ReportTitle_CS.jpg

Q&A: Data privacy disputes

June 2021  |  SPECIAL REPORT: INTERNATIONAL DISPUTE RESOLUTION

Financier Worldwide Magazine

June 2021 Issue

FW discusses data privacy disputes with Sophie Dawson, Bryony Hurst, Ariane Mole, Johan Polet and Lennart Schuessler at Bird & Bird.

FW: To what extent have you seen a rise in data privacy disputes in recent years? What is driving this trend?

Polet: The Netherlands has seen a significant rise in data privacy disputes in recent years, notably caused by a growing awareness of the actual scope and working of the General Data Protection Regulation (GDPR), but also to a large extent as a consequence of some high profile data privacy incidents. The Data Protection Authority (DPA) in The Netherlands, although seen as being somewhat understaffed and not as active as authorities in other jurisdictions, has imposed fines which have attracted huge interest. Notably, the fines imposed on Uber and Booking following data breaches and the Royal Dutch Lawn Tennis Federation for selling its members’ data have caught the public’s attention. A recent mass claim against Oracle and Salesforce over their real-time bidding practices is another prime example. Other private enforcement matters include individual cases in data privacy incidents for which the DPA has yet to take action.

Hurst: In the UK, we have seen a particularly noticeable rise in data privacy disputes in recent years. In addition to the general ‘GDPR effect’ – greater rights-awareness and increased activity by data protection authorities – UK-specific drivers for this trend include court decisions which have expanded the types of recoverable damages and opened up the possibility that class actions can be brought on an opt-out basis. Data breaches and misuse impact large numbers of individuals, so litigation funders are also paying intense interest in this space. Increased availability of litigation funding in turn made this area more attractive to claimant law firms, as they can now put together class actions at no upfront cost to claimants and safe in the knowledge that, no matter the outcome, they will get at least some of their costs paid.

Mole: In France there is a long history of data privacy litigation, and the trend has increased since the introduction of the GDPR for various reasons. Data privacy disputes are common in the context of employer-employee relationships, because, according to the French Supreme Court, the processing of personal data cannot be used against an employee if it does not comply with data protection rules. As a consequence, dismissals which result from the monitoring of employees’ activity are often challenged in court on data protection grounds. Such cases have increased post-GDPR for two main reasons. First, because the GDPR has put the existence of data protection rules into the spotlight and so employees are more aware that they can be used in disputes. Secondly, because there are now more rules, it is harder for companies to be compliant and to win cases in court when they are challenged on such grounds. In addition, the GDPR has brought new types of litigation. For example, individuals are exercising rights which existed before the GDPR but were not really used previously, such as the right to access personal data, the right to opt out from receiving marketing materials and the right to delete personal data, and also new rights created by the GDPR, such as the right to the portability of personal data. Another trend is the increasing number of collective actions brought to courts or to the CNIL by associations, such as France’s main consumer association and the Human Rights League. In 2016, the French Data Protection Act gave consumer and privacy associations and trade unions the right to represent individuals in courts in data protection collective actions, and in 2018 the GDPR increased these rights. This trend is playing a large part in the new data protection landscape.

Schuessler: Since the GDPR’s entry into force, companies in Germany have been most concerned about sanctions, in particular administrative fines, imposed by DPAs – but there is also a steady increase in court cases, especially on non-material damages. Recent decisions in which data subjects prevailed have of course increased other plaintiffs’ chances of success and thus encouraged them to sue. This development is further boosted by greater involvement of consumer advocates and litigation funders. More and more data subjects take legal action because they are increasingly aware of data protection issues, but feel obliged to obtain redress through a route alternative to, or in addition to, the often overworked DPAs. Furthermore, the German Federal Constitutional Court recently held that the threshold for rejecting damage claims needs to be interpreted by the Court of Justice of the European Union (CJEU). Therefore, the question has been referred to the CJEU, which will certainly have a material impact on damage claims. While there are data protection class action suits in other EU member states and the US, this is not yet the case in Germany because the country lacks a comparably comprehensive class action system.

