Privacy Act Changes Impacting Data Interoperability

Summary

The latest Privacy Act changes impacting data interoperability focus on updating laws to make it easier and safer for individuals and businesses to share, access, and move data across different platforms and services. Data interoperability means systems can exchange and use information smoothly, and these updates aim to balance privacy protection with new rights for users, especially in the EU.

  • Review contract terms: Check and update agreements to ensure customers can move their data freely and providers meet new notice, transition, and export standards.
  • Prepare for new standards: Stay informed about upcoming technical requirements and interoperability benchmarks so your systems and APIs remain compatible and compliant.
  • Protect user rights: Make sure consent for data processing is clear, simple, and meets stricter privacy rules, giving users real choices and control over their information.
Summarized by AI based on LinkedIn member posts
  • View profile for Mateusz Kupiec, FIP, CIPP/E, CIPM

    Institute of Law Studies, Polish Academy of Sciences || Privacy Lawyer at Traple Konarski Podrecki & Partners || DPO || I know GDPR. And what is your superpower?🤖

    26,518 followers

    🔍‼️ The European Data Protection Board has just published for public consultation the long-awaited Joint Guidelines with the European Commission on the interplay between the #DMA and the #GDPR. I only read the document briefly, but it already sheds light on some of the most relevant issues for privacy professionals - especially around consent under Article 5(2) DMA and its relationship with consent under the GDPR.

    🔹 The Guidelines underline that the DMA and GDPR pursue distinct yet complementary goals: while the GDPR protects individuals’ fundamental rights and regulates personal data processing, the DMA seeks to ensure contestable and fair digital markets by curbing gatekeepers’ data-driven advantages. Compliance with both frameworks must be coherent and mutually reinforcing.

    🔹 The document focuses on areas where the DMA obligations overlap with GDPR principles, including consent, data portability, access to data, anonymisation, and interoperability. On consent, the #EDPB and the EC clarify that “valid consent” under Article 5(2) DMA must meet all GDPR conditions — being freely given, specific, informed and unambiguous. Gatekeepers must provide granular opt-ins for each distinct processing purpose, such as personalised advertising, content personalisation or service improvement, and describe each purpose clearly and without ambiguity. Acceptance and refusal options must be presented in an equivalent and neutral way, without design nudging or coercive interfaces. The guidelines also remind that refusal or withdrawal of consent must not lead to detriment or conditionality that undermines freedom of choice.

    🔹 Given the market power of gatekeepers, the imbalance between the user and the controller may in itself compromise the validity of consent if users perceive no realistic alternative to using the service. The EDPB further recalls that consent cannot legitimise unfair or disproportionate processing and that all processing must still respect the GDPR principles of fairness, necessity, proportionality, and data minimisation. When special categories of data are involved, gatekeepers must ensure a lawful basis under both Articles 6 and 9 GDPR and, where consent is used, it must be explicit. Importantly, under the #DSA and the new Regulation on Political Advertising, profiling based on sensitive data for advertising purposes is strictly prohibited.

    🔹 Beyond Article 5(2) DMA, the Guidelines address how DMA provisions on interoperability, access and portability must align with GDPR safeguards, including anonymisation standards and secure data sharing mechanisms.

  • View profile for 🛫  Stephan Grynwajc   🛬

    🇫🇷🇬🇧 EU, UK, U.S. and Canadian Startup, Technology and Privacy Lawyer - Outsourced General Counsel & DPO 🇺🇸🇨🇦

    19,767 followers

    🇪🇺 EU Data Act: what changes now for US SaaS vendors selling in Europe

    On 12 September 2025, the EU Data Act’s cloud‑switching regime became applicable. If you provide software to EU customers—even from the US—you should assume you are in scope. The law targets “data processing services,” a broad category that captures SaaS as well as PaaS and IaaS, and it aims to dismantle contractual, technical and commercial barriers that keep customers locked in.

    The customer’s exit rights are the headline shift. Buyers must be able to trigger a move to another provider (or to on‑prem) on no more than two months’ notice. Once that notice expires, providers are expected to complete the transfer without undue delay, within a defined transition window, and to deliver back all exportable data and digital assets in a structured, machine‑readable form. Contract clauses that frustrate these rights will have to give way. In practical terms, every SaaS vendor will need a tested, documented exit path—APIs, exports, runbooks, and named owners—ready to run on demand.

