About me
As a hybrid, who has degrees in both law and computing science and has benefited from pen testing training, I focused initially on data protection/privacy/cyber laws and other data and technology-related matters, including in the context of cloud computing (all flavours): EU/UK GDPR, ePrivacy, NIS, NIS2, etc. However, I'm fascinated by the legal issues thrown up by new or emerging technologies, and increasingly I've advised on AI/machine learning (including under the EU AI Act), and also on the broader regulation of technology, technology platforms and digital data, under developments like the EU P2B Regulation, Digital Markets Act, Digital Services Act, Data Act, and in the UK the Product Security and Telecommunications Infrastructure Act, Online Safety Act, and Digital Markets, Competition and Consumers Act.
Lawyers and scientists/technologists tend to take very different approaches to technology and tech law. Partly this is because of differences in mindsets/culture, and partly it's because unanticipated communications gaps may arise from their sometimes using the same words for different concepts, and different words for the same concepts. I'd very much like to help bridge that divide, and to encourage a multi-disciplinary, collaborative approach to both technology and law, including law-making: please now see my book on tech/security for lawyers/others. I'm also passionate about bridging the divide between theory and practice that can occur too often in law. An impossible task? - it might seem so, but one reviewer noted that my first solo book brought '...an unrivalled level of accessibility to the table, whereby explanations are technical enough to satisfy those in academia and practice, but also, are succinct enough to take it beyond the niche of specialists. It is a text which exerts a key quality often missed in books of this nature and it is refreshing to see that intellectual stimulation and practical accessibility are two compatible concepts which can coexist...' (Daniel Davenport, European Journal of Law & Technology (EJLT), Vol 10, No. 2, 2019).
Below my contact details please find my summary bio.
- Invited to join the DIFC Regulation 10 Advisory Committee ('autonomous systems', effectively AI), Feb 2025.
- My 2024 book on Technology and Security for Lawyers & Other Professionals: the Basics and Beyond (leaflet with more info) has been reviewed positively: please see Publications for links to and extracts from reviews.
- Mentioned in Legal 500's rankings for Data protection, privacy and cybersecurity, London, Nov 2022 as a 'crucial member' of Dentons' tier 1 team and as a key lawyer in that area; and as a key lawyer in its rankings for Artificial intelligence, London, Nov 2024 (Dentons tier 3) and in its Oct 2025 rankings). Client testimonial:
- 'Kuan Hon is clearly very knowledgeable about all things AI and developments in the space - both on a regulatory level but also on a technical level. This is hugely appreciated and she has been able to highlight and give examples of some of the common pitfalls with generative AI'.
- Previously mentioned in Legal 500's 2021 rankings for data protection, privacy and cybersecurity practice area in London, Sept 2021, as a key lawyer at Fieldfisher. Client testimonials:
- 'Kuan Hon is an outstanding lawyer, with a PhD-level of technical knowledge of the products and services that our company develops and sells'.
- 'Kuan Hon has provided a seasoned and
subject-matter
expert level of legal guidance'.
- Other client comments while working at Fieldfisher:
- 'Kuan is an extremely knowledgeable privacy lawyer. The advice she has provided to us has been very helpful and we have a great working relationship. We consider ourselves very fortunate to have a counsel like Kuan.' Large AsiaPac-headquartered technology group with global operations.
- 'Kuan Hon is extremely knowledgeable and always
very
helpful. In working with Kuan, we highly appreciate
her responsiveness
and pragmatic advice. Kuan always offers clear
guidance, which is well
explained and supported. It is a great pleasure to
work with Kuan, who
is our trusted and very reliable counsel for all
GDPR matters.' Large
North
American-headquartered industrial equipment group
with global operations.
- Shortlisted for the PICCASO Privacy Awards Europe 2023, in the Privacy Writer/Author category, Jul 2023.
- Guest lecturer for AI MSc students, Imperial College London, 2019-2023.
- Invited to join the All-Party Parliamentary Group (APPG) on Cyber Security and Business Resilience and the All-Party Parliamentary Group (APPG) on Digital ID, Apr 2023.
