From data act to eIDAS: The future of personal data sharing and ownership in the EU

The EU has been a driving force in reshaping rules around personal data ownership and data sharing, pushing the agenda for greater user empowerment and access. At the core of this transformation is the idea that data is a resource to be shared and used responsibly, not owned or siloed by a single entity. 

This focus on data access champions the ownership of personal data. This empowers users to manage, control, and transfer their data across platforms, rather than giving ownership to any single entity. This shift supports the EU’s broader vision of a more connected, data-driven economy, and is backed by several regulations, such as the EU Data Act.

Companies that embrace this shift towards increased ownership of personal data by the user will be better positioned to build trust, foster collaboration, and innovate in the growing data economy. Those who fail to align with these changes risk falling behind as data becomes a more valuable asset in shaping the digital future. 

This blog explores the landscape of data ownership and sharing in Europe, key regulations driving open data access in the EU, and what companies need to do to stay ahead of the curve. 

In recent years, the EU has rolled out initiatives aimed at giving individuals greater control over their personal data while promoting transparency in its use. At the core of these efforts is the European Data Strategy, which outlines plans to create a single European data market. This strategy seeks to enhance data access across borders and sectors, enabling innovation and economic growth, while safeguarding privacy and security in line with GDPR.

One of the key components of the strategy is the Common European Data Spaces, which aim to provide secure, transparent, and legally compliant environments for businesses, governments, and individuals to share and access data. These spaces are sector-specific, tailored to industries like healthcare, finance, mobility, and energy. They are also designed to facilitate more efficient data exchange within and across borders, further bolstering Europe’s digital economy.

Read more: Complete guide to data sharing for businesses from itsme^®

The Data Act sets out a comprehensive framework for the access, sharing, and use of data across the EU. It ensures that businesses, public bodies, and individuals can securely share data while protecting privacy, intellectual property, and trade secrets. The law also introduces mechanisms for resolving data-related disputes and establishing clearer rights for data usage, making data exchange more predictable and transparent.

Better data sharing regulation streamlines data access across sectors like healthcare, finance, and energy. The Data Act serves as a foundation to support innovation, enhance collaboration, and ensure that data is used in ways that benefit both the economy and society.

Explore how secure data sharing can help your organisation

Data access allows users to manage and transfer their data. To take ownership of your personal data, however, suggests a more powerful position where you control how your data is used, shared, or even monetised.  

Companies that view data as a shared asset and leverage it in an ethical, compliant, and consent-driven way can unlock new insights and collaborate more effectively. This approach drives innovation in ways that were previously impossible.

Continue reading: itsme^®'s comprehensive guide for data sharing

The EU has introduced several key regulations to define data ownership. Those regulations aim to secure data handling, empower users with greater control over their personal information, and promote secure data sharing. In this section, we’ll explore the most important regulations shaping data ownership and access in the EU: 

• Electronic Identification and Trust Services (eIDAS): Introduced in 2014, eIDAS laid the foundation for secure digital interactions across the EU by establishing standards for electronic identification (eID) and trust services. While it doesn’t directly define data ownership, eIDAS ensures that actions like signing a document electronically or logging in to a government portal using a digital ID are trusted and recognised across all EU member states. With the introduction of eIDAS 2.0, the framework further strengthens cross-border trust and data sharing, creating a reliable environment for sectors like healthcare, finance, and public services. 

• General Data Protection Regulation (GDPR): Introduced in 2018, GDPR revolutionised personal data handling by granting individuals rights like access, correction, deletion, and portability of their data. While GDPR set the scene for data protection, other regulations went into more detail about how it should be done. GDPR is crucial for safeguarding data privacy, reinforcing personal data ownership for users, and enhancing accountability in data sharing, particularly across platforms. 

• Data Act: Introduced in 2022, the Data Act is designed to make it easier and more secure for businesses to share data across sectors like healthcare, manufacturing, and finance. It sets clear rules about who owns data, how it can be accessed, and how it can be used. This especially concerns non-personal data, such as machine data from IoT devices or data stored in cloud services. The Data Act ensures that businesses can share data securely with each other with clear guidelines on how the data should be used and protected. This regulation fosters a more transparent data sharing andfair competition. 