    Money matters too. Fees that penalize switching or data egress are being phased out. The regime moves from “cost‑based only” to a full ban, on a fixed timetable, which means vendors must revisit pricing and renewal strategies now. Selling portability as a feature will land better than fighting a battle the law has already decided.

    Interoperability is the other pillar. Providers are expected to expose open, well‑documented interfaces and to line up with EU interoperability specifications as they are finalized. For like‑for‑like IaaS moves, the destination environment should achieve functional equivalence—so migrations are more than just data dumps. Expect standards bodies to publish reference architectures and formats that narrow design freedom but increase customer trust.

    What to do next?

    1. Treat switching as a core product journey, not a painful exception.
    2. Map what is truly exportable versus what is legitimately protected (e.g., trade secrets).
    3. Update customer agreements to reflect statutory notice, transition, and termination rights, and train CSM/ops/legal teams on a playbook that can execute without theatre.
    4. Finally, watch for the EU Commission’s model terms and the coming wave of interoperability standards—they will shape how “good enough” switching is judged by customers and regulators alike.

    If you sell into the EU, the simplest strategy is to compete on being the easiest vendor to leave. Counter‑intuitive? Maybe—but it’s the quickest way to win and keep trust.

    Join the conversation. How are you adapting contracts, tooling and pricing to the Data Act’s switching rules? What’s worked (and what hasn’t) in real migrations? Share your approach below so peers can benchmark.

  • View profile for Danny Van Roijen

    🇪🇺 🇧🇪 EU Public Policy | Compliance | DPO | Keynote Speaker | Digital Technology | Healthcare

    10,511 followers

    🇪🇺 EU Data Act enters into force

    📢 One of the pillars of the European data strategy, the EU Data Act will enter into force as from today. While it didn't grab as many headlines as the EU AI Act discussions, the Data Act will undoubtedly also leave a strong mark in the years to come. The Data Act aims for instance to clarify rules on fair data access and data sharing, to establish better data portability rights and to enable easier switching between data processing services.

    🔔 Having said that, the Data Act tries to cover a lot of different things and in doing so further complicates the regulatory environment, creating potential overlaps, inconsistencies and uncertainties with regard to other existing EU frameworks. Note that the Data Act covers both personal and non-personal data (hello GDPR).

    ⛅ The Data Act will also have an impact on the healthcare sector, in particular for certain connected medical devices, virtual assistants, wearables, cloud, IoT and digital applications. To highlight just a few relevant articles:

    ⚡ Article 3. Obligation to make product data and related service data accessible to the user
    ⚡ Article 5. Right of the user to share data with third parties
    ⚡ Article 14. Obligation to make data available on the basis of an exceptional need
    ⚡ Article 21. Sharing of data obtained in the context of an exceptional need with research organisations or statistical bodies
    ⚡ Article 33. Essential requirements regarding interoperability of data, of data sharing mechanisms and services, as well as of common European data spaces [to be read together with Article 44]

    ⛓ And for my people out there in the blockchain community: Article 36. Essential requirements regarding smart contracts for executing data sharing agreements

    📌 The EU Data Act will become applicable from 12 September 2025. The obligation to make product data and related service data accessible to the user will start to apply to connected products and related services placed on the market after 12 September 2026.

    #DataAct #dataaccess #dataportability #cloud #interoperability #digitalhealth #healthdata #EHDS #medicaldevices

  • View profile for Kirsten Ammon

    Attorney, AI Strategy, IT & Data Law | Counsel | Planit//Legal | CIPT · CIPM · CIPP/E

    4,984 followers

    Updated Data Act FAQs V1.4 - Interoperability & Compensation Get Concrete Timelines

    The EU Commission released Version 1.4 of the Data Act FAQs on 22 January 2026. This update marks a shift from policy intent to concrete implementation milestones. Download V1.4 here: https://lnkd.in/ehG9tJhe

    What's New?

    🚀 Interoperability Repository (Q57) - From mapping to mandatory baseline
    V1.4 defines the common Union repository as an online one-stop-shop for harmonised standards and common specifications.
    🔵 Providers must ensure customer-facing interfaces are compatible with repository-referenced standards.
    🔵 This turns technical norms into a compliance benchmark for switching and functional equivalence under Chapter VI.
    🔵 Inclusion of standards now requires a formal implementing act via a comitology procedure.

