data protection

The challenges arising from data are countless and inescapable in our maturing technological landscape. To future-proof your organisation, and unlock opportunity from your data, you need alert and experienced lawyers who will deliver practical advice. Our team of experts includes former regulators who have been right at the heart of the development of the legal landscape in this critical area.


Clients turn to CMS to advise on global data privacy, protection and information security projects. Leading multinational companies, many of which hold large amounts of sensitive data and are heavily regulated, instruct us to advise on multi-jurisdictional projects.

Global AND local

Our teams are flexible in that they handle both large multinational projects but can also deep-dive for niche, country-specific advice. The teams are on the ground in over 40 countries, speak the local language and understand the local laws – but crucially in a global context.

Pragmatism and business acumen

CMS has a knack for turning legal advice into practical solutions that make sense not just to your legal teams, but to your other employees, such as the HR function, or software engineers.

Please reach out to any of our Technology, Media and Communications and data protection lawyers should you have an issue to explore. to find out more about data protection and data regulation offerings.

For the very latest legal updates delivered directly to your inbox, sign up to the Law-Now subscription service now.

GDPR En­force­ment Track­er Re­port 2021
The GDPR En­force­ment Track­er Re­port aims to provide you with valu­able in­sights...
Data Law Nav­ig­at­or
Use the Data Law Nav­ig­at­or for a quick look at data pro­tec­tion laws in...
CMS Breach As­sist­ant app
A head start dur­ing the first crit­ic­al hours of a data breach


