1. Home
  2. |Professionals
  3. |Rita Heimes

Rita Heimes

Senior Counsel
Senior Counsel
cmhlaW1lc0Bjcm93ZWxsLmNvbQ==
VCard
VCard

Areas of Focus

Overview

Rita Heimes has devoted her career to addressing the legal issues arising from the relentless evolution of technology. Before joining Crowell, Rita served as General Counsel and Chief Privacy Officer at the International Association of Privacy Professionals (IAPP), the world’s largest privacy organization. That role gave her an insider’s view into the rapidly evolving landscape of privacy, cybersecurity, and AI regulations at the federal, state, and international levels, and front row access to the most pressing business-to-business (B2B) and business-to-consumer (B2C) privacy and data protection problems and solutions. She also managed organization-wide legal issues for IAPP in collaboration with senior executive team, including overseeing litigation and other disputes, risk management, international operations strategy, insurance portfolio, talent opportunities, terminations, and supporting the CEO with Board relations.

At Crowell, Rita supports clients across industries with risks and opportunities presented by emerging technologies and, more specifically, data. A senior counsel in Crowell’s Privacy and Cybersecurity Group, Rita assists organizations from start-ups to major technology companies to Tier One research institutions in navigating the various U.S. and global privacy and data protection laws. Her fluency with digital technology developments – from privacy to intellectual property to artificial intelligence (AI) regulation – equips her to guide clients successfully through complex data-related transactions and disputes. Over decades and myriad legal settings, Rita’s collaborative instincts and positive energy put clients and colleagues at ease while bringing cheerfulness to serious lawyering.

Rita has taught privacy law and policy at the University of Maine School of Law as a Senior Privacy Fellow and Adjunct Law Professor for the last 10 years. During her time at the law school, she developed the University’s acclaimed privacy program, including organizing and hosting the annual Information Privacy Summer Institute and conference. She also launched and grew one of the nation’s first intellectual property law school clinics in both patent and trademark law, supporting inventors and start-ups address a multitude of IP issues and worked with universities and non-profit research laboratories to develop collaborative tech transfer conversations and programs to support state economic development initiatives. Her extensive experience working with higher education and academia in innovation and economic development research and teaching roles, honed her skills as a connector, problem-solver, and issue spotter.

A native of Iowa, Rita’s legal career has spanned geography, skills, and subject matters, starting with a Ninth Circuit clerkship and developing through commercial litigation, IP acquisition and tech transactions, teaching and scholarship in multiple legal areas, and executive roles in higher education and business.

Career & Education

|

    • Drake University Law School, J.D., 1993
      Order of the Coif
    • University of Iowa, B.A., 1990
      Phi Beta Kappa
    • Drake University Law School, J.D., 1993
      Order of the Coif
    • University of Iowa, B.A., 1990
      Phi Beta Kappa

    • Maine
    • District of Columbia
    • Maine
    • District of Columbia

Rita's Insights

Client Alert | 6 min read | 03.11.25

Europe’s Highest Court Compels Disclosure of Automated Decision-Making “Procedures and Principles” In Data Access Request Case

On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a ruling about the requirements on data controllers to respond to data access requests regarding an automated decision-making system. In particular, the CJEU interpreted the meaning (under Article 15(1)(h) GDPR) of the phrase “meaningful information about the logic involved” in automated decision-making. Importantly, the ruling also separately addressed how to balance data access rights with the protection of the controller’s trade secrets, when the protection of trade secrets is invoked under Article 15(4) as a reason not to disclose a copy of personal data in an access request....

View All Insights

Representative Matters

  • Privacy, Data Protection, AI, and Cybersecurity

    • Developed and managed interdisciplinary privacy and data protection program for global non-profit (data inventory and mapping; global privacy law compliance; consumer-facing privacy statements and consent management; employee training; privacy and security policies; data protection impact assessments; international data transfers).
    • Drove time-sensitive responses (internally and with outside counsel) to European regulatory investigations relating to GDPR.
    • Investigated and managed multiple customer privacy complaints.
    • Developed guidelines for assessing risk and opportunity to incorporate AI tools into products, services and use of suppliers’ platforms.
    • Collaborated across disciplines on development of internal AI governance program.
    • Championed development of information security policies and program.
    • Managed security incidents at various levels of complexity, internally and in private practice.

  • General Counsel and Risk Management

    • Translated complex legal concerns into actionable decisions consistent with fast-growing and resource-constrained nonprofit with international business ambitions.
    • Worked directly with product owners, sales, marketing, and technology teams to guide business forward through complex commercial relationships with the world’s largest companies.
    • Assisted with purchase and sale of assets.
    • Selected, engaged and managed outside counsel on international corporate tax and compliance matters.

  • Technology transactions / IP acquisition, litigation, and licensing

    • Negotiated multi-year (e-filing) software agreements on behalf of the two New England states’ judicial systems.
    • Counseled children’s cancer research institute on IP and data sharing issues associated with international research collaboration
    • Created and supported several multi-stakeholder events addressing technology transfer by R1 universities and federally-funded research institutions in Maine.
    • Managed copyright and trademark portfolios; prepare licensing and cease-and-desist letters; co-counsel on significant IP litigation matters.

Rita's Insights

Client Alert | 6 min read | 03.11.25

Europe’s Highest Court Compels Disclosure of Automated Decision-Making “Procedures and Principles” In Data Access Request Case

On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a ruling about the requirements on data controllers to respond to data access requests regarding an automated decision-making system. In particular, the CJEU interpreted the meaning (under Article 15(1)(h) GDPR) of the phrase “meaningful information about the logic involved” in automated decision-making. Importantly, the ruling also separately addressed how to balance data access rights with the protection of the controller’s trade secrets, when the protection of trade secrets is invoked under Article 15(4) as a reason not to disclose a copy of personal data in an access request....

View All Insights

Insights

Client Alert | 6 min read | 03.11.25

Europe’s Highest Court Compels Disclosure of Automated Decision-Making “Procedures and Principles” In Data Access Request Case

Client Alert | 3 min read | 02.27.25

House Committee Seeks Comment on New Comprehensive Data Privacy and Security Framework

Client Alert | 7 min read | 02.19.25

Trump Administration Seeks Input from Public on National Artificial Intelligence Action Plan

Firm News | 4 min read | 02.11.25

Crowell & Moring Adds Former IAPP General Counsel Rita Heimes and Naspers Associate General Counsel Justin Weiss to Growing Privacy & Cybersecurity Group
|

View All Insights

Practices

Rita's Insights

Client Alert | 6 min read | 03.11.25

Europe’s Highest Court Compels Disclosure of Automated Decision-Making “Procedures and Principles” In Data Access Request Case

On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a ruling about the requirements on data controllers to respond to data access requests regarding an automated decision-making system. In particular, the CJEU interpreted the meaning (under Article 15(1)(h) GDPR) of the phrase “meaningful information about the logic involved” in automated decision-making. Importantly, the ruling also separately addressed how to balance data access rights with the protection of the controller’s trade secrets, when the protection of trade secrets is invoked under Article 15(4) as a reason not to disclose a copy of personal data in an access request....

View All Insights