Baltic business advised to prepare for new data laws

The General Data Protection Regulation (GDPR) has been in force for six years, but the area of data protection legislation keeps evolving. “We have just started to live with GDPR when a new package of legal acts is knocking on the door,” Mihkel Miidla, head of our Data Protection team, noted at a webinar held in February. 

Since 2020 the European Union has been implementing the European data strategy, and new measures are gradually adopted to regulate data-related matters. It is no longer limited to personal data – new legislation also regulates the reuse, sharing, and movement of industrial and business data, both in the public and private sectors.

Our Baltic data protection experts recently hosted seminars in Estonia, Latvia, and Lithuania to give an overview of the current state of the European data strategy, introduce new legislation, and share practical advice.

You can watch the event recordings in Latvian/English or Estonian/English. An English-language recording is available on the discussion on “Cross-Border Enforcement Activities by Baltic Supervisory Authorities: Process, Cases and Lessons Learned”

Businesses should prepare now

The European data strategy is here to stay, and businesses should start planning their actions and investments for setting up internal infrastructure with processes and allocating human resources to facilitate efficient data handling.

“The new pieces of legislation will bring new obligations for private and public sectors alike, and it is smart to start planning the investments, both money and human resources,” Mihkel Miidla says.

Although some regulations will take effect within a few years, businesses should already assess their compliance readiness, as the new obligations may require significant time to roll out necessary technical solutions.

Furthermore, businesses taking a proactive approach, rather than just complying, will get a competitive edge in finding new opportunities for business growth in the future.

The European Data Strategy – where are we now?

The European data strategy aims to make the EU a leader in a data-driven society. Creating a single market for data will allow it to flow freely within the EU and across sectors for the benefit of businesses, researchers, and public administrations.

As the amount of collected data constantly grows in real-time, the main idea behind the data strategy is to ensure that more data becomes available for use in the economy and society, while keeping the companies and individuals who generate the data in control.

The single market for data is expected to create new business opportunities and data-driven innovation that bring various benefits to both citizens and businesses, such as improving personal healthcare services, creating safer transport systems, generating new products and services, etc.

The European Commission has so far issued five separate pieces of legislation, each tackling different aspects of the data strategy. These are the Data Governance Act, the Digital Markets Act, the Digital Services Act, the Data Act, and the Artificial Intelligence Act (together known as the “Big Five”).

The Data Governance Act regulates data sharing and reuse, introducing data altruism

The Data Governance Act (DGA) provides a framework to enhance trust in voluntary data sharing for the benefit of businesses and citizens. It aims to regulate the reuse of publicly held, protected data, by boosting data sharing through the regulation of novel data intermediaries and by promoting data sharing for altruistic reasons.

The DGA covers personal and non-personal data, with the General Data Protection Regulation (GDPR) applying whenever personal data is involved. The DGA became officially applicable on 24 September 2023.

The aims of the Data Governance Act are:

• Make public-sector data available for reuse
• Facilitate the exchange of data in the EU and with third countries through data-sharing service
• Enable data sharing on altruistic grounds

The Data Governance Act enables reuse of data in public interest

The Data Governance Act stands on three pillars:

1) Reuse of data

The Open Data Directive regulates the reuse of publicly available information held by the public sector. However, the public sector also holds vast amounts of protected data (e.g. personal data and commercially confidential data) that cannot be reused as open data but that could be reused under specific EU or national legislation. A wealth of knowledge can be extracted from such data without compromising its protected nature, and the DGA provides rules and safeguards to facilitate such reuse whenever it is possible under other legislation.

2) Data intermediation services

Many companies currently fear that sharing their data would imply a loss of competitive advantage and represent a risk of misuse. The DGA defines a set of rules for providers of data intermediation services to ensure that they will function as trustworthy and neutral organisers of data sharing or pooling within the common European data spaces.

3) Data altruism

Data altruism is about individuals and companies giving their consent to make available data that they generate – voluntarily and without reward – to be used in the public interest. Such data has enormous potential to advance research and develop better products and services, including in the fields of health, environment, and mobility.

Data Act improves access to data in the EU market

The Data Act (DA) will enable a fair distribution of the value of data by establishing clear and fair rules for accessing and using data within the European data economy, a necessity heightened by the growing prevalence of the Internet of Things (IoT).

It also aims to stimulate a competitive and innovative data market by unlocking industrial data, and by providing legal clarity as regards the use of data. The Data Act entered into force on 11 January 2024 and will become applicable on 12 September 2025.

The new measures include:

• Increasing legal certainty for companies and consumers engaged in data generation, particularly within the IoT framework, by establishing clear rules on the permissible use of data and the associated conditions.
• Connected products will have to be designed and manufactured in a way that enables users to access the data generated by these devices and to share such data with third parties.
• Public sector bodies will be able to access and use data held by the private sector to help respond to public emergencies or when implementing a legal mandate.
• The Data Act also protects European businesses from unfair contractual terms in data-sharing contracts that one contracting party unilaterally imposes on the other. This will enable small and medium-sized enterprises (SMEs) to participate more actively in the data market.
• New rules set the framework for customers to effectively switch between different providers of data-processing services to unlock the EU cloud market.

Need assistance? Our Baltic team of experts is here to help you navigate the complex landscape of data protection. Contact the head of our Data Protection team Mihkel Miidla at mihkel.miidla@sorainen.com.