Photo of Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for "corporate data protection officer" by the German Association for Data Protection and Data Security ("Gesellschaft für Datenschutz und Datensicherheit e.V."). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

On February 23, 2022, the European Commission published the draft EU Regulation on harmonized rules on fair access to and use of data, also referred to as the “Data Act” (available here).  The Data Act is just the latest EU legislative initiative, sitting alongside the draft Data Governance Act, Digital Services Act, and Digital Markets Act, motivated by the EU’s vision to create a single market for data and to facilitate greater access to data.

Among other things, the proposed Regulation:

  • grants “users” of connected “products” and “related services” – meaning a digital service incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions – offered in the EU rights to access and port to third parties the data generated through their use of these products and services (including both personal and non-personal data);
  • requires manufacturers of these products and services to facilitate the exercise of these rights, including by designing them in such a way that any users – which may be natural and legal persons – can access the data they generate;
  • requires parties with the right, obligation or ability to make available certain data (including through the Data Act itself) – so-called ”data holders” – to make available to users the data that the users themselves generate, upon request and “without undue delay, free of charge, and where applicable, continuously and in real-time”;
  • requires data holders to enter into a contract with other third-party “data recipients” on data sharing terms that are fair, reasonable and non-discriminatory; relatedly, any compensation agreed between the parties must be “reasonable” and the basis for calculating the compensation transparent, with special rules set out for micro, small or medium-sized data recipients to facilitate their access to the data at reduced cost;
  • authorizes public sector bodies and Union institutions, agencies or bodies to request access to the data in “exceptional need” situations;
  • requires certain digital service providers, such as cloud and edge service providers, to implement safeguards that protect non-personal data from being accessed outside the EU where this would create a conflict with EU or Member State law;
  • requires such data processing service providers to make it easy for the customers of such services to switch or port their data to third-party services; and
  • imposes interoperability requirements on operators of “data spaces”.

As a next step, the Council of the EU and the European Parliament will analyze the draft Regulation, propose amendments and strive to reach a compromise text that both institutions can agree upon.  Below, we discuss the key provisions of the Data Act in more detail.
Continue Reading European Commission Publishes Draft Data Act

On January 20, 2022, the European Parliament agreed amendments to the draft version of the Digital Services Act (“DSA”) that the Council agreed on November 25, 2021(see the European Parliament’s announcement here and agreed text here;  see our blog post about the Council’s draft here).  As a next step, the Parliament will discuss these

On January 5, 2022, the European Data Protection Supervisor (“EDPS”) issued a reprimand to the European Parliament for its offering of a website to its staff and members to schedule Covid-19 tests which violated the transparency and transfer provisions of Regulation (EU) 2018/1725 (“Regulation”).  In addition, the EDPS ordered the European Parliament to bring the

On December 22, 2021, the Austrian Supervisory Authority (“Authority”) found that an Austrian website that implemented the (free version of) Google analytics violated the GDPR’s rules on international data transfers (see here).

The Authority decided that the Standard Contractual Clauses, combined with the Austrian website operator’s supplementary measures to transfer personal data to Google

Consumer Law Developments

Over the past 5 years, the EU has launched several legislative initiatives aimed at revamping EU consumers protection laws.  One such initiative was the “New Deal for Consumers” adopted by the European Commission on April 11, 2018.  The New Deal for Consumers amends existing EU consumer legislation in order to, on the

On December 2, 2021, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) held that consumer protection associations may bring collective claims without a mandate for violations of the GDPR relying on national consumer law provisions (see here).  The words “without a mandate” mean that the organization is not

On November 26, 2021, the Court of Justice of the EU (“CJEU”) held in Case C-102/20 that the display of advertising messages in an electronic inbox in a form similar to that of an actual email constitutes direct marketing, and therefore is subject to EU Member States’ rules on direct marketing (see press release here

On November 25, 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (“DSA”) (see here and here) and the Digital Markets Act (“DMA”) (see here) bringing them one step closer to adoption.  The European Parliament will discuss the drafts on December 9 and plans to announce

According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation, which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):

  • Chapter III (End-Users’ Rights

On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea.  Once the Commission approves the decision, it will allow for personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.

The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR.  In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, in particular the GDPR.
Continue Reading EDPB Adopts Overall Favorable Opinion on European Commission’s Draft Adequacy Decision for South Korea