Dawson: Australia’s legislators and regulators have recognised the central importance of data in the modern economy. This has resulted in more data privacy disputes and is likely to result in a further increase in such disputes in the coming years. In the last year, the Privacy Commissioner has taken action against Facebook, and the Australian Competition and Consumer Commission (ACCC) has recently successfully sued Google. In Australian Competition and Consumer Commission v. Google LLC, the ACCC successfully argued that aspects of Google’s location data settings were likely to mislead some consumers and were, on that basis, in breach of certain Australian consumer law provisions. The Privacy Commissioner has brought proceedings against Facebook and was recently successful in obtaining a Federal Court ruling that there is a prima facie case that Facebook carries on business in Australia and is subject to the Australian Privacy Act. In addition, Australia’s privacy regulator, the Office of the Australian Information Commissioner, continues to resolve thousands of minor disputes each year. Proposed reforms to the Australian Privacy Act may introduce a direct right of action for individuals for breaches of privacy. Currently, individuals can complain to the Privacy Commissioner, and to enforce a determination by the Privacy Commissioner can seek a hearing de novo in a court. The changes would enable complainants to commence court proceedings directly. If a direct right of privacy is introduced, then it is likely to increase the number of privacy disputes.

Since the GDPR’s entry into force, companies in Germany have been most concerned about sanctions, in particular administrative fines, imposed by DPAs – but there is also a steady increase in court cases.
— Lennart Schuessler

FW: Which countries are experiencing the greatest boom in data privacy litigation?

Hurst: The UK is developing a particularly active data litigation market, particularly in respect of class actions. Claimants are taking advantage of one of two civil procedures which permit groups of individuals to bring a collective action if they have either ‘the same interest’ in a claim, or ‘common or related issues’. Factors helping to drive this trend in the UK include an intense interest in this area from litigation funders willing to finance class actions where the numbers ‘work’, a growth in claimant law firms that are able to take advantage of the funding market to pursue these claims, and the case of Lloyd v. Google. The significance of this case really cannot be overstated – we are awaiting the UK Supreme Court’s decision, but as things currently stand, it permits claimants, in certain circumstances, to claim damages for ‘loss of control’ of personal data, meaning no need for them to prove financial or emotional loss, and to bring an opt-out class action – by claiming a uniform sum for these ‘loss of control’ damages – hence satisfying the ‘same interest test required to prove that a class exists.

Schuessler: Collective actions in countries like The Netherlands or the UK are indicators for similar cases elsewhere in the future. In Germany, the expected litigation boom has not yet fully materialised, but the number of proceedings continues to rise. The German legal system has processes that facilitate the assertion of certain claims – assigning the claims of several persons to one plaintiff or having certain violations pursued by consumer associations or competitors. However, it is unclear and disputed whether these apply to data protection infringements. German courts have also been quite restrictive in awarding damages so far, but we see more and more decisions where damages are being granted, particularly in an employee-employer context. We are yet to see any really successful data protection-related model determination proceedings – so-called ‘Musterfeststellungsverfahren’ – through which a court can determine in a model case the existence of prerequisites for comparable consumer claims against a company. Many proceedings are pending.

Polet: The Netherlands has seen the beginnings of private enforcement cases, such as the mass claim brought in 2020 against Oracle and Salesforce. For a long time, the Netherlands has been regarded as one of the go-to jurisdictions for mass claims in investor claims, notably because of the Dutch Collective Settlements Act, also known internationally as WCAM. This image is further strengthened by the recently introduced act on Redress of Mass Damages in a Collective Action – also known internationally as WAMCA – and the introduction of the Netherlands Commercial Court (NCC), which provides for a modern and effective manner of dispute resolution in complex international litigation in the English language. Furthermore, the Netherlands hosts a large number of headquarters of international companies, many of which are very active in the area of personal data. Finally, the Netherlands courts have a fairly liberal view on the involvement of third party litigation funders in these types of cases.

FW: What types of data privacy disputes appear to be most common? Do recent cases highlight any recurring themes of note?

