In 2020, the European Commission unveiled its comprehensive strategy for data[1], marking a significant shift in how the European Union approaches data governance, sharing, and utilisation. This strategy represents a crucial component of the EU’s broader digital transformation agenda[2], aiming to create a single European data space where personal and non-personal data can flow freely while maintaining high privacy, security, and ethical standards.
The European Commission identified several critical challenges that required a comprehensive data strategy. A primary concern relates to data availability – despite the potential value in data re-use, there remains insufficient data available for innovative purposes, including artificial intelligence development. This limitation significantly impacts the EU’s ability to compete in the global digital economy. Market power imbalances represent another substantial challenge, with the Commission noting considerable concentration in cloud services and data infrastructures. The strategy document specifically highlights how “a small number of players may accumulate large amounts of data, gathering important insights and competitive advantages.”[3] This concentration of power threatens market competition and innovation, particularly affecting smaller enterprises’ ability to compete effectively. The Commission also identified significant interoperability issues that hinder the combination of data from different sources both within and across sectors. This technical fragmentation creates barriers to data sharing and limits the potential value that could be derived from combining diverse data sources. Furthermore, the EU faces concerning technological dependencies in strategic data infrastructures, which affect its digital sovereignty and ability to maintain control over critical data resources. In addition to these challenges relating to data availability, imbalances in the market power and lack of infrastructure, the Commission also identified the fragmentation of the regulatory framework at Member States level, which undermines the proper functioning of the internal market, and the lack of individual empowerment, as problematic.
In response to these challenges, the Commission developed a vision centred on creating an environment where the EU’s share of the data economy matches its economic weight. As stated in the strategy document, “the EU should create an attractive policy environment so that, by 2030, the EU’s share of the data economy – data stored, processed and put to valuable use in Europe – at least corresponds to its economic weight, not by fiat but by choice.”[4] The strategy embraces a human-centric approach firmly rooted in European values and fundamental rights, maintaining that the human being is and should remain at the centre. It recognizes data’s unique nature as a resource that “can be replicated at close to zero cost and its use by one person or organisation does not prevent the simultaneous use by another person or organisation.”[5] This understanding shapes the strategy’s approach to data sharing and utilization. Furthermore, the strategy aims to balance data flow and usage while preserving high standards of privacy, security, safety, and ethics. This balanced approach reflects the EU’s commitment to fostering innovation while protecting fundamental rights and ensuring responsible data use.
Before launching its comprehensive data strategy in 2020, the European Commission had already established significant groundwork in data governance and digital trust. The most notable achievement was the General Data Protection Regulation (GDPR)[6], which came into force in 2018. This landmark regulation created a robust framework for digital trust and personal data protection, setting global standards that many other jurisdictions have since emulated. The Commission also implemented several other crucial initiatives during this period. The Regulation on the Free Flow of Non-Personal Data (FFD)[7] enhanced data mobility across borders within the EU. The Open Data Directive[8] further supported the data economy by facilitating the reuse of public sector information. These early initiatives laid the foundation for the more comprehensive approach that would follow in the 2020 strategy.
Following on these footsteps, and having identified the main challenges to the use of data in the EU economy, the Commission established four pillars upon which the EU’s relevant action should be based, summarised in the following figure[9]:
The first pillar concerns the regulatory framework to be introduced to ensure better access to, and more responsible use of data. Here, two major cross-sectoral initiatives were envisioned by the Commission. The first has led to the adoption of the Data Governance Act and requires a legislative framework for the governance of the European data spaces. The second led to the adoption of the Data Act, aiming to incentivise data availability for access and re-use. The second pillar contains initiatives the Commission should implement to strengthen the EU’s capabilities for hosting, processing, and using data. This includes the creation and functioning of common European data spaces and interconnecting cloud infrastructures to overcome the legal and technical barriers to data sharing across Europe. The third pillar looks at the empowerment of individuals. It foresees measures to enforce individuals’ rights when it comes to the use of the data they generate. As for legal persons, and Small and Medium-sized Enterprises, in particular, the Strategy promotes the creation of better opportunities in the data economy, also thanks to capacity-building schemes and specific investment funds. Finally, the fourth pillar complements the previous ones by fostering the development of common European data spaces in strategic economic sectors and other domains of public interest – the first to be established being the European Health Data Space[10].
After the publication of the European Strategy for Data, and in line with the strategic pillars described above, the European Commission has introduced several key regulations to implement its vision:
- The Data Governance Act (DGA)[11], which entered into force in June 2022 and is applicable since September 2023, establishes mechanisms for data sharing and reuse across sectors. The regulation creates a framework for data intermediaries, introducing the concept of data altruism and establishing mechanisms for reusing public sector data. It also sets up structures for international data transfers and creates the European Data Innovation Board to facilitate best practices.
