Sue is a commercial lawyer with extensive experience advising clients regarding EU privacy regulations as well as life sciences and technology transactions. Sue is based in the UK, and her work is frequently international in nature. Sue is qualified in England & Wales and California, as well as being a Certified Information Privacy Professional/Europe. Start-ups to global companies seek her counsel on European data protection matters. For her life sciences clients, she helps structure large-scale drug development and marketing collaborations, licensing deals, spin-offs, and other agreements involving healthcare IT, consulting, R&D, manufacturing, and distribution arrangements.
Susan is qualified in England and Wales as well as California, and has experience practicing law in both the United States and the United Kingdom. She has been based in Mintz's London office since September 2007, and worked in the United Kingdom for another international law firm from 2001 to 2004. Susan is a Certified Information Privacy Professional/Europe (CIPP/E).
Susan works with clients primarily on European data protection compliance and licensing, collaborations, and commercial matters in the fields of clean tech, high tech, mobile media, and life sciences. She has represented a broad range of clients, from start-up companies to international industry leaders, and has significant experience with cross-border transactions.
Within the life sciences, Susan has assisted biotech, pharmaceutical, diagnostic, and medical device companies with licenses, collaborations, spin-offs, and agreements relating to consulting services, R&D, manufacturing, and distribution.
Within the high-tech and mobile media fields, Susan has advised clients on deals involving the sale and licensing of intellectual property rights; multi-tier distribution arrangements; OEM and value-added reseller arrangements; research, development, and consulting activities; and the provision and outsourcing of technology services. She has assisted mobile media and Internet services clients with service agreements and content licenses, including user-generated content and web-to-mobile deals.
Susan’s clean tech experience includes advising on a joint venture for the development and marketing of electric cars and various agreements relating to the development and sale of fuel cells.
She has spoken on data protection, open source software, European antitrust and technology transfer law, and other intellectual property and technology law issues at a number of webinars and conferences in the United States and the United Kingdom.
During law school, Susan was on the executive board for the Stanford Technology Law Review.
Education
- Stanford University (JD)
- Cornell University (PhD)
- Cornell University (MA)
- Princeton University (BA)
Recognition & Awards
- Phi Beta Kappa
Recent Insights
Viewpoints
New UK International Data Transfer Agreement and a New Approach to UK Data Transfers
February 7, 2022 |Alert
The New UK International Data Transfer Agreement Is Ready To Go From March 21, 2022
February 1, 2022 |Blog
News & Press
In an article published by Lexology, Mintz Member Susan L. Foster was quoted on how companies should assess their cybersecurity risk with the global increase in telework to slow the spread of COVID-19.
Mintz Member Susan L. Foster was quoted in an article published by Lexology on General Data Protection Regulation (GDPR) obligations for companies, particularly with respect to ongoing investigations or enforcement actions, as well as requirements for data sharing with other European Union data protection authorities during the coronavirus (COVID-19) pandemic.
Events
Sue Foster is a panelist on "Conducting a Data Protection Impact Assessment (DPIA): Best Practices" during the PrivSec Global conference. The panel will explore DPIAs in detail: When is a DPIA required? What are the steps to carry it out? How can you make the process efficient and effective?
Viewpoints
New UK International Data Transfer Agreement and a New Approach to UK Data Transfers
February 7, 2022 | Alert | By Susan Foster
This alert covers the UK’s new international data transfer agreement and the implications for parties that transfer or receive personal data from the United Kingdom.
Read more
The New UK International Data Transfer Agreement Is Ready To Go From March 21, 2022
February 1, 2022 | Blog | By Susan Foster
The UK Information Commissioner’s Office (ICO) has just published the final form of its much-anticipated new International Data Transfer Agreement (IDTA), along with a separate addendum to the EU SCCs (SCCs Addendum). The IDTA and the SCCs Addendum offer important alternative ways to ensure that UK personal data is adequately protected when exported from the UK. They have been laid before Parliament and, assuming there are no objections from MPs, will go into effect on March 21, 2022.