Dawson: In Australia, most privacy disputes are small disputes concerning alleged breaches of the Australian Privacy Principles. There are also now some much bigger disputes involving regulators.

Mole: Privacy disputes in the context of employer-employee relationships are common in France. Some employees who have been dismissed and then enter into a dispute with their employer are now making use of their right to access their personal data held by the company. This represents a huge amount of data, creating hard work for companies. But it also means that the GDPR right of access is used for ‘fishing expeditions’ or pre-trial discovery, even when not necessarily linked to a data protection purpose – which may represent abuse of GDPR rights, so companies must be careful when they receive such requests. Another new trend is the use of the GDPR by consumer associations to challenge in court the lawfulness and fairness of website terms of use and privacy policies. The main grounds for litigation concern the validity of consent given by consumers and the transparency, clarity and completeness of the information provided to consumers. We are also seeing data protection disputes arise in new contexts. The coronavirus (COVID-19) pandemic, for example, gave rise to litigation concerning body temperature checks performed via thermal cameras in schools or on other premises, checks which were judged disproportionate by the Conseil d’Etat, France’s highest court. The ability of employers to collect data on their employees’ state of health, vaccinations or possible COVID-19 symptoms, is also a subject of intense debate.

Schuessler: There are a variety of data privacy disputes in Germany. On the one hand, we see many cease-and-desist claims and proceedings, particularly in relation to marketing and cookies. On the other hand, proceedings on valid consent – through consumer protection agencies – and employment-related proceedings are rather common. In the latter case, courts often deal with data subjects rights, particularly Article 15 GDPR (Data Subject Access Requests). Such requests are made by almost all lawyers involved in termination proceedings and are usually not aimed at getting the information, but at getting a better deal. We have also seen multiple decisions in cases where the plaintiff sued for damages because their personal data was unlawfully disclosed to third parties, including in data breach cases.

Polet: Originally, the most common data privacy disputes focused on exposure of personal data due to data breaches. Many of those matters were resolved in individual cases in which the recurring theme was the availability of damages for non-material harm or personal distress. Dutch courts have been known to award amounts of several hundred euros to claimants in such cases. Because the actual damages for each individual person in most cases are relatively low, and often not worth litigating over, it is expected that there will be an increase in mass claims and mass settlement actions, brought by representative organisations on behalf of a group, or groups, of individuals affected.

Hurst: In the UK, there are two main themes emerging around data privacy class actions. The first is groups of data subjects pursuing damages following on from a high-profile data breach. Defendants in these actions could, in theory, be any type of organisation, but claimant lawyers and particularly funders are typically focusing on those with deep pockets who have already been the subject of ICO enforcement action as a result of the breach. The second trend is class actions based on allegations of sustained unlawful data practices, often relating to use of AdTech or transparency in user terms.

Because the actual damages for each individual person in most cases are relatively low, and often not worth litigating over, it is expected that there will be an increase in mass claims and mass settlement actions.
— Johan Polet

FW: Once a data privacy dispute or claim has emerged, how should companies go about assessing their response? How important are early case evaluation and potential settlement discussions, for example?

Polet: As with any significant dispute, early case evaluation is important. This is even more the case in data privacy disputes, as they tend to affect a great number of people and thus – although the damages for each individual person may be relatively low – usually give rise to potentially huge amounts of damages and a lot of media attention. There is expected to be a rise in mass claims and mass settlement actions related to data privacy incidents as the Netherlands provides for well-known and highly effective mechanisms such as the WCAM and the WAMCA. These mechanisms are used by representative organisations – foundations and associations, well-established or formed on an ad-hoc basis – which gives companies the option to enter into settlement discussions with these bodies, where appropriate.

Schuessler: It is very important that companies take these kinds of proceedings, and in particular cease-and-desist letters, seriously and react quickly. In many cases, companies forward claims to the legal department or outside counsel too late or do not respond at all if the claim is sent to the general company email address. The strategy needs to be assessed on a case-by-case basis but again, time is often of the essence. Whether settlements are advisable depends on the nature of the proceeding. In an employee termination proceeding, settlements are very common. For damages claims, the risk of copycat cases needs to be considered.

