Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate as "corporate data protection officer" from the German Association for Data Protection and Data Security ("Gesellschaft für Datenschutz und Datensicherheit e.V."). She is also a Certified Information Privacy Professional Europe (CIPPE/EU), certified by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

On March 20, 2025, the Court of Justice of the European Union (“CJEU”) ruled on the fairness, under EU consumer protection law, of a contractual clause allocating a percentage of an athlete’s income to a professional services provider (Case C‑365/23 [Arce]).  This ruling sets an important precedent and strengthens the protection afforded by consumer protection law to minors who enter into professional service contracts, whether in sport or elsewhere.

Background

The case was referred to the CJEU by a Latvian court.  It concerns a contract whereby a company undertook to provide career support services – including coaching, training, sports medicine, sports psychology, career guidance, club contracts, marketing, legal services, and accounting – to a basketball player, who was a minor at the time and therefore represented by his parents.  In exchange for the company’s services, the athlete agreed to pay 10% of any net income (plus VAT) he would receive over a period of 15 years from the signing of the contract.  At the time of signing the contract, the athlete was not a professional.  Some years later, however, he became a professional athlete.  When the athlete refused to pay the percentage to the company, the company sued him to enforce the contract.  The Latvian courts asked the CJEU whether it could assess the fairness of this long-term financial commitment under the Latvian legislation implementing Directive 93/13/EEC on unfair terms in consumer contracts (“UCTD”).

Application of the Unfair Contract Terms Directive

Under the UCTD, a contractual clause in a business-to-consumer contract (not negotiated by the consumer) is unfair if it causes a significant imbalance in the parties’ rights and obligations under the contract, to the detriment of the consumer.  The CJEU ruled that the UCTD, as transposed into Latvian law, applies to the contract between the professional services provider and the athlete because the athlete was not yet engaged in professional sport at the time the contract was signed.  The status of “consumer” must be assessed at the time of the conclusion of the contract.  Consequently, the athlete was a “consumer” within the meaning of the UCTD.  The CJEU ruled that the UCTD applies even if the individual later embarks on a professional career.

Continue Reading CJEU Rules on Fairness of Remuneration Clause in Sports Contract

On March 21, 2025, the European Commission announced that the Consumer Protection Cooperation Network (“CPC-N”) had initiated enforcement proceedings against an online gaming company, for allegedly violating EU consumer protection laws and engaging in practices that could pose a particular risk to children.  The gaming company now has one month

Continue Reading Consumer Watchdogs Turn Their Attention to the Online Gaming Industry

On October 3, 2024, the European Commission published a report evaluating the effectiveness of existing EU consumer protection laws in protecting consumers in the digital space.  More specifically, the report assesses the effectiveness of the following three consumer protection laws: (i) the Unfair Commercial Practices Directive (“UCPD”); (ii) the Consumer

Continue Reading EU Commission Publishes Report Assessing EU Consumer Laws and Paves Way for New and Stronger EU Consumer Law for the Digital Space

Now that the EU Artificial Intelligence Act (“AI Act”) has entered into force, the EU institutions are turning their attention to the proposal for a directive on adapting non-contractual civil liability rules to artificial intelligence (the so-called “AI Liability Directive”).  Although the EU Parliament and the Council informally agreed on the text of the proposal in December 2023 (see our previous blog posts here and here), the text of the proposal is expected to change based on a complementary impact assessment published by the European Parliamentary Research Service on September 19.

Brief Overview of the AI Liability Directive

The AI Liability Directive was proposed to establish harmonised rules in fault-based claims (e.g., negligence).  These were to cover the disclosure of evidence on high-risk artificial intelligence (“AI”) systems and the burden of proof including, in certain circumstances, a rebuttable presumption of causation between the fault of the defendant (i.e., the provider or deployer of an AI system) and the output produced by the AI system or the failure of the AI system to produce an output.

Potential Changes to the AI Liability Directive

In July, news reports leaked a slightly amended version of the European Commission’s AI Liability Directive proposal to align the wording with the adopted AI Act (Council document ST 12523 2024 INIT).  The amendments reflect the difference in numbering between the proposed AI Act and the enacted version.

Over the summer, the EU Parliamentary Research Service carried out a complementary impact assessment to evaluate whether the AI Liability Directive should remain on the EU’s list of priorities.  In particular, the new assessment was to determine whether the AI Liability Directive is still needed in light of the proposal for a new Product Liability Directive (see our blog post here).

Continue Reading The EU Considers Changing the EU AI Liability Directive into a Software Liability Regulation

On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission

Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR

On August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses (the “Regulation”).  The Regulation implements the international data transfer framework under the Brazilian General Data Protection Law (“LGPD”).

Under the LGPD, international data transfers from Brazil to a third country are permitted if: (i) the ANPD recognizes the third country as providing adequate protection for personal data; (ii) the data exporter and data importer enter into standard contractual clauses (“SCCs”), binding corporate rules, or special contractual clauses; or (iii) one of the specific cases listed in the LGPD applies (e.g., the transfer is necessary to protect the life of the data subject, the data subject consents to the transfer, or the ANPD authorizes the transfer).  The Regulation relates to the data transfer instruments mentioned in (i) and (ii).

Standard Contractual Clauses

The Regulation approves and publishes SCCs for the transfer of personal data outside of Brazil without ANPD’s authorization.  The SCCs cover both controller-to-controller and controller-to-processor international data transfers.  Like the EU SCCs, they are contracts signed between the data exporter (in Brazil) and the data importer (in a third country).  The parties may not modify them.  The ANPD may allow the transfer of personal data outside of Brazil on the basis of “equivalent SCCs” adopted by third countries, provided that they are compatible with the LGPD.  The ANPD has not (yet) indicated that it would recognize the EU SCCs as equivalent.

Brazilian controllers that use contractual clauses to transfer personal data internationally must replace those contracts with the newly published SCCs by August 22, 2025.

Continue Reading Brazil Issues New Regulation on International Data Transfers

On May 30, 2024, the European Court of Justice (“CJEU”) ruled that any button a consumer uses to order a service online must clearly indicate that the consumer commits to pay the price for the relevant service by affirmatively clicking on it (Conny Case C-400/22).  At issue was whether

Continue Reading CJEU Clarifies Online “Order Buttons” Must Indicate that the Consumer is Assuming an Obligation to Pay

Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, electronic communications service providers, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.

Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.

The IR is open for feedback via the Commission’s Have Your Say portal until July 25.

  1. Cybersecurity risk-management measures

The Annex to the draft IR sets out further detail on the cybersecurity risk-management measures referred to in Article 21(2) of NIS2 that covered entities must implement.

As a general matter, the IR states that relevant entities should take a proportionate approach to applying these measures, and implement alternatives that achieve the same purpose if a specific measure is unsuitable (e.g., if a particular covered entity is small).

Continue Reading NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents

On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU.  In particular, the report provides a snapshot of the findings of each supervisory authority

Continue Reading EDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?