Photo of Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his "level of expertise is second to none, but it's also equally paired with a keen understanding of our business and direction." It was noted that "he is very good at calibrating and helping to gauge risk."

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.

Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement

On March 4, 2023, the European Court of Justice (”CJEU”) issued its judgment on case C-300/21, UI v Österreichische Post AG. The CJEU held that the mere infringement of the GDPR does not, alone, give rise to a right to compensation for individuals.  In the Court’s view, Article 82 requires establishing: (i) “damage”, either material or non-material; (ii) an actual infringement of the GDPR; and (iii) a causal link between the two. However, the CJEU also ruled that the right to compensation in the GDPR cannot be made contingent upon individuals satisfying a certain “seriousness” threshold, which is the case under Austrian law at present.

Continue Reading CJEU Clarifies the GDPR’s Right to Compensation

There is a flurry of new EU initiatives to regulate the metaverse. Last week, the European Commission launched a public consultation (open until May 3, 2023) to “develop a vision for emerging virtual worlds (e.g. metaverses), based on respect for digital rights and EU laws and values” such that “open, interoperable and innovative virtual worlds … can be used safely and with confidence by the public and businesses.”

Continue Reading Regulating the Metaverse in Europe

On March 24, 2023, the Italian data protection authority (“Garante”) approved a Code of conduct (“Code”) on telemarketing and telesales activities.  The Code was promoted by various Italian industry and consumer associations, pursuant to Article 40 of GDPR. 

The Garante notes that the Code reflects broad industry consensus, and welcomes it as an important step to ensuring the lawful performance of the covered activities.  The Garante have been historically active in regulating telemarketing and telesales companies, and has applied some of its largest fines to this sector. We provide below an overview of the Code’s key provisions and obligations.

Continue Reading Italian Garante Approves Code of Conduct on Telemarketing and Telesales

On March 24, 2023, the Austrian Supervisory Authority (“Austrian SA”) held that a credit referencing agency (“Agency”) breached the GDPR by unlawfully processing personal data obtained from a third party in order to process it to conduct credit assessments.  It decided that the Agency breached the GDPR’s principle of lawfulness because it did not have a valid legal basis to process the personal data.  This case will be relevant for organizations assessing their lawful basis for processing personal data.

Continue Reading Austrian Supervisory Authority Issues Decision on the Collection of Personal Data by Credit Referencing Agency

The UK Information Commissioner’s Office (“ICO”) recently published detailed draft guidance on what “likely to be accessed” by children means in the context of its Age-Appropriate Design Code (“Code”), which came into force on September 2, 2020. The Code applies to online services “likely to be accessed by children” in the UK. “Children” are individuals under the age of 18. In order to determine whether an online service is “likely to be accessed” by children, companies must assess whether the nature and content of the service has “particular appeal for children” and “the way in which the service was accessed”. This new draft guidance provides further assistance on how to make this assessment, and is undergoing a public consultation until May 19, 2023.

Continue Reading UK ICO Provides Guidance On When A Service Is “Likely To Be Accessed By Children” And Needs To Comply With Its Age-Appropriate Design Code

The EU’s AI Act Proposal is continuing to make its way through the ordinary legislative procedure.  In December 2022, the Council published its sixth and final compromise text (see our previous blog post), and over the last few months, the European Parliament has been negotiating its own amendments to the AI Act Proposal.  The European Parliament is expected to finalize its position in the upcoming weeks, before entering into trilogue negotiations with the Commission and the Council, which could begin as early as April 2023.  The AI Act is expected to be adopted before the end of 2023, during the Spanish presidency of the Council, and ahead of the European elections in 2024. 

During negotiations between the Council and the European Parliament, we can expect further changes to the Commission’s AI Act proposal, in an attempt to iron out any differences and agree on a final version of the Act.  Below, we outline the key amendments proposed by the European Parliament in the course of its negotiations with the Council.

Continue Reading A Preview into the European Parliament’s Position on the EU’s AI Act Proposal

Regulators in Europe and beyond have been ramping up their efforts related to online safety for minors, through new legislation, guidance, and by promoting self-regulatory tools.  We discuss below recent developments in the EU and UK on age verification online.

Continue Reading Age Verification: State of Play and Key Developments in the EU and UK

On February 28, 2023, the European Data Protection Board (“EDPB”) released its non-binding opinion on the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”).  The adequacy decision, once formally adopted, will establish a new legal basis by which organizations in the EU (as well as the three EEA states of Iceland, Liechtenstein, and Norway) may lawfully transfer personal data to the U.S., provided that the recipient in the U.S. certifies to and abides by the terms of the DPF (see our previous blogpost here). 

The Commission sought the EDPB’s opinion pursuant to Article 71(1)(s) of the GDPR.  The EDPB welcomes the fact that elements of the DPF represent a substantial improvement over the Privacy Shield, which was annulled by the EU Court of Justice (“CJEU”) in Schrems II (see our previous blogpost here).  Nonetheless, the EDPB notes some concerns and seeks clarification on certain aspects of the DPF from the Commission.  For example, the EDPB welcomes the establishment of a specific mechanism by which non-U.S. persons may seek redress for certain U.S. government surveillance of their personal data, but calls on the Commission to closely monitor the implementation of this mechanism in practice.

Continue Reading EDPB Releases its Opinion on the Proposed EU-U.S. Data Privacy Framework

On February 22, 2023, the European Data Protection Board (“EDPB”) released its Work Program for 2023-2024 (“the Program”), outlining the key priority areas for the next two years.  The Program is divided into four pillars, which largely reflect the priorities already set out in its Strategy 2021-2023.

Continue Reading EDPB Releases its 2023-2024 Work Program