The fourth industrial revolution has been fueled by an explosion of information. From social media to home appliances, everything produces data. This includes details about our health, location, preferences, and behaviours. The amount of data we create is expected to grow exponentially, and around 150 years from now, digital bits will exceed atoms on Earth. In 2020 alone, 79 trillion gigabytes of data were generated — but where does all the data go, who owns it and has the right to use it, and what is the best way to share it?
This article sets out to summarise the main data debates and the European Union’s (EU) regulations that arise from them. In particular, you will learn about the complex landscape of data governance in the EU, including the advantages and challenges of big data, privacy concerns, and key regulations like GDPR and the Data Act.
We will also explore the development of common data spaces across various sectors, such as the European Single Access Point for finance, manufacturing data spaces, and the European Dataspace for Smart Circular Applications, which aim to foster innovation, sustainability, and economic growth while maintaining data sovereignty and protection.
What are the advantages and disadvantages of big data?
Consumer data can be used for various purposes, and while some data applications are promising, others are potentially harmful. Diverse aggregated data delivers richer insights and helps in meeting the needs of new products and services. For example, the use of data has the potential to allocate resources better to fight malaria, consequently saving up to 5 billion euros. Furthermore, harmonised data collection can enable large-scale collaboration, hence accelerating innovations in such fields as AI and circular economy. Data pooling also creates an opportunity to increase transparency and data sovereignty by keeping companies and individuals who generated it in control and empowering those stakeholders affected by data processing to access it. Data sovereignty is the principle that digital information is subject to the laws of the country where it is generated, even if stored or processed elsewhere under data residency or localisation rules.
At the same time, risks to privacy and security arise when personal data is handled inappropriately. Security breaches or loss of data are almost inevitable, while privacy protection is costly and time-consuming — unless effective legal and technological measures are put in place.
Sometimes, the benefits of data are not accessible to all, creating knowledge and power asymmetry between firms who own the data and individuals who do not. Instagram and Facebook can see what people like and share, Google what we search for, and Amazon what we buy. Big corporate players start accumulating capital by collecting and selling this behavioural and other data as a market commodity. When Google began using personal data for advertisement, it managed to increase its revenues by a shocking 3590%7. Similarly, Facebook’s 2019 revenue accounted for 20% of the $333 billion worldwide digital advertising market. Even as businesses capture the growing potential of the data economy, many data subjects pay little attention to what happens to their information.
Why is it hard to control your private and personal information?
There are two potential explanations as to why the majority of the users are careless with their data, even when such an attitude is unfavourable. First, it might lie in the fact that consumers are not yet accustomed to seeing data as a unit of exchange, thinking in conventional monetary terms. Unless it is money, it is not valuable, or not valuable enough. Another explanation might be that data subjects do not see data as something that can be owned.
Some people stress the need to not only start treating data as a tradable property that can be owned, but also as a fundamental right to privacy4. However, by doing so, they forget that privacy and data protection are already human rights in many jurisdictions. For example, Article 8 of the EU Charter of Fundamental Rights - which was created in 2000 - states:
"Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified."
In those regions where data regulations are already in place, the problem then lies within the weak legal regimes that do not develop fast enough and cannot account for nascent threats. To utilise the benefits of data proliferation without suffering the risk associated with it, successful data management has to enhance the flow of information in the economy while simultaneously effectively protecting it. The issue calls for tighter and more detailed technological regulations, which policymakers in the European Union (EU) have started to respond to.
The European data strategy
At the centre stage of these efforts to ensure the effectiveness of regulation is the EU, with its dynamic and innovative data economy that is estimated to grow to 829 billion euros by 20253. In February 2020, the European Commission published the European data strategy. The framework sets a general direction for data regulations. The strategy increases the availability of data for better EU-wide decision-making, while keeping those who generated it in control.

The priorities are:
- To set up a single market for data, where
- data can flow within the EU
- European privacy, data protection, and competition rules are fully respected
- the rules for access and use of data are practical and clear
- To establish a secure and dynamic data economy by
- pooling data in key sectors with data spaces
- setting clear and fair rules on access
- investing in tools to store and process data
- joining forces in cloud capacity
- giving users rights, tools, and skills to control their data
The strategy for data is not only limited to guaranteeing privacy but also focused on ensuring secure management of the data economy as public infrastructure, which includes handling (collection, storage, and distribution) of data. The key data management initiatives are the General Data Protection Regulation (GDPR), Data Act, and European data spaces (the European Single Access Point, data spaces for smart manufacturing, and the European Dataspace for Smart Circular Applications).
The General Data Protection Regulation (GDPR)
In May 2018, the EU rolled out the General Data Protection Regulation (GDPR). The GDPR is believed to be one of the most rigid privacy and security regulations in the world9. It establishes a harmonised framework for the protection of personal data by setting requirements for collecting, storing, and managing it.
The regulation mainly applies to:
- All EU-based firms handling users’ data
- All non-EU firms targeting people living within the union and processing their data
The GDPR describes 6 conditions under which firms have a right to collect personal data, such as the presence of a formal opt-in of a data subject. In all of these cases, firms are required to be transparent about how the data is managed13. The GDPR is a complex and elaborate law, but the minimum information to be included is:
- Who is processing the data
- Why is it being processed
- On what legal basis
- Who will receive it
Another focus area of the regulation is users’ empowerment. The increased transparency around what happens to the data gives the subjects the right – after it has been collected – to access, rectify, erase, and transfer the data, as well as to lodge a complaint about data usage12.
Within organisations that regularly process large scales of users’ data as a core business activity, compliance with these requirements has to be monitored by a data protection officer designated by the company. The officer serves as a contact point for data subjects and the Data Protection Authority. The officer is also responsible for keeping a record of company acts. Firms that violate the EU’s privacy rules risk fines up to either 4% of their annual turnover or 20 million euros. Furthermore, additional measures such as an order requesting to stop data handling might be considered.
The Data Act
The European Data Act is the first deliverable of the European data strategy. The proposal was published on 23rd February 2022 and entered into force in January 2024. The European Data Act aims to make valuable data more accessible between companies and consumers in all economic sectors. It harmonises rules on fair access to and use of data, cloud switching, and transfers by setting relevant obligations for stakeholders.
Such obligations are of a contractual, commercial, and technical nature and specify who, other than manufacturers or other data holders, is entitled to access the data generated by products, under which conditions and on what basis. Examples of the requirements are designing products in a way that makes the data they collect easily accessible by default, ensuring a secure transfer of data to other providers, or pushing providers to prevent unlawful third-party access to non-personal data held in the EU.
The stakeholders affected by the regulation are companies handling data, providers of Internet of Things (IoT) products, and cloud service providers. Fines will be imposed on those non-compliant with the requirements.
As regulations, the GDPR and the European Data Act set rules governing obligations for organisations handling data to protect consumer data and encourage information sharing. However, to fulfil some of its obligations, the policies need to be complemented by a relevant digital infrastructure. For example, to ensure a secure transfer of data to other providers, a system that can read data in a single format must be established to make a successful data transfer. This is in part fulfilled by the introduction of industry-specific common European data spaces.
Circularise is the leading software platform that provides end-to-end traceability for complex industrial supply chains. We offer two traceability solutions: MassBalancer to automate mass balance bookkeeping and Digital Product Passports for end-to-end batch traceability.