Data Law Consolidation: From 5 Acts to 2
The EU Digital Omnibus achieves one of the most significant simplifications in European regulatory history: consolidating five separate data laws into two. This consolidation eliminates overlaps, reduces compliance complexity, and creates a coherent framework for Europe's data economy.
The Current Fragmentation
Five Separate Data Laws
Before the Omnibus, organizations navigating EU data regulation must comply with five distinct legal instruments:
1. General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679
Scope: Processing of personal data
Focus:
- Individual rights (access, erasure, portability)
- Lawful processing bases
- Controller and processor obligations
- Supervisory authority enforcement
Status: Foundational regulation, not repealed
2. Free Flow of Data Regulation (FFDR)
Regulation (EU) 2018/1807
Scope: Free movement of non-personal data
Focus:
- Prohibition of data localization requirements
- Professional user data portability
- Self-regulatory codes of conduct
- Regulatory barriers monitoring
Current problem: Creates artificial distinction between personal/non-personal data that is difficult to apply in practice
3. Data Governance Act (DGA)
Regulation (EU) 2022/868
Scope: Framework for trusted data sharing
Focus:
- Re-use of protected public sector data
- Data intermediation services (registration regime)
- Data altruism organizations
- European data innovation board
Current problem: Only 27 registered data intermediaries despite expectations of 100-150; heavy compliance burden
4. Open Data Directive (ODD)
Directive (EU) 2019/1024
Scope: Public sector information re-use
Focus:
- Open data by default
- High-value datasets publication
- Charging principles
- Exclusive arrangements prohibition
Current problem: Overlaps with DGA on public sector data; creates confusion on which regime applies
5. Data Act
Regulation (EU) 2023/2854
Scope: Data access and sharing rights
Focus:
- User access to IoT device data
- Data holder obligations to share with users
- Business-to-business data sharing
- Switching between data processing services
- Public sector access in emergencies
Current problem: Newest regulation, but already needs integration with older frameworks
The Complexity Problem
For businesses:
- Must navigate five separate legal texts
- Overlapping definitions create uncertainty
- Different compliance procedures
- Multiple reporting obligations
- High legal advisory costs
For regulators:
- Fragmented enforcement
- Inconsistent interpretation
- Coordination challenges
- Resource inefficiency
For innovation:
- Legal uncertainty deters investment
- Compliance complexity favors large players
- Difficult to build pan-European data services
- Regulatory burden slows deployment
The Consolidation Solution
Result: 2 Laws
After the Digital Omnibus:
- GDPR (amended): Governs all personal data processing
- Data Act (consolidated): Governs all other data economy rules
Why GDPR Remains Separate
The GDPR is amended but not merged because:
Distinct purpose: Fundamental rights protection vs. economic framework
Different legal basis: Article 16 TFEU (data protection) vs. Article 114 TFEU (internal market)
Special enforcement: Data protection authorities with independence guarantees
International standard: GDPR is globally recognized; maintaining as standalone regulation preserves its status
Proportionality: Personal data rules deserve distinct treatment given fundamental rights implications
What Moves Into the Data Act
From FFDR: Data Localization Ban
FFDR Article 4 prohibition on data localization requirements becomes Data Act Article 32h.
Content:
Member States shall not impose data localisation requirements that restrict the storage or processing of data in a specific geographical location within the Union.
Exceptions maintained:
- National security justified restrictions
- Public interest requirements (proportionate and necessary)
Rationale for consolidation: Data localization affects all data (personal and non-personal), so better integrated into comprehensive Data Act rather than separate regulation.
What happens to rest of FFDR: Mostly repealed; portability provisions absorbed into Data Act Chapter V (switching).
From DGA: Data Intermediation Services
DGA Chapter III (Articles 9-15) moves to Data Act Chapter VIIa.
What's included:
- Data intermediation service provider definition
- Notification and registration (now voluntary—see below)
- Neutrality and transparency requirements
- Code of conduct framework
- Competent authority designation
Key changes in consolidation:
- Notification becomes voluntary (trust label system instead)
- Separate legal entity requirement removed (functional separation sufficient)
- Streamlined registration process
- Lighter monitoring obligations
Services covered:
- Data sharing platforms
- Data marketplaces
- Data cooperatives
- Personal data intermediaries
From DGA: Data Altruism Organizations
DGA Chapter IV (Articles 16-28) moves to Data Act Chapter VIIa.
What's included:
- Data altruism definition (voluntary sharing for general interest)
- Registration of recognized data altruism organizations
- Transparency requirements
- European data altruism consent form
- Oversight mechanisms
Key changes in consolidation:
- Rulebook requirement deleted (too burdensome for voluntary activity)
- National policy reporting deleted
- Simplified compliance
- Easier registration
Purpose: Enable citizens and companies to donate data for research, statistics, and public interest purposes.
From DGA: Protected Public Sector Data
DGA Chapter II (Articles 3-8) moves to Data Act Chapter VIIa.