• Data Governance Act (DGA): Adopted by the EU in 2022, the Data Governance Act establishes frameworks for trusted data intermediaries. This facilitates the creation of data sharing mechanisms that ensure both data providers and recipients comply with EU privacy and security standards. DGA enables individuals, organisations and governments to securely share data for societal benefits, (e.g. for research or the environment). It also promotes a more transparent, interoperable, and secure data sharing ecosystem across Europe.

• Common European Data Space: Introduced as part of the European Data Strategy, it is an initiative designed to create a unified, secure framework for data sharing across the EU. Data spaces will provide the infrastructure and tools needed to manage data access, while maintaining privacy and security across borders and sectors. By 2025, the EU plans to establish data spaces in sectors like health, energy, and agriculture. This helps ensure that data can be shared freely and securely between businesses, governments, and individuals to build a connected, data-driven economy in Europe.

Financial Data Access regulation (FiDA) regulation has been originally proposed to enable secure, federated data exchange. The exact scope of the regulation is still subject to ongoing discussions as the EU shifts focus to more targeted initiatives like the Data Act and Data Governance Act. While the future of FiDA is still uncertain, its concepts highlight the direction the EU is heading, emphasising secure, user-controlled data exchanges.

Curious about how to remain compliant around your data practices? Request a consultation

As Europe redefines data ownership through regulations like the GDPR, the roles of the personal data controller and personal data processor have become more important than ever. The clear separation of controller and processor responsibilities is increasingly central to building trust and enabling responsible innovation.

A personal data controller is the entity that determines why and how personal data is processed. This includes deciding what data is collected, for what purpose, and how long it is retained. Controllers carry the primary responsibility for ensuring data is processed lawfully and transparently, and for enabling user rights such as access, correction, and deletion.

A personal data processor, on the other hand, acts on behalf of the controller and processes data only under the controller’s instructions. Examples include cloud providers or analytics platforms managing data infrastructure but not determining how the data is used. Under GDPR, processors must implement strong security measures and support the controller in meeting compliance obligations.

In Europe’s evolving data landscape, characterised by decentralised sharing, cross-border collaboration, and sector-specific data spaces, understanding and clearly defining these roles is crucial. Controllers must not only secure data and manage consent, but also ensure that processors uphold strict data handling standards.

Both personal data controllers and processors can rely on digital identity tools to confidently authenticate users, obtain explicit consent, and manage access rights, delivering both legal compliance and a better user experience.

• Create clear data collection policies: This includes providing transparent information to users about how their data will be used, and ensuring users can easily give or withdraw consent.  

• Implement strong data management systems: Businesses should invest in tools that facilitate prompt responses to data portability, access, and deletion requests in line with GDPR requirements. This involves setting up automated systems to manage user requests, track consent, and ensure actions are processed within the required timeframes. Digital identity tools can play a crucial role in supporting businesses in verifying and authenticating individuals requesting data access. Those tools also help organisations in obtaining explicit owner consent for the specific use of their personal data, which provides 'out-of-the-box compliance' to data sharing processes. 

• Adopt secure and transparent data sharing practices: In line with the Data Act, businesses should establish clear protocols for sharing non-personal data with third parties. This includes using secure data sharing technologies to ensure proper consent and maintain security. 

• Stay informed on regulations: Keep up with emerging regulations, such as the European Digital Strategy. To stay proactive, businesses should adopt data sharing technologies that prioritise user control and security, integrating them into their operations. 

Secure your business with Europe's leading digital identity platform

The EU's Data Strategy and regulations emphasise giving individuals ownership of personal data, making data sharing a key element of regulatory compliance. By adopting secure data sharing practices, businesses can more easily meet requirements related to the European Data Act.

Moreover, secure data sharing practices help businesses by reducing redundancies, lowering costs related to data exchange, and optimising resource allocation. This can be seen in industries such as healthcare, HR, and finance, which are already leveraging shared data to unlock insights and create value in ways that would be difficult or impossible otherwise.

In the financial services industry, sharing real-time transaction data through secure platforms enables banks, fintech companies, and credit agencies to improve fraud detection, streamline loan approvals, and offer personalised financial services. 

In Belgium, DIBBS platform, an app designed to help students find work opportunities, leverages itsme^®'s data sharing capabilities to access student attestations securely stored in Athumi's data vault. This integration allows students to seamlessly share verified evidence of their student status when applying for vacancies, without the need for manual verification or physical documentation.

Enhance your organisation's compliance, customer satisfaction and growth with data sharing