- Invited to give oral evidence to the UK's Intelligence and Security Committee of Parliament (ISC) for its inquiry into cloud technologies, Feb 2022.
- Appointed to the UK government's first International Data Transfer Expert Council, 2022-2025, whose report Towards a Sustainable, Multilateral, and Universal Solution for International Data Transfers was published in Nov 2023.
- Reached rank no. 7 in OWASP London's Capture the Flag (CTF) Nov 2021 event (ethical hacking challenge) - screenshot, with uncommon names or handles redacted!
- Letter: Amazon's spy agency deal should leave no clues in the cloud, published in the Financial Times, Nov 2021.
- Invited member, United Nations' (UN) Privacy Preserving Techniques Task Team and Legal Subgroup, 2020-2021.
- "...brought about legal change in Ireland through a single GDPR blog post..." [Feb 2021], at least according to the one and only Phil Lee!
- Answers to IT leaders' GDPR questions featured on the front page of Computing on Data Protection Day, Jan 2021.
- Invited peer reviewer for the 5th edition of Rosemary
Jay's
seminal book Data
Protection
Law and Practice, 2020.
- i100 volunteer (part-time) at the UK National Cyber Security Centre, 2019-2020.
- Volunteer (part-time) at the UK Information
Commissioner's
Office, 2018-2019.
- Invited presentation to the UK
Cabinet
Office on the EU NIS Directive / UK NIS
Regulations,
Nov 2018.
- Contributed to ENISA's
report
on Distributed Ledger Technology & Cybersecurity:
Improving information security in the financial sector,
Jan
2017.
- Invited by the Cloud Security Alliance to present a keynote at SecureCloud 2016, May 2016.
- Interviewed by BBC World News on the EU-US Privacy Shield, Apr 2016.
- Invited to join the judging panel for the UK Cloud Awards, Apr 2016.
- Invited by the British Computer Society's Information Risk Management & Assurance Group (IRMA) to speak on data protection law issues at its 50th anniversary conference, Nov 2015.
- Selected to participate in the UK Cyber Security Challenge's pen testing camp, Aug 2015 - photographic proof!
- Invited by ENISA to speak on data protection law aspects of cloud security, including the draft General Data Protection Regulation, at its cloud security conference, June 2015.
- Invited by CERN to present on cloud contracts, and also on the UK G-Cloud programme, May 2014.
- Yes, I did manage to take the Large Hadron Collider tour!
- Quoted in Mapping the cloud maturity curve - the fundamental five, a briefing paper for The Economist Intelligence Unit, Dec 2014.
- Invited by DC4420 (Defcon London) to speak on legal issues in cloud security, Oct 2012.
Contact details (or scan the QR code
Email: send email to my first initial only (not surname)
at
this domain name
Blog: https://blog.kuan0.com
LinkedIn: https://www.linkedin.com/in/wkhon
Twitter: @kuan0
(though I rarely tweet these days)
Mastodon: @[email protected]
Summary bio
- I am a data/tech regulation expert. I qualified as an English solicitor and (resigned in 2026) New York attorney; BA (Hons) in Law (Trinity College), MA (Hons), Cantab; LLM, University of Pennsylvania, USA; MSc in Computing Science, Imperial College London; LLM in Computer & Communications Law, Queen Mary University of London; joint law/computer sciencePhD, QMUL. My work as a senior technology lawyer with Pinsent Masons (Consultant Lawyer), Fieldfisher (Direector) then Dentons (Of Counsel) focused initially on data protection/security/information law (notably the General Data Protection Regulation, NIS Directive/Regulations, NIS2 Directive, ePrivacy, including international transfers & data localisation laws, and security/other privacy law breaches), and cloud computing legal issues (including cloud contracts/policies and compliance with data protection regulation). However, in recent years I have been advising far more on the regulation of AI/machine learning and, more broadly, the regulation of tech platforms/digital services.
- Formerly I was a banking/debt capital markets and corporate insolvency lawyer in the City of London, with both English and US law firms (Sidley Austin, Dentons, CMS and Slaughter and May).
