Photo of Dan Cooper

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his "level of expertise is second to none, but it's also equally paired with a keen understanding of our business and direction." It was noted that "he is very good at calibrating and helping to gauge risk."

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP's European Advisory Board, Privacy International and the European security agency, ENISA.

Contact:Read more about Dan CooperEmail

On April 20, 2026, the Spanish Data Protection Agency (AEPD) has published new guidance on how to comply with the GDPR when using AI‑powered voice transcription tools. The guidance builds on earlier AEPD guidance on this topic from January 2026. This blog post sets out the key takeaways of both guidance documents, which are only available in Spanish.

The AEPD’s guidance confirms a risk‑based approach to AI‑powered voice transcription. Organizations using these tools should not treat transcription as a purely technical feature, but as a processing activity that requires continuous governance, clear transparency, and proactive safeguards. Given the widespread and growing use of transcription tools across business functions, this guidance is likely to be relevant well beyond Spain.

Continue Reading Spain’s Supervisory Authority Issues New Guidance on AI‑Based Voice Transcription

On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.

Continue Reading New EDPB Guidelines on the Use of Personal Data in Scientific Research

On 18 March 2026, the European Parliament’s Committee on the Internal Market and Consumer Protection (“IMCO”) and the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) adopted their joint negotiating position on the European Commission’s proposed Digital Omnibus on AI (which we previously analysed here). The position will

Continue Reading MEPs Adopt Joint Position on Proposed Digital Omnibus on AI

On March 2, 2026, the UK Department for Science, Innovation and Technology (“DSIT”) launched its consultation, titled “Growing up in the online world: a national conversation”. The consultation is open until 26 May 2026, after which the government will publish a summary of responses and its proposed approach. DSIT has indicated that it intends to move quickly on the consultation’s findings, drawing on newly granted powers that allow for accelerated implementation of online safety measures.

The consultation seeks views on a wide range of potential measures to strengthen children’s safety and wellbeing online, including more robust age‑assurance mechanisms, a statutory minimum age for social media, raising the UK’s age of digital consent, restrictions on certain features (such as livestreaming and disappearing messages), and new obligations for AI chatbots and generative‑AI services.

DSIT’s proposals could significantly expand regulatory expectations beyond the Online Safety Act 2023 (“OSA”)—including potential age‑based access limits (including differing safeguards as between teens and younger children), feature‑level restrictions, and enhanced duties for AI‑enabled services. Early engagement will be important to ensure that the government takes account of the views of affected service providers and understands the operational and technical implications of the measures proposed.

Continue Reading UK Government Launches Consultation on Children’s Online Experiences, Including New Obligations for AI

In February 2026, the Spanish data protection authority (Agencia Española de Protección de Datos, “AEPD”) published guidance on data protection issues related to the use of AI agents. The guidance follows an earlier, similar analysis by the UK Information Commissioner’s Office, which we discussed in a prior blog

Continue Reading Spanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR Compliance

On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.

The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.

Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.

Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws

As 2026 gets underway, the European Union enters a pivotal year for data protection, AI governance, and cybersecurity regulation, among other matters. EU institutions and national authorities are expected to progress a number of significant digital‑policy files, roll‑out new cyber‑resilience obligations, and make transparency in the privacy space a top priority. Below is an overview of the key developments to monitor.

Continue Reading What to Watch in 2026: Key EU Privacy & Cybersecurity Developments

On 20 January 2026, the European Commission published a proposal for a Regulation to update and replace the Cybersecurity Act (Regulation 2019/881). The proposal—known as the Cybersecurity Act 2 (CSA2)—forms part of a wider package aimed at modernizing and streamlining the EU’s cybersecurity framework and is closely linked to the

Continue Reading European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms

On 20 January 2026, the European Commission published a proposal to amend the Directive (EU) 2022/2555 (NIS2) as part of a broader package to streamline the EU’s cybersecurity framework. The Commission also issued a proposal to revise the EU Cybersecurity Act (CSA2), which we cover in a separate blog post.

The proposed amendments build on earlier streamlining efforts in the Commission’s Digital Omnibus Package—published on 19 November 2025—which introduced the first wave of technical adjustments to NIS2. Those earlier amendments focused on creating a single framework for reporting cyber incidents and clarifying how NIS2 interacts with sectoral regimes such as the CER Directive and DORA.

With this proposal, the Commission now aims to clarify the scope of the law, harmonize technical measures, introduce certification‑based compliance pathways, and strengthen cross‑border supervision through an expanded role for ENISA.

Below, we summarize the main elements of the proposal and what they could mean for entities in scope of NIS2.

Continue Reading European Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2