Careers

Diversity

With 18 offices, from New York to Los Angeles and Seattle to Orlando, we live and work in communities all over the U.S., collaborating across locations, disciplines and even borders. Our experienced, highly ranked lawyers serve businesses wherever they are and wherever they want to go.

Offices

About Us

Pages

Professionals

Thought leadership: blogs, podcasts, videos, publications, events and news

Insights

Practices & Industries

Pro Bono

Am Law 100 firm with practices in Business, Digital Assets and Data Management, Intellectual Property, Labor & Employment, Litigation and Tax.

Home | BakerHostetler

IP Intelligence Report

All Roads to IPR & PGR Institution Now Run Through the USPTO Director

BakerHostetler Garners Mid-Market Deal of the Year at TMT Finance Awards USA 2025 for CleanArc Data Centers Transaction

Data Counsel

California AB-2426: The Ephemeral Nature of In-Game Assets

BakerHostetler Deals Chosen as Finalists for 24th Annual M&A Advisor Awards

BakerHostetler’s Digital Assets and Data Management Group works with clients to manage their data seamlessly throughout the data life cycle. Our teams regularly provide compliance counseling, develop data protection programs and design risk mitigation strategies to help businesses manage international data protection obligations. Leveraging existing business practices and internal processes, we take a pragmatic, holistic and results-oriented approach to meeting data protection compliance challenges. Clients value our experience, practical advice, budget consciousness and local counsel relationships when it comes to achieving their global data protection compliance aims.

core/paragraph

Whether your business is looking to comply with new or changing laws, expand into new countries or harmonize privacy compliance across multiple jurisdictions, we can help. Our team collaborates with clients to both design comprehensive data protection programs and adapt legacy privacy compliance. We also review established data protection programs to identify gaps and risks, including those related to business growth, evolving regulatory guidance, innovative uses of personal data and artificial intelligence (AI) integrations. In addition, we can help your business effectively react to consumer complaints, regulatory inquiries and security incidents spanning multiple jurisdictions.

core/heading

core/list-item

Policies, Procedures and Documentation

Agreements, Contracts and Transactions

Security Incident and Regulatory Response

core/list

Multijurisdictional Data Protection Compliance

Global business means compliance with non-U.S. data protection rules – either directly or as a result of contractual commitments. Working with overseas vendors or partners, engaging foreign employees and serving foreign customers or clients all require a clear strategy to manage compliance obligations. BakerHostetler’s Privacy Governance and Technology Transactions team guides businesses through thorny global privacy landscapes, identifying legal obligations associated with different types and uses of personal data and advising on risk-based controls.

We are adept at navigating conflicting compliance obligations across jurisdictions, strengthening existing data protection programs to align with new or evolving regulations and facilitating international expansion. Our team creates and supports the implementation of comprehensive global privacy policies and procedures. We maintain long-term relationships with respected foreign law firms to provide our clients with jurisdiction-specific legal experience.

Counseled multinational media and advertising brands on the compliant use of tracking technologies, including data sharing, adtech vendor contracting and development of cookie banners and notices.

Counseled a major Chinese mobile app developer on privacy issues associated with global rollout, including development of an internal data protection program and advice on jurisdictional concerns related to data storage and access.

Advised a global food manufacturer and retailer on AI policy and procedures in conjunction with planned third-party AI use and internal AI development, supporting relevant contract negotiations and partnership planning.

Developed and coordinated data protection impact assessment (DPIA) program for a multinational retailer, working with business stakeholders and the in-house legal team on risk analysis conclusions and mitigation measures.

Worked with a multinational sporting goods company and a large multinational technology company to update data subject request procedures after regulatory inquiries, aiming to streamline intake, fulfillment and response processes and to implement enhanced options for self-service deletion and access (DSAR) requests.

Advised an international manufacturing conglomerate on the revision of a global employee privacy policy covering dozens of countries, including engaging with foreign local counsel to address labor law issues and emerging data protection legislation.

Aided a private-sector government cybersecurity contractor with assessing potential exposure to foreign data protection laws and associated compliance requirements, including with respect to personal data acquired from foreign governments.

Data Sharing, Transfer and Localization Requirements

Cross-border data uses involve complexity regardless of direction. Data transfers to the U. S. face a maze of international restrictions and ongoing scrutiny. At the same time, U.S. regulators are increasingly regulating data exports. Our Privacy Governance and Technology Transactions team routinely helps businesses manage data sharing and cross-border personal data transfers with confidence. With extensive experience advising on data use strategies, sharing arrangements and data brokerage, we support business growth and expansion objectives.