- Editor, Sweet & Maxwell's Encyclopedia of Data Protection and Privacy, since Jan 2017.
- Member, DIFC Regulation 10 Advisory Committee, since Feb 2025.
- Member, All-Party Parliamentary Group (APPG) on Cyber Security and Business Resilience and the All-Party Parliamentary Group (APPG) on Digital ID, since Apr 2023.
- Other memberships: IAPP (International Association of Privacy Professionals); Tech Industry Forum (formerly Cloud Industry Forum), honorary lifetime professional membership awarded in Jan 2017 for my contributions to cloud computing law; OWASP (Open Web Application Security Project); SASIG (Security Awareness Special Interest Group); Internet Society; Data Protection Finance Group.
- During a break between jobs in Dec 2021 I took these courses... yes, a year before ChatGPT was released!: Google Cloud Big Data and Machine Learning Fundamentals, Reinforcement Learning: Qwik Start, Managing Machine Learning Projects with Google Cloud, Managing Security in Google Cloud, Security Best Practices in Google Cloud, Using Asylo to Protect Secret Data from an Attacker with Root Privileges, Essential Google Cloud Infrastructure: Foundation, Google Cloud Fundamentals: Core Infrastructure, Hands-On Labs in Google Cloud for Networking Engineers.
Previous roles
- Advisory Board member (formerly Media Board, then Editorial Advisory Board), Society for Computers & Law, 2012-2026.
- Of Counsel, Privacy & Cybersecurity team, Dentons in London, UK, 2022-2025.
- Member, UK government's first International Data Transfer Expert Council, 2022-2025; the Council's report Towards a Sustainable, Multilateral, and Universal Solution for International Data Transfers was published in Nov 2023.
- Guest lecturer, Imperial College London (Department of Computing), 2018-2021 for 2nd year undergraduates on law/GDPR; 2019-2023 for AI MSc students on law/GDPR in the AI context.
- Director,
Privacy, Security & Information Law, Fieldfisher,
2017-2021.
- Invited member, United Nations' (UN) Privacy Preserving Techniques Task Team and Legal Subgroup, 2020-2021: the updated version of The PET Guide, UN Guide on Privacy-Enhancing Technologies for Official Statistics was finally published in Jan 2023.
- i100 volunteer (part-time) with SC security clearance, UK National Cyber Security Centre, 2019-2020.
- Visiting scholar, Centre for Commercial Law Studies, Queen Mary University of London, 2019-2021.
- Invited to join the judging
panel for the UK
Cloud
Excellence Awards, 2019.
- Volunteer (part-time), Information Commissioner's Office, 2018-2019, working mainly on GDPR guidance.
- Fellow, Open Data Institute, 2017-2018.
- Invited external observer, Code of Conduct Task Force, CISPE (Cloud Infrastructure Providers in Europe), 2017-2018. CISPE's draft code was approved by the EDPB in May 2021, formally approved by CNIL in June 2021, and the first adhering IaaS providers (including Aruba, AWS (Amazon Web Services), Elogic, Leaseweb, Outscale and OVHCloud) announced in Feb 2022, with CNIL having accredited monitoring bodies EY Certifypoint B.V. in July 2021 and LNE and Bureau Veritas Italia Spa in Oct 2021.
- Comment: "It was really great to collaborate with you at a time where the European Commission was unable to understand what a #cloud infrastructure really is (and is not) to ensure proper data pretction through #GDPR. Your help was key to the success of the Cispe Data Protection Code of Conduct !"
- Adjunct research director, European Data Security & Privacy, IDC, 2017: press release, tweet (with photo!).
- Invited UK Cloud Awards judging panel member, 2016-2017.
- Consultant lawyer, Pinsent Masons, 2015-2017.
- Member of Information Privacy Expert Panel (IPEP), British Computer Society, 2015-2017.
- Invited EU PRISMACLOUD User Advisory Board member, 2015-2018.
