
Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as "a trusted adviser - practical, results-oriented and an expert in the field;" "fast, thorough and responsive;" "extremely pragmatic in advice on risk;" and having "great insight into the regulators."

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

An Expert Q&A with Mark Young of Covington & Burling LLP on the EU Cybersecurity Act and its new cybersecurity certification schemes for information and communication technology (ICT) products, services, and processes, especially internet of things (IoT) devices. It also discusses how the Act supports the EU Directive on the Security of Network and Information Systems (Directive 2016/1148/EC) (NIS Directive), the expanded role for the EU Agency for Cybersecurity (ENISA), and what companies need to know about timelines and enforcement.

On June 3, 2019, the UK Information Commissioner’s Office (“ICO”) released an Interim Report on a collaboration project with The Alan Turing Institute (“Institute”) called “Project ExplAIn.” The purpose of this project, according to the ICO, is to develop “practical guidance” for organizations on complying with UK data protection law when using artificial intelligence (“AI”) decision-making systems; in particular, to explain the impact AI decisions may have on individuals. This Interim Report may be of particular relevance to organizations considering how to meet transparency obligations when deploying AI systems that make automated decisions that fall within the scope of Article 22 of the GDPR.


On May 1, 2019, the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) launched a public consultation (“Consultation”) regarding plans to pursue new laws aimed at securing internet connected devices. The Consultation follows the UK’s publication of its final Code of Practice for Consumer IoT Security (“Code of Practice”) last October (the subject of another Covington blog available here) and is targeted at device manufacturers, IoT service providers, mobile application developers, retailers and those with a direct or indirect interest in the field of consumer IoT security.


Earlier this month, the UK’s Information Commissioner’s Office published a draft code of practice (“Code”) on designing online services for children. The Code is now open for public consultation until May 31, 2019. The Code sets out 16 standards of “age appropriate design” with which online service providers should comply when designing online services (such

The European Commission (“Commission”) has published a Recommendation on cybersecurity in the energy sector (“Recommendation”). The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here). It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.


The Court of Justice of the EU (‘CJEU’) has held that an exclusive choice of forum clause can validly be imposed by so-called “click-wrap” contracts in online B2B transactions (see Case C‑322/14, El Majdoub v. CarsOnTheWeb.Deutschland GmbH).   The ruling will make it easier for online businesses in the EU to impose a favorable choice of forum in their online B2B contracts, ensuring that they can sue defendants in courts of their own choosing, rather than the defendants’ local courts.

The general EU-wide rule for B2B contractual disputes is that a defendant must be sued in its local courts only (see “Brussels I” Regulation (Regulation (EC) No 44/2001)).  However, parties can waive the default rule by agreement “in writing” (Article 23(1)).

To deal with contracts concluded electronically, Article 23(2) states – in the English version of the law – that any “electronic communication” that “provides” a durable record of the agreement is equivalent to “writing”; the French and German versions refer to the mere “possibility” of a durable record being formed.

There has been some uncertainty as to whether mere hyperlinking to terms and conditions is a “communication”.  The case before the Court focused on this point, with the claimant arguing that the relevant terms and conditions should at least have been displayed (automatically) before they placed their order.

Taking a pragmatic view, the CJEU stated that the requirements of Article 23 are met if it is possible to print and save the text of online terms and conditions before a contract is concluded – even if the contractual terms are never actually displayed to the person accepting them.  Providing a hyperlink to a printable version suffices.

Although the Brussels I Regulation has been phased out (as of January 10th, 2015, in favor of the ‘recast’ “Brussels Ia” Regulation (Regulation (EU) No 1215/2012)), it is likely that the CJEU’s ruling in El Majdoub will equally apply to the new law, given that the relevant provisions of the new law (now contained in Article 25) are in effect identical to those in Article 23 of the original.
