EU Data Act aims for innovation, fairness & strong governance
The European Union has marked a significant milestone in its digital legislative landscape with the introduction of the EU Data Act, a regulation set to redefine how data is accessed, shared, and managed across the bloc. Intended to enhance the competitiveness of the EU's data economy, the Act seeks to stimulate innovation while maintaining rigorous standards of responsibility and transparency.
The new rules extend to a broad array of industry players, encompassing manufacturers and service providers of connected devices, digital platforms, and crucially, cloud and edge service operators. The legislation encompasses all data processing activities, making no distinction between personal and non-personal data. However, in instances where personal data is involved, the General Data Protection Regulation (GDPR) remains the overriding framework, ensuring continued prioritisation of privacy and individual rights.
Anita Hodea, associate at law firm Katten Muchin Rosenman UK, notes the significance of the changes introduced: "The Act aims to create a fairer and more competitive data ecosystem, applying to manufacturers and service providers of connected products, providers of related digital services, and cloud and edge service providers. The Act encompasses all data processing activities, covering both personal and non-personal data. Where personal data is involved, the GDPR takes precedence, ensuring privacy and protection remain intact."
Hodea further explains the implications for businesses: "The introduction of new terms, such as 'data holder', and limited guidance on their application mean organisations must carefully define roles, governance, and responsibilities to comply with both frameworks. For companies, the Act requires designing products for accessible and secure data, enabling fair third-party sharing and improving transparency. These changes promise more open markets, stronger innovation, and empowered users across the EU."
The scope of the Act has prompted industry observers to consider the challenges surrounding compliance, particularly in areas such as data governance, portability, and cloud-provider transition. George Tziahanas, Vice President of Compliance at Archive360, stresses the necessity for organisations to approach the new requirements as more than just a tick-box exercise. "Regulation is always about balance: enabling innovation while ensuring responsibility. The EU Data Act will open up valuable new data paths, but with that openness comes new obligations for how organisations govern and protect information," Tziahanas states.
He elaborates: "For organisations, the challenge isn't simply moving or sharing data – it's ensuring defensibility throughout. That means minimising and classifying data, so only what the Act requires is disclosed, preserving metadata and legal holds across transfers, and avoiding portability traps that erode governance. Handled in the right way, the Act becomes more than a compliance exercise. It's an opportunity to embed responsible governance into data-sharing and cloud-exit strategies, enabling organisations to reduce risk while innovating with confidence."
The cloud computing sector, in particular, faces notable change. Brenton O'Callaghan, Chief Product Officer at Avantra, points out, "It can only be a good thing to allow more cost-effective transfer of data between clouds when you choose to move cloud provider. Be under no illusion, though, that this won't necessarily make it easier or quicker – the transition services and commitments from the major cloud providers have fine print and requirements that mean it will still be a drag and will be available only if you are adhering to their requirements." O'Callaghan highlights that transfers are typically restricted to inter-company data and must be between similar services across platforms, creating limits to true portability despite legislative intention.
O'Callaghan also addresses the broader regulatory landscape and the importance of proportionality: "EU regulation is helpful in forcing companies to classify and understand the risks in their AI systems. The danger is that if the scope expands too broadly, it risks slowing innovation under layers of compliance. The balance should stay risk-based and focused on high-risk use cases. If this is done right, then it will prevent regulation from becoming an administrative tax or barrier to market entry."
Although overshadowed in the media by the introduction of the EU AI Act, the Data Act's transformative legal framework is expected to bring far-reaching implications for European businesses and global companies operating within the EU. By mandating transparency, accountability, and responsible data governance, the EU seeks to strike a difficult but essential balance between fostering technological advances and protecting the rights and interests of citizens and enterprise stakeholders.