- Senior researcher (2014-2016), Cloud Legal Project and Microsoft Cloud Computing Research Centre at the Centre for Commercial Law Studies (CCLS), Queen Mary University of London (where I was a research assistant 2010-2011 and research consultant 2011-2014, including research assistant for the A4Cloud Cloud Accountability Project during 2012-2014).
- Joint law and computer science PhD from Queen Mary University of London, entitled "Kill the Frankenrule! � the EU Personal Data Export Restriction and Cloud Computing", supervised by Prof Chris Reed and Assistant Professor Hamed Haddadi, and examined by Prof Chris Marsden and Dr Toktam Mahmoodi; passed without amendments in Oct 2015, certificate awarded in 2016.
- Cyber Scheme Associate, certificate awarded by Information Risk Management Ltd (IRM) and the Cyber Security Challenge UK following a 5-day penetration testing camp in Aug 2015.
- Ran the world's first cloud computing law university course as a module in the distance learning LLM in Computer and Communications Law at Queen Mary University of London, in Q1 2014; have presented on cloud computing and/or data protection law to LLM or MSc students at QMUL and elsewhere (see selected presentations).
- Participated in the UK G-Cloud programme's Commercial Workstream, in summer/autumn 2011.
- MSc in Computing Science from Imperial College London. My MSc dissertation was on "Digital privacy, and illustrating permission & attribute matching for preserving privacy using Drools & Java" (supervisor Prof John Darlington, then Director of the Imperial College Internet Centre - now London e-Science Centre).
- LLMs from University of Pennsylvania, USA, and (in Computer & Communications Law) Queen Mary University of London.
- Undergraduate law degree from Trinity College, Cambridge University, UK.
Tidbits
A few of the nice things that kind people have said about me or my work. See also the Presentations page for comments on some of my presentations.
I'm a high mezzo, and sing second soprano with choral and opera groups such as the BBC Symphony Chorus and London Symphony Chorus (see "Never to Forget", Howard Goodall's moving tribute to the first 122 UK health and care workers who lost their lives to Covid-19, and the beautifully assembled video of Mozart's Ave Verum Corpus involving LSC and other choirs - both works recorded by choir members and instrumentalists individually at home during lockdown). My zeniths were playing Annina in Verdi's La Traviata with Hampstead Garden Opera, Mother in HGO's Madame Butterfly, and (NODA review: "a joy to listen to") Bridesmaid duet in HGO's Marriage of Figaro, most of the Woman 1 numbers in Sondheim's Side by Side with All Star Productions, and Heidi Schiller in Sondheim's Follies with Imperial Productions. Two left feet and an inability to pick up choreographed dancing as quickly as it's demonstrated mean that I no longer attempt any musicals!
According to family lore, my surname in Chinese 韓, and a carbon copy of a handwritten book that my paternal grandfather took with him when he left China about a century ago, we're directly descended from Han Dynasty general Han Xin - a great military strategist, who was even a king for a year. I'm not sure how that's possible because, according to the public histories, when the empress ordered his execution his entire family was also executed - which unfortunately was not uncommon in those days. But if anyone has a copy of a similar book (sadly my father lost my grandfather's copy), or knows of any great escapes that weren't recorded in the public histories, I'd love to hear all about it! Apparently it was decreed that the names of his descendants should be added to the book over all future generations, male only unsurprisingly, and my brother's and male cousins' names were added to it, but not mine or my female cousins'. Supposedly there is a village of Hons/Hans somewhere in China where the original book is still maintained, again if anyone knows anything about the name of that village or about the original book, please let me know! Despite all that, English is my first, and effectively only, language. I could speak Mandarin, Cantonese and Hokkien from age 1, but since starting kindergarten at age 4, where everyone spoke just English, I gradually lost all my Chinese-speaking abilities. I remember very clearly waking up one day, when I was about 6 to 8 years old, and thinking: "Oh, I'm now dreaming in English!". Re-learning Mandarin someday is on my bucket list.>
This site is hosted via Google App Engine (just static files generally, deployed via the Google App Engine SDK for Python, with CloudFlare's CDN.
