GDR 100 2021

Morrison & Foerster

Morrison & Foerster

Professional notice

Practice profile

West Coast-headquartered Morrison & Foerster brings together practitioners who can handle the full data lifecycle, spanning advisory, compliance, transactional and contentious matters. Partners Miriam Wugmeister in New York and Alex van der Wolk in Brussels lead the MoFo privacy and data security practice, which rivals frequently cite as being among the best in the world. The firm boasts more than 60 data lawyers in offices in the US, Europe and Asia.

The firm has particular expertise in guiding clients through the EU binding corporate rules process. The complex international transfer mechanism is notoriously burdensome for companies and their advisers alike; that MoFo has bagged several such mandates demonstrates its sophistication and ability to handle large volumes of work. It has recently leveraged its global presence to advise companies as they deal with complex data issues linked to the covid-19 outbreak, and has assisted multiple clients with the legality of employee and workplace tracking in various jurisdictions. While the firm’s list of key clients cannot be disclosed, it contains household names in hospitality, insurance, manufacturing, software, energy and healthtech.

Leading individuals

Miriam Wugmeister in New York and Alex van der Wolk in Brussels lead the MoFo privacy and data security practice. Washington, DC-based John Carlin, who focuses on cybersecurity, Kristen Mathews in New York, Julie O’Neill in Boston, Nathan Taylor in Washington, DC, Christine Lyon in Palo Alto, Annabel Gilham in London, Hanno Timner in Berlin and Brussels-based senior of counsel Lokke Moerel are other key names.

Work highlights

MoFo represented United Internet during a German federal investigation that resulted in a €9.5 million fine. Berlin partner Hanno Timner led that case, which is now subject to an appeal. The firm is defending a company in the first-ever CCPA class action following a data security incident. It also represents a technology company in the first-ever Dutch privacy class action – impressive work for a firm that lacks an office in the Netherlands, and is running the case out of Brussels. A MoFo team is also involved in a UK data class action.

On the non-contentious side, the firm has handled multiple binding corporate rules applications, and advises on laws as diverse as the CCPA and Chinese Cybersecurity Law. Brussels-based senior counsel Lokke Moerel and London partner Annabel Gillham guided Visa Europe as it set up its open banking platform across the EU. The Visa advice needed to take the EU’s PSD2 open banking framework into account and analyse relationships with stakeholders such as banks and merchants to resolve data storage, sharing and access issues. In deals, it acted for Salesforce on the IP and privacy aspects of the company's US$15.7 billion acquisition of data visualisation leader Tableau, and acted for Japanese pharmaceutical company Taisho in transferring employee data in the context of its US$1.6 billion acquisition of French pharmaceutical company UPSA.

Client feedback

A software client praises the firm for providing “practical, risk-based approaches”, and highlights practice co-chair Miriam Wugmeister as “very impressive and a pleasure to work with”. Another client, this time in the banking sector, says the firm distinguishes itself by “having the right people on the phone at the right time". 

Morrison & Foerster's highly respected global privacy and data security group is a cross-disciplinary team of more than 60 lawyers across the United States, Europe and Asia, providing creative and practical advice on all stages of the information life cycle, from privacy compliance to incident response. Our extensive experience with data protection laws and our geographic reach uniquely positions us to handle virtually any privacy or data security issue anywhere in the world.

With a reputation for being straightforward and practical, we have become the privacy counsel of choice for hundreds of organizations, from ambitious startups to global industry leaders, including nearly half of the FORTUNE 50, as well as leading companies across all sectors. Our skills are particularly valued by companies that operate in highly-regulated sectors (such as financial services, healthcare and pharmaceuticals), those with an online presence, and those operating internationally. Organizations in these areas face multiple layers of regulation and appreciate the timely, knowledgeable and realistic advice that our attorneys are able to provide around the clock.

Over 100 countries now have their own data protection laws regulating the collection, use, disclosure and security of personal information. The complex and sometimes conflicting obligations imposed by these laws can be challenging for companies seeking to comply. Our extensive experience coordinating multijurisdictional privacy programs and strategies allows us to advise clients effectively on compliance with these new privacy laws. We have advised extensively on the legal and operational challenges presented by the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the Schrems II decision, as well as the Cyber Security Law of the People’s Republic of China, the Personal Data (Privacy) Ordinance of Hong Kong, Japan’s Personal Information Protection Act, and a variety of other global privacy laws. We’ve also done more Binding Corporate Rules (BCR), a form of corporate self-regulation designed to facilitate global inter-company data transfers in compliance with EU Data Protection Law, than any other firm worldwide.

While we advise on a broad range of privacy compliance and data protection matters, we also offer unparalleled expertise when cybersecurity incidents occur, having handled more major breaches than any other firm. Our interdisciplinary global risk and crisis management team includes former federal prosecutors and regulators, internationally recognized cybersecurity experts, and officials at the Department of Justice, in the Intelligence Community, and at the Securities and Exchange Commission, among others. We draw on these diverse experiences to help identify potential risks to our client’s business and develop a comprehensive response that cuts across traditional practice areas, allowing our clients to hit the ground running in the event of a cyber-incident. In fact, another pillar of our practice is designing and leading customized table top exercises for global incident response teams, executive leadership teams, and Boards of Directors to enhance their cyber resilience.

Morrison & Foerster's truly integrated team works across the globe and across disciplines, including life sciences, financial services, employment, healthcare, technology transactions and privacy litigation. Our privacy litigators work seamlessly with our regulatory and compliance teams to develop a defense plan before any litigation arises. We coordinate across offices, continents, and practice groups, all with deep insights into the latest developments related to new legislation and how it impacts each case, to provide a cost‐effective and comprehensive response to litigation and the overall risk posed by data breaches and other privacy risks.

Our deep bench works to develop compliance programs, respond to security incidents, and defend high-stakes litigation that may threaten a company’s bottom line, in a way that is efficient, nimble, and well-equipped to pivot often, and swiftly, to meet the needs of our clients in any situation and in any jurisdiction. We welcome an opportunity to work with you.

Unlock unlimited access to all Global Data Review content