What's included:
- Re-use of protected data held by public sector bodies
- Single information points
- Competent bodies for re-use requests
- Conditions and fees
- Non-discrimination requirements
Integration rationale: Fits naturally with Data Act's public sector data access provisions (emergency access, high-value datasets).
From Open Data Directive: Public Sector Information
Entire ODD framework moves to Data Act Chapter VIIc.
What's included:
- Open data by default principle
- High-value datasets identification and publication
- Real-time data access
- Charging principles (marginal cost)
- Prohibition of exclusive arrangements
- Research data access
Benefits of consolidation:
- Single regime for all public sector data
- No more confusion between DGA and ODD
- Harmonized charging rules
- One-stop shop for public data access
Member States: Must transpose ODD provisions into national law (Directive obligations); now superseded by directly applicable Data Act provisions (Regulation).
What Gets Fully Repealed
Platform-to-Business Regulation (P2B)
Regulation (EU) 2019/1150 is fully repealed.
Why: Completely superseded by Digital Services Act (DSA) and Digital Markets Act (DMA).
DSA coverage:
- Platform transparency obligations
- Terms and conditions requirements
- Algorithmic transparency
- Complaint handling mechanisms
DMA coverage:
- Gatekeeper obligations
- Fair treatment requirements
- Data access for business users
- Interoperability mandates
Result: P2B obligations now covered (and exceeded) by DSA/DMA; no need for separate regime.
Transition: Existing P2B compliance efforts seamlessly transfer to DSA/DMA compliance.
Most of Free Flow of Data Regulation
FFDR mostly repealed except:
- Article 4 (data localization ban) → moves to Data Act
- Core free movement principle preserved in recitals
What's deleted:
- Separate monitoring framework (€846,612/year savings for public authorities)
- Standalone portability provisions (covered by Data Act switching rules)
- Code of conduct facilitation (redundant with Data Act mechanisms)
Correlation Tables: Article-by-Article Mapping
The Digital Omnibus includes detailed Annexes with correlation tables showing exactly where each article of the repealed regulations moves in the consolidated framework.
Example: DGA to Data Act Mapping
| DGA Article | Topic | New Location |
|---|---|---|
| Articles 3-8 | Protected public sector data | Data Act Chapter VIIa, Section 1 |
| Articles 9-15 | Data intermediation services | Data Act Chapter VIIa, Section 2 |
| Articles 16-28 | Data altruism | Data Act Chapter VIIa, Section 3 |
| Articles 29-32 | Competent authorities | Data Act Chapter VIIa, Section 4 |
| Article 33 | European Data Innovation Board | Data Act Chapter VIIa, Section 5 |
Example: ODD to Data Act Mapping
| ODD Chapter | Topic | New Location |
|---|---|---|
| Chapter I | General provisions | Data Act Chapter VIIc, Section 1 |
| Chapter II | Re-use requests | Data Act Chapter VIIc, Section 2 |
| Chapter III | High-value datasets | Data Act Chapter VIIc, Section 3 |
| Chapter IV | Research data | Data Act Chapter VIIc, Section 4 |
Practical value: Legal counsel and compliance teams can trace every obligation from old law to new location.
Benefits of Consolidation
1. Single Legal Framework for Data Economy
Before: Navigate GDPR + FFDR + DGA + ODD + Data Act
After: Navigate GDPR (personal) + Data Act (everything else)
Impact:
- Simpler compliance mapping
- Reduced legal advisory costs
- Easier training for compliance teams
- Better accessibility for SMEs
2. Harmonized Definitions
Current problem: Same concepts defined differently across laws.
Examples:
- "Data holder" in Data Act vs. "data controller" in GDPR
- "Data intermediary" in DGA vs. "data processing service" in Data Act
- "Public sector body" in ODD vs. DGA
Consolidation solution: Single set of definitions in Data Act applicable to all non-personal data provisions.
Result: Legal certainty, consistent interpretation, predictable enforcement.
3. Reduced Compliance Complexity
Fewer registers to check:
- Before: National DGA registers + Data Act registers + ODD high-value datasets
- After: Unified Data Act registers
Fewer notifications:
- Before: Separate DGA intermediation notification + Data Act switching notification
- After: Integrated notification process (and voluntary for intermediation)
Fewer competent authorities:
- Before: DGA authority + ODD authority + Data Act authority
- After: Single Data Act competent authority per Member State
4. Easier Compliance Navigation
Single regulatory text: Instead of cross-referencing five laws, consult two.
Integrated obligations: Related requirements in same chapters instead of scattered across regulations.
Unified enforcement: One competent authority for data economy (excluding personal data).
Better guidance: Regulators can issue comprehensive guidance on Data Act instead of fragmented guidance across multiple laws.
5. Supports Innovation
Legal certainty: Clear rules encourage investment in data-driven services.
Lower barriers to entry: Simplified compliance helps startups and SMEs compete.
