Photo of Gail Crawford

Gail Crawford, Global Chair of Latham’s Data & Technology Transactions Practice, helps clients navigate complex data privacy and security matters, as well as to license, develop, and exploit disruptive technology. Ms. Crawford advises many of the world’s leading global technology companies on multifaceted and precedent-defining data privacy and security matters. Her work in the data privacy and security space encompasses advising on compliance programs, product counseling, responding to data breaches and regulatory inquiries, advising on optimal organizational structures, and supporting large, strategic alliances and M&A transactions. Highlighted in the market for combining an impressive technology practice with an in-depth understanding of data protection laws, Ms. Crawford is highly sought after by tech giants for her knowledge of compliance in technology sectors.

The English High Court has declared that UK legislation which expanded government powers to require communication providers to retain communication traffic data is incompatible with human rights, and is unlawful.

The legislation is seen by the government as a key power to ensure that such data is accessible by law enforcement and security services to investigate serious crime and issues of national security.

The Data Retention and Investigatory Powers Act 2014 (DRIPA) reinstated the requirements that existed in the UK under the Data Retention (EC Directive) Regulations 2009 which had to be replaced after the European Court of Justice in Digital Rights Ireland declared the data retention provisions of the Data Retention Directive (2006/24/EC) (which the 2009 Regulations implemented) invalid in April 2014.

This week the Court of Justice of the European Union (‘CJEU’) heard a case that could destabilise data flows between the US and EU under the EU-US Safe Harbor Decision. In Schrems v Data Protection Commissioner(C-362/14), the same court that last year approved the “right to be forgotten” online heard evidence about the adequacy of US data protection regulations for EU citizens’ data and considered whether recent revelations about the NSA and PRISM programmes should affect determinations

On July 17th, the Data Retention and Investigatory Powers Act (DRIPA) came into effect in the United Kingdom reinstating the Government’s powers to require communication providers to retain traffic data (also known as metadata) and enabling the Government to serve warrants to intercept communications data on companies outside of the United Kingdom to the extent they were providing services to UK users.  DRIPA became law following emergency “fast-tracked” procedures on the basis that its enactment was essential to ensure continued

Recently Jan Philipp Albrecht, rapporteur for the Civil Liberties, Justice and Home Affairs (LIBE) Committee, the lead committee considering the proposed draft General Data Protection Regulation, published the committee’s suggested amendments to the original draft regulation.  The reports runs to over 200 pages and contains over 350 separate amendments.

Since the original draft regulation was published in January of last year, businesses, industry bodies and regulators have been lobbying the European Commission, Council and Parliament to try and change some

By Gail Crawford and Amy Taylor

It seems somewhat fitting to blog about the USA Patriot Act on this Fourth of July. On the second day of the annual Privacy Laws & Business conference in Cambridge, Peter McLaughlin, senior counsel at Foley & Lardner, took to the floor with the aim of “distinguishing fact and fiction about the scope of the law and its impact on companies outside the United States” for a predominantly European audience.

In the last slot of the

By Gail Crawford and Amy Taylor

Privacy professionals from more than 20 countries are gathered in Cambridge, England, to discuss privacy challenges in today’s world at the 25th annual Privacy Laws & Business conference.

Professor Michael Birnhack, Professor of Law at Tel Aviv University and Visiting Associate Fellow at the Institute of Advanced Legal Studies, University of London, kicked off the conference on Monday–day one of the three-day event–aptly setting the scene with a session on the

European Union Justice Commissioner Viviane Reding has confirmed that we can expect to see a draft of the eagerly awaited new Data Privacy Directive in January.

The new rules are likely to significantly strengthen the rights of individuals. According to a press release issued jointly last week by Reding and Germany’s Federal Minister for Consumer Protection, Isle Aigner, “consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in

Thumbnail image for Thumbnail image for Thumbnail image for Thumbnail image for iStock_Lock.jpgBy Gail Crawford and Amy Taylor

At the end of 2010, the UK Government raised the national threat level for cyber security risk to Tier One (the same tier as the terrorism threat) and announced it was allocating £650 million (around US $1 billion) to governmental cyber security measures and resilience developments.

A recent report by Chatham House in association with Detica indicates that many private organizations are well behind the government in how they evaluate and defend against these

iStock_000005643842XSmall.jpgA court in the United Kingdom has cast doubt on whether IP addresses can be used to identify infringement of copyright by a specific individual. In this post, we ask whether this case impacts the generally accepted view in Europe that IP addresses should be treated as personal data under applicable data privacy laws. 

The case of Media CAT Limited v Adams & Ors [2011] EWPCC 6 involved allegations that a number of defendants had infringed copyright in pornographic films

iStock_globe.jpgOn 31 January 2011, Israel became the most recent addition to the European Commission’s list of non-EEA countries offering ‘adequate protection of personal data’, joining Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Jersey and Switzerland (and the US’s Safe Harbor regime). The finding of adequacy issued by the Commission is limited to automated data transfers to Israel, and non-automated transfers of data which are then subject to automated processing once in Israel (but may well be expanded to