Photo of Anna Oberschelp de Meneses

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for "corporate data protection officer" by the German Association for Data Protection and Data Security ("Gesellschaft für Datenschutz und Datensicherheit e.V."). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Contact:Read more about Anna Oberschelp de MenesesEmail

The EU Representative Actions Directive (“RAD”) was meant to have been transposed by all EU member states by December 25, 2022. However, the EU Commission announced on January 27, 2023, that only three out of the 27 EU member states have properly transposed the RAD into their national legislation as required, and that it will now start issuing formal notices to the remaining countries to transpose the RAD as soon as possible.

As reported in our previous blog post, the RAD aims to harmonize member state frameworks on collective actions (i.e., whereby multiple claimants may lodge a claim or claims as a group) across the EU. It sets minimum requirements with respect to collective actions on a wide range of topics, including data protection matters (see also our blog post on the implications of RAD for data protection infringements and our separate blog post on the Court of Justice of the EU’s interpretation of Article 80(2) GDPR on data protection-related collective actions). This blogpost provides an overview of the RAD and its implementation status by EU member states.

Continue Reading National Transposition of the EU Representative Actions Directive: What is the Current Status?

On February 20, 2023, the European Commission launched an initiative to further specify procedural aspects relating to the enforcement of the GDPR (“ procedural initiative”). The aim of the procedural initiative is to clarify the administrative procedure that applies in cross-border investigations and enforcement under the GDPR. These rules are expected to clarify and complement the existing rules on cooperation and dispute resolution under GDPR Articles 60 and 65.

This procedural initiative was announced in the Commission’s work program for 2023, and the text of the proposal is not yet available. The European Commission is expecting to publish a draft regulation on procedural rules relating to the enforcement of the GDPR in Q2 2023.

Continue Reading European Commission Plans to Improve Cooperation Between Supervisory Authorities in Cross-Border GDPR Cases

On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21).  The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR.  In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.

Continue Reading Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest

On December 9, 2022, the European Commissioner for Justice and Consumer Protection, Didier Reynders, announced that the European Commission will focus its next 2023 mandate on regulating dark patterns, alongside transparency in the online advertising market and cookie fatigue. As part of this mandate, the EU’s Consumer Protection Cooperation (“CPC”) Network, conducted a sweep of 399 retail websites and apps for dark patterns, and found that nearly 40% of online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.

In order to enforce these issues, the EU does not have a single legislation that regulates dark patterns, but there are multiple regulations that discuss dark patterns and that may be used as a tool to protect consumers from dark patterns. This includes the General Data Protection Regulation (“GDPR”), the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), and the Unfair Commercial Practices Directive (“UCPD”), as well as proposed regulations such as the AI Act and Data Act.

As a result, there are several regulations and guidelines that organizations must consider when assessing whether their practices may be deemed as a dark pattern. In this blog post, we will provide a snapshot of the current EU legislation that regulates dark patterns as well as upcoming legislative updates that will regulate dark patterns alongside the current legal framework.

Continue Reading The EU Stance on Dark Patterns

On January 18, 2023, the European Data Protection Board (“EDPB”) published a report setting out the common positions of the EDPB and EEA member state supervisory authorities (“SAs”) with respect to interpreting the EU rules applying to cookies. SAs will take these common positions into account when handling cookie complaints.

The report was drafted by the EDPB’s Cookie Banner Taskforce (“Taskforce”), which is composed of the EDPB and 18 SAs. However, the report does not have the same interpretative value as EDPB guidance. Moreover, SAs will not take into account the positions mentioned in the report in isolation – they will also take into account additional national requirements stemming from the national laws transposing the ePrivacy Directive and SAs’ national guidance.

Continue Reading EDPB Publishes Report of Cookie Banners Taskforce

On January 18, 2023, the European Data Protection Board (“EDPB”) published a report on the outcome of its investigation into the use of cloud-based services by the public sector.

The EDPB prepared the report as part of its first coordinated enforcement action under the Coordinated Enforcement Framework (“Framework”), a key part of the EDPB’s 2021-2023 strategy. The Framework facilitates coordinated actions between the EDPB and national data protection authorities to (i) share information and best practices on a topic related to data privacy, and (ii) provide recommendations to better support compliance with data protection laws. Through the Framework, the EDPB and national authorities investigate compliance with a specific data protection topic each year; in 2023, the EDPB will investigate the designation and role of data protection officers (“DPOs”).

This blog summarizes the main takeaways of the 2022 Coordinated Enforcement Action, and highlights its most relevant data privacy concerns.

Continue Reading EDPB Releases Outcome of its Investigation into the Use of Cloud-Based Services by the Public Sector

On December 1, 2022, a committee of the Brazilian Senate presented a report (currently available only in Portuguese) with research on the regulation of artificial intelligence (“AI”) and a draft AI law (see pages 15-58) (“Draft AI Law”) that will serve as the starting point for deliberations by the Senate on new AI legislation.  When preparing the 900+ page report and Draft AI Law, the Senate committee drew inspiration from earlier proposals for regulating AI in Brazil and its research into how OECD countries are regulating (or planning to regulate) in this area, as well as inputs received during a public hearing and in the form of written comments from stakeholders.  This blog posts highlights 13 key aspects of the Draft AI Law.

Continue Reading Brazil’s Senate Committee Publishes AI Report and Draft AI Law

At the beginning of a new year, we are looking ahead to five key technology trends in the EMEA region that are likely to impact businesses in 2023.

Continue Reading Top Five EMEA Technology Trends to Watch in 2023

The new EU-wide cyber law, Directive 2022/2555 (NIS2), entered into force on Monday, January 16, 2023. NIS2 builds on the original NIS Directive but significantly expands the categories of organizations that fall within the scope of the law, imposes new and more granular security and incident reporting rules, and creates a stricter enforcement regime. Member states now have until October 18, 2024 to transpose the new directive into their respective national laws.

The passage of NIS2 sets the stage for 2023 to be another big year for cybersecurity in Europe. We expect the global cyber threat landscape to remain challenging and the regulatory landscape to become even more complex due to a raft of new laws including the Cyber Resilience Act (which we covered here), the Critical Entities Resilience Directive (see our post here), the Digital Operational Resilience Act (DORA) (focused on financial services), and the UK’s ongoing reforms to its Network and Information Systems Regulations.

In this blog post, we summarize the key elements of NIS2 and describe what they will mean for your cybersecurity program this year.

Continue Reading New EU Cyber Law “NIS2” Enters Into Force

On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients.  The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”

Continue Reading Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient