CJEU Clarifies Online “Order Buttons” Must Indicate that the Consumer is Assuming an Obligation to Pay
On May 30, 2024, the European Court of Justice (“CJEU”) ruled that any button a consumer uses to order a service online must clearly indicate that the consumer commits to pay the price for the relevant service by affirmatively clicking on it (Conny, Case C-400/22). At issue was whether…
Anna Oberschelp de Meneses
Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.
Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German.
Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.
She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).
Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.
Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.
NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents
Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, electronic communications service providers, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.
Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.
The IR is open for feedback via the Commission’s Have Your Say portal until July 25.
- Cybersecurity risk-management measures
The Annex to the draft IR sets out further detail on the cybersecurity risk-management measures referred to in Article 21(2) of NIS2 that covered entities must implement.
As a general matter, the IR states that relevant entities should take a proportionate approach to applying these measures, and implement alternatives that achieve the same purpose if a specific measure is unsuitable (e.g., if a particular covered entity is small).
EDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?
On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU. In particular, the report provides a snapshot of the findings of each supervisory authority…
EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?
On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR. For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated…
CJEU Holds That GDPR Right of Access Overrules Local Laws
On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW). As a result, the CJEU held that a provision under German…
European Commission Publishes Directive on the Right of Repair Proposal
On March 22, 2023, the European Commission published a proposal for a Directive on common rules promoting the repair of goods (“Proposal”), which would grant consumers the right to request from producers the repair of products that under EU law are subject to “reparability requirements.” The Proposal’s aim is to encourage producers to develop more sustainable business models by ensuring that their products are reparable.
The European Parliament and Council are now considering the Proposal for adoption and may introduce amendments. Manufacturers should consider the impact of the Proposal on their products and suggest their amendments to Members of the European Parliament and Member States. If adopted, the Proposal’s requirements are not likely to apply in the different Member States before the end of 2026.
Contextual Background of the Proposal
The Proposal is intended to achieve the product sustainability and circularity objectives of the European Commission’s Circular Economy Action Plan of 2020, one of the main building blocks of the European Green Deal, which announced the Commission’s intention to introduce legislative initiatives aimed at “improving product durability, reusability, upgradability and reparability.” Other initiatives affecting the durability, reparability and reusability of appliances and other products include: (i) a proposal for a Regulation on Ecodesign Requirements for Sustainable Products (“Proposed Sustainable Products Regulation”), which will replace the existing Ecodesign Directive 2009/125/EC; and (ii) a proposal for a Directive amending Directives 2005/29/EC and 2011/83/EU as regards Empowering Consumers for the Green Transition Through Better Protection Against Unfair Practices and Better Information (“Proposal for a Greenwashing Directive”).
Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest
On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21). The main question in both cases was whether Section 6(4) of the German DPL, which permits the dismissal of a DPO with “just cause”, is compatible with the GDPR. In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.
The CJEU rulings concerned DPOs who were employed at German companies and dismissed “for just cause” from their respective DPO positions due to conflicts of interest concerns. In one case, the DPO was simultaneously chair of the company’s works council. In the other case, there was a perceived incompatibility with the DPO’s other professional responsibilities at the company (which the judgment does not disclose). Importantly, the DPOs had not been dismissed because of the way they performed their duties and tasks as a DPO.
The term “just cause” is used in the German Civil Code to refer to situations where it cannot be reasonably expected for the employment contract to continue as normal, i.e., until the end of the notice period or until the agreed termination date, taking into account all the circumstances of the individual case and weighing the interests of both parties. This requirement goes beyond the provision in Article 38(3) GDPR, which provides that the DPO “shall not be dismissed or penalized by the controller or the processor for performing his tasks.”
Sixteen Changes of the Upcoming EU General Product Safety Regulation
The European Parliament and Council are about to formally adopt a General Product Safety Regulation (“GPSR”), which will repeal and replace the General Product Safety Directive 2001/95 (“GPSD”). Just like the GPSD, the GPSR sets out the basic rules on the safety of products placed on, or made available in, the EU market and intended for, or likely to be used by, consumers. While the GPSR builds on the existing legal framework of the GPSD, it introduces several changes and new requirements that aim to enhance the protection of consumers’ health and safety, and to adapt its requirements to new technologies.
This blog post outlines 16 changes and new requirements that the GPSR introduces and that industry should carefully take into consideration.
Changes Introduced by the GPSR
The GPSR will introduce the following 16 changes: …
The Spanish AEPD Publishes Statement on the Interplay Between its Code of Conduct for the Pharmaceutical Industry and the Potential EU Code of Conduct on Clinical Trials
On December 28, 2022, the Spanish Data Protection Authority (“AEPD”) published a statement on the interplay between its recently approved Spanish code of conduct for the pharmaceutical industry and the European Federation of Pharmaceutical Industries and Associations’ (“EFPIA”) proposal for an EU code of conduct on clinical trials and pharmacovigilance. …
EU Publishes Draft Cyber Resilience Act
On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market—the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:
- the planning, design, development, production, delivery and maintenance of PDEs;
- the prevention and handling of cyber vulnerabilities; and
- the provision of cybersecurity information to users of PDEs.
The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.
The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with the CRA’s requirements.