Privacy and data security

In a nutshell

The issue of privacy and data security is one of the most pressing and controversial in our digital age – so naturally it’s a growth area for lawyers. The law in this area is still relatively new, but nonetheless it struggles to keep up with rapid technological advances. Lawyers advise clients on the collection, use and transfer of personal information. Multinational companies, developers of products and public bodies are all under pressure to comply with ever-changing regulation that protects the consumer.

“Cybersecurity is going to be a hot button issue.” - Mary Ellen Callahan.


Attorneys might focus on compliance and take a proactive approach, ensuring clients adhere to their obligations to protect personal information either from outside attack or from misuse by employees. Alternatively, lawyers might assume a more reactive role and deal with data breaches, as well as contentious matters and investigations conducted by data protection authorities. This part of the practice is also known as the enforcement side. 

The rise of social media companies, smart technology and data transmission means that lawyers in this field are increasingly relevant. A growing awareness of what is being shared between organizations has prompted the need to protect not only personal data but intellectual property too. “Cybersecurity is going to be a hot button issue,” according to ex-head and founder of Jenner & Block's privacy team Mary Ellen Callahan. “There is more interest than ever in keeping information protected.” 

What lawyers do

  • Advise companies on data transfer and storage. 

  • Advise companies on risk factors that make them vulnerable to cyber attacks. 

  • Negotiate settlements for clients accused of neglecting their legal obligations. 

  • Litigate on behalf of clients whose data has been breached. 

  • Are sometimes employed on a 'just in case' basis to take action in tricky situations. 

  • Work with engineers and developers to ensure that software adheres to regulatory obligations. 

Realities of the job

  • Given that this area affects all types of businesses, you’ll “work with a whole range of clients,” Callahan tells us. Her practice covers everything from “the entertainment industry to government contracts. I like the variety and the fact that I deal with six to 12 clients a day.”

  • On the reactive side of the practice, the pressure can be high. “The matters that arise are a really big deal for the client; it's like heart surgery,” says Doug Meal of Orrick. “Dealing with a major security breach feels truly life threatening for the client so it's really rewarding when, first of all, you get engaged by a client who needs help in this scary and stressful situation.” However, this can also “put significant stress on you; the clients are really counting on you and you feel tremendous responsibility for them.” 

  • This burgeoning area of law provides plenty of hands-on experience for young lawyers. Callahan tells us: “I have a woman working on international data transfers and another on mobile data protections. They will work somewhere between one and four hours and then meet to talk about the issues. They might participate once a week in client calls to follow up on aspects and do a status check. When we are in reactive mode we need a more rapid pace, perhaps with hourly calls. On a breach, for example, we need to be all hands on deck.” 

  • With new territory comes the need for creativity. “This body of law barely existed 10 years ago,” says Meal. “On every matter you're dealing with legal issues that have never been dealt with before. There are not enough prior decisions out there to provide all the answers for issues that might arise. As a lawyer you have an opportunity as you're not bound by a whole body of established law; you have the ability to argue and have a role in making the law.”

  • Although a technical background “can be useful and give you some credibility,” it is not necessarily required according to Callahan. Meal agrees: “Prior experience in computer technology is valuable but certainly not essential.” 

  • Variety is key in the beginning, says Meal: “I would want the opportunity to do both compliance and enforcement for some period of time. I would be looking hard for a law firm that would give you a chance to do this in the area – it's quite important.” 


“The matters that arise are a really big deal for the client; it's like heart surgery.” Doug Meal, Orrick.


Current Issues

June 2023

  • In September 2022, the EU signed the Digital Services Act (DSA) into law. The Act is an attempt to rein in the wild west of the internet and better protect the swathes of users’ data amassed by these companies. The DSA limits the ability of companies to use sensitive personal data for things such as targeted advertising.

  • Biden signed an Executive Order in October 2022 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. This implements an agreement entered ‘in principle’ in March between the US and the EU over a Data Privacy Framework. The White House explained this will “re-establish an important legal mechanism for transfers of EU personal data to the US.” Effectively, it will curtail the way US national security collects data, and organizations sending personal data between the EU and US will now have a method to appeal if there is a privacy violation. It also establishes a brand-new Data Protection Review Court.

  • The White House laid out its National Cyber Security Strategy in March 2023. They hope to redefine ransomware attacks as a “threat to national security” and aim to use “all elements of national power” to combat such attacks. Should this proposal make its way into law, tech companies could quickly see themselves liable for website deficiencies that allow a cyber attack through. This comes off the back of the US Marshals Service suffering a ransomware attack in February 2023, where sensitive law enforcement information was compromised.

  • As artificial intelligence (AI) gathers pace in the form of ChatGPT and Google Bard, so does its threat to cybersecurity. However, AI laws are beginning to surface, starting with the EU and their proposed Artificial Intelligence Act. This Act is shaping up to be the world’s first AI legislation and is edging closer to adoption. The US has remained pretty tight-lipped thus far, though it has started to put some plans in motion. In April 2023, the US Commerce Department announced it was seeking comments from the public on how to make AI more accountable.

  • With many companies navigating the world of remote working, the use of online cloud data storage has hit an all-time high. As a result, protecting data both inside cloud infrastructures as well as outside cloud parameters has become even more vital. Recent stats from Statista show that in 2022 alone 422 million records were exposed by data compromises in the US.

  • Whilst the US is without its own nationwide GDPR-style legislation, states have taken matters into their own hands. For example, California has just amended its 2018 California Consumer Privacy Act (CCPA) with the 2023 California Consumer Privacy Rights Act (CPRA). The original Act gives Californians more control over their personal data and makes sure there is transparency when companies handle their data, and the subsequent Act expands and strengthens these provisions. Other states with their own extensive data privacy laws are Virginia with its Consumer Data Protection Act (VCDPA) and Colorado with the Colorado Privacy Act (CPA), which both came into force in 2021. Utah and Connecticut are also following suit with their own sets of data laws set to be enacted mid-2023.

  • A recent congressional hearing with TikTok CEO Shou Zi Chew saw US lawmakers raise concerns over data security. Some accused China of spying on Americans as Chinese company ByteDance owns the social media network and thus has access to the personal data of many US citizens. Chew highlighted to Congress that the company has spent $1.5 billion on so-called “Project Texas” to store US user data safely. Despite this, the House plans to proceed with legislation against TikTok. In fact, the State of Montana has recently banned the app altogether, with TikTok filing a federal lawsuit in response.