Our team works with businesses to evaluate global data flows and organizational practices to guide compliance with international data transfer restrictions and localization requirements. We implement cross-border transfer mechanisms, such as standard contractual clauses and the EU-U.S. Data Privacy Framework, and advise on compliance with U.S. data transaction restrictions, including the Department of Justice’s (DOJ) Data Security Program. We regularly draft and negotiate multi-jurisdictional data processing agreements, conduct transfer impact assessments and advise on vendor due diligence to help safeguard third-party sharing arrangements and onward transfers. We also counsel clients on handling requests for personal data by public authorities and for use in U.S. legal proceedings.

Advised a multinational consultancy on developing data protection provisions for client service agreements, including risk-specific security measures tailored to address varying data risk profiles.

Created situation-specific versions of data processing and transfer agreements along with drafting instructions and negotiation guidance for a Fortune 20 healthcare services company, allowing in-house management of complex vendor contracting.

Worked with several global insurance companies to develop and execute strategic data sharing and licensing initiatives.

Negotiated complex services agreements with a large financial services firm and a global consultancy to enable ongoing use of AI initiatives in service offerings.

Counseled a global hospitality company on subcontractor risk, due diligence and onward data transfer agreements.

Advised a multinational data broker on personal data transfer safeguards to protect data produced in U.S. litigation and in response to regulatory inquiries.

Evaluated and documented a global insurance company’s cross-border data transfer assessments and created policies for responding to public authority requests.

Worldwide Data Security Incidents and Regulatory Response

Global businesses facing data security incidents must quickly address legal requirements across multiple jurisdictions, often within days of becoming aware of the incident. Our Digital Risk Advisory and Cybersecurity team brings unrivaled breach response experience, managing considerably more than 1,000 data security incidents annually, many involving non-U.S. personal data. Our team is uniquely positioned to help companies navigate complex global data incidents. We deliver end-to-end support, from proactive digital risk consulting or first client data breach outreach through regulatory inquiry and privacy litigation resolution.

We serve as your single, coordinated point of contact for managing global data security incidents, balancing international response efforts with U.S. litigation and regulatory risk to support your business’s swift return to normal. Proactively, we advise on legal obligations and regulatory risks under international data protection laws and develop tailored incident response strategies. In the event of a data security incident, clients can depend on our 24-hour hotline and skillful guidance to provide immediate and effective support from the outset. We leverage our extensive international experience and comprehensive local counsel network to efficiently optimize jurisdiction-specific notification processes. Additionally, our experience interacting with foreign regulators lets us effectively help our clients respond to data protection regulatory inquiries.

Managed simultaneous regulatory notifications across every EU Member State following a personal data breach involving an e-commerce website.

Handled global notification and regulatory response efforts worldwide for a vendor incident involving a cryptocurrency exchange.

Advised a global data analytics company on European lead supervisory authority designation and responded to inquiries challenging the designation.

Determined no notification was required for a worldwide security incident following a comprehensive assessment of international data protection laws, including a review of applicability, personal data breach notification triggers and data elements involved.

Assisted a food delivery platform in its data breach response, including addressing repeated foreign regulatory inquiries.

Supported several popular websites regarding regulatory response in the UK during the data protection authority’s cookie compliance sweeps.

Coordinated with foreign local counsel to plan and execute a global data breach notification strategy for a multinational hospitality company.

contentpilot/expand-more

Andreas T. Kaltsounis

Melinda L. McLellan

Nichole L. Sterling

Seattle

Partner

New York

CFTC Issues Foreign Board of Trade Advisory to Provide Regulatory Clarity for Crypto Asset Trading on Non-US Exchanges

The Data Stream

The Data Stream – Episode 1 with Ted Kobus

Paul Karlsgodt Presents Data Privacy Class Actions Updates at 2025 European Class Actions Forum

Australia’s New Ransomware Payment Reporting Law Takes Effect, Covering Both Critical Infrastructure and Other Entities

AI Audit Best Practices for Building User and Global Trust

Paul Karlsgodt Attends The Perfect Law: Global Class Actions and Mass Torts Conference, Chairs Panel

DOJ Implements Bulk Personal Data Transfer Restrictions

BakerHostetler launches 2025 Data Security Incident Response Report

Year-End Review – Data Privacy Insights to Take into 2025

DSIR Deeper Dive – The Worst Cookie Recipe

Nichole Sterling Speaks at ABA International Law Section Fall Conference

IAPP’s DACH and Luxembourg Joint KnowledgeNet: More Zombie Technologies in Time for Halloween!

James Sherer Presents at In-Person DACH and Luxembourg Joint KnowledgeNet

ADventures in Law

The Great British Infant Formula? Or Does the Made in USA Standard Apply to European Imports?

Dark Patterns Go International: FTC and International Consumer Protection Networks Conduct Sweep of ‘Deceptive Design Practices’ Related to Subscription Services, Privacy

Global Data Protection

Insights and News

Featured Insights

Related Services

Insights and News

Featured Insights