Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

On March 20, 2025, the Court of Justice of the European Union (“CJEU”) ruled on the fairness, under EU consumer protection law, of a contractual clause allocating a percentage of an athlete’s income to a professional services provider (Case C‑365/23 [Arce]).  This ruling sets an important precedent and strengthens the protection afforded by consumer protection law to minors who enter into professional service contracts, whether in sport or elsewhere.

Background

The case was referred to the CJEU by a Latvian court.  It concerns a contract whereby a company undertook to provide career support services – including coaching, training, sports medicine, sports psychology, career guidance, club contracts, marketing, legal services, and accounting – to a basketball player, who was a minor at the time and therefore represented by his parents.  In exchange for the company’s services, the athlete agreed to pay 10% of any net income (plus VAT) he would receive over a period of 15 years from the signing of the contract.  At the time of signing the contract, the athlete was not a professional.  Some years later, however, he became a professional athlete.  When the athlete refused to pay the percentage to the company, the company sued him to enforce the contract.  The Latvian courts asked the CJEU whether it could assess the fairness of this long-term financial commitment under the Latvian legislation implementing Directive 93/13/EEC on unfair terms in consumer contracts (“UCTD”).

Application of the Unfair Contract Terms Directive

Under the UCTD, a contractual clause in a business-to-consumer contract (not negotiated by the consumer) is unfair if it causes a significant imbalance in the parties’ rights and obligations under the contract, to the detriment of the consumer.  The CJEU ruled that the UCTD, as transposed into Latvian law, applies to the contract between the professional services provider and the athlete because the athlete was not yet engaged in professional sport at the time the contract was signed.  The status of “consumer” must be assessed at the time of the conclusion of the contract.  Consequently, the athlete was a “consumer” within the meaning of the UCTD.  The CJEU ruled that the UCTD applies even if the individual later embarks on a professional career.

Continue Reading CJEU Rules on Fairness of Remuneration Clause in Sports Contract

On March 21, 2025, the European Commission announced that the Consumer Protection Cooperation Network (“CPC-N”) had initiated enforcement proceedings against an online gaming company, for allegedly violating EU consumer protection laws and engaging in practices that could pose a particular risk to children.  The gaming company now has one month

Continue Reading Consumer Watchdogs Turn Their Attention to the Online Gaming Industry

On 16 January 2025, the European Data Protection Board (“EDPB”) published a position paper, as it had announced last year, on the “interplay between data protection and competition law” (“Position Paper”).

In this blogpost, we outline the EDPB’s position on cooperation between EU data protection authorities (“DPAs”) and competition authorities (“CAs”) in the context of certain key issues at the intersection of data protection and competition law.

Key takeaways

  1. In the interest of coherent regulatory outcomes, the EDPB advocates for increased cooperation between DPAs and CAs.
  2. The Position Paper offers practical suggestions to that end, such as fostering closer personal relationships, mutual understanding, and a shared sense of purpose, as well as more structured mechanisms for regulatory cooperation.
  3. The EDPB is mindful of the Digital Markets Act’s (“DMA”) significance in addressing data protection and competition law risks.

Summary of the Position Paper

The EDPB first outlines certain overlaps between data protection and competition law (e.g., data serving as a parameter of competition). The EDPB argues that as both legal regimes seek to protect individuals and their choices, albeit in different ways, “strengthening the link” between data protection and competition law can “contribute to the protection of individuals and the well-being of consumers”.

The EDPB takes the view that closer cooperation between DPAs and CAs would therefore benefit individuals (and businesses) by improving the consistency and effectiveness of regulatory actions. Moreover, the EDPB emphasises that, based on the EU principle of “sincere cooperation” between regulatory authorities and pursuant to the European Court of Justice’s ruling in Meta v Bundeskartellamt (2023), cooperation between DPAs and CAs would be “in some cases, mandatory and not optional”.

Continue Reading EDPB highlights the importance of cooperation between data protection and competition authorities

On October 3, 2024, the European Commission published a report evaluating the effectiveness of existing EU consumer protection laws in protecting consumers in the digital space.  More specifically, the report assesses the effectiveness of the following three consumer protection laws: (i) the Unfair Commercial Practices Directive (“UCPD”); (ii) the Consumer

Continue Reading EU Commission Publishes Report Assessing EU Consumer Laws and Paves Way for New and Stronger EU Consumer Law for the Digital Space

Now that the EU Artificial Intelligence Act (“AI Act”) has entered into force, the EU institutions are turning their attention to the proposal for a directive on adapting non-contractual civil liability rules to artificial intelligence (the so-called “AI Liability Directive”).  Although the EU Parliament and the Council informally agreed on the text of the proposal in December 2023 (see our previous blog posts here and here), the text of the proposal is expected to change based on a complementary impact assessment published by the European Parliamentary Research Service on September 19.

Brief Overview of the AI Liability Directive

The AI Liability Directive was proposed to establish harmonised rules in fault-based claims (e.g., negligence).  These were to cover the disclosure of evidence on high-risk artificial intelligence (“AI”) systems and the burden of proof including, in certain circumstances, a rebuttable presumption of causation between the fault of the defendant (i.e., the provider or deployer of an AI system) and the output produced by the AI system or the failure of the AI system to produce an output.

Potential Changes to the AI Liability Directive

In July, news reports leaked a slightly amended version of the European Commission’s AI Liability Directive proposal to align the wording with the adopted AI Act (Council document ST 12523 2024 INIT).  The amendments reflect the difference in numbering between the proposed AI Act and the enacted version.

Over the summer, the EU Parliamentary Research Service carried out a complementary impact assessment to evaluate whether the AI Liability Directive should remain on the EU’s list of priorities.  In particular, the new assessment was to determine whether the AI Liability Directive is still needed in light of the proposal for a new Product Liability Directive (see our blog post here).

Continue Reading The EU Considers Changing the EU AI Liability Directive into a Software Liability Regulation

On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission

Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data holders; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.

1: Health data holder

The term “health data holder” includes, among others, any natural or legal person developing products or services intended for health, developing or manufacturing wellness applications, or performing research in relation to healthcare, who:

  • in relation to personal electronic health data: in its capacity of a data controller has the right or obligation to process the health data, including for research and innovation purposes; or
  • in relation to non-personal electronic health data: has the ability to make the data available through control of the technical design of a product and related services.  These terms appear to be taken from the Data Act, but they are not defined under the EHDS.

In practice, this means that, for example, hospitals, as data controllers, are data holders of their electronic health records.  Similarly, pharmaceutical companies are data holders of clinical trial data and biobanks.  Medical device companies may be data holders of non-personal data generated by their devices, if they have access to that data and an ability to produce it.  However, medical device companies would not qualify as a data holder where they merely process personal electronic health data on behalf of a hospital.

Individual researchers and micro enterprises are not data holders, unless EU Member States decide differently for their territory.

2: Data sets covered by EHDS

The EHDS sets out a long list of covered electronic health data that should be made available for secondary use under the EHDS.  It includes, among others:

  • electronic health records;
  • human genetic data;
  • biobanks;
  • data from wellness applications;
  • clinical trial data – though according to the recitals, this only applies when the trial has ended;
  • medical device data;
  • data from registries; and
  • data from research cohorts and surveys, after the first publication of the results – a qualifier that does not seem to apply for clinical trial data.

Continue Reading EHDS Series – 2: The European Health Data Space from the Health Data Holder’s Perspective

In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.

First, the Dutch SA decided that the company was required to perform a DPIA because

Continue Reading Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment