James Lloyd

James engages across jurisdictions with data protection and cyber regulators, including:

• The UK Information Commissioner’s Office (ICO)
• Ireland’s Data Protection Commission (DPC)
• France’s Commission nationale de l’informatique et des libertés (CNIL)
• Italy’s Garante per la protezione dei dati personali (Garante)

His recent experience includes representing:

Regulatory Investigations

• A global technology company in investigations by EU CSIRTs and national data protection authorities following a major cybersecurity incident
• A leading social media platform on regulatory inquiries by the UK Information Commissioner’s Office (ICO) and Ireland’s Data Protection Commission (DPC) relating to its launch and use of AI-powered functionality
• A data analytics firm in an ICO investigation into its data processing activities and a subsequent monitorship addressing broader compliance practices
• A China-based AI communications provider in responding to an ICO investigation into its UK-facing privacy operations
• A fintech and crypto services provider during a DPC enforcement action regarding data security and privacy governance
• A consumer goods company in an ICO-led investigation into its direct marketing and customer engagement practices
• A major social media company in parallel ICO and DPC investigations examining its privacy-by-design approach

Privacy Litigation

• An online dating company in defending claims brought by individuals affected by cybersecurity breach*
• A technology company in pursuing a claim against cyber attackers that led to the misappropriation of funds*
• Individuals in pursuing a claim arising out of a campaign of harassment*
• An identity verification company in a dispute with supplier over a breach of licensing terms*
• A property investment company in defending a claim brought by a client in connection with a personal data breach*

Cybersecurity and Privacy Investigations & Enforcement

• An international charity in a ransomware attack affecting thousands of individuals and coordinating responses to regulatory investigations*
• A medical equipment manufacturer in a ransomware attack affecting records of individuals in Europe*
• A major consumer goods company in a network intrusion affecting records of individuals in Europe, Africa, and the Middle East*
• An identity verification company in assessment notice (data protection audit) process and subsequent monitorship*
• A China-based electronics manufacturer in an internal investigation into data protection practices and potential ICO investigation*
• An e-commerce platform in a cyberattack involving theft of hundreds of thousands of records, including ensuing notifications to regulators and individuals in Europe, Asia, and Africa*
• A major university in a ransomware attack that compromised records worldwide*
• A financial institution in a security breach affecting thousands of records in Europe, including ensuing notification to regulator*
• An IT service management company in a security breach brought about by a “white hat” hacker affecting thousands of records in Europe*
• An identity verification company in a security breach at a third-party supplier that affected thousands of sensitive records*
• A management software vendor in a security breach affecting North America and Europe*

*Matter handled prior to joining Latham