On June 28, 2019, the German parliament (Bundestag) passed new legislation imposing several changes to the current German Federal Data Protection Act (“BDSG”). Although many of the changes addressed privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by increasing the threshold to designate a Data Protection Officer (“DPO”). Whereas currently companies have to designate a DPO if they constantly employ at least 10 employees who deal with the automated processing of personal data, the new legislation increases the minimum number of employees from 10 to 20, significantly decreasing the financial and administrative burden for small companies doing business in Germany. This article explains the changes, their impact, and what companies should do.
David Curtis is a member of Orrick's nationally-recognized Cyber, Privacy & Data Innovation practice.
David’s practice focuses on data privacy, cybersecurity, digital advertising, Internet law and consumer protection. David advises clients on data collection, storage, use, licensing and transfer issues. He also provides guidance on issues relating to the California Consumer Privacy Act of 2018 (CCPA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and other state and federal laws and self-regulatory frameworks. In addition, David has experience evaluating the applicability of European data protection requirements to U.S. companies.
Before joining Orrick, David was an associate at Ropes & Gray LLP and an adjunct professor at Harvard Law School, where he taught legal research, writing and analysis. David clerked for Justice Barbara Lenk of the Supreme Judicial Court of Massachusetts.
Posts by: David Curtis
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms.