Data privacy and data protection

A&O Shearman’s global data protection team advises leading corporations and financial institutions on their compliance with data privacy laws across the world.


We are renowned as a world leader in data issues related to the use of generative artificial intelligence and other cutting-edge technologies. 

With an increasing volume of data-related legislation globally, including the EU AI Act, NIS2, DORA, and DPDI, businesses require guidance from international teams with experience and insight.

We have trusted relationships with data protection authorities and a nuanced understanding of their expectations and enforcement approaches, ensuring we can provide our clients with risk-based analysis.

Our team includes a former chief privacy officer, former federal prosecutors who worked in various U.S. attorneys' offices, seasoned transactional and CIPP privacy certified lawyers, and a former deputy information commissioner at the UK Information Commissioner's Office.

End-to-end data compliance advice 

We have extensive experience helping clients develop and implement multijurisdictional compliance strategies, including designing, drafting, reviewing and updating internal policies and third-party contracts at group level (taking into account specific national requirements), as well as conducting data privacy surveys, audits and impact assessments.  

We help our clients structure their innovations to ensure privacy by design, as well as handling issues relating to data collection and consents; data governance; cross-border data transfers; data monetization and ethics; liability and penalties; automated data processing and profiling; and engagement with data protection authorities.  

We advise on the implications of freedom of information legislation, including the potential to use it for competitive advantage. 

Our privacy lawyers work alongside attorneys from our global employment and compensation, financial services, intellectual property, outsourcing, regulatory, litigation, public company advisory and corporate governance, M&A, and tech transaction teams to provide integrated solutions to our clients' data privacy needs.  

Data investigations 

We regularly handle regulatory and internal investigations into data-related issues. Many business models are reliant on sophisticated data processing and monetization activities amid an evolving technology environment, rising regulatory scrutiny and intensifying societal concerns. Further, regulators are becoming ever more concerned to ensure that they supervise the proper implementation of core data subject rights.  

Multinational companies across all sectors are therefore subject to enforcement actions, sometimes undertaken by several data protection authorities at the same time, or, in the case of the EU, by a lead authority where the company has its headquarters in an EU member state.

These enforcement actions can result in high fines and burdensome corrective measures to address any shortcomings identified by the authorities.  

We have extensive experience advising clients how best to minimize enforcement risk, how to prepare for enforcement actions by one or more authorities, how to navigate investigations (which includes having a litigation strategy from day one), and on the best strategy for challenging a regulatory decision through the courts.

We understand how regulators work and how to approach engagement and enforcement proceedings from a practical and strategic perspective. 

Integrated cybersecurity risk management 

Our dedicated cybersecurity group also helps our clients identify, manage and mitigate cyber threats.

Representative matters

  • A number of leading UK retail companies on how best to lawfully maximize and share their customer data among various business units or to drive new product offerings.  
  • A global information services company on several AI projects, including advising on data protection impact assessments of AI projects (chatbots and HR analytics) and on the application of AI in HR analytics projects.  
  • An electronics manufacturer on its rollout of cameras that use facial and body-shape recognition systems in the UK and EU markets. 
  • A range of clients on their responses to DSARs, including in the context of high-profile employment disputes and in some cases significant enforcement action where whistleblowers are involved. 
  • A global bank on a range of digital/data initiatives including its use of cookies across Europe and its approach to Adtech. 
  • A prominent retailer in respect of its use of biometrics in its retail outlets to consider how that technology could be used in compliance with the strict rules on the use of special purpose data. 
  • A global tech company on an investigation by an EU DPA on its online targeted advertising. We assisted the company throughout the whole investigation and litigation phases and (successfully) took summary proceedings to obtain the suspension of the fine and the corrective measures. The appeal procedure is still ongoing. 
  • An international US software and cloud provider on an investigation by a DPA on the processing of telemetry data. The investigation was closed with the software and cloud provider implementing corrective measures. 
  • A global payments services platform on the compliance program in relation to the Digital Services Act and the Digital Markets Act.  
  • A US fast food company on both day-to-day data compliance and on complex, strategic matters for the group. We also advised on an investigation by the French data protection authority; no fine was given.
