
Data protection, privacy and cybersecurity



An increasingly complex web of data protection, privacy and cybersecurity laws, self-regulatory frameworks, best practices and business contracts governs the processing and safeguarding of information around the world, as well as the protection of critical industrial infrastructure.

Our global group of dedicated data protection and cyber lawyers represents clients from across industries that operate in many corners of the world, each facing a unique set of data protection, privacy and cybersecurity concerns, ranging from business strategy issues to transactions, and from cyber incidents to government investigations and litigation. Advising clients across the globe affords us a 360-degree view of cyber issues that we leverage to provide advice that is holistic, informed and practical, and reflects industry- and region-specific risks.

We advise multinational clients on complex issues associated with both personal and sensitive business data, including its collection, use, storage, disclosure, transfer and destruction. We also counsel clients on the cybersecurity of critical infrastructure. We regularly handle public policy, data protection, privacy and cybersecurity issues across Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. Our lawyers collaborate and share knowledge across regions, enabling us to provide clients with seamless and risk-based advice around the world. We have acted for a wide range of clients in industry sectors including, but not limited to, the following: financial services, pharmaceuticals, retail and leisure, insurance, energy and utilities, technology and innovation, and food and beverages.

We deliver

  • legal compliance and business strategy, including privacy and security risk management and cybersecurity programs
  • technology transactions, including outsourcing and M&A
  • cyber-incident preparedness and response, including investigation, mitigation, and remediation
  • investigations and dispute resolution, including litigation, and regulatory proceedings and enforcement

Our areas of work include

  • data protection, privacy and cybersecurity audits, compliance risk assessment and remediation
  • data protection program development, including supporting consumer engagement activities such as marketing and advertising
  • strategic regulatory compliance advice
  • data security and privacy best practices
  • development of security and privacy policies and procedures
  • vendor management program development and implementation
  • cybersecurity and privacy contract development and negotiation
  • technology and M&A transactions
  • bankruptcy proceedings involving personal information
  • proactive incident response planning
  • security incident investigation, response, and remediation
  • cross-border data flow requirements, including Safe Harbor certification, EU Binding Corporate Rules and other solutions
  • management of employee information and patient medical records
  • restrictions on collection and use of consumer information
  • mobile privacy issues
  • mobile medical apps and Internet of Things
  • leveraging personal information for advertising and marketing
  • privacy policies for organizations and their websites
  • data security, privacy and technology regulatory response and litigation
  • cloud services and computing
  • data hub relocation projects

Our recent work

  • representing a number of financial institutions with respect to serious data breaches and their consequent correspondence and settlement negotiations with the UK FCA and ICO
  • advising a big data analytics company on IP and data protection issues in the US and selected Asian and European jurisdictions arising from its web scraping activities
  • advising a financial services company on the implications and policy considerations arising from the cross-border rollout of its BYOD program
  • advising a global insurance company on the employment and data protection issues arising from the rollout of a consolidated HR system across 25 jurisdictions
  • advising a client on an information security breach affecting facilities and individuals in over 100 countries
  • advising a medical device company concerning security and privacy compliance and “privacy by design” issues associated with an Internet of Things strategy for medical devices connected wirelessly to the Internet
  • advising a global pharmaceutical company on the implementation of e-signatures in several Latin American jurisdictions
  • advising a global oil company on the requirements regarding employee monitoring and company web traffic inspections with respect to servers in Brazil
  • advising a global telecommunications company on its provision of cloud computing services in eight Asian jurisdictions (China, Japan, South Korea, Philippines, India, Thailand, Indonesia and Malaysia) as well as the UK and US, including advising on data privacy laws of each jurisdiction and reviewing cloud computing service terms in compliance with local data privacy laws
  • advising a multinational banking and financial services company on the data privacy and regulatory aspects relating to the outsourcing of its securities processing services in several jurisdictions in Asia
  • advising an Australian software subsidiary on issues relating to off-shore data transfers; assisting with production of a number of customer-facing documents and government submissions
  • assisting over 80 clients with ensuring compliance with Australia’s revised data privacy regulatory regime
  • advising a Saudi Arabian petroleum company on social media account hacking and cyber crime violations
  • representing and advising a major international insurance carrier on backup tape loss and future avoidance strategies related to one of the largest data privacy losses in the history of South Africa, involving the leak of over a million UK and South African policy holders’ private information
  • advising South African National Treasury on legislation and policy regarding the interface between technology, telecommunications and the banking sector with regard to fraud detection, breach prevention and new financial inclusion technologies