The best data law firms in the world: key takeaways from the GDR 100

GDR’s editor reflects on what readers can take away from the inaugural GDR 100 ranking of data law firms, which will launch soon.

GDR’s news and analysis service started publishing in 2018. Since then, we’ve covered data protection and privacy (naturally), private disputes revolving around the acquisition or misuse of industrial data, antitrust barriers to the exploitation of data, companies’ data commercialisation strategies, and more.

We created the GDR 100 in order to pick out and profile the firms that can be relied on to handle data law work. We gave firms the opportunity to show us their full data practice, allowing us to peer under the hood and see how companies use data as an asset.

The full ranking – which we will reveal on 10 December – will feature 108  law firms that we recommend as being among the best in the world for providing data-related legal advice, and an elite list of 20 international firms that have a stranglehold on the global market for data work.

In advance of publication, we can reveal some of what we’ve learned from analysing the work of hundreds of firms, and what the future holds for the GDR 100.

Personal data rules

GDR covers all aspects of data law – and not just data protection. We are, after all, Global Data Review, not Global Data Protection Review (that acronym wouldn’t make for a very strong brand).

As such, we asked firms to submit details of all aspects of their data-related work – not just data protection and privacy. Ultimately, though, the GDR 100 final ranking reflects the market: most companies primarily need data protection-related services.

We did see plenty of other work too. Localisation is a big deal in certain Asian jurisdictions – especially in cloud and financial services – and data-focused companies need to have watertight IP and database rights over their assets, but the bulk of the data-focused work out there is related to personal data.

For example, there is plenty of cybersecurity and data breach work to go around, but for many companies data protection and security go hand in hand. With the exception of some US lawyers, the vast majority of cybersecurity lawyers rarely advise on ‘pure’ cybersecurity matters that are unrelated to personal data. There is a business risk to losing control of valuable data, but the regulatory risk is just as important.

Of course, that may change. The GDR 100 will track the market as it evolves.

No two lawyers are the same

The GDR 100 is based on in-depth submissions from hundreds of law firms around the world, ranging from IT-focused boutiques to sprawling international giants.

We used GDR sister publication Who’s Who Legal: Data as a starting point. The Who’s Who Legal team identifies the very best practitioners, basing their selection on votes submitted by thousands of lawyers and experts around the world. We asked firms that had nominees in the 2019 Who’s Who Legal: Data directory to submit extensive information on the make-up of their practices.

From this exercise, we saw that data lawyers come from a huge range of backgrounds.

We frequently came across lawyers with backgrounds in contentious and non-contentious IP, technology contracts, white-collar investigations, commercial disputes and more. One leading global name in data privacy is listed by his law firm as working in more than 25 practice groups. It might be down to over-eager marketing, but it illustrates the breadth of the market, and how different people can bring different skillsets to the table.

Law firms come in different shapes and sizes

If it’s hard to identify data lawyers, it’s even harder to say one team of such lawyers is better than the other: law firms also approach data in very different ways, and it’s tough to mount a fair head-to-head comparison.

Some, for example, have a small bench of data protection specialists who have spent decades doing little else. Others have retooled lawyers with backgrounds in soft IP, commercial contracts and outsourcing as it became clear that data increasingly drives technology markets, and now offer a one-stop-shop service that will handle all data-related aspects of a client’s activity – whether that data is personal or not.

We take no position on the ‘best’ way to do things. The privacy specialists make a good argument that experience trumps all, while the all-rounders can sometimes snipe that the experts can develop tunnel vision. GDR isn’t taking sides: both approaches are totally valid ways of doing business, and in reality most practitioners sit somewhere between the two extremes – if nothing else because it’s only relatively recently that the market has grown to the point where it can sustain scores of senior lawyers who only do data protection.

We’ve also been fascinated to see how different law firm models are able to gain strong market positions. On the one hand, sprawling global behemoths handle cutting-edge work and can do so in multiple locations. On the other, boutiques have a smaller geographical footprint; but their reputation and quality of work mean they deserve to be mentioned in the same breath as the bigger firms. They deserve praise for building strong practices despite having more limited opportunities for inter-departmental cross-selling.

Both are perfectly valid business models, and attract their own challenges, advantages and disadvantages. They might even compete with each other at times. But it is nearly impossible to make a like-for-like comparison of those firms – indeed, smaller firms are often close to larger international shops, as establishing a close and healthy referral relationship will generally be a safer approach.

The ranking will improve

We feel that this inaugural edition of the GDR 100 is strong, and tells you what you need to know about the legal market for data. But there’s always room for improvement.

In the next edition, we may ask for supplementary information in order to generate a richer dataset – ideally, one that we could use to generate a ranking of the top firms, rather than just a list.

We are already looking into expanding the types of firm that we consider in this ranking. There will be opportunities to identify the best non-lawyer advisers – the cybersecurity experts, the data monetisation consultants, and so on. While we have focused exclusively on law firms in this inaugural edition, that will not be the case forever.

We will also investigate how to bring other types of lawyer on board. The firms listed here almost exclusively carry out primarily defence-side work. That’s a feature of the market: outside of B2B disputes – which remain relatively rare – corporate law firms rarely represent plaintiffs against companies. Particularly in the US, you’ll most often see the Edelsons, Morgan & Morgans and Hausfelds of this world leading scores of privacy class actions, between them running cases that are worth billions of dollars. We don’t feel it would be fair to compare those specialised litigation practices with the broader firms we’ve ranked here: it just wouldn’t do either side justice. However, we may look into a separate section that names the leaders in that field.

In the meantime, keep your eyes peeled next week.


Get unlimited access to all Global Data Review content