On June 28, 2019, the German parliament (Bundestag) passed new legislation imposing several changes to the current German Federal Data Protection Act (“BDSG”). Although many of the changes addressed privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by increasing the threshold to designate a Data Protection Officer (“DPO”). Whereas currently companies have to designate a DPO if they constantly employ at least 10 employees who deal with the automated processing of personal data, the new legislation increases the minimum number of employees from 10 to 20, significantly decreasing the financial and administrative burden for small companies doing business in Germany. This article explains the changes and their impact and explains what companies should do.
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms. READ MORE
In November, the German Data Protection Conference (committee of the independent German federal and state data protection supervisory authorities) (“DSK”) published a guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally brings some light into the darkness of marketing under the GDPR. READ MORE
The Clarifying Lawful Overseas Use of Data (“CLOUD”) Act was enacted into law on March 23, 2018. The Act provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries – a key question in United States v. Microsoft Corporation, No. 17-2, a case argued before the Supreme Court on February 27. Both the government and Microsoft recently agreed that the closely watched case is now moot following the CLOUD Act. READ MORE
(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)
With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.
Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law. READ MORE
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new, complex, data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization. READ MORE
According to a press release of the Data Protection Supervisory Authority in the Land Mecklenburg Vorpommern of November 3, German supervisory authorities have randomly selected 500 companies in Germany and sent them requests for information on their international data transfers. The German supervisory authorities are undertaking this coordinated action in order to increase awareness among companies of the need to ensure data privacy compliance of international data transfers.
In the 1969 film Butch Cassidy and the Sundance Kid, after Butch and Sundance rob Union Pacific Railroad (“Union Pacific”) the first time, Union Pacific employs a stronger safe. After Butch and Sundance rob Union Pacific a second time, Union Pacific forgoes the safe and hires a posse of unrelenting gunmen, hell bent on capturing and/or killing the duo. The posse ultimately forces Butch and Sundance to flee to Bolivia—where they resume their bank-robbing antics. Ultimately, it takes the Bolivian army to stop them. In their case, albeit fictional, the active deterrent (the posse) was more effective at protecting Union Pacific’s money than the passive deterrent (the safe), in part, because Butch and Sundance were highly-motivated actors.
Data breach notification requirements are going global. By spring 2018, companies operating in the European Union must comply with the new General Data Protection Regulation’s (GDPR) data breach notification requirements and the Network and Information Security (NIS) Directive’s security incident notification requirements. Stricter and more far-reaching notification obligations underscore the importance of establishing a proactive Security Incident Response Policy to analyze potential legal obligations and prepare to respond to incidents long before they occur.
Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award winning blog Trust Anchor.
Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But, we don’t just report on these events, we highlight key takeaways and what these developments mean for you.