On June 28, 2019, the German parliament (Bundestag) passed new legislation imposing several changes to the current German Federal Data Protection Act (“BDSG”). Although many of the changes addressed privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by increasing the threshold to designate a Data Protection Officer (“DPO”). Whereas currently companies have to designate a DPO if they constantly employ at least 10 employees who deal with the automated processing of personal data, the new legislation increases the minimum number of employees from 10 to 20, significantly decreasing the financial and administrative burden for small companies doing business in Germany. This article explains the changes, their impact, and what companies should do.
Webinar (recording available) | June.25.2019
California was the first U.S. state to enact a sweeping new privacy law, known as the CCPA, with an effective date of January 2020. Nevada has now enacted a scaled-down version of the CCPA that is slated to take effect even sooner – as early as October 2019.
Today, Orrick announced the launch of our automated CCPA Readiness Assessment Tool which helps businesses globally determine whether they are covered by the California Consumer Privacy Act (CCPA) and, if yes, their readiness to comply with the new law that is revolutionizing the United States privacy landscape. This free tool is available to all organizations and takes 10-30 minutes to complete. It segments the CCPA into five workable themes and guides users through a series of dynamic questions relating to each theme. Upon completion of the questionnaire, the tool provides a free and comprehensive readiness assessment tailored to the business’s unique positioning and individual needs.
(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)
With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.
Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law.
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new, complex, data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization.
In this Corporate Counsel article, Orrick attorneys Renee Phillips and Shea Leitch discuss the emerging issue of cybersecurity whistleblowing. The authors discuss scenarios in which cybersecurity whistleblowers may step forward and how a company can best address complaints internally and mitigate the potential of regulatory scrutiny.
On July 5, 2016, the Ninth Circuit Court of Appeals issued its highly anticipated decision in the most recent chapter of United States v. Nosal, holding that an individual acts “without authorization” as used in the Computer Fraud and Abuse Act (“CFAA”) when, after his/her own access has been revoked, the individual utilizes legitimate log‑in information of another to access company databases. This decision has important consequences for organizations as they consider how to implement policy and technical controls on user access to ensure they are protected against unauthorized access under the CFAA.
Can employers look at the company email accounts of employees, such as when they do not show up to work? Can employers monitor employee Internet use during working hours? Can employers read employee emails if they use the company email account for personal purposes?
Companies face these and many more questions about employer-provided email accounts and Internet access every day. To give employers guidance on this, the German Data Protection Authorities (“DPAs”) published “privacy guidelines” about using email and the Internet at the workplace. These guidelines provide essential information, practical tips and helpful advice on this topic.
In this Law360 article, Orrick attorneys Renee Phillips, Aravind Swaminathan, and Shea Leitch explore the rise of the cybersecurity whistleblower. The article examines the DOJ’s investigation, prompted by a cybersecurity whistleblower, into whether Tiversa Holding Corp. provided false information to the Federal Trade Commission about data breaches at companies that declined to purchase its data protection services. The full article covers the growing trend of whistleblower-initiated regulatory investigations and what companies can do to protect themselves against this growing risk.