Vishnu Shankar

Vishnu represents clients in high-stakes EU and UK privacy and cybersecurity advisory, compliance, enforcement defense, crisis management, data breach and incident response, and litigation matters. The Legal 500 UK has noted that Vishnu has “excellent attention to detail, an amazing work ethic and tremendous research skills.” Vishnu is also a member of Morgan Lewis’s AI Task Force, Global Conflicts Task Force, and India initiative, where he serves as a strategic counsellor in a variety of industries.

Vishnu represents clients in multiple industries and sectors, including financial services (banking, payments, and fintech); life sciences, medical devices, and pharmaceuticals; transportation and travel; technology and telecommunications; retail and ecommerce; asset management and private equity; and sports, media, and entertainment. Notably, in private practice, he has defended clients in GDPR enforcement actions involving artificial intelligence and machine-learning (AI/ML) technologies in an EU member state.

As the ICO’s former head of Legal (Regulatory Enforcement) and a member of its legal leadership team, Vishnu helped drive certain of the ICO’s key investigations and enforcement actions involving the GDPR, the Privacy and Electronic Communications Regulations (PECR), and cybersecurity. Vishnu’s experiences, including with multi-regulator enforcement actions via the UK Digital Regulatory Cooperation Forum (DRCF), which brings together the ICO, CMA, OfCom, and FCA, and as a liaison with government and law enforcement agencies such as the UK NCSC and NCA, inform his practice.

He is regularly invited to speak at industry and academic conferences and provides commentary to the media about privacy, cybersecurity, AI/ML, and other technology regulatory law issues. Prior to joining the ICO, Vishnu practiced (including as a partner) for more than a decade at leading law firms in London, New York, and Dublin, where he focused on technology, data privacy, and cybersecurity law as well as intellectual property transactional matters.

EU/UK Data Protection and Digital Regulation Counseling

• Acting for airlines and transportation and online travel companies on complex GDPR, digital regulatory, and technology and IP issues
• Representing asset managers/private equity sponsors (including relating to nonperforming loans) in GDPR compliance and GDPR “parental liability” risk mitigation
• Representing consumer, apparel, and online retail brands with respect to GDPR, ePrivacy, electronic marketing, and technology regulatory matters
• Representing food industry platform on data scraping issues, including GDPR, EU/UK database rights, and associated criminal liability matters
• Acting for life sciences, Big Pharma, and innovative pharmaceutical companies on GDPR issues relating to clinical trials and “real world evidence” platforms
• Representing PRC-headquartered company in relation to complex privacy and cybersecurity matters relating to its payments apps and online marketplace
• Representing Silicon Valley technology company in relation to children’s privacy matters in an EU member state and public policy matters in relation to data protection law
• Representing Silicon Valley technology company in relation to product-level “privacy by design” GDPR advice relating to “Internet of Things” consumer devices
• Representing sports industry “wearables” and medical device manufacturer in product-level GDPR “privacy by design” matters
• Representing telecom giant in GDPR matters, including roaming telephony, connected vehicles and devices, “privacy by design,” and international data transfers
• Representing US trade association in relation to NIS and related European cybersecurity matters
• Representing video game company in online content takedown (relating to alleged data protection and IP infringements) on a “rapid reaction” basis

EU/UK Cybersecurity Incident Response and Remediation

• Representing asset manager in relation to a cybersecurity incident arising from an “advanced persistent threat” (state-sponsored threat actor)
• Leading global US-headquartered consumer retail company to update its global incident response plan to reflect ransomware threats
• Leading investment bank in remediating a complex cybersecurity incident involving both personal data and market sensitive information
• Leading medical device company on compromise of EU/UK health data and threatened litigation in EU member state and United Kingdom
• Representing operator of transport and travel IT platform that had been compromised by a ransomware attack on GDPR, sanctions, anti-money laundering, and terrorism financing issues
• Representing Silicon Valley technology giant in relation to cybersecurity vulnerabilities relating to its consumer device and third-party apps

EU/UK Regulatory Defense and Litigation

• Leading medical device company in relation to UK and EU member state data protection customer and data subject claims
• Leading medical device company on using the GDPR as a “sword” and a “shield” in discovery proceedings in multijurisdictional US litigation
• Representing prominent global delivery platform in high-profile AI/ML-related GDPR litigation arising in an EU member state
• Representing Silicon Valley technology company in relation to international data transfer–related litigation