Edward Machin is an associate in the data, privacy and cybersecurity group, based in London. He provides clear and business-focused advice on a wide range of legal and regulatory issues in the rapidly evolving areas of privacy, data protection and security, e-commerce and marketing, and information law. Secondments at data-rich businesses in the life sciences and market research sectors have given Edward a deep understanding of what clients want – and these experiences inform his approach to providing practical legal and commercial solutions to organisations across Europe, the U.S. and Asia.
Edward’s practice encompasses regulatory compliance, advisory and transactional work for founders, start-ups, corporates, venture capitalists and asset managers across the technology, life sciences and healthcare, financial and professional services, food and beverage, consumer goods, entertainment and media sectors. He regularly advises on the development and operationalisation of global compliance programmes, new products and services, complex international data transfer issues, and emerging technologies and regulatory trends (such as the use of alternative data and COVID-19-related compliance).
In addition, Edward has particular expertise in crisis and incident management. He helps clients respond to requests from law enforcement agencies and data protection authorities, and frequently advises on personal data breaches, security events and contentious subject rights requests. He also works closely with colleagues across the firm on the data protection aspects of internal investigations and litigation matters.
Edward writes widely on privacy, data protection and security issues, and has been quoted in the Financial Times, the Wall Street Journal, the Daily Telegraph, the Irish Times and various industry publications. Before his legal career, Edward worked for six years as an award-winning financial journalist.
Counselling and Compliance
- Providing day-to-day counsel to high-profile clients in the food and beverage, financial services, lead generation and data analytics sectors on a wide range of complex data protection, security, e-marketing and information law issues.
- Advising businesses on their return to office plans, including the use of contact tracing technologies and collecting vaccination data from staff and visitors.
- Counselling medical centres, universities and life sciences companies on the application of the GDPR to their research and health care operations, including on the design of their consent forms and associated data protection disclosures.
- Assisting clients in creating and operationalising global compliance programmes to address the requirements of national and extra-territorial data protection laws.
- Advising on complex international data transfer questions, including to address Schrems II and national localisation and notification requirements.
- Providing training to clients’ legal and compliance, HR, marketing and product design teams on the GDPR, the ePrivacy Directive, Brexit and related issues.
Crisis Management and Incident Response
- Counselling multinational technology companies in their responses to personal data breaches and cybersecurity incidents, including making notifications to regulators and affected individuals across the EU and UK.
- Advising multiple financial institutions and private capital providers on responding to U.S. and UK law enforcement requests for information, including under the Investigatory Powers Act, the Data Protection Act and the Securities and Exchange Commission’s books and records rule.
- Representing ultra-high-net-worth individuals in challenging their World-Check designations as politically exposed persons.
- Counselling clients in the UK and EU on dozens of contentious data subject rights requests, including before supervisory authorities and in pre-litigation correspondence.
- Representing a former senior executive at a global energy provider in an investigation by the Serious Fraud Office, with a focus on the naming of the client in public court proceedings.
- Regularly advising on the data protection aspects of internal and external investigations, including on issues relating to whistleblowing, device collection and review, U.S. disclosure requirements and international data transfers.
Transactions and Fund Management
- Advising private equity companies in Europe, the U.S. and Asia on the data, privacy and cybersecurity issues arising in pre-acquisition diligence and post-acquisition remediation.
- Drafting and negotiating the data protection aspects of asset management and fund formation documentation (including PPMs, subscription documents, administration agreements and related contracting advice).
