Use of cookies by
Norton Rose Fulbright
We use cookies to deliver our online services. Details and instructions on how to disable those cookies are set out at By continuing to use this website you agree to our use of our cookies unless you have disabled them.

Data protection, privacy and cybersecurity


An increasingly complex web of data protection, privacy and cybersecurity laws, self-regulatory frameworks, best practices and business contracts govern the processing and safeguarding of information around the world, as well as the protection of critical industrial infrastructure.

Our global group of dedicated data protection and cyber lawyers represents clients from across industries that operate in many corners of the world, each facing a unique set of data protection, privacy and cybersecurity concerns, ranging from business strategy issues to transactions, and from cyber incidents to government investigations and litigation. Advising clients across the globe affords us a 360-degree view of cyber issues that we leverage to provide advice that is holistic, informed and practical, and reflects industry- and region-specific risks.

We advise clients on complex issues associated with both personal and sensitive business data, including its collection, use, storage, disclosure, transfer and destruction. We also counsel clients on the cybersecurity of critical infrastructure. We regularly handle public policy, data protection, privacy and cybersecurity issues across Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. Our lawyers collaborate and share knowledge across regions, enabling us to provide clients with seamless and risk-based advice around the world.

Our practice addresses data protection, privacy and cybersecurity issues in connection with:

  • Legal compliance and business strategy, including privacy and security risk management and cybersecurity programs
  • Technology transactions, including outsourcing and M&A
  • Cyber-incident preparedness and response, including investigation, mitigation, and remediation
  • Investigations and dispute resolution, including litigation, and regulatory proceedings and enforcement

We act for a wide range of multinational clients across the following industry sectors:

  • Financial services
  • Pharmaceuticals
  • Life sciences and healthcare
  • Retail and leisure
  • Insurance
  • Energy and utilities
  • Consumer products
  • Technology and innovation
  • Data analytics
  • New media
  • Food and beverages

Our areas of work include

  • Data protection, privacy and cybersecurity audits, compliance risk assessment and remediation
  • Data protection program development, including supporting consumer engagement activities such as marketing and advertising
  • Strategic regulatory compliance advice
  • Data security and privacy best practices
  • Development of security and privacy policies and procedures
  • Vendor management program development and implementation
  • Cybersecurity and privacy contract development and negotiation
  • Technology transactions
  • M&A transactions
  • Bankruptcy proceedings involving personal information
  • Proactive incident response planning
  • Security incident investigation, response, and remediation
  • Cross-border data flow requirements, including Safe Harbor certification, EU Binding Corporate Rules and other solutions
  • Management of employee information and patient medical records
  • Restrictions on collection and use of consumer information
  • Mobile privacy issues
  • Leveraging personal information for advertising and marketing
  • Privacy policies for organizations and their websites
  • Data security, privacy and technology regulatory response and litigation
  • Cloud services and computing
  • Data hub relocation projects

Our recent work


  • Representing a global retailer in a dispute with a vendor arising from a payment card breach
  • Representing a number of financial institutions in respect to serious data breaches and their consequent correspondence and settlement negotiations with the UK FCA and ICO
  • Advising a big data analytics company on IP and data protection issues in the US and selected Asian and European jurisdictions arising from its web scraping activities
  • Advising a financial services company on the implications and policy considerations arising from the cross-border rollout of its BYOD program
  • Advising a global insurance company on the employment and data protection issues arising from the rollout of a consolidated HR system across 25 jurisdictions

United States

  • Developing a global data protection, privacy and cybersecurity compliance program for a multinational industrial company, addressing local compliance, cross-border data transfer, incident preparedness, vendor management, employee privacy, and infrastructure security
  • Advising a client on an information security breach affecting facilities and individuals in over 100 countries
  • Advising a financial services company on the acquisition of a data analytics company, including privacy and information security due diligence, data mapping, and global post-merger compliance strategy and implementation
  • Advised a medical device company concerning security and privacy compliance and “privacy by design” issues associated with Internet of Things strategy for medical devices connected wirelessly to the Internet


  • Drafting and reviewing privacy policies (including policies covering websites, mobile apps and general operations) for over 13 technology, cloud based, and consumer product companies operating in Canada
  • Representing a retail client in a claim concerning online exposure of credit card numbers

Latin America

  • Advising a multinational corporation on privacy law, habeas data and de-identification matters in relation to information gathered by medical equipment in Venezuela
  • Advising a global pharmaceutical company on the implementation of e-signatures in several Latin American jurisdictions
  • Advising a global oil company on the requirements regarding employee monitoring and company web traffic inspections with respect to servers in Brazil


  • Advising on the implementation of a global health information repository for employees of a large multinational energy company, including the proper use and implementation of employee education programs, privacy impact assessments, consents, notices and data security measures
  • Advising a global telecommunications company on its provision of cloud computing services in eight Asian jurisdictions (China, Japan, South Korea, Philippines, India, Thailand, Indonesia and Malaysia) as well as the UK and US, including advising on data privacy laws of each jurisdiction and reviewing cloud computing service terms in compliance with local data privacy laws
  • Advising a multinational banking and financial services company on the data privacy and regulatory aspects relating to the outsourcing of its securities processing services in several jurisdictions in Asia


  • Advising an Australian software subsidiary on issues relating to off-shore data transfers; assisting with production of a number of customer-facing documents and government submissions
  • Assisting over 80 clients with ensuring compliance with Australia’s revised data privacy regulatory regime
  • Advising a multinational bank on data privacy regulatory issues arising from the outsourcing of its technology functions across Asia Pacific
  • Advising a major loyalty rewards programme on data privacy issues associated with data aggregation and commercialisation

Middle East

  • Advising a global telecommunications company on BYOD policies concerning local privacy, information security, cybersecurity crime and labor laws
  • Advising a government entity on a proposed government data sharing and open data project, including advice on related privacy issues, drafting enabling legislation and benchmarking against global standards
  • Advising a Saudi Arabian petroleum company on social media account hacking and cyber crime violations


  • Representing and advising a major international insurance carrier on back up tape loss and future avoidance strategies related to one of the largest data privacy losses in the history of South Africa, involving the leak of over a million UK and South African policy holders’ private information
  • Advising South African National Treasury on legislation and policy regarding the interface between technology, telecommunications and the banking sector with regard to fraud detection, breach prevention and new financial inclusion technologies