is a Managing Associate in our Cyber, Privacy and Data Innovation practice,
based in London.
with clients particularly in the technology and data-rich sectors, Colin
advises on data privacy and cybersecurity matters including cross-border transfers;
data breach, cyber-incident response and regulatory investigations; privacy
impact assessments and audits; global compliance strategies; and data
particular, Colin regularly advises clients with their commercial activities which
involve utilizing and exploiting data, and personal data, on a large scale.
This includes drafting and negotiating agreements, including data processing
and data sharing agreements and identifying and advising on legal and
helps clients address their privacy and consumer protection obligations as they
relate to direct marketing activities, profiling, online behavioural
also has experience in M&A and capital markets transactions, assisting deal
teams by advising on privacy, data protection and other deal-related
to joining Orrick, Colin worked for a U.S. regulatory consulting firm,
supporting clients with regulatory issues relating to data privacy, cybersecurity
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms.
January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.
The main aims of the draft Regulation are to update the ePrivacy Directive to reflect new technologies and to better align it with the GDPR. The draft Regulation is intended to take effect on the same day as the GDPR (25th May, 2018), and the penalties it envisages for non-compliance are the same as those under the GDPR (i.e. potentially fines of €20m or 4% of annual global turnover, whichever is higher).