Lucy Tucker advises clients on data privacy, cybersecurity, and commercial contracts, with a particular focus on Middle East and EU/UK privacy laws.

Ms. Tucker’s Middle East-focused advice covers existing and upcoming data privacy laws, cybersecurity requirements, cybercrimes and content standards, data localization requirements, and consumer protection requirements.

Ms. Tucker advises a broad range of clients, from startups to technology giants, on a wide range of privacy matters, including in relation to the launch of new products and services, M&A transactions, regulatory investigations, the privacy risks of new technologies, data processing agreements, international data transfers, data protection impact assessments, direct marketing, and transparency requirements.

Ms. Tucker was previously based in Latham & Watkins’ London office, where she specialized in EU and UK privacy laws.

Ms. Tucker is a Certified Information Privacy Technologist (CIPT), awarded by the International Association of Privacy Professionals (IAPP), and also holds a Practitioner Certificate in Data Protection, awarded by BCS, The Chartered Institute for IT.

Ms. Tucker’s experience includes advising: 

  • An international technology company on the launch of new digital services across the Middle East, including AI-based services
  • Numerous Kingdom of Saudi Arabia (KSA) and international companies on KSA localization requirements, including for cloud services and critical infrastructure and systems
  • A United Arab Emirates-based healthcare provider on carrying out a data protection impact assessment for the processing of patient data
  • Meta (formerly Facebook) on data privacy issues in relation to its services and strategic acquisitions, including its acquisitions of the game developer Ready at Dawn, the Gif provider Giphy Inc., and customer service CRM platform Kustomer Inc.
  • A sovereign wealth fund on multiple ultra-high-tech megaprojects on the development of its data privacy and cybersecurity laws
  • A multinational corporation on the privacy implications of the EU Digital Markets Act
  • A multinational professional services firm on its “best-in-class” global Privacy Impact Assessment program
  • A significant social media company in matters before international regulatory bodies in connection with data protection compliance and other issues relating to privacy and security
  • A global conversation technology company on its data protection model, relationships with third parties, ads profiling, and how it uses and trains AI/ML
  • A global media group on the territorial scope of GDPR, including in relation to joint controllership and processor requirements
  • A number of international companies on the review and sharing of EU and UK employee correspondence and documentation in relation to US litigation matters
  • Numerous companies on data protection matters ahead of stock market listings

Bar Qualification

  • England and Wales (Solicitor)


  • Legal Practice Course, Kaplan Law School, 2015
  • LLM in European and International Tax Law, Lund University, 2014
  • LLB Bachelor of Law, University of Birmingham, 2013

Languages Spoken

  • English