- Co-author, “Data Protection and Digital Information Bill: Key Proposals For Reform of the UK’s Data Protection Framework,” Entertainment Law Review (November 11, 2022)
- Author, “Government’s post-Brexit agenda will affect the ICO’s structure and powers,” Privacy Laws & Business (November 7, 2022)
- Quoted, “Civil Liberties Group Threatens Tesco Over Data Collection,” Financial Times (October 25, 2022)
- Quoted, “President Biden signs executive order aimed at legal reboot of EU-US data flows,” TechCrunch (October 7, 2022)
- Quoted, “TikTok Faces Possible Fine Over Child Data Breaches,” Law360 (September 26, 2022)
- Quoted, “TikTok could face fine over children’s privacy allegations,” City A.M. (September 26, 2022)
- Quoted, “The Merge: A Blockchain Revolution or Just More Hype?” Financial Times (September 12, 2022)
- Quoted, “UK government introduces data reforms legislation to Parliament,” Computer Weekly (July 21, 2022)
- Quoted, “Legal Experts Concerned Over New UK Digital Reform Bill,” InfoSecurity (July 20, 2022)
- Quoted, “CJEU Judgement on Data Retention,” Computing Security (June 28, 2022)
- Co-author, “Walking the line: Conflicting US disclosure requirements and European privacy rules,” Privacy Laws & Business United Kingdom Report (May 2022)
- Quoted, “ICO Fines Clearview AI £7.5m for Collecting UK Citizens’ Data,” Infosecurity Magazine (May 23, 2022)
- Quoted, “New U.K. Privacy Regulator Plans Quick Action Against Privacy Violators,” The Wall Street Journal (April 11, 2022)
- Quoted, “Top court rules against data misuse,” Computing Security (April 7, 2022)
- Quoted, “Ongoing Saga Over Data Retention in Europe Likely to Continue, Says Senior Lawyer,” Computing Security (April 2022)
- Quoted, “New EU Data Transfer Pact Hinges on US Privacy Pledges,” Law360 (March 25, 2022)
- Quoted, “EU, US Agree On Data Transfer Tool to Replace Privacy Shield,” Law360 (March 25, 2022)
- Author, “TOPIC: The publication by the ICO of an enforcement order requiring the Ministry of Justice to respond to nearly 8,000 outstanding data subject access requests by the end of 2022,” Edward Fennell's Legal Diary (January 21, 2022)
- Quoted, “This week’s opinion for the UK Information Commissioner’s Office regarding data protection and privacy expectations for online advertising,” Edward Fennell's Legal Diary (December 17, 2021)
- Quoted, “ICO may fine Clearview AI Inc over £17 million,” Privacy Laws & Business (November 30, 2021)
- Author, “The ICO is right to push back against government meddling,” Computer Weekly (November 11, 2021)
- Quoted, “The UK and Europe may diverge on police facial recognition,” Tech Monitor (October 8, 2021)
- Co-author, “Cyber Trends and Investigations in Europe: A Practitioner’s Perspective,” The Guide to Cyber Investigations, second edition (2021)
- Co-author, “EU aims to rein in AI with proposed law,” IFLR (May 7, 2021)
- Quoted, “Irish data regulator under fire over dated software,” Financial Times (February 9, 2021)
- Quoted, “GDPR Fines Rise 40% Last Year, Research Shows,” Digital Privacy News (February 5, 2021)
- Quoted, “Sue Ireland over poor GDPR enforcement, MEPs say,” Global Data Review (February 4, 2021)
- Quoted, “First hint of UK-EU data divergence appears,” Global Data Review (January 22, 2021)
- Quoted, “European Consumer Groups Begin Suing Over Data Breaches,” Wall Street Journal (November 6, 2020)
- Quoted, “Post-Brexit Digital Economy at Risk After EU Court Ruling,” InfoSecurity Magazine (October 7, 2020)
- Quoted, “EU's top court blocks states from gathering user data for surveillance,” Financial Times (October 6, 2020)
- Quoted, “Class action filed against Marriott in High Court of England and Wales,” Privacy Laws & Business (August 19, 2020)
- Quoted, “British Airways and Marriott Expect Drastically Reduced Fines From U.K. Privacy Regulator,” Wall Street Journal (August 12, 2020)
- Quoted, “BA expects to pay just £20m for data breach,” The Telegraph (August 2, 2020)
- Co-author, “Schrems II: the data protection community reacts,” Global Data Review (July 17, 2020)
- Quoted, “Court Ruling Leaves Companies Scrambling for New Ways to Move Data From Europe to the U.S.,” Wall Street Journal (July 17, 2020)
- Co-author, “Cyber Trends and Investigations in the European Union: A Practitioner’s Perspective,” The Guide to Cyber Investigations, first edition (2019)
- Quoted, “Warnings over GDPR effect on compliance investigations,” Ignites Europe (May 13, 2019)
- Quoted, “GPEN Report Highlights Key Areas for Data Privacy Improvement,” The Cybersecurity Law Report (April 17, 2019)
- Co-author, “5 UK Privacy And Data Protection Predictions For 2019,” Law360 (February 25, 2019)
Disclaimer
Ropes & Gray International LLP is a limited liability partnership registered in Delaware, United States of America and is a recognised body regulated by the Solicitors Regulation Authority (with registered number 521000).
- LLB (Law), First Class, University of Liverpool, 2008
- LLM (Law), Merit, London School of Economics and Political Science, 2014
- LPC, Distinction, BPP University, London, 2015
Admissions / Qualifications
- England and Wales, Solicitor, 2017