Data policies in the EU

The fourth industrial revolution has been fueled by an explosion of information. From social media to home appliances, everything produces data. This includes details about our health, location, preferences, and behaviours. The amount of data we create is expected to grow exponentially, and around 150 years from now, digital bits will exceed atoms on Earth. In 2020 alone, 79 trillion gigabytes of data were generated — but where does all the data go, who owns it and has the right to use it, and what is the best way to share it?

This article sets out to summarise the main data debates and the European Union’s (EU) regulations that arise from them. In particular, you will learn about the complex landscape of data governance in the EU, including the advantages and challenges of big data, privacy concerns, and key regulations like GDPR and the Data Act. 

We will also explore the development of common data spaces across various sectors, such as the European Single Access Point for finance, manufacturing data spaces, and the European Dataspace for Smart Circular Applications, which aim to foster innovation, sustainability, and economic growth while maintaining data sovereignty and protection.

What are the advantages and disadvantages of big data?

Consumer data can be used for various purposes, and while some data applications are promising, others are potentially harmful. Diverse aggregated data delivers richer insights and helps in meeting the needs of new products and services. For example, the use of data has the potential to allocate resources better to fight malaria, consequently saving up to 5 billion euros. Furthermore, harmonised data collection can enable large-scale collaboration, hence accelerating innovations in such fields as AI and circular economy. Data pooling also creates an opportunity to increase transparency and data sovereignty by keeping companies and individuals who generated it in control and empowering those stakeholders affected by data processing to access it. Data sovereignty is the principle that digital information is subject to the laws of the country where it is generated, even if stored or processed elsewhere under data residency or localisation rules.

At the same time, risks to privacy and security arise when personal data is handled inappropriately. Security breaches or loss of data are almost inevitable, while privacy protection is costly and time-consuming — unless effective legal and technological measures are put in place. 

Sometimes, the benefits of data are not accessible to all, creating knowledge and power asymmetry between firms who own the data and individuals who do not. Instagram and Facebook can see what people like and share, Google what we search for, and Amazon what we buy. Big corporate players start accumulating capital by collecting and selling this behavioural and other data as a market commodity. When Google began using personal data for advertisement, it managed to increase its revenues by a shocking 3590%⁷. Similarly, Facebook’s 2019 revenue accounted for 20% of the $333 billion worldwide digital advertising market. Even as businesses capture the growing potential of the data economy, many data subjects pay little attention to what happens to their information. 

Why is it hard to control your private and personal information?

There are two potential explanations as to why the majority of the users are careless with their data, even when such an attitude is unfavourable. First, it might lie in the fact that consumers are not yet accustomed to seeing data as a unit of exchange, thinking in conventional monetary terms. Unless it is money, it is not valuable, or not valuable enough. Another explanation might be that data subjects do not see data as something that can be owned.

Some people stress the need to not only start treating data as a tradable property that can be owned, but also as a fundamental right to privacy⁴. However, by doing so, they forget that privacy and data protection are already human rights in many jurisdictions. For example, Article 8 of the EU Charter of Fundamental Rights - which was created in 2000 - states:

"Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified." 

In those regions where data regulations are already in place, the problem then lies within the weak legal regimes that do not develop fast enough and cannot account for nascent threats. To utilise the benefits of data proliferation without suffering the risk associated with it, successful data management has to enhance the flow of information in the economy while simultaneously effectively protecting it. The issue calls for tighter and more detailed technological regulations, which policymakers in the European Union (EU) have started to respond to. 

The European data strategy

At the centre stage of these efforts to ensure the effectiveness of regulation is the EU, with its dynamic and innovative data economy that is estimated to grow to 829 billion euros by 2025³. In February 2020, the European Commission published the European data strategy. The framework sets a general direction for data regulations. The strategy increases the availability of data for better EU-wide decision-making, while keeping those who generated it in control. 

The priorities are:

1. To set up a single market for data, where
   
   1. data can flow within the EU
   2. European privacy, data protection, and competition rules are fully respected
   3. the rules for access and use of data are practical and clear
2.  To establish a secure and dynamic data economy by

1. pooling data in key sectors with data spaces
2. setting clear and fair rules on access
3. investing in tools to store and process data
4. joining forces in cloud capacity
5. giving users rights, tools, and skills to control their data

The strategy for data is not only limited to guaranteeing privacy but also focused on ensuring secure management of the data economy as public infrastructure, which includes handling (collection, storage, and distribution) of data. The key data management initiatives are the General Data Protection Regulation (GDPR), Data Act, and European data spaces (the European Single Access Point, data spaces for smart manufacturing, and the European Dataspace for Smart Circular Applications).