Read more
Personal Data Transfers: Bye-bye, old SCCs – don’t forget the September 27th deadline! And the new UK International Data Transfer Agreement is knocking at the door . . .
September 16, 2021 | Blog | By Susan Foster
Organizations that use the European Union’s Standard Contractual Clauses (SCCs) to govern their transfers of personal data from the European Economic Area (EEA) to other countries should have September 27, 2021 circled in red in their calendars (or the virtual equivalent).
Read more
News Roundup
August 27, 2021 | Blog | By Susan Foster
The United Kingdom has been busy in the past couple of weeks starting to chart its independent course on data protection and privacy matters. Here’s a quick round-up of the some interesting and important developments.
Read more
EU Data Protection Regulators Adopt Guidance on Personal Data Transfers
June 22, 2021 | Blog | By Susan Foster
Many organizations around the world – and particularly companies in the United States – are directly affected by the EU Court of Justice’s July 2020 Schrems II decision casting doubt on the lawfulness of transferring personal data from the EU to countries where national security laws might permit authorities to gain access to the personal data. (The Schrems II decision is discussed below; click here for a longer discussion of the case.) The European Data Protection Board (EDPB) has just published the final form of its guidance as to what it expects organizations to do to assess risks and bolster protections for transfers of personal data.
Read more
European Commission Adopts New Service Providers Standard Agreement (Controller-Processor SCCs)
June 8, 2021 | Blog | By Susan Foster
The new standard agreement for service providers (which we’ll refer to as the Controller-Processor SCCs) adopted by the European Commission on June 4th was understandably a bit overshadowed by the release on the same date of the Standard Contractual Clauses for data transfers. But the new Controller-Processor SCCs, which organizations can use with their service providers to meet their GDPR Article 28 obligations, is another welcome addition to the EU’s small but growing library of standard documents.
Read more
Transferring Personal Data from Europe – Working with the New Standard Contractual Clauses and Getting to Grips with Your Schrems II Assessment
June 4, 2021 | Advisory | By Susan Foster, Cynthia Larose
This alert covers the European Commission’s updated Standard Contractual Clauses (SCCs), the most commonly used legal mechanism for transferring personal data from the European Union to non-EEA countries
Read more
European Commission Adopts Final Version of New Data Transfer Agreement (SCCs)
June 4, 2021 | Blog | By Susan Foster
The European Commission has adopted (at long last) an updated version of the Standard Contractual Clauses (SCCs), bringing this popular data transfer mechanism in line with the GDPR – and, we hope, the Schrems II decision. The SCCs are the most commonly used legal mechanism for transferring personal data from the EEA to non-EEA countries (known as “third countries”), so the new SCCs are very big news for organizations that transfer or receive personal data from the EEA (that is, the European Union plus Norway, Iceland and Liechtenstein).
Read more
European Commission Publishes Draft Adequacy Decision for Transfers of Personal Data from the EU to the UK
February 19, 2021 | Blog | By Susan Foster
In a solid step forward for EU to UK personal data transfers, the European Commission has published its draft adequacy decision that will (if finally adopted) permit personal data to flow freely from the EU to the UK.
Read more
Webinar Recording: How to Assess US National Security Laws and Explain Them to Your EU Data Exporters: Satisfying the New Due Diligence Requirements After Schrems II
February 2, 2021 | Webinar | By Cynthia Larose, Susan Foster
Watch this webinar by Cynthia Larose and Susan Foster as they explore the key US national security laws that need to be taken into account, how to evaluate whether those laws potentially affect the personal data in question, potential risk mitigation measures, and how European data exporters and US data importers can work together to address these issues.
Read more
News & Press
COVID-19: Top Tips From Regulators on Cybersecurity
April 9, 2020
In an article published by Lexology, Mintz Member Susan L. Foster was quoted on how companies should assess their cybersecurity risk with the global increase in telework to slow the spread of COVID-19.
COVID-19 and GDPR Obligations for Companies
April 6, 2020
Mintz Member Susan L. Foster was quoted in an article published by Lexology on General Data Protection Regulation (GDPR) obligations for companies, particularly with respect to ongoing investigations or enforcement actions, as well as requirements for data sharing with other European Union data protection authorities during the coronavirus (COVID-19) pandemic.