Hurst: The correct response depends on the nature of the claim. If it arises in a post-data breach context, typically companies first start receiving individual claims in a piecemeal manner. It can take time to realise the potential for this to snowball. Although these may appear to be low-value individual claims, companies need to step back and consider the risk of a group action developing and adopt an appropriate strategy which takes account of this. For example, settlement might be the answer, but only if you can ensure this won’t trigger further claims. This can be hard to guarantee given the practical difficulties of enforcing confidentiality obligations in settlement agreements. Conversely, if a company is presented with a class action from the get-go, it will need to attempt early to assess the worst-case exposure and take a view on whether it is worth the fight. This assumes the company will get the choice on whether to fight – settlement may not be an option if what is driving the class action is, for example, a privacy activist’s or NGO’s own agenda rather than financial goals.

Dawson: Companies need to think strategically and consider not only the current complaint, but also whether they need to refine their practices or policies to minimise the risk of similar complaints in the future. In relation to major matters, companies should consider whether any insurance responds. They should also think about strategic responses to the dispute to achieve the best long-term outcomes.

Some employees who have been dismissed and then enter into a dispute with their employer are now making use of their right to access their personal data held by the company.
— Ariane Mole

FW: Depending on the circumstances, what methods can companies use to calculate the extent of damages connected to a data privacy claim?

Schuessler: German courts have generally been reluctant to award non-material damages as they apply a significance threshold which stems from their general restrictive approach toward non-material damages. Nowadays, more courts are deviating from this position and have awarded damages from €300 to €5000. In a class action type of claim, this can, in the case of a data breach, add up to a substantial total. Courts determine the amount of damages on a case-by-case basis, taking all circumstances into account. When doing so, they often rely on the criteria set out in Article 83 (2) of the GDPR. Among these criteria, an intentional infringement by the controller is considered particularly detrimental. Furthermore, courts take into consideration whether the controller made commercial gains from the infringement, the importance of the infringed right, the respective controller’s financial strength and any contributory negligence of the data subject. In a few cases, claims for compensation for legal costs were awarded but in our experience material damages are often difficult to prove.

Hurst: The most important step to take is to ask a lawyer who has been following the caselaw closely. Assuming we are talking about a group of data subjects bringing a claim, the level of damages awarded will depend upon the type of loss suffered. Financial loss is generally compensated pound-for-pound. Damages for distress are harder to quantify; claimants typically need to adduce persuasive medical evidence to obtain a significant award. If a claim is made for damages for loss of control only, assuming a claimant can persuade a court to hear the claim, which is not a given, one would expect the level to be only a few hundred pounds at most.

Dawson: Where there is actual loss, then the amount of that loss should be considered. Where the loss claimed is only hurt to feelings, it is worth checking determinations in relation to similar circumstances, and relevant Commissioner and court guidance.

Polet: In recent years, a distinction has become apparent between damages for non-material harm or personal distress caused by a data incident and financial harm on the other. Damages for non-material harm are not easily calculated, given that they will for a large part depend on the circumstances surrounding the person affected. According to Dutch case law, courts will usually award amounts of several hundred euros, often depending on the sensitivity of the data that has been compromised. There has not yet been a huge number of cases that have resulted in damages for financial harm being awarded but there is a growing awareness that damages connected to a data privacy claim, to a large extent, will be dependent on the actual value of the personal data in question. Various methods of assessing that value have been suggested, such as the average market price, the gains per user of the data, user damages or what value an affected person would give to his or her personal data.

FW: What additional challenges do cross-border, multinational data privacy disputes tend to bring? What general steps can companies take to manage these obstacles?

Polet: One of the obvious challenges of cross-border, multinational data privacy disputes is the risk that the company will be embroiled in long, complex and expensive litigation in a number of jurisdictions. In general, this makes it difficult for a company to reach settlements with individual and groups of claimants. A settlement in one jurisdiction may set an example and may even spark new litigation against the company in other jurisdictions. Companies facing such data privacy disputes are generally advised to explore more global approaches. The Dutch WCAM may prove useful in that regard and has proven its use in a number of investor-claims cases, including the mass claims on the Shell oil reserves, Converium and Fortis. In these and other cases, global settlements were reached and endorsed by the Amsterdam court of appeals, with hardly any residual litigation in other jurisdictions.

