Mark Young

Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.

Subscribe to all posts by Mark Young

Proposed New EU Cyber Rules Introduce More Onerous Requirements and Extend to More Sectors

In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key points … Continue Reading

Twitter Fine: a View into the Consistency Mechanism, and “Constructive Awareness” of Breaches

On December 15, 2020, the Irish Data Protection Commission (“DPC”) fined Twitter International Company (“TIC”) EUR 450,000 (USD 500,000) following a narrow investigation into TIC’s compliance with obligations to (a) notify a personal data breach within 72 hours under Article 33(1) GDPR; and (b) document the facts of the breach under Article 33(5) GDPR. The … Continue Reading

The European Commission publishes a proposal for a Regulation on European Data Governance (the Data Governance Act)

On 25 November 2020, the European Commission published a proposal for a Regulation on European Data Governance (“Data Governance Act”).  The proposed Act aims to facilitate data sharing across the EU and between sectors, and is one of the deliverables included in the European Strategy for Data, adopted in February 2020.  (See our previous blog … Continue Reading

H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR

On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), … Continue Reading

UK Information Commissioner’s Office Publishes Draft Accountability Framework Tool

On 10 September 2020, the UK Information Commissioner’s Office (“ICO”) published its beta-phase “Accountability Framework” (“Framework”).  The Framework is designed to assist organisations, of any size and across all sectors, in complying with the accountability principle under the GDPR and in meeting the expectations of the ICO. The Framework will help those within organisations who … Continue Reading

UK Supreme Court Rules That Supermarket Is Not Vicariously Liable For Data Breach Committed By Employee

On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.  The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee.  The judgment is significant in that it overturned the decisions of the two lower … Continue Reading

UK ICO and The Alan Turing Institute Issue Draft Guidance on Explaining Decisions Made by AI

The UK’s Information Commissioner’s Office (“ICO”) has issued and is consulting on draft guidance about explaining decisions made by AI.  The ICO prepared the guidance with The Alan Turing Institute, which is the UK’s national institute for data science and artificial intelligence.  Among other things, the guidance sets out key principles to follow and steps … Continue Reading

ICO publishes blog post on AI and trade-offs between data protection principles

On July 25, 2019, the UK’s Information Commissioner’s Office (“ICO”) published a blog on the trade-offs between different data protection principles when using Artificial Intelligence (“AI”).  The ICO recognizes that AI systems must comply with several data protection principles and requirements, which at times may pull organizations in different directions.  The blog identifies notable trade-offs … Continue Reading

ICO Updates Guidance on Cookies and Similar Technologies

Back in 2013, we published a blog post entitled, “European Regulators and the Eternal Cookie Debate” about what constitutes “consent” for purposes of complying with the EU’s cookie rules.  The debate continues…  Yesterday, the ICO published new guidance on the use of cookies and a related “myth-busting” blog post.  Some of the “new” guidance really … Continue Reading

Privacy Shield Ombudsperson Confirmed by the Senate

On June 20, 2019, Keith Krach was confirmed by the U.S. Senate to become the Trump administration’s first permanent Privacy Shield Ombudsperson at the State Department.  The role of the Privacy Shield Ombudsperson is to act as an additional redress avenue for all EU data subjects whose data is transferred from the EU or Switzerland … Continue Reading

ICO Publishes Report on Impact of GDPR

On 30 May 2019, the United Kingdom’s ICO released a report, “GDPR: One Year On”, discussing the impact of the GDPR and its associated learnings after one year following its implementation (the “Report”), which provides valuable insight into the enforcement practices, EU-wide cooperation, support functions, innovative practices and further growth plans of the ICO. The … Continue Reading

ICO’s Interim Report on Explaining AI

On June 3, 2019, the UK Information Commissioner’s Office (“ICO”), released an Interim Report on a collaboration project with The Alan Turing Institute (“Institute”) called “Project ExplAIn.” The purpose of this project, according to the ICO, is to develop “practical guidance” for organizations on complying with UK data protection law when using artificial intelligence (“AI”) … Continue Reading

ICO issues draft code of practice on designing online services for children

Earlier this month, the UK’s Information Commissioner’s Office published a draft code of practice (“Code”) on designing online services for children. The Code  is now open for public consultation until May 31, 2019. The Code sets out 16 standards of “age appropriate design” with which online service providers should comply when designing online services (such … Continue Reading

EU Commission Issues Recommendation on Cybersecurity in the Energy Sector

The European Commission (“Commission”) has published a Recommendation on cybersecurity in the energy sector (“Recommendation”).  The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here).  It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics … Continue Reading

UK Issues Regulations on Post-Brexit Data Protection Law

Two sets of regulations aimed at readying UK data protection law for a post-Brexit world have been promulgated in recent weeks.  These regulations, which were made pursuant to the EU (Withdrawal) Act 2018 (EUWA), will only come into force in most respects upon the UK’s withdrawal from the EU.  Broadly speaking, these regulations are intended … Continue Reading

European Parliament Approves EU Cybersecurity Act

Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act” This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here). In addition to reinforcing the mandate of ENISA — now to … Continue Reading

UK Regulators Publish Joint Discussion Paper on Operational Resilience in the UK Financial Sector

By Mark Young and Gemma Nash The UK Financial Conduct Authority (“FCA”) published on July 5 a joint Discussion Paper with the Prudential Regulation Authority (“PRA”) and the Bank of England (“BoE”) on “Building the UK financial sector’s operational resilience.” The Discussion Paper focuses on the ability of regulated firms and financial market infrastructures (“FMIs”) … Continue Reading

UK Government Consults on EU Cybersecurity Plans

As we summarized last fall, the EU Commission published a new Cybersecurity Communication in September that, among other things, sets out proposals for an EU cybersecurity certification framework as part of ‎an EU “Cybersecurity Act” (see our post here and a more detailed summary here).  Just before the holidays, on December 20, 2017, the UK Government published a consultation on these proposals, which the … Continue Reading

EU Regulators Provide Guidance on Notice and Consent under GDPR

The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”).  We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers … Continue Reading

EU Announces Major New Cybersecurity Plans

Last week, in his annual State of the European Union Address, the President of the European Commission Jean-Claude Juncker called out cybersecurity as a key priority for the European Union in the year ahead.  In terms of ranking priorities, President Juncker placed tackling cyber threats just one place below the EU leading the fight against … Continue Reading

UK Government Proposes Cybersecurity Law with Serious Fines

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or … Continue Reading

CJEU Confirms Dynamic IP Addresses To Be Personal Data

On Wednesday October 19, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Case C-582/14, Patrick Breyer v Germany.  The CJEU held that a “dynamic” IP address constitutes personal data (agreeing with the Opinion of the Advocate General from May this year).  Dynamic IP addresses qualify as personal data, even if … Continue Reading

Inherited Infrastructure, Outdated Software, And Other Failings That Led To TalkTalk’s Record Fine

On October 5, 2016, the UK Information Commissioner’s Office (“ICO”) fined telecoms company TalkTalk a record £400,000 for failing to put in place appropriate data security measures and allowing a cyber-attacker to access TalkTalk customer data “with ease.”  The ICO highlighted several  technical and organizational deficiencies as justification for issuing its largest fine to-date.  Many … Continue Reading
LexBlog