    💰 "Reasonable Compensation" (Q72) - Q2/Q3 2026 Target
    Guidelines on calculating compensation for mandatory data access - following consultation with the European Data Innovation Board - are expected by Q2/Q3 2026. #IoT manufacturers can now roadmap pricing models and cost allocations against a clear horizon.

    🏗️ ETDF Standardisation (Q73) - Adoption by end-Q2 2025
    The European Trusted Data Framework (ETDF) request, defining technical rules for data spaces, is slated for formal adoption by the end of Q2 2025. Data-space operators should align governance and tech stacks now to avoid costly retrofits.

    📑 MCTs/SCCs - Transition to published tools (Q74)
    Version 1.4 has now included the final Model Contractual Terms (MCTs) and Standard Contractual Clauses (SCCs) that have been published recently (English version).

    Quick Check for Companies

    🔍 Benchmark data usage, cloud/data-sharing contracts against MCTs/SCCs for gaps in exit and liability clauses.
    ⚙️ Audit APIs and data models against the standards likely to appear in the Union repository.
    📊 Document cost structures for IoT scenarios ahead of the 2026 guidelines.

    Full V1.3 vs. V1.4 redline: https://lnkd.in/esHAipMa

    #DataAct #Cloud #Interoperability #DataStrategy #EULaw #DigitalMarkets

  • View profile for Ronni K. Gothard Christiansen

    Technical Privacy Engineer & CEO @ AesirX.io | First-Party Consent & Analytics solutions for global compliance.

    9,483 followers

    Digital Omnibus (Official): What Changed Today - and What It Means

    The Commission has published the Digital Omnibus proposal. Below is a practitioner’s take for DPOs, privacy counsel, product, and analytics leaders.

    The headline shifts

    - Cookie/SDK device access moves into the GDPR (new Art. 88a), creating a single enforcement track for on-device storage/access and subsequent processing.
    - Machine-readable browser/OS signals (GPC-style) are introduced, with a 6-month switch-on after standards land.
    - Media service providers are exempt from the obligation to honor those signals (consent can still be sought directly on site).
    - A closed list of consent-free purposes appears (transmission; user-requested service; controller’s own aggregated audience measurement; security).
    - Identifiability is clarified in a more entity-relative way (means reasonably likely for that controller).
    - AI training gets guard-railed allowances, including a narrow residual path for special-category data with minimization/removal safeguards.
    - Single incident-reporting entry point (report-once, share-many) and 96-hour notification rule.
    - Data Act becomes the hub (repeals/merges Open Data, FFDR; aligns with DGA), plus clean-ups to reduce SME burden.

    What this means

    - Signals are great for “NO,” not sufficient for a valid EU “YES.” You’ll still need a contextual, first-party consent layer for explicit, informed, granular agreement.
    - First-party, in-house audience measurement gets a clearer lane; third-party analytics/AdTech remains consent-heavy.
    - The media carve-out will be the flashpoint: expect scrutiny if browser/OS “no” is ignored while ad stacks still run.
    - Enforcement and playbooks change: device access and follow-on processing now sit under GDPR from the start; incident reporting consolidates.

    What teams should do next

    - CMP/Banner: Design for Art. 88a and future signal honouring; keep a robust on-site flow for granular “yes.”
    - Audience measurement: If you want the “own aggregated” lane, document scope, controls, and the no-sharing boundary.
    - Media & publishers: Assess legal/UX/reputation risk of not honouring signals; consider voluntary respect to de-risk.
    - Incident response: Update runbooks to the single entry point and 96h SLA.
    - AI training: Lock in minimisation/removal of special-category data; document legitimate-interest balancing and objection handling.
    - Data Act consolidation: Map contracts/policies touched by the merge; adjust fees/licensing/emergency-access playbooks.

    I’ve attached the official proposal PDF and my executive summary for teams that need to brief leadership and start workstreams now.

    #GDPR #ePrivacy #DigitalOmnibus #DataProtection #AdTech #Media #AI #Compliance #PrivacyEngineering #FirstPartyData
