The transfer of data across international borders is essential for many companies in the digitalised world, but can pose a challenge in light of specific EU regulatory requirements. The European Union has introduced a number of regulations to ensure the protection of personal data on the one hand and otherwise sensitive data on the other, while promoting economic competitiveness and the free flow of data. These regulations, such as the General Data Protection Regulation (GDPR), the Data Act (DA) and the Data Governance Act (DGA), create a legal framework that forces companies to continuously adapt and, if necessary, rethink their data processing practices.
Why does the EU regulate data exchange?
The reasons for the EU’s regulation of data transmission are varied and sometimes contradictory. On the one hand, the EU aims to strengthen the competitiveness of the European economy and promote innovation through the free flow of data. On the other hand, the protection of privacy, trade secrets and intellectual property, for example, is a high priority. Geopolitical factors also play a role, for example in relation to the protection of critical infrastructures and sensitive data from unauthorised access by third countries. Increasing global competition – particularly between the USA and China – makes these regulations indispensable from the EU’s perspective in order to protect economic and strategic interests.
The Data Act and its far-reaching impacts
The Data Act will come into force on 12 September 2025. It is intended to play a central role in the EU’s regulatory environment. The Data Act not only regulates access to and use of data in B2B and B2C relationships, but also obliges companies to make data accessible ‘by design’. This means that data owners, including in particular providers of networked devices, must ensure that users can access the data they generate and share it with others.
Particular attention will be paid to the interoperability and portability of data. Providers of data processing services will be obliged to remove technical barriers that make it difficult to switch providers and to ensure that switching between services is possible without significant costs.
Data owners must ensure that such machine data can be exported to their customers (or the users of the devices) in a common, machine-readable format. These measures are part of a comprehensive attempt to reduce anti-competitive practices and strengthen the rights of users in the digital economy.
The Data Act also applies to cross-border trade. US companies targeting the European market must grant customers in the EU access to the data. Conversely, companies based in the EU must grant their customers access to data.
Article 32 of the Data Act: Protection against unlawful access by third-country authorities
To ensure a minimum level of security for the data disclosed, Art. 32 DA regulates a very specific aspect of international data transfers: unlawful access to non-personal data by authorities from non-EU countries, or unlawful transfer of such data to them. This provision does not apply to international data transfers between companies or within a group of companies. Rather, Art. 32 aims to prevent access by non-European authorities if this is contrary to the laws of the EU or individual Member States.
Providers of data processing services must take technical, organisational and legal measures to ensure that access to the data they store complies with the laws of the EU and those of the Member States. This may include encrypting data and conducting regular audits.
International transfers of personal data, on the other hand, continue to fall under the GDPR. Art. 32 DA therefore only plays a role if non-personal data is to be requested or transferred by authorities from third countries.
Conflicts between the Data Act and GDPR
This brings with it considerable potential for conflict. While sharing data is required under the Data Act, this may be prohibited for personal data under the GDPR. It is therefore important to differentiate between personal and non-personal data. An incorrect classification can have significant legal consequences. While the GDPR lays down strict rules for the protection of personal data, the Data Act requires openness towards data sharing – especially for non-personal data. On the other hand, Art. 4 para. 13 DA provides for an obligation to conclude a data licence agreement between the manufacturer and user only for non-personal data. In this case, it may even be advantageous for the manufacturer if the data is not personal data, because the continued processing may be based on Art. 6 para. 1 sentence 1 lit. f GDPR (and a contract is not required).
The distinction is therefore extremely relevant, but has so far been completely unclear in many cases. For example, there are often mixed data sets that contain both personal data and non-personal data. This requires careful assessment by companies to ensure that there are no violations of the GDPR. A landmark ECJ ruling of 9 November 2023 (C-319/22) has clarified that data is considered personal if the recipient is able to identify a natural person – even if the data was originally classified as non-personal.
International Data Transfers under the Data Governance Act (DGA)
The Data Governance Act additionally regulates the international transfer of non-personal data. Companies may reuse and transfer such data to third countries as long as they meet certain requirements. This process involves two key phases:
- Notification to the public authority: The potential re-user must inform the public authority in advance of their intention to transfer the data internationally and the purpose of the transfer.
- Contractual obligations: The re-user must contractually commit to ensuring data protection even after the transfer and accept the jurisdiction of the Member State of the public authority in case of disputes.
To make international transfers safer, the European Commission is authorized to propose standard contractual clauses to be used in transfer agreements. In cases where numerous requests for data reuse come from specific third countries, the Commission may issue “equivalence decisions,” which recognize the data protection standards of those countries as equivalent to those of the EU. Such decisions facilitate data transfers but are not mandatory—companies can still rely on contractual agreements.
For particularly sensitive data, such as non-personal health data that may be classified as “highly sensitive” in future EU legislation, the Commission will set additional conditions for transfers to third countries. An example would be anonymized and aggregated health data, where international transfers could pose a risk to the EU’s public welfare.
Conclusion: Strategic Adjustments and the Protection of European Values
For companies operating in the EU or transferring data across EU borders, it is crucial to prepare for the upcoming regulatory changes. The Data Act, the Data Governance Act, and the GDPR form a comprehensive framework that not only protects privacy but also provides a basis for the fair and secure use of data. Companies must continuously review their data processing practices, technical safeguards, and legal frameworks to meet regulatory requirements while seizing the opportunities that free data flow offers.
The Data Act and the Data Governance Act should not be seen as barriers to the free flow of data outside the EU but rather as measures aimed at strengthening it by adding additional protection mechanisms.