Photo of Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his "level of expertise is second to none, but it's also equally paired with a keen understanding of our business and direction." It was noted that "he is very good at calibrating and helping to gauge risk."

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing

On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a

On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers.  These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.

These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework.  The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.

Continue Reading European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers

On June 23, 2022 the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics.  The Garante invites all Italian website operators, both public and private, to verify that the use of cookies and other tracking tools

On June 21, 2022, the Court of Justice of the EU (“CJEU”) decided that that the Passenger Name Record (“PNR”) Directive’s provisions providing for  the processing of PNR data by competent Member State authorities are compatible with the EU Charter of Fundamental Rights (“Charter”).  However, the CJEU also decided that the PNR Directive limits the way in which Member State laws transpose some of its provisions, particularly in relation to the collection of passenger information for intra-EU flights.  Its decision will require Belgium to amend its law transposing the PNR Directive, mainly in relation to the PNR data competent authorities may receive and how they can process this data.  It is likely to indirectly impact air carriers and tour operators operating in Belgium, as it will reduce the amount of data they need to share with competent authorities under such a revised legal framework.

The CJEU decision also considers, as well, Member State laws transposing (1) the Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data (API Directive) and (2) Directive 2010/65/EU on reporting formalities for ships arriving in and/or departing from ports of the Member States.

The case was lodged on October 31, 2019, by the non-profit organization Ligue des Droits Humainsbefore the Belgian courts in relation to the Belgian law transposing the PNR and API Directives.  The Belgian Constitutional Court referred certain questions to the CJEU.

Continue Reading Court of Justice of the EU Decides that the Passenger Name Record Directive is Compatible with EU Law

On June 14, 2022, representatives of the EU’s Consumer Protection Cooperation (CPC) Network, together with several national data protection authorities in the EU and the secretariat of the European Data Protection Board (“EDPB”), endorsed five key principles for fair advertising to children (see press release here).  These recommendations are based on relevant requirements

On April 28, 2022, the Court of Justice of the EU (“CJEU”) decided that consumer protection associations may bring collective claims without a mandate from the affected consumers, including for violations of the GDPR, relying on national consumer law provisions.  The words “without a mandate” refers to the fact that the organization is not representing a particular consumer or group of consumers, rather, it is representing the collective interests of those whose personal data have been processed in a manner contrary to the GDPR, without naming particular data subjects.

Continue Reading Court of Justice of the EU Greenlights GDPR Collective Claims Without a Mandate

On May 4, 2022, the General Court of the EU handed down a decision that helps clarify the standard of proof required to demonstrate that information that does not identify someone by name constitutes “personal data” under EU data protection law.  The court also clarifies that the burden of proof falls on the entity alleging that the information is personal data.

The case concerns an online press release published by the European Anti-Fraud Office’s (“OLAF”) announcing that it had determined that a Greek scientist had committed fraud using EU funds intended to finance a research project.  Among other things, the scientist alleged that the press release contained “personal data” about her and, therefore, OLAF breached data protection law because it did not have a legal basis to disseminate her “personal data”.  She also alleged that OLAF’s press release had enabled two journalists to identify her and write each an article mentioning her by name.

The court disagreed with the position taken by the scientist, holding that the she was not able to demonstrate that the published information enabled her identification and, therefore, it had not demonstrated that the information was “personal data”.  It also decided that OLAF was not responsible for the news articles that identified the scientist by name.

Continue Reading General Court of the EU Finds that Individual was Unable to Prove that Information Published Online Constitutes “Personal Data”

On April 23, 2022, the European Parliament and Council of the EU announced that they reached a provisional political agreement on the Digital Services Act (“DSA”) during their final trilogue meeting.  The news comes roughly one month after the provisional political agreement on the Digital Markets Act (“DMA”).

Both acts are part of the European