Are you ready for the new PRC Per­son­al In­form­a­tion Pro­tec­tion Law?
On 1 Novem­ber 2021, the new PRC Per­son­al In­form­a­tion Pro­tec­tion Law will come in­to ef­fect. This is Chin­a's first om­ni­bus per­son­al data pro­tec­tion law, much like the GDPR.This new law will ap­ply both to...
The Chan­ging Face of Cy­ber Claims
A cy­ber in­sur­ance loss study in Con­tin­ent­al Europe
Data pro­tec­tion and se­cur­ity
Ex­pert leg­al ad­visers
Leg­al pre­ci­sion in pri­vacy, data se­cur­ity and data pro­tec­tion - Ex­pert...
Ex­pert leg­al ad­visers in Africa
EDPB is­sues draft Guidelines on codes of con­duct for data trans­fers
The European Data Pro­tec­tion Board (EDPB) is­sued its draft Guidelines 04/2021 on the codes of con­duct to be used as a tool for fa­cil­it­at­ing data trans­fers. These guidelines are the second in a series...
The fu­ture of sports data
Worth over US$1 bil­lion in 2020 and pro­jec­ted to be worth US$5 bil­lion by 2026, it is safe to say that sports data rights is a large and grow­ing busi­ness which brings cross-in­dustry en­gage­ment from sport­ing...
GDPR 3 years on – The greatest hits (and misses)
More than three years have passed since the GDPR ap­plied and a lot has happened in the world of data pro­tec­tion dur­ing that time – fines, class ac­tions, court chal­lenges and more. We give our “playl­ist”...
The way the cook­ie crumbles: Google’s chan­ging ap­proach to third-party...
Last year, Google an­nounced the in­tro­duc­tion of its Pri­vacy Sand­box, an ini­ti­at­ive with a mis­sion to “cre­ate a thriv­ing web eco­sys­tem that is re­spect­ful of users and private by de­fault”. As part of this ini­ti­at­ive, Google has pledged to re­move sup­port for third-party cook­ies from its ad net­works and Chrome plat­form. From Google’s per­spect­ive, this is a pos­it­ive step for­ward: third party cook­ies are used to track users across the In­ter­net and their re­mov­al will make it more dif­fi­cult for ad­vert­isers to do this. In­deed, Google it­self states on its Ads and Com­merce Blog that “[p]eople shouldn’t have to ac­cept be­ing tracked across the web in or­der to get the be­ne­fits of rel­ev­ant ad­vert­ising. And ad­vert­isers don't need to track in­di­vidu­al con­sumers across the web to get the per­form­ance be­ne­fits of di­git­al ad­vert­ising”.So, what does this mean for ad­vert­isers who still want to tar­get users? Well, Google will re­place its sup­port for third-party cook­ies with an AI sys­tem called the Fed­er­ated Learn­ing of Co­horts (or “FLoC”) which (as ex­plained by the Elec­tron­ic Fron­ti­er Fed­er­a­tion):…uses your brows­ing his­tory from the past week to as­sign you to a group with oth­er "sim­il­ar" people around the world. Each group re­ceives a la­bel, called a FLoC ID, which is sup­posed to cap­ture mean­ing­ful in­form­a­tion about your habits and in­terests. FLoC then dis­plays this la­bel to every­one you in­ter­act with on the web. This makes it easi­er to identi­fy you with browser fin­ger­print­ing, and it gives track­ers a head start on pro­fil­ing you.Thus, in­stead of identi­fy­ing users in­di­vidu­ally, Chrome will place users in­to co­horts based on their brows­ing habits and al­low ad­vert­isers to tar­get their ads to these co­horts, rather than in­di­vidu­als. This means that ads will be de­livered to users in a more an­onym­ous way, without (ac­cord­ing to Google) in­hib­it­ing the abil­ity of ad­vert­isers to de­liv­er those ads in a tar­geted way. So, every­one is happy, right?Well, no - not every­one is ex­cited by this pro­pos­i­tion. In­deed, crit­ics have warned that the use of FLoC by Google still means that users will be tracked to some ex­tent while they browse on­line. Fur­ther, there is con­cern that group­ing users in­to co­horts could res­ult in dis­crim­in­a­tion again cer­tain groups if, for ex­ample, sens­it­ive at­trib­utes (such as race, sexu­al ori­ent­a­tion, dis­ab­il­ity, etc) are used as the basis for group­ing. It is also worth re­mem­ber­ing that Google has only com­mit­ted to re­move sup­port for third-party cook­ies; its sup­port for first-party cook­ies will con­tin­ue.In ad­di­tion to the pri­vacy con­cerns, the UK’s Com­pet­i­tion and Mar­kets Au­thor­ity (“CMA”) has launched an in­vest­ig­a­tion in re­la­tion to the Pri­vacy Sand­box to as­sess wheth­er the changes could cause ad­vert­ising spend to be­come even more con­cen­trated on Google’s eco­sys­tem at the ex­pense of com­pet­it­ors.  With the CMA in­vest­ig­a­tion and these oth­er cri­ti­cisms, Google has now an­nounced that it is delay­ing the full im­ple­ment­a­tion of the Pri­vacy Sand­box un­til late 2023.  In the mean­time, Google is still tri­al­ling FLoC in se­lec­ted coun­tries so we will have to wait and see how ef­fect­ive it is as a pri­vacy-pre­serving al­tern­at­ive for both users and ad­vert­isers alike.
Open Secrets? Guard­ing value in the in­tan­gible eco­nomy
Across mul­tiple in­dus­tries, busi­nesses are de­riv­ing an ever great­er pro­por­tion of their value from as­sets pro­tec­ted not by pat­ent or copy­right – but by secrecy. And from cus­tom­er data to soft­ware al­gorithms...
EDPB ap­proves first EU GDPR Code of Con­duct for Cloud Ser­vice Pro­viders
Fol­low­ing the sub­mis­sion by the Bel­gian Data Pro­tec­tion Au­thor­ity, on May 19 the European Data Pro­tec­tion Board (EDPB) ap­proved the EU Cloud Code of Con­duct with sub­sequent fi­nal ap­prov­al by the Bel­gian...
New GDPR Code of Con­duct ap­proved for Cloud In­fra­struc­ture Ser­vice Pro­viders
The European Data Pro­tec­tion Board (EDPB) and the French Data Pro­tec­tion Au­thor­ity (CNIL) ap­proved the CISPE Data Pro­tec­tion Code of Con­duct of Cloud In­fra­struc­ture Ser­vice Pro­viders in Europe (CISPE...
EDPB is­sues Re­com­mend­a­tion on cred­it card data stor­age for one-click pay­ments
The European Data Pro­tec­tion Board (EDPB) has ad­op­ted a new re­com­mend­a­tion on the leg­al basis for the stor­age of cred­it card data by e-com­merce mer­chants for the pur­pose of one-click pay­ment of fur­ther...