Dawson: Coordination is key when it comes to cross-border disputes. It is important to have contact details for relevant people, such as businesspeople, lawyers and forensics experts, in each relevant jurisdiction.

Hurst: We have not seen many of these yet. But the EU’s new Collective Redress Directive has mechanisms built in to facilitate cross-border class actions, and certain jurisdictions already permit foreign claimants to participate in collective claims, so it seems likely companies will receive more of these sorts of claims going forwards. Claimants are certainly beginning to coordinate actions in different countries, which increases pressure on the defendant company, both financially but also reputationally, as such claims tend to attract greater publicity. Clearly, if a company is being sued in multiple countries, the key is coordination and consistency. You do not want to be running contradictory arguments in different courts or adopting strategies which cut across one another.

Schuessler: Challenges in cross-border, multinational data privacy disputes are diverse, and each case is unique. From a litigation point of view, the main challenge is that litigation concepts and procedures and data protection rules differ considerably from jurisdiction to jurisdiction. From a US discovery proceeding point of view, for example, European data protection rules are burdensome since they restrict access to information. From an EU data protection point of view, discovery proceedings may threaten individual privacy rights. Finding a common approach is often challenging, particularly since Schrems II. However, if parties are aware of these challenges and address them at an early stage, there are usually good workarounds to satisfy both legal systems. For discovery carried out in the EU, data should be provided in a step-by-step manner, anonymised, pseudonymised and privacy friendly.

If a company is presented with a class action from the get-go, it will need to attempt early to assess the worst-case exposure and take a view on whether it is worth the fight.
— Bryony Hurst

FW: In your opinion, at what point in a data privacy dispute should companies seek expert external advice? What benefits can this bring?

Dawson: It is worth obtaining advice from the beginning. Taking the right steps early can often prevent a dispute from escalating. This is particularly important in relation to data breaches, as legislation in many jurisdictions requires prompt notification of breaches. It is important for the legal team to have as much time as possible to assess and respond to a breach.

Hurst: If there has been no public regulatory finding on liability, the question of liability data privacy claims is often far from straightforward. For example, in post-data breach claims where there have been failings by multiple parties in the supply chain, or if evaluation of GDPR compliance is difficult due to the complex technology involved, then there is plenty of scope for argument. We would always advise getting expert data privacy lawyers involved as soon as you see potential for claims to be brought – which may well be in the immediate aftermath of a data breach incident. Never respond substantively to a threatened or actual claim without seeking advice first.

Schuessler: Expert advice should preferably be sought right from the start in nearly all cases. This is the only way to come up with a well-thought-out strategy for dealing with a dispute from the beginning. That is crucial for a successful outcome in a data privacy dispute, or to reduce the risk of litigation. Often, a company’s response to an initial complaint contains mistakes which could have been avoided. Experts can assess the legal situation and offer initial assistance to potentially defuse the situation.

Polet: Companies facing a data privacy incident should seek expert external advice as early as possible, because any such incident has the capacity to grow into a dispute. Even if damage to those affected is relatively small, which is not uncommon in these types of cases, and the threat of large numbers of individual court cases against the company is limited, this will, in most cases, not stop representative organisations from bringing mass claims. Early external advice on the in- and out-of-court options and the damages that could be awarded will always help in effectively resolving the issue. Furthermore, companies affected by data privacy incidents are well advised to review their insurance policies, seek advice on when, how and to whom to report the occurrence of a data privacy incident and to manage parallel proceedings.

FW: How can companies proactively mitigate potential data privacy disputes and reduce litigation risks?