The General Data Protection Regulation (GDPR)

In May 2018, the EU rolled out the General Data Protection Regulation (GDPR). The GDPR is believed to be one of the most rigid privacy and security regulations in the world⁹. It establishes a harmonised framework for the protection of personal data by setting requirements for collecting, storing, and managing it. 

The regulation mainly applies to: 

1. All EU-based firms handling users’ data
2. All non-EU firms targeting people living within the union and processing their data 

The GDPR describes 6 conditions under which firms have a right to collect personal data, such as the presence of a formal opt-in of a data subject. In all of these cases, firms are required to be transparent about how the data is managed¹³. The GDPR is a complex and elaborate law, but the minimum information to be included is:

• Who is processing the data
• Why is it being processed
• On what legal basis
• Who will receive it

Another focus area of the regulation is users’ empowerment. The increased transparency around what happens to the data gives the subjects the right – after it has been collected – to access, rectify, erase, and transfer the data, as well as to lodge a complaint about data usage¹². 

Within organisations that regularly process large scales of users’ data as a core business activity, compliance with these requirements has to be monitored by a data protection officer designated by the company. The officer serves as a contact point for data subjects and the Data Protection Authority. The officer is also responsible for keeping a record of company acts. Firms that violate the EU’s privacy rules risk fines up to either 4% of their annual turnover or 20 million euros. Furthermore, additional measures such as an order requesting to stop data handling might be considered.

The Data Act

The European Data Act is the first deliverable of the European data strategy. The proposal was published on 23rd February 2022 and entered into force in January 2024. The European Data Act aims to make valuable data more accessible between companies and consumers in all economic sectors. It harmonises rules on fair access to and use of data, cloud switching, and transfers by setting relevant obligations for stakeholders. 

Such obligations are of a contractual, commercial, and technical nature and specify who, other than manufacturers or other data holders, is entitled to access the data generated by products, under which conditions and on what basis. Examples of the requirements are designing products in a way that makes the data they collect easily accessible by default, ensuring a secure transfer of data to other providers, or pushing providers to prevent unlawful third-party access to non-personal data held in the EU. 

The stakeholders affected by the regulation are companies handling data, providers of Internet of Things (IoT) products, and cloud service providers. Fines will be imposed on those non-compliant with the requirements.

As regulations, the GDPR and the European Data Act set rules governing obligations for organisations handling data to protect consumer data and encourage information sharing. However, to fulfil some of its obligations, the policies need to be complemented by a relevant digital infrastructure. For example, to ensure a secure transfer of data to other providers, a system that can read data in a single format must be established to make a successful data transfer. This is in part fulfilled by the introduction of industry-specific common European data spaces.

Common European Data Spaces

The European strategy for data includes an objective to create common and interoperable data spaces³. Data spaces connect governance frameworks (e.g. the GDPR and the European Data Act) and relevant digital infrastructure (tools and services) for secure and scalable data merging, processing, and sharing across the EU. Data stored in the European data spaces includes information that is required to be publicly disclosed under EU legislation – such as the CSRD, GDPR, or ESPR – as well as voluntarily shared data.

The European data spaces are currently being created in 14 fields of economic and public interests, with an intention to gradually enlarge to other sectors: 

1. Financial
2. Public administration
3. Health
4. Agriculture
5. Manufacturing
6. Energy
7. Mobility
8. Skills
9. The European Open Science Cloud
10. The Green Deal objectives
11. Tourism
12. Construction
13. Media
14. Cultural heritage

European Single Access Point (ESAP) for the financial sector

One of the data spaces currently being developed for the financial sector is the European Single Access Point (ESAP). The European Single Access Point offers an ability to examine public financial and sustainability-related information that firms operating in the EU have to share in accordance with the standards for reporting, such as the Sustainable Finance Disclosure Regulation, the EU Taxonomy, and the Corporate Sustainability Reporting Directive (CSRD). The measure aims to ensure that key stakeholders such as investors, banks, customers, and consumers can easily access the required information about entities and products. 

The proposal text describes a set of technical principles to be followed when collecting the information:

1. The accumulation of data will be monitored by designated collection bodies
2. Firms will have to submit their information to a collection body in a machine-readable format at the same time as they make the data public. 
3. The platform is to build upon existing EU and national IT infrastructure in order to avoid adding to companies’ reporting burden. 
4. It will include a ‘file only once principle’, meaning that firms should only have to report once and to one authority, with as little additional formatting and reporting requirements as possible to avoid duplication. 

The initiative is scheduled to be operational by summer 2027. From this date, management reports, annual financial statements, sustainability statements, and audit reports will be made available via ESAP.

