacy solutions and brings together companies, consumer leaders and senior policy makers to develop next-generation privacy principles to facilitate global, digital information flows. In partnership with the University of Indiana, the Centre has recently launched a research institute to lead innovative research projects into emerging privacy issues.

Legislative and Policy Practice
Our data protection lawyers maintain strong relationships with officials at the European Commission, national data protection authorities, the Article 29 Working Party and the European Data Protection Supervisor. Our team is closely involved in policy discussions underpinning the review of the European Data Protection Directive, and our views are frequently sought by legislators and policy makers. Our team has successfully led negotiations with European data protection authorities and the Commission, such as the "adequacy" decision issued by the European Commission on the ICC Alternative Model Clauses for Data Transfer (December 2004 and February 2010) and the Guidelines for Terminated Merchant Databases endorsed by the Article 29 Working Party (January 2005). We also worked closely with the European Commission and national data protection authorities on the Article 29 Working Party's Opinion on More Harmonised Information Provisions (November 2004). Our data protection lawyers have close ties to international organizations such as the Council of Europe and the OECD.