Hurst: Companies should focus on compliance to prevent claims arising in the first place. Related to this is how companies manage a data privacy incident, particularly public messaging, interactions with regulators and how they respond to customer complaints and concerns. For example, claimants will trawl through published data protection authority decisions for helpful evidence, so, when disclosing material to regulators, companies should keep one eye out for documents which might help dissuade potential claimants from bringing actions. Claimants often use data subject access requests (DSARs) at the pre-action stage to fish for information useful to any action they are considering. Any failure to comply with a DSAR is also sometimes used to beef up a list of other breaches levied against a defendant. For both these reasons, companies should approach DSARs carefully and ensure they are handled properly. If the ship has sailed on preventing a dispute, litigation-specific tactics will then come into play. European defendants to US-style class actions are starting to learn lessons from their counterparts across the pond about how to fight these claims. Useful mechanisms include challenges on the constitution of the ‘class’ and applications equivalent to a US motion to dismiss. Another line of defence likely to cause problems to groups is questioning the suitability and organisation of representative bodies bringing claims on behalf of consumers.

Schuessler: Companies should prioritise and focus on implementing data protection requirements. Having a good data management system and adapting processing operations is crucial. Companies should also follow current developments in case law, decisions by authorities and new legislation. Data protection is a dynamic area of law with frequent new requirements and stipulations. Ideally, a company should proactively identify potential weak points by searching and checking for them through defined processes. Litigation risks can be reduced by having good, comprehensive documentation. This is particularly true in Germany, where some courts reverse the burden of proof for damages in favour of the plaintiff, meaning the controller must prove it did not infringe upon a right under the GDPR.

Polet: Companies are well-advised to review their relevant contracts to determine whether they contain clauses such as indemnifications for damages caused by data privacy incidents, liability caps and an obligation to take out insurance against the risks of such incidents, including provisions on which party should do so and bear the costs of such insurance. Also, under Dutch law, directors and officers (D&O) could be at risk of being held personally liable for a failure to take reasonable steps to prevent data privacy incidents from occurring within their company. Obviously, awareness of the risks of data privacy incidents and well-tailored D&O liability insurance will to a certain extent mitigate this risk.

Dawson: It is important to have a strong privacy compliance programme in place. It is also important to foster a culture in which problems are raised proactively with the internal legal department at an early stage. That way, they can often be minimised or solved quickly. Harm from data breaches and other potential breaches can also be minimised.

Data privacy disputes are likely to increase due to the growing role that information plays in our lives and economy, and the accompanying uptick in regulation.
— Sophie Dawson

FW: What do you believe is the outlook for data privacy disputes over the coming months and years? Are there any particular trends you expect to see?

Schuessler: In Germany, there is still a lot of uncertainty regarding the scope and enforcement of GDPR rights. We expect some of these questions will be clarified in the future, as the German Federal Constitutional Court ruled at the beginning of the year that the question of how non-material damages are to be interpreted must be referred to the Court of Justice of the European Union (ECJ). Depending on the outcome of the decision, this could boost the number of lawsuits. We expect a stronger focus on international data transfer after the ECJ’s Schrems II decision, and have already seen the first related cases. With the implementation of the EU Collective Redress Directive, the collective enforcement of data protection rights should be possible in Germany, and other EU member states, by 2023 at the latest.

Mole: We see some notable trends in the short and medium term. There will be an increasing number of disputes challenging decisions from the CNIL, especially sanctions. Thanks to the GDPR, CNIL can impose sanctions up to 2 or 4 percent of a company’s worldwide turnover, so companies have greater incentives to appeal CNIL decisions to avoid a sanction or limit its amount. Several decisions have already been held invalid by the Conseil d’Etat – which can also reduce the amount of any sanction. Following the Schrems II decision by the CJEU in July 2020, which ruled that the US failed to ensure an adequate level of protection of transferred EU data, as well as declaring the US Privacy Shield null and void, we are seeing new complaints to the CNIL and in courts concerning the lawfulness of data transfers to the US. For instance, My Privacy is None of Your Business (NOYB), the association created by Max Schrems, filed 101 complaints to various European data protection authorities. So far, such complaints have been filed by associations for the protection of human rights or by data protection activists. But, going forward, we could see such disputes being initiated by consumer associations, trade unions or individuals too.

