On May 30, 2024, the European Court of Justice (“CJEU”) ruled that any button a consumer uses to order a service online must clearly indicate that the consumer commits to pay the price for the relevant service by affirmatively clicking on it. (Conny Case C-400/22) At issue was whether this requirement applies in cases where the consumer’s obligation to pay the trader is subject to the trader meeting a specific condition specified in the contract. The CJEU confirmed that the rule applies in such cases.Continue Reading CJEU Clarifies Online “Order Buttons” Must Indicate that the Consumer is Assuming an Obligation to Pay
Anna Oberschelp de Meneses
Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.
Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.
Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.
She has obtained a certificate for "corporate data protection officer" by the German Association for Data Protection and Data Security ("Gesellschaft für Datenschutz und Datensicherheit e.V."). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).
Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.
Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.
NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents
Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.
Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.
The IR is open for feedback via the Commission’s Have Your Say portal until July 25.Continue Reading NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents
EDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?
On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU. In particular, the report provides a snapshot of the findings of each supervisory authority (“SA”) on the role of DPOs, with a particular focus on (i) the challenges DPOs face and (ii) recommendations to mitigate and address these obstacles in light of the GDPR. This blog post summarizes the key findings of the EDPB’s 2023 CEF report.Continue Reading EDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?
German Government Proposes to Amend Federal Data Protection Act
On February 7, 2024, the German Federal Cabinet approved a draft law (“the Draft Law”) amending the Federal Data Protection Act (“BDSG”). The Draft Law will now go to the Bundesrat (the legislative body that represents the sixteen Länder (federated states) of Germany at the federal level ) for its opinion and then to the Bundestag (the federal parliament) for discussion and, potentially, adoption.Continue Reading German Government Proposes to Amend Federal Data Protection Act
The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data
On March 14, 2024, the Court of Justice of the EU (“CJEU”) ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure. (Case C‑46/23)Continue Reading The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data
The Cyber Resilience Act is One Step Closer to Becoming Law
Yesterday, the European Parliament approved the Cyber Resilience Act (“CRA”), which sets out cybersecurity requirements for “products with digital elements” (“PDEs”) placed on the EU market. The term PDE is defined broadly to include both hardware and software products, such as antivirus software, VPNs, smart home devices, connected toys, and wearables. The approved text is available here.Continue Reading The Cyber Resilience Act is One Step Closer to Becoming Law
EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?
On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR. For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated enforcement.
In 2023, regulators focused upon data protection officers’ designation and role. And, on January 17, 2024, the EDPB published its report providing an overview of the actions SAs took in the context of the 2023 action. This blog post provides an overview of what you can expect from the coordinated enforcement action in 2024, based on the lessons learned from 2023.Continue Reading EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?
EU Data Act Regulates Business-to-Business Contracts Relating to Access and Use of Data
While the EU Directive on Unfair Terms in Consumer Contracts prohibits certain clauses in standard (i.e., unilaterally imposed) contracts between businesses and consumers, some recently enacted EU laws restrict the use of certain clauses in standard contracts between businesses (“B2B”). The Data Act is the latest example of such a law, as it prohibits certain “unfair contractual terms” (“Unfair Clauses”) in standard contracts between businesses relating to the access and use of data. As such, it has a potentially very wide scope. Businesses entering into such a contract should therefore ensure that they do not include any clause that could be considered “unfair” because such a clause would not be binding on the other party to the contract. This blog post focuses specifically on the Data Act’s provision on Unfair Clauses. For more information on the Data Act, see our previous blog post.Continue Reading EU Data Act Regulates Business-to-Business Contracts Relating to Access and Use of Data
Rules on Targeted Advertising: What do the Digital Markets Act and Digital Services Act Say?
2023 was marked by the adoption of key EU legislation in the field of data privacy, such as the Digital Services Act (“DSA”) and Digital Markets Act (“DMA”). Both introduce limitations and obligations on online platforms that process personal data for digital advertising. Ahead of the DSA and DMA’s implementation deadlines in February and March 2024 respectively, we will discuss below the key requirements they introduce specifically in relation to online targeted advertising. This blog post complements our previous blog post on the EU’s targeted advertising rules.Continue Reading Rules on Targeted Advertising: What do the Digital Markets Act and Digital Services Act Say?
EU Rules Restricting the International Transfers of Non-Personal Data
While the EU GDPR regulates the international transfer of personal data, several recently enacted EU laws regulate the international transfer of non-personal data, which is any data that is not “personal data” under the GDPR. In other words, these new laws apply to data that does not relate to an identified or identifiable natural person, including anonymized data and data about industrial equipment, significantly expanding the types of data subject to international transfer restrictions. Some of this legislation has been enacted recently, and other legislation on this topic is making its way through the legislative process but has yet to be adopted. In this blog post, we outline the current and forthcoming EU legislation on the international transfer of non-personal data.Continue Reading EU Rules Restricting the International Transfers of Non-Personal Data