Kelly M. McMullon is special international labor, employment & data protection counsel in the Labor & Employment Law Department and member of the Firm’s International Labor & Employment, Privacy & Cybersecurity and Sports Groups. Kelly has been recommended in Legal 500 UK for her “responsiveness and practicality.”

Kelly assists clients in a variety of sectors including financial services, asset management, life sciences, fintech, consultancy, retail, sports, leisure and manufacturing in a wide range of contentious and non-contentious matters.

In her employment practice, she provides general day-to-day counselling and advice on all employment-related issues, including hires, terminations, grievances and redundancies, as well as the employment aspects of transactions.

In her data protection practice, Kelly provides strategic advice as well as practical support and guidance on all aspects of data protection compliance, including international transfers of personal data, data breaches, direct marketing and employee data protection concerns. She also provides advice on the data protection aspects of transactions.

Kelly also has experience working with businesses on CSR and ESG initiatives, human rights and modern slavery issues.

Kelly is a contributor to Proskauer’s International Labor and Employment Law and Proskauer on Privacy blogs and is the Editor for Proskauer on Privacy’s “International Data Privacy” chapter. She regularly provides training and speaks on employment and data protection issues.

Her pro bono experience includes counselling not-for-profit organizations on data privacy and employment-related issues.

A new legal mechanism to allow for transfers of personal data between the EU and the U.S. is now advancing after an October 7th, 2022 Executive Order was issued by U.S. President Biden (the “Executive Order”). The new mechanism is referred to as the EU-U.S. Data Privacy Framework.

The UK Supreme Court handed down its much-anticipated decision in the Lloyd v Google LLC [2021] UKSC 50 case on 10 November 2021, restricting claimants’ ability to bring data privacy class actions in the UK under the (now repealed) Data Protection Act 1998 (DPA 1998). This decision will be persuasive (though not binding) with respect to similar class actions brought under the (in-force) UK General Data Protection Regulation and the Data Protection Act 2018 (collectively, the UK GDPR). This decision will not directly impact litigation brought under the EU General Data Protection Regulation in EU member states.

The final version of the new standard contractual clauses (“SCCs”) was published by the European Commission on June 4, 2021. Many organizations that transfer or receive personal data originating in the European Economic Area (“EEA”) outside the EEA will be required to implement these SCCs with their customers, suppliers and affiliates by December 2022 to comply with the EU General Data Protection Regulation (“GDPR”). This is perhaps the most significant GDPR development since the passage of the GDPR. We had foreshadowed this impending development last week.

It has been reported that the European Commission will publish the final versions of new forms of Standard Contractual Clauses (“SCCs”) shortly (even potentially within the next few days). The Commission published draft versions of these SCCs and the implementing Commission Decisions in December 2020. These new SCCs are, arguably, the most significant development in European data protection law since the coming into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, which was three years ago this month. These new SCCs will replace prior versions of the SCCs, some of which date back to 2001 and pre-date the GDPR. We are closely monitoring developments in this area and will report on the new SCCs as soon as these are published. We expect the impact of these SCCs to be significant on organizations which are directly subject to the GDPR or which receive personal data from organizations that are subject to the GDPR.

This alert focuses on the ongoing and developing privacy issues that have arisen for employers and healthcare providers communicating about the 2019 novel coronavirus (COVID-19). Specifically, we will discuss the steps that employers and healthcare companies need to consider when communicating to their employees, the media and general public, and government officials when an individual has been diagnosed with the coronavirus or may have been exposed to the coronavirus.

With less than a month to go until the UK is due to leave the EU (at 11pm GMT/12pm CET on 29 March 2019), there is still much uncertainty as to whether, and if so how, the UK will exit the EU (commonly dubbed “Brexit”). In light of this uncertainty, we outline what will happen, and what should be considered, depending on how things play out, especially given the important votes due to take place within the UK Parliament this week.