Dawson: Data privacy disputes are likely to increase due to the growing role that information plays in our lives and economy, and the accompanying uptick in regulation. We expect that the regulatory pendulum will continue to swing toward greater choice for consumers and stronger rights, in relation to use of data. Regulators will also continue to be empowered to take swift and decisive action where breaches occur.

Polet: We expect data privacy disputes will predominantly be in the form of mass claims litigation going forward. It is also expected that there will be increasing clarity over how to assess the value of personal data and thus damages caused by data privacy incidents. In the long run, it is expected that the courts’ views in different jurisdictions on these matters will gradually converge because of the fact that most data privacy incidents will not be limited to just one single jurisdiction. As a consequence of this, it can be expected that there will be a growing interest in global settlement mechanisms such as the Dutch WCAM to resolve these issues out-of-court.

Hurst: In the UK, much is expected to turn on the Supreme Court’s decision in Lloyd. If Mr Lloyd prevails in all respects, then an increase in opt-out consumer class actions for data protection claims in the UK courts will probably follow. It seems likely that large tech platforms will continue to be targeted by claimants, with a particular focus on AdTech practices, use of children’s data and transparency and consent issues. In claims brought by data subjects arising out of data breaches, I would expect the key battlegrounds to be, in relation to liability, the question of deployment of appropriate technical and organisational measures to prevent or mitigate the breach and, in relation to quantum, where the line should be drawn in terms of permitting actions where damages claimed are minimal. Given the raised risk of class actions following on from regulatory enforcement, we are also anticipating companies challenging the decisions of regulators more than they have previously.

 

Sophie Dawson is a partner in Bird & Bird’s Sydney office and head of the firm’s dispute practice in Australia, where she specialises in media and technology advice and disputes, including data protection and publication laws. She has more than 23 years’ experience as a technology, media and telecom disputes lawyer. Ms Dawson’s particular areas of interest and expertise include defamation, media and IT intellectual property issues, privacy, surveillance and cyber security. She can be contacted on +61 2 9226 9888 or by email: sophie.dawson@twobirds.com.

Bryony Hurst is a partner in Bird & Bird’s dispute resolution group in London. She helps clients to handle complex litigation and other challenges relating to data, content and technology. Ms Hurst advises global technology and media companies, and fast-growth digital businesses, on the issues they face as they adapt or expand to keep ahead of the competition. She can be contacted on +44 (0)20 7415 6000 or by email: bryony.hurst@twobirds.com.

Ariane Mole is a partner and co-head of Bird & Bird’s international data protection group, providing innovative and practical solutions to clients around the world. In her role as co-head, she has extensive GDPR expertise and assists clients to find practical solutions. Her team also assists with compliance actions and practical implementation, such as responses to complaints and exercises of rights, security breach management and notifications, contracts, as well as GDPR-required procedures and documentation. She can be contacted on +33 (0)1 42 68 6000 or by email: ariane.mole@twobirds.com.

Johan Polet is a partner based in Bird & Bird’s Netherlands office. A seasoned expert in commercial litigation and arbitration, Mr Polet represents companies in complex, often highly technical, disputes. His specialisms include insurance litigation, mass claims and settlements, shareholder disputes, post-M&A disputes and D&O liability. He also works across the financial services and technology & communications sectors and has a lot of experience in internal investigations and the use of e-discovery platforms. He can be contacted on +31 7 0353 8898 or by email: johan.polet@twobirds.com.

Lennart Schuessler is an experienced lawyer in Bird & Bird’s privacy and data protection practice and technology & communications sector group in Frankfurt and Düsseldorf. He advises clients on all kinds of data protection, IT, online and copyright matters. Over the years, Mr Schuessler has worked with clients from the public and private sectors in life sciences and healthcare, financial services, retail, automotive and telecommunications, covering the full range of data protection matters. He can be contacted on +49 (0)69 74222 6000 or by email: lennart.schuessler@twobirds.com.

© Financier Worldwide

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.