Pan-European services: Easier to build services across all Member States with unified framework.
Faster deployment: Less time spent on legal analysis, more on product development.
Cost Savings from Consolidation
Direct Regulatory Savings
FFDR monitoring relief: €846,612/year for public authorities
- No separate monitoring framework
- Resources redirected to Data Act implementation
DGA separate entity removal: €318,750 one-off savings
- Data intermediaries no longer need separate legal entities
- Functional separation sufficient
DGA monitoring simplification: €6M/year
- Lighter oversight regime
- Risk-based supervision instead of continuous monitoring
Indirect Business Savings
Reduced legal advisory: Fewer laws to analyze and cross-reference
Simpler compliance procedures: Unified processes instead of parallel tracks
Lower training costs: Staff learn one framework instead of five
Faster market entry: Less time from idea to launch for data services
Public Sector Efficiency
One competent authority per Member State instead of multiple:
- Shared expertise
- Consistent interpretation
- Better resource allocation
- Coordinated enforcement
Implementation Considerations
Transitional Provisions
Existing DGA registrations: Automatically transfer to Data Act regime
- No need to re-register
- Existing rights and obligations continue
- Can opt in to new voluntary regime benefits
ODD transposition: Member States that transposed ODD Directive can repeal national laws once Data Act provisions apply
- Directly applicable regulation supersedes national transposition
- Simplifies national legal landscape
FFDR compliance: Organizations already complying with FFDR data localization ban continue under Data Act Article 32h
- No substantive change to obligations
- Same exemptions apply
For Organizations
Compliance mapping:
- Identify which regulations currently apply to your activities
- Use correlation tables to find new Data Act provisions
- Update internal policies and procedures
- Train compliance teams on consolidated framework
Documentation updates:
- Privacy policies and transparency documents
- Data processing agreements
- Compliance manuals
- Training materials
Legal basis review:
- Ensure legal bases remain valid under consolidated framework
- Update references from repealed regulations to Data Act
- Consider new opportunities from simplified regime
Visual Summary: Before and After
Before Omnibus (2024)
Personal Data:
└─ GDPR
Non-Personal Data:
├─ Free Flow of Data Regulation (FFDR)
├─ Data Governance Act (DGA)
├─ Open Data Directive (ODD)
└─ Data Act
Mixed/Unclear:
└─ Platform-to-Business Regulation (P2B)
Result: Fragmented, overlapping, complex
After Omnibus (2027)
Personal Data:
└─ GDPR (amended)
All Other Data:
└─ Data Act (consolidated)
├─ Data access and sharing (original Data Act)
├─ Data localization ban (from FFDR)
├─ Data intermediation (from DGA)
├─ Data altruism (from DGA)
├─ Protected public data (from DGA)
└─ Open data (from ODD)
Platform Regulation:
├─ Digital Services Act (DSA)
└─ Digital Markets Act (DMA)
Result: Coherent, integrated, simplified
Comparison Table
| Aspect | Before (5 Laws) | After (2 Laws) |
|---|---|---|
| Legal texts to consult | GDPR + FFDR + DGA + ODD + Data Act | GDPR + Data Act |
| Personal data | GDPR only | GDPR only (unchanged) |
| Non-personal data localization | FFDR Article 4 | Data Act Article 32h |
| Data intermediation | DGA Chapter III (mandatory) | Data Act Ch VIIa (voluntary) |
| Data altruism | DGA Chapter IV (with rulebook) | Data Act Ch VIIa (no rulebook) |
| Public sector data | ODD + DGA overlap | Data Act Ch VIIc (unified) |
| Platform obligations | P2B Regulation | DSA + DMA |
| Competent authorities | Multiple per MS | One per MS (plus DPAs) |
| Definitions | Inconsistent across laws | Harmonized in Data Act |
| Compliance complexity | High (fragmentation) | Reduced (consolidation) |
Related Resources
- EU Digital Omnibus Overview - Complete regulation guide
- GDPR Amendments - What changes in the GDPR
- Data Intermediation Services - Details on voluntary regime
- Timeline and Implementation - Key dates for consolidation
Key Takeaways
- Five data laws consolidated into two: GDPR (personal) + Data Act (everything else)
- GDPR remains separate with amendments; Data Act absorbs DGA, ODD, and FFDR core provisions
- P2B Regulation fully repealed (superseded by DSA/DMA)
- Correlation tables provided for article-by-article mapping
- Major cost savings: €6M+/year from monitoring reduction alone
- Simplified compliance: One framework instead of fragmented rules
- Better for innovation: Legal certainty and lower barriers to entry
- Practical implementation: Existing registrations and compliance transfer automatically
The consolidation is not just bureaucratic housekeeping—it's a fundamental restructuring of Europe's data economy framework. By eliminating overlaps, harmonizing definitions, and creating a single coherent legal regime (alongside GDPR), the Digital Omnibus makes EU data law navigable for businesses of all sizes while maintaining strong protections and enabling innovation.