2025 Data law trends

The primary objective of the new data access rights under the Data Act, EHDS and FIDA is to foster the development of a unified data market in the EU. This entails making all data produced in this unified data market, whether personal or non-personal, accessible to all market participants, irrespective of their size or influence, in accordance with fair, transparent, proportionate and non-discriminatory access rules. Entities and individuals possessing data, such as data generated via connected products or digital services, will be empowered to share this data for reuse, either freely or for compensation.

However, while all three laws contribute to a major shared objective, the Data Act aims to enhance data access across sectors, particularly for Internet of Things (IoT)-generated data, while the Common European Data Spaces create a framework for data sharing in key areas like health (EHDS) and finance (FIDA).

Data Act obligations

The Data Act, being a key pillar of the European Data Strategy, aims to create a horizontal framework for the access to, and sharing of, data generated through smart products and digital services. It also introduces new requirements for redistributing data access and use.

EHDS obligations

The EHDS imposes a complex array of obligations on various actors within the health data ecosystem, including health data holders and users, and manufacturers, importers and distributors of Electronic Health Records (EHR) systems. Key requirements in relation to data access rights include:

The FIDA obligations

The FIDA aims to grant effective control to customers over their financial data and to give the opportunity to benefit from new business models and products based on data sharing. As the FIDA is still under negotiation, this chapter summarizes the European Commission proposal of June 28, 2023.

The FIDA applies to credit institutions, insurance firms and most other EU financial sector entities. All of them can act as ‘data holder’ or ‘data user.’ Among others, the FIDA applies to customer data on loans, (non-payment) accounts, savings, investments, crypto-assets, real estate, non-life insurance products and data forming part of creditworthiness assessments of firms for loan application processes. Data on sickness and health insurance products, including data collected for related assessments, and data that forms part of creditworthiness assessments of consumers are excluded from the FIDA.

Important requirements in relation to data access rights include:

New opportunities for data-based business models

The Data Act, EHDS and FIDA open up new possibilities for different stakeholders, as summarized below:

Preparing for the Data Act

• Establish robust data governance processes and, in particular, evaluate existing product designs and contractual frameworks to ensure alignment with the Data Act’s provisions.
• Identify key datasets affected by the legislation and developing a comprehensive data strategy are critical steps towards compliance. By doing so, businesses can explore possible avenues for opening access to data and adapt manufacturing and design processes accordingly.
• In addition to risk mitigation, businesses could also explore the potential opportunities presented by the Data Act. By strategically leveraging the Data Act’s provisions, businesses may uncover new possibilities for growth and innovation.

Preparing for the EHDS

• Data holders must find effective ways to separate data that is commercially sensitive or subject to intellectual property restrictions from other health data to prevent unauthorized disclosure. This segregation is crucial to comply with transparency and privacy obligations under EU data protection law and the EHDS, which mandates robust mechanisms for safeguarding sensitive information while still allowing health data to be shared for broader purposes such as research and innovation.
• Data users should familiarize themselves with the processes and prerequisites set out in the EHDS for obtaining data permits, data requests and data access approvals. They should also set up a process for the timely publication of the results or output of their secondary use that complies with the anonymization requirements of the EHDS and aligns with data protection law.
• Manufactures, importers and distributors of EHR systems should ensure that their products meet the comprehensive requirements laid down in the EHDS. This is necessary to guarantee their systems comply with EU market standards and can be legally sold and used across EU Member States. Additionally, importers, distributors and users of an EHR system should also assess whether they might be considered a manufacturer of an EHR system according to the EHDS and thus subject to the obligations set out for manufacturers.

Preparing for the FIDA

While most details on the FIDA must still be settled during the legislative process, it has already become clear that the FIDA will (after the EU’s Digital Operational Resilience Act) be the next fire drill for financial sector entities in which IT and data departments will need to collaborate with their legal and compliance counterparts to ensure day-one readiness.

• IT and data departments should focus on the availability of IT assets that permit compliance with the ambitious data sharing standards.
• Legal and compliance will be involved in selecting or negotiating key terms of financial data sharing schemes.
• As part of their risk management, financial sector entities will need to consider strategies to shield themselves from liability risks due to loss or incorrect handling of financial data, including customer data that falls within the remits of data protection law.