Mintz Recognized by Chambers USA 2019
April 26, 2019
What To Watch As Privacy Shield Data Pact Scrutiny Heats Up
August 22, 2018
Member Sue Foster, part of the firm’s Privacy & Cybersecurity group, provides commentary in this feature article discussing the Privacy Shield data transfer mechanism which is facing a new, series test in the form of a second review from U.S. and European officials.
Is Trump Doing Enough To Keep This Major Privacy Agreement Alive?
October 23, 2017
Susan Foster, a Member in the Mintz London office, primarily works with clients on European data protection compliance and licensing in the fields of clean tech, high tech, mobile media, and life sciences.
Mintz advised biotechnology company BeiGene, Ltd. on a collaboration with Celgene Corporation to develop and commercialize BeiGene’s investigational anti-programmed cell death protein 1 inhibitor, BGB-A317.
EU's New E-Privacy Rules Expand Its Authority Over Tech Cos.
January 10, 2017
This Law360 feature article focuses on a draft of Regulation on Privacy and Electronic Communications that would impose stricter privacy rules on electronic communications to tech companies outside the traditional telecom space.
EU watchdogs temporarily green-light Privacy Shield
July 27, 2016
Member Susan Foster provides commentary in this Compliance Week article on how the European Union data protection authorities adopted a final version of the EU-U.S. Privacy Shield (WP29).
This article notes that Europe’s privacy regulators are backing the new EU-U.S. Privacy Shield data transfer deal. Authorities, according to the article, qualified that while they still carry some concerns about the framework, they will not challenge the Shield further for at least one year.
Brexit fallout spreads to privacy
July 3, 2016
Member Susan Foster provides commentary in this article on how though fears of global market fallout resulting from the Brexit vote have largely gone unrealized, companies handling personal data are now facing similar concerns with regards to privacy regulation.
Member Sue Foster, a Certified Information Privacy Professional, provides commentary in this Business Insider article discussing the potential Brexit vote and the potential impact this could have on the European technology industry.
Companies Await Fate of Data Sharing Deal
April 25, 2016
Member Sue Foster provides commentary in this The Hill article on the long-awaited Privacy Shield – a data-sharing deal between the United States and the European Union. The deal would allow tech companies to legally handle European citizens’ data.
US, EU Face Blowback on Data Deal
February 29, 2016
Member Susan Foster provides commentary in this article on the Privacy Shield agreement between the United States and the European Union.
Distrust of US Surveillance Threatens Data Deal
February 7, 2016
Member Susan Foster provides commentary in this article on how the transatlantic data exchange deal stands to be seriously threatened unless the U.S. “overhauls its national security laws.”
Tuesday Deadline Looms over US-EU Privacy Pact
January 29, 2016
Member Susan Foster is quoted in this article on the upcoming deadline for the transatlantic Privacy Shield agreement, which will ensure the viability of data transfers between the U.S. and the European Union.
EU Court Draws Fine Line for Employee Monitoring Programs
January 15, 2016
Member Susan Foster is quoted in this Law360 article on the importance for employers in the European Union to follow their surveillance policies and protocols carefully when monitoring their employees’ online activities.
Events
Panelist
Speaker
Jun
24
2021
PrivSec Global 2021
What Do The New Standard Contractual Clauses (SCCs) Mean for Data Transfers Post-Schrems II?
Speaker
Speaker
Jul
20
2020
Privacy Shield Shattered & the SCCs in Peril: Understanding the Schrems II Decision (and What to Do Next)
View the Webinar Recording
Speaker
Mar
30
2020
Coronavirus (COVID-19): Managing the Privacy & Cybersecurity Risks
View the Webinar Recording
Speaker
Speaker
Speaker
Speaker
Speaker
Speaker
Panelist
Speaker
Speaker
Speaker
Speaker
Speaker
Panelist
Speaker
Speaker
Speaker
May
8
2016
Speaker
Speaker
Speaker
Speaker