Privacy and Data Security


Arnold & Porter is a leading international law firm with nearly 1000 lawyers working in nine offices across the US and in Europe. Lawyers in our Data and Information Security practice in London and Brussels:

  • counsel clients on public policy issues and legislative developments relating to issues such as surveillance, access to communications data and data privacy;
  • engage on behalf of clients with decision-makers such as the European Commission to help clients shape public policy outcomes on issues of strategic importance to them;
  • work with clients on developing and implementing appropriate cybersecurity standards, drafting data security incident plans, and responding to data security breaches;
  • litigate data security breach cases;
  • represent  government contractors in procurement-related cybersecurity matters; and
  • advise on a full range of compliance, regulatory, and liability issues.

We also have the necessary expertise to navigate issues surrounding submission of data to overseas jurisdictions in cross border investigations.

Our experts in these fields combine their respective in-depth knowledge of their specialisms to provide a seamless service, providing practical advice and counseling.

National Security, Law Enforcement, and Access to Communications Data

The advent of the Internet, the pervasive use of social media, and the proliferation of smart phones and similar devices have all contributed to important changes in the way in which individuals use communications services. Legislators, regulators, communications service providers, users, and the public at large have become engaged in a debate about how access to and use of communications data should be regulated. Arnold & Porter has assisted telecommunications carriers, social media companies, and national regulators on understanding the implications of these developments. We advise on the interpretation and application of relevant EU and UK legislation including the EU Data Retention Directive 2006 and the UK Regulation of Investigatory Powers Act 2000, Data Retention and Investigatory Powers Act 2014, and draft Investigatory Powers bill published in 2015.

Recent Achievement:

  • Advising a social media company on the application of the Regulation of Investigatory Powers Act to personal data stored by it in another jurisdiction.

Data Protection and Privacy

Rapid changes in information technology have created an array of new means to collect, use, and disseminate personal information, and the risks of abuse of such information have risen exponentially. Legislatures, regulators, and courts worldwide have responded with new restrictions on the collection, retention, use, and disclosure of personal information. Arnold & Porter's Privacy practice assists businesses in a wide range of industries, from e-commerce start-ups to global companies. We help clients understand and meet their obligations with respect to applicable requirements and restrictions. We have extensive experience dealing with cross-border data privacy issues. Our experience includes the co-ordination of data privacy projects involving multiple countries, covering all forms of personal data (such as employee and customer data). We are regularly called upon to draft and/or advise on data transfer agreements, data privacy and confidentiality agreements for data processors, data security policies, and the implementation of procedures that allow for the transfer of data from the EU to the US. These include EU model contracts, binding corporate rules and, what was, the US/EU Safe Harbor Program (now ruled by the European Court as ineffective). We also provide advisory support on this legislation and are working with clients to monitor and assess the impact of the terms of the new General Data Protection Regulation (which will likely be approved early in 2016 and take effect in 2018) and the ongoing discussions concerning the so-called US/EU Safe Harbor Program 2.0.

Highlights of Recent Achievements:

  • Assisting a North American telecommunications carrier to devise a strategy permitting international movement of personal data by a social media company in compliance with data protection laws in the EU, US and Latin American countries.
  • Advising an international call center operator on the application of EU and US data protection laws .
  • Advising an Asian regulatory authority on the design and drafting of national data protection legislation; and, on an on-going basis, on issues of international policy and practice.
  • Counseling US companies seeking to transfer HR and customer data from the EEA to the US on the application of EU Model Data Transfer Agreements, US Safe Harbor registration, and binding corporate rules, and drafting the relevant documentation.
  • Acting for a pharmaceutical company on a review of their pan-EU website privacy policies and personal data collection.
  • Counseling a US-headquartered client on the launch and roll-out of its e-reader range. The matter specifically concerns the collection and sharing of customer data within the EU and data transfers back to the US.
  • Advising Digital Entertainment Content Ecosystem (DECE) on the application of EU data protection laws to its UltraViolet digital film service. This included advising on EU-US data transfers, the flow of personal information within DECE and others who participate in the UltraViolet service, and drafting DECE's European privacy policy.
  • Advising a global hotel chain on the data protection aspects of the use of off-shore call centers and IT services for centralized booking systems.
  • Advising the global-leading electric car manufacturer on their EU data protection obligations concerning the processing and international transfer of telemetry data.

Email Disclaimer