On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW). As a result, the CJEU held that a provision under German law that permitted doctors to
Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group. Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker. Anna advises companies on European data protection law and helps clients coordinate international data protection law projects. She has obtained a certificate for "corporate data protection officer" by the German Association for Data Protection and Data Security ("Gesellschaft für Datenschutz und Datensicherheit e.V."). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP). Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area. Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.
On March 22, 2023, the European Commission published a proposal for Directive on common rules promoting the repair of goods (“Proposal”), which would grant consumers the right to request from producers the repair of products that under EU law are subject to “reparability requirements.” The Proposal’s aim is to encourage producers to develop more sustainable business models by ensuring that their products are reparable.
The European Parliament and Council are now considering the Proposal for adoption and may introduce amendments. Manufacturers should consider the impact of the Proposal on their products and suggest their amendments to Members of the European Parliament and Member States. If adopted, the Proposal’s requirements are not likely to apply in the different Member States before the end of 2026.
Contextual Background of the Proposal
The Proposal is intended to achieve the product sustainability and circularity objectives of the European Commission’s Circular Economy Action Plan of 2020, one of the main building blocks of the European Green Deal, that announced the Commission’s intention to introduce legislative initiatives aimed at “improving product durability, reusability, upgradability and reparability.” Other initiatives affecting the durability, reparability and reusability of appliances and other products include: (i) a proposal for Regulation on Ecodesign Requirements for Sustainable Products (“Proposed Sustainable Products Regulation”), which will replace the existing Ecodesign Directive 2009/125/EC; and (ii) a proposal for a Directive amending Directives 2005/29/EC and 2011/83/EU as regards Empowering Consumers for the Green Transition Through Better Protection Against Unfair Practices and Better Information (“Proposal for a Greenwashing Directive”).…
On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21). The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR. In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.
The CJEU rulings concerned DPOs who were employed at German companies and dismissed “for just cause” from their respective DPO positions due to conflicts of interest concerns. In one case, the DPO was simultaneously chair of the company’s works council. In the other case, there was a perceived incompatibility with the DPO’s other professional responsibilities at the company (which the judgment does not disclose). Importantly, the DPOs had not been dismissed because of the way they performed their duties and tasks as a DPO.
The term “just cause” is used in the German Civil Code to refer to situations where it cannot be reasonably expected for the employment contract to continue as normal, i.e., until the end of the notice period or until the agreed termination date, taking into account all the circumstances of the individual case and weighing the interests of both parties. This requirement goes beyond the provision in Article 38(3) GDPR, which provides that the DPO “shall not be dismissed or penalized by the controller or the processor for performing his tasks.”…
The European Parliament and Council are about to formally adopt a General Product Safety Regulation (“GPSR”), which will repeal and replace the General Product Safety Directive 2001/95 (“GPSD”)Just like the GPSD, the GPSR sets out the basic rules on the safety of products placed on, or made available in, the EU market and intended for, or likely to be used by, consumers. While the GPSR builds on the existing legal framework of the GPSD it introduces several changes and new requirements that aim to enhance the protection of consumer’s health and safety, and adapt its requirements to new technologies.
This blog post outlines 16 changes and new requirements that the GPSR introduces and that industry should carefully take into consideration.
Changes Introduced by the GPSR
The GPSR will introduce the following 16 changes:…
On December 28, 2022, the Spanish Data Protection Authority (“AEPD”) published a statement on the interplay between its recently approved Spanish code of conduct for the pharmaceutical industry and the European Federation of Pharmaceutical Industries and Associations’ (“EFPIA”) proposal for an EU code of conduct on clinical trials and pharmacovigilance. The statement relates specifically to…
On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market—the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:
- the planning, design, development, production, delivery and maintenance of PDEs;
- the prevention and handling of cyber vulnerabilities; and
- the provision of cybersecurity information to users of PDEs.
The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.
The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.…
On April 28, 2022, Covington convened experts across our practice groups for the Covington Robotics Forum, which explored recent developments and forecasts relevant to industries affected by robotics. Sam Jungyun Choi, Associate in Covington’s Technology Regulatory Group, and Anna Oberschelp, Associate in Covington’s Data Privacy & Cybersecurity Practice Group, discussed global regulatory trends that affect robotics, highlights of which are captured here. A recording of the forum is available here until May 31, 2022.
Trends on Regulating Artificial Intelligence
According to the Organization for Economic Cooperation and Development Artificial Intelligence Policy Observatory (“OECD”), since 2017, at least 60 countries have adopted some form of AI policy, a torrent of government activity that nearly matches the pace of modern AI adoption. Countries around the world are establishing governmental and intergovernmental strategies and initiatives to guide the development of AI. These AI initiatives include: (1) AI regulation or policy; (2) AI enablers (e.g., research and public awareness); and (3) financial support (e.g., procurement programs for AI R&D). The anticipated introduction of AI regulations raises concerns about looming challenges for international cooperation.…
The German Conference of Independent Supervisory Authorities (“DSK”) published on March 23, 2022 a statement on scientific research and data protection (see here, in German). The DSK published the statement in response to the German Government’s initiative on a general law on research data as part of its Open Data Strategy, announced…
On March 25, 2022, the EU Commission and US announced that an agreement in principle on a new framework for transatlantic data flows had been reached (see the Commission’s statement here, here, and here, and the US White House’s statement here). The Commission and the U.S. published draft factsheets outlining the…
On February 23, 2022, the European Commission published the draft EU Regulation on harmonized rules on fair access to and use of data, also referred to as the “Data Act” (available here). The Data Act is just the latest EU legislative initiative, sitting alongside the draft Data Governance Act, Digital Services Act, and Digital Markets Act, motivated by the EU’s vision to create a single market for data and to facilitate greater access to data.
Among other things, the proposed Regulation:
- grants “users” of connected “products” and “related services” – meaning a digital service incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions – offered in the EU rights to access and port to third parties the data generated through their use of these products and services (including both personal and non-personal data);
- requires manufacturers of these products and services to facilitate the exercise of these rights, including by designing them in such a way that any users – which may be natural and legal persons – can access the data they generate;
- requires parties with the right, obligation or ability to make available certain data (including through the Data Act itself) – so-called ”data holders” – to make available to users the data that the users themselves generate, upon request and “without undue delay, free of charge, and where applicable, continuously and in real-time”;
- requires data holders to enter into a contract with other third-party “data recipients” on data sharing terms that are fair, reasonable and non-discriminatory; relatedly, any compensation agreed between the parties must be “reasonable” and the basis for calculating the compensation transparent, with special rules set out for micro, small or medium-sized data recipients to facilitate their access to the data at reduced cost;
- authorizes public sector bodies and Union institutions, agencies or bodies to request access to the data in “exceptional need” situations;
- requires certain digital service providers, such as cloud and edge service providers, to implement safeguards that protect non-personal data from being accessed outside the EU where this would create a conflict with EU or Member State law;
- requires such data processing service providers to make it easy for the customers of such services to switch or port their data to third-party services; and
- imposes interoperability requirements on operators of “data spaces”.
As a next step, the Council of the EU and the European Parliament will analyze the draft Regulation, propose amendments and strive to reach a compromise text that both institutions can agree upon. Below, we discuss the key provisions of the Data Act in more detail.
Continue Reading European Commission Publishes Draft Data Act