Photo of Dan Cooper

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his "level of expertise is second to none, but it's also equally paired with a keen understanding of our business and direction." It was noted that "he is very good at calibrating and helping to gauge risk."

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

The upcoming date of December 27, 2022, marks the end of the roughly one year and a half-long transition period that companies had to replace any the old versions of the standard contractual clauses for international transfers of personal data by the new standard contractual clauses, which the European Commission adopted on June 4, 2021.  As of December 27, 2022, EU Supervisory Authorities may start GDPR enforcement proceedings against any companies that still on to the old version of the standard contractual clauses.

Covington is well placed to assisting clients in amending their contracts to take into account the new standard contractual clauses and, more generally, to ensure compliance with the GDPR rules on international data transfers.Continue Reading Countdown for Implementing the New EU Data Transfer Contracts and Overview of other EU Transfer Developments

On October 7, 2022, President Biden signed an Executive Order directing the steps that the United States will take to implement its commitments under the new EU-U.S. Data Privacy Framework.  The framework was announced by the U.S. and the EU Commission in March 2022, after reaching a political agreement in principle (see our blog post

On September 28, 2022, the European Commission published its long-promised proposal for an AI Liability Directive.  The draft Directive is intended to complement the EU AI Act, which the EU’s institutions are still negotiating.  In parallel, the European Commission also published its proposal to update the EU’s 1985 Product Liability Directive.  If adopted, the proposals will change the liability rules for software and AI systems in the EU.

The draft AI Liability Directive establishes rules applicable to non-contractual, fault-based civil claims involving AI systems.  Specifically, the proposal establishes rules that would govern the preservation and disclosure of evidence in cases involving high-risk AI, as well as rules on the burden of proof and corresponding rebuttable presumptions.  If adopted as proposed, the draft AI Liability Directive will apply to damages that occur two years or more after the Directive enters into force; five years after its entry into force, the Commission will consider the need for rules on no-fault liability for AI claims.

As for the draft Directive on Liability of Defective Products, if adopted, EU Member States will have one year from its entry into force to implement it in their national laws.  The draft Directive would apply to products placed on the market one year after it enters into force.Continue Reading European Commission Publishes Directive on the Liability of Artificial Intelligence Systems

On October 4, 2022, the EU adopted the Digital Services Act (“DSA”), which imposes new rules on providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces).  The DSA will enter into force on November 16, 2022 — although it will only fully apply as of February 17, 2024. Continue Reading EU Adopts Digital Services Act

This post is the first of a series of blog posts about the Digital Markets Act (“DMA”), which was adopted on July 18, 2022, and it deals specifically with those provisions of the DMA that are relevant to organizations’ privacy programs.Continue Reading The Digital Markets Act for Privacy Professionals

Update: On January 12, 2023, the Court of Justice of the European Union sided with the Advocate General’s opinion, confirming that a data subject can lodge a complaint with a Supervisory Authority and, concurrently, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

More specifically, the CJEU held that the remedies provided for in Article 77(1) and Article 78(1) GDPR, on the one hand, and Article 79(1) GDPR, on the other, can be exercised in parallel and are independent of each other.  Concerning the material outcome of the case, the referring court must determine how to implement the remedies, in line with national procedural law.

*                             *                             *

On September 8, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) opined that data subjects should be able to lodge a complaint with a Supervisory Authority against a controller/processor for allegedly breaching the GDPR and, in parallel, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

The case that was referred to the CJEU relates to a shareholder’s request to access audio recordings of a company meeting.  The company provided the shareholder only with extracts of his/her interventions.  Subsequently, the shareholder filed a complaint with the Hungarian Supervisory Authority for a breach of his/her right of access and asking the Supervisory Authority to order the company to disclose additional recordings.  The Supervisory Authority rejected the complaint.  As a result, the shareholder appealed the Supervisory Authority’s decision before a court and in parallel initiated separate judicial proceedings against the company asking for remedies for damages suffered.Continue Reading CJEU Advocate General Finds That Data Subjects May in Parallel Lodge a Complaint with a Supervisory Authority and Start Proceedings Before a Court

The EU is in the process of adopting the Digital Markets Act and the Digital Services Act.  Both acts include rules applying to online-targeted advertising, commonly understood as the conveyance of messages over the Internet directed at a particular group of people who are perceived to be interested in the message in order to advance commercial or other interests.  This blog post provides an overview of the existing and soon to be adopted EU data related rules applying to online-targeted advertising.  It does not cover rules relating to ranking systems.Continue Reading EU Rules on Online Targeted Advertising

On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing

On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a