European data spaces for manufacturing

In the industrial sector, the data spaces for smart manufacturing aim to enable key actors in the supply chain (e.g. supplier, client, service provider), including those firms involved with the circular economy (e.g. remanufacturing and recycling companies), to access large amounts of manufacturing data. Thus, addressing the industrial data silos and high fragmentation of the supply chain digitalisation. 

The dataspaces are now being created for specific value chains through several workshops with stakeholders. Some questions under discussion are:

1. What data (design/maintenance/product engineering/supply chain planning/etc.; historical/live) to share
2. Which subsector to focus on
3. Whether to implement the data space in a centralised or distributed way

In November 2021, the Commission published a call for proposals to establish two viable manufacturing data spaces. The work started around July-September 2022 and will last 1-2 years.

European Dataspace for Smart Circular Applications (EDSCA)

Similarly, there is a plan to create several data spaces for information necessary for reaching the objectives of the European Green Deal²⁰. One of these data spaces is the European Dataspace for Smart Circular Applications (EDSCA), which is a registry that makes available the relevant data for enabling circular value creation along supply chains. This data is related to such applications and services as:

• Digital product passports (DPPs)
• Resource mapping
• Consumer information

The call for proposals for working on the data space was published in 2021 and the project started around July-September 2022 and lasted two years. The EDSCA first assisted in the creation of DPPs for electronics and batteries, and then expanded to textiles and building materials.

Read more about the DPPs and the requirements for the battery passports.

Benefits of creating common data spaces 

The European Commission sees several key advantages in setting up data spaces¹⁶. 

1. First of all, the common and interoperable format can enable the pooling of a wide range of first-party data together. This data, in turn, has the potential to be used for the public good and the development of new data-driven innovative products.
2. Second, European data spaces can make the information organisations have to report accessible for the data subject and for the stakeholders affected by the data processing. Accessibility of data, in turn, enhances transparency. 
3. Third, the data spaces have the potential to enhance data control, when data holders get the ability to use the tool to, for example, upload data in a single format, and make changes to access rights. 

Ultimately, the European Commission believes the standards will provide a coordinated technical infrastructure prioritising the findable, accessible, interoperable and reusable principles. It is essential to bear in mind, however, that whether all these aspirations become a reality depends greatly on the implementation of the strategy, as well as its effectiveness in addressing key challenges associated with data processing mentioned at the beginning of the blog post. 

Conclusion

Big data offers both significant opportunities and potential risks. To harness its benefits while minimising harm, a robust governance system with strict, harmonised rules for data handling is essential — an approach the EU has already begun to implement. The European data strategy sets a general direction for data regulation, prioritising the single market for data and data economy. 

Following the strategy, the General Data Protection Regulation sets out to protect users’ personal data. The European Data Act establishes the harmonised rules to encourage information sharing by service providers and firms handling data. The regulations require the establishment of industry-specific common European data spaces (e.g. the European Single Access Point (ESAP) for the financial sector, European Dataspace for Smart Circular Applications (EDSCA) for reaching the objectives of the Green Deal, and two other dataspaces for smart manufacturing that are yet to be defined). These spaces connect the aforementioned governance frameworks with relevant digital infrastructure for secure and scalable data merging, processing, and sharing. 

Besides the GDPR that came into effect in 2018, other policy measures are still in development. The European Data Act was published in December 2023 and will become applicable on 12 September 2025. The least progress has been made with data spaces. Among them, the most defined are the data spaces in the financial sector. The main challenge in policy formulation for other sectors seems to lie in defining what data to share and through which medium (e.g. centralised versus decentralised storage). 

To be ready for the new requirements for data spaces, firms need to start preparing now. For example, the regulations around the ESAP and EDSCA require the data to be included in DPPs or annual management reports to be disclosed in a machine-readable format. Hence, organisations should already start thinking about how to implement a new secure and scalable enterprise system for storing and sharing data that is to be made public. 

Stakeholders should closely monitor the policy progress because the European data strategy, being the first fully fledged data management framework, will define how the narrative around big data (should data be owned, be seen as a unit of exchange or perceived as a fundamental right, and other) will evolve and, most importantly, will test how to implement in practice. 

Want to know more about other regulations mentioned in this article? Read our blog post explaining the digital product passports (DPPs), battery passports, CSRD, and ESPR.

About Circularise

Circularise provides an end-to-end traceability solution for complex supply chains. We help companies verify the origins, certificates, CO2 footprint, and other material and product data on the blockchain to improve their ESG performance, demonstrate responsible sourcing, and enable a circular economy at scale.