Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe's digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act, the European Health Data Space, and EU consumer protection law, including product safety, product liability, and consumer rights legislation. She focuses on the operational side of compliance — helping clients design policies and processes, draft documentation, and build the internal frameworks needed to meet regulatory requirements in practice.

She also advises on contentious matters, drawing on experience managing investigations before national regulators and proceedings before national courts and the Court of Justice of the European Union. She works closely with Covington's disputes teams on matters at the intersection of regulatory compliance and litigation.

Follow:

French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm

By Dan Cooper, Kristof Van Quathem & Anna Sophia Oberschelp de Meneses on December 21, 2025

Posted in Advertising, EU Law and Regulatory, GDPR, Privacy

On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.

The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.

European Commission Announces 2030 Consumer Policy Strategy

By Anna Sophia Oberschelp de Meneses, Jane Pinho, Cándido García Molyneux & Dan Cooper on December 5, 2025

Posted in Consumer, EU Law and Regulatory, Privacy

On November 19, 2025, the European Commission unveiled its 2030 Consumer Agenda, setting out priorities for EU consumer policy over the next five years. Below is an overview of the six key measures most relevant to industry.

Help Shape the Future of EU Product Compliance: Participate in the Public Consultations

By Anna Sophia Oberschelp de Meneses, Lasse Luecke & Cándido García Molyneux on December 4, 2025

Posted in Consumer, product safety

On November 12, 2025, the European Commission launched two public consultations that could significantly reshape EU product compliance rules. To participate, stakeholders – including businesses, consumer groups, and industry associations – are invited to complete the Commission’s online questionnaires, available until February 4, 2026.

EDPB to Focus on Transparency in 2026 Enforcement

By Dan Cooper, Anna Sophia Oberschelp de Meneses & Alix Bertrand on November 3, 2025

Posted in Data Protection, EU Law and Regulatory

On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).

New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research

By Kristof Van Quathem, Dr. Dr. Adem Koyuncu, Lars Lensdorf & Anna Sophia Oberschelp de Meneses on October 24, 2025

Posted in Cybersecurity, Data Protection, EU Law and Regulatory, Health Privacy, Life Sciences & Digital Health

On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.

Brazil Adopts Law Protecting Minors Online

By Anna Sophia Oberschelp de Meneses, Diego Bonomo & Dan Cooper on October 9, 2025

Posted in Brazil, Privacy

On September 17, 2025, Brazil enacted the Digital Statute of the Child and Adolescent (“Digital ECA”), establishing a pioneering regulatory framework for protecting children (under 12 years of age) and adolescents (between the ages of 12 and 18) online. Brazil’s Congress approved the new law in a matter of just a few days in response to parents’ pressure, after a well-known Brazilian digital influencer published a series of online videos on the “adultization” of children on the internet.

Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus

By Dan Cooper, Kristof Van Quathem & Anna Sophia Oberschelp de Meneses on September 22, 2025

Posted in Artificial Intelligence (AI), Cybersecurity, Data Protection, EU Law and Regulatory, Privacy

On September 16, 2025, the European Commission launched a call for evidence to collect feedback and best practices on simplifying several key areas of the EU digital rulebook, ahead of its planned Digital Omnibus package. This initiative targets legislation related to data, cybersecurity, and artificial intelligence, aiming to reduce administrative burdens and compliance costs for businesses while preserving high standards of fairness, security, and privacy online.

EU and Brazil Advance Towards Mutual Adequacy Decision

By Anna Sophia Oberschelp de Meneses, Diego Bonomo & Dan Cooper on September 12, 2025

Posted in EU Law and Regulatory

***Update (January 27, 2026): The EU and Brazil have now formally adopted mutual adequacy decisions, confirming that both jurisdictions ensure comparable levels of data protection and enabling the free and safe flow of personal data between the EU and Brazil without the need for additional transfer mechanisms.***

On September 5, 2025, the European Commission announced the launch of the process to adopt an adequacy decision with Brazil under the General Data Protection Regulation (GDPR), determining that Brazil ensures an adequate level of personal data protection comparable to that in the EU. Once adopted, the decision would permit personal data to flow freely between Brazil and the EU without the need for additional safeguards, covering flows from businesses, public authorities, and research projects.

The Brazilian federal government, through the National Data Protection Authority (ANPD), announced that it is simultaneously progressing on adopting an equivalent adequacy decision to facilitate the uninterrupted flow of data from Brazil to the EU. The parallel initiatives highlight a mutual commitment to aligning privacy and data protection standards across the Atlantic, and take place in a context of closer bilateral relations and increased U.S. scrutiny of Brazilian and European digital policies.

European Parliament Study Recommends Strict Liability Regime for High-Risk AI Systems

By Anna Sophia Oberschelp de Meneses, Louise Freeman & Dan Cooper on August 26, 2025

Posted in Artificial Intelligence (AI), EU Law and Regulatory, Privacy

On July 24, 2025, the European Parliament (EP) published a study entitled Artificial Intelligence and Civil Liability – A European Perspective. The study considers some of the EU’s existing and proposed liability frameworks, notably the revised Product Liability Directive (PLDr) and the AI Liability Directive (AILD), which was proposed by the European Commission only to be later withdrawn. The study concludes that neither instrument sufficiently addresses the full scope of product liability risks and defects uniquely posed by high-risk AI systems, as that concept is defined by the EU AI Act. Therefore, it calls for the creation of a dedicated strict liability framework, specifically designed to tackle the particular liability risks that these systems are said to give rise to. While it is too early to predict whether other key European stakeholders will support such a framework and bring it to fruition, this development is an important one to monitor closely for those creating or working with high-risk AI systems.

Digital Fairness Act Series — Topic 4: Digital Subscriptions

By Anna Sophia Oberschelp de Meneses, Jane Pinho, Dan Cooper, Moritz Hüsch & Edwin Djabatey on August 14, 2025

Posted in EU Law and Regulatory

Digital contracts and subscriptions have significantly increased, with the subscription economy tripling since 2017, according to the European Commission’s Digital Fairness Act Fitness Check. However, the Fitness Check points out that the number of issues with digital subscriptions, such as difficult cancellations, automatic renewals without reminders, and unclear subscription terms, have also increased. The Commission proposes to tackle these issues in its proposed Digital Fairness Act (“DFA”), which recently entered its consultation phase (see our blog post here).

This post briefly highlights certain issues with digital subscriptions identified in the Fitness Check, outlines how these issues are currently regulated in the EU, and considers the Fitness Check’s proposals to address these issues. It is the fourth post in our series on the upcoming DFA – previous posts covered influencer marketing, AI chatbots in consumer interactions, and personalised advertising and pricing.