EU Data Act operational impacts: The Data Act as a challenge to data protection or other way around?
Contributors:
Matthias Niebuhr
Rechtsanwalt, Fachanwalt für IT-Recht
BDO Legal Rechtsanwaltsgesellschaft gmbH
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
This is the third article in a five-part series on the EU Data Act. The first article, "EU Data Act operational impacts: Introducing the Data Act," explores the creation of the Data Act, its objectives, the negotiation backdrop, and how it fits within the EU's digital rulebook. The second article, "EU Data Act operational impacts: The Data Act's interplay within the EU digital rulebook," dives into the roles and requirements under the Act.
As of 12 Sept. 2025, the majority of the provisions of the EU Data Act are applicable. With this new piece of legislation, the EU aims to open up the "treasure troves" of manufacturers and make data available for new business models and use cases. This is also part of the paradigm shift in EU data policy towards data use.
The Data Act is bound to create conflict with the EU's existing strict data protection regime.
Relationship between the Data Act and the EU's data protection regime
While many recent pieces of EU legislation are rightfully criticized for their vague wording of "leaving data protection laws unaffected" — Article 2(7) of the AI Act for example — Article 1(5) of the Data Act states that data protection law prevails over the rights and obligations of the Data Act. This establishes a clear hierarchy of the EU General Data Protection Regulation and other data protection-related legislation, such as the ePrivacy Directive and its national implementations, over the Data Act.
Contributors:
Matthias Niebuhr
Rechtsanwalt, Fachanwalt für IT-Recht
BDO Legal Rechtsanwaltsgesellschaft gmbH