- The Digital Markets Act (DMA)[12], which entered into force in November 2022 and became applicable in May 2023, addresses market imbalances in the digital sector. This landmark legislation regulates “gatekeeper” platforms – large online platforms with a significant impact on the internal market. The DMA promotes fair competition by ensuring these gatekeepers cannot abuse their market power and must allow third parties to interoperate with their services.
- The Digital Services Act (DSA)[13], entering into force in November 2022 with a staggered implementation through 2024, focuses on creating a safer digital space. The DSA introduces comprehensive rules for online platforms’ content moderation, algorithmic transparency, and user protection. Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) had to comply with the regulations by August 2023, while other platforms had until February 2024.
- The Data Act (DA)[14], which entered into force in January 2024, and it will become applicable in September 2025, complements the Data Governance Act by establishing specific rules for data access and sharing. The regulation introduces new rights for users of connected devices to access their generated data, facilitates switching between cloud service providers, and protects SMEs from unfair contractual terms in data sharing contracts. It also creates mechanisms for public sector bodies to access and use privately held data in exceptional circumstances.
- The European Health Data Space Regulation (EHDSR)[15], adopted by the Council of the European Union in January 2025, represents the first sector-specific implementation of the data strategy. This regulation aims to facilitate health data sharing across borders for both primary and secondary use. It introduces standardized electronic health records, strengthens data security requirements, and establishes a framework for research institutions to access health data.
The European Strategy for Data and its implementing regulations represent a comprehensive approach to establishing the EU as a leader in the data economy while maintaining its values and standards. As noted in the original document, “the EU can become a leading role model for a society empowered by data to make better decisions – in business and the public sector.”[16]
The success of this strategy depends on effective implementation of the regulatory framework, development of necessary technological infrastructure, enhancement of data skills and literacy across the EU, and international cooperation and data flow agreements.
In this context, CONSENTIS is geared to alleviate the challenges posed by personal data sharing towards the implementation of EU regulations and strategic initiatives. By introducing a novel framework which offers Self-Sovereign Identity and user-centric consent management solutions, it will enable users to (a) have full control over their personal data collection and usage and (b) provide informed consent through user-friendly interfaces and notifications. CONSENTIS aims to address the challenges arising from a lack of solutions that can truly facilitate the sharing and processing of personal information, while simultaneously ensuring that the rights and obligations enshrined in the European data governance framework.
[1] European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data, COM/2020/66 final, Brussels, Belgium, Feb. 2020. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52020DC0066
[2] European Parliament, Digital Agenda for Europe. Brussels, Belgium, 2024. [Online]. Available: https://www.europarl.europa.eu/factsheets/en/sheet/64/digital-agenda-for-europe
[3] European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data, COM/2020/66 final, Brussels, Belgium, Feb. 2020. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52020DC0066
[4] European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data, COM/2020/66 final, Brussels, Belgium, Feb. 2020. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52020DC0066
[5] European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data, COM/2020/66 final, Brussels, Belgium, Feb. 2020. [Online]. Available: eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52020DC0066
[6] European Parliament and Council of the European Union, Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, Apr. 2016. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2016/679/oj
[7] European Parliament and Council of the European Union, Regulation (EU) 2018/1807 of 14 November 2018 on a framework for the free flow of non-personal data in the European Union. Official Journal of the European Union, Nov. 2018. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2018/1807/oj
[8] European Parliament and Council of the European Union, Directive (EU) 2019/1024 of 20 June 2019 on open data and the re-use of public sector information. Official Journal of the European Union, Jun. 2019. [Online]. Available: https://eur-lex.europa.eu/eli/dir/2019/1024/oj
[9] F. Casolari, C. Buttaboni, and L. Floridi, “The EU Data Act in context: A legal assessment,” Int. J. Law Inf. Technol., vol. 31, no. 4, p. 403, 2023. [Online]. Available: https://doi.org/10.1093/ijlit/eaae005
[10] F. Casolari, C. Buttaboni, and L. Floridi, “The EU Data Act in context: A legal assessment,” Int. J. Law Inf. Technol., vol. 31, no. 4, p. 403, 2023. [Online]. Available: https://doi.org/10.1093/ijlit/eaae005
[11] European Parliament and Council of the European Union, Regulation (EU) 2022/868 of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act). Official Journal of the European Union, May 2022. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2022/868/oj
[12] European Parliament and Council of the European Union, Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act). Official Journal of the European Union, Sep. 2022. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2022/1925/oj
[13] European Parliament and Council of the European Union, Regulation (EU) 2022/2065 of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act). Official Journal of the European Union, Oct. 2022. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2022/2065/oj
[14] European Parliament and Council of the European Union, Regulation (EU) 2023/2854 of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act). Official Journal of the European Union, Dec. 2023. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2023/2854/oj
[15] European Parliament and Council of the European Union, Regulation (EU) 2025/327 of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847 (Text with EEA relevance). Official Journal of the European Union, Feb. 2025. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2025/327/oj
[16] European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data, COM/2020/66 final, Brussels, Belgium, Feb. 2020. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52020DC0066
