Privacy Matters
DLA Piper's Global Privacy and Data Protection Resource
https://privacymatters.dlapiper.com/category/eu-commission/

EU: Data Act Frequently Asked Questions answered by the EU Commission
https://privacymatters.dlapiper.com/2024/09/data-act-frequently-asked-questions-answered-by-the-eu-commission/
Mon, 23 Sep 2024 16:09:32 +0000

The EU Data Act is one of the cornerstones of the EU’s Data Strategy and introduces a new and horizontal set of rules on data access and use to boost the EU’s data economy. Most of the provisions of the Data Act will become applicable as of 12 September 2025. To assist stakeholders in the implementation, the European Commission recently published a fairly extensive FAQ document. In particular, the FAQs contain clarifications in relation to data in scope of the Act; overlap with other data protection laws and EU legislation; implementation of IoT data sharing; and transfer restrictions.

Our article providing a summary of the key takeaways from the FAQs is available here.

For more information on how DLA Piper can support with the Data Act and other recent EU digital regulations, please refer to our EU Digital Decade website.

EU/UK: Data-Sharing Frameworks – A State of Play in the EU and the UK
https://privacymatters.dlapiper.com/2024/06/eu-uk-data-sharing-frameworks-a-state-of-play-in-the-eu-and-the-uk/
Thu, 06 Jun 2024 12:07:18 +0000

Disclaimer: This article first appeared in the June 2024 issue of PLC Magazine, and is available at http://uk.practicallaw.com/resources/uk-publications/plc-magazine.

In order to capture the benefits of data-driven innovation, the EU and the UK are taking action to facilitate data sharing across various industries.

In the EU, the European Commission is investing €2 billion to foster the development of so-called “common European data spaces” and the associated digital infrastructure. The UK government has announced similar, mainly policy, initiatives regarding the establishment of data-sharing frameworks, referred to as smart data schemes.

Despite the shared objectives, differences emerge between the EU and UK approaches, raising questions about alignment, implementation efficiency and market dynamics.

In this article, DLA Piper:

  • Explores the concepts of data spaces and data schemes, and the policy objectives behind them.
  • Gives an overview of the emerging rules that will be part of the foundation of these data-sharing frameworks in the EU and the UK.
  • Examines what can be expected from these initiatives and what hurdles still need to be overcome in order to secure successful implementation.

The article is available here.

Europe: EDPS finds that the European Commission has infringed data protection rules
https://privacymatters.dlapiper.com/2024/03/europe-edps-finds-that-the-european-commission-has-infringed-data-protection-rules/
Thu, 21 Mar 2024 13:15:54 +0000

On 11 March 2024, following an investigation, the European Data Protection Supervisor (EDPS) announced that the European Commission’s (Commission) use of a major software company infringes the data protection law for EU institutions, bodies, offices and agencies (Regulation (EU) 2018/1725). In particular, the EDPS found that the Commission had failed to provide appropriate safeguards to ensure that personal data transferred outside the EEA were afforded an essentially equivalent level of protection as guaranteed in the EEA. In addition, the EDPS concluded that the Commission did not sufficiently specify in its contract with the software company what types of personal data were to be collected and for which explicit and specified purposes.

Background

The EDPS investigation was opened following the Schrems II judgment and Recommendations previously issued by the EDPS on the use of the software company’s products and services by EU institutions and bodies. The investigation was part of the EDPS’ participation in the EDPB 2022 Coordinated Enforcement Action into the use of cloud-based services by the public sector.

Summary of EDPS findings

The EDPS found that the Commission had infringed several provisions of Regulation (EU) 2018/1725, including those on transfers of personal data outside the EEA. In particular, the EDPS found that the Commission had failed to:

  • provide appropriate safeguards ensuring that data transferred enjoy an essentially equivalent level of protection to that in the EEA;
  • provide what types of personal data can be transferred to which recipients in which third country and for which purposes;
  • map the proposed transfers, conduct a transfer impact assessment and include appropriate safeguards in the Standard Contractual Clauses (SCCs);
  • obtain authorisation of those SCCs from the EDPB; and
  • ensure that transfers took place “solely to allow tasks within the competence of the controller to be carried out.”

In addition, the EDPS found that the Commission had failed to comply with a number of other requirements of Regulation (EU) 2018/1725, including failing to adequately specify the types of personal data in relation to its intended purposes, leading to ambiguity and potential non-compliance with the Regulation (EU) 2018/1725; and failing to provide sufficiently clearly documented instructions for the processing.

EDPS Corrective Measures

As a result of its findings, the EDPS imposed a number of corrective measures on the Commission, including:

  • from 9 December 2024, suspend all data flows resulting from its use of the software to the software company and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision; and
  • bring the processing operations resulting from its use of the software into compliance with Regulation (EU) 2018/1725.

Taking into account the need not to compromise the Commission’s ability to carry out its tasks in the public interest or to exercise its official authority, as well as the need to allow appropriate time for the Commission to implement the suspension of relevant data flows, the EDPS held that the Commission has until 9 December 2024 to demonstrate compliance with both orders.
