EDPB Adopts Non-Binding Standard Contractual Clauses for Data Sharing Under Data Act

On July 8, 2025, the European Data Protection Board (EDPB) adopted the European Commission's recommendations on non-binding standard contractual clauses for data sharing. This decision, numbered 4/2025, represents the first practical application of the Data Act, aiming to facilitate data sharing while adhering to GDPR standards for personal data protection.

The Data Act is a significant piece of legislation designed to enhance data availability and usability across sectors and member states within the EU. By adopting these standard contractual clauses, the EDPB is providing a framework that organizations can use to share data more easily and securely. Although these clauses are non-binding, they offer valuable guidance and can help ensure that data sharing agreements include necessary security measures, thereby reducing the risk of data breaches and unauthorized access.

From a cybersecurity perspective, the adoption of these clauses is a positive step towards enhancing data protection and compliance. Organizations will have clearer guidelines on how to share data while remaining compliant with GDPR, which can reduce the risk of non-compliance penalties. Moreover, standardized clauses can help ensure consistent data protection measures across different organizations and sectors, thereby enhancing overall data security.

The impact on the cybersecurity landscape is multifaceted. Firstly, it promotes trust between organizations and with consumers by providing clear and standardized rules for data sharing. Secondly, it drives innovation by making more data available for research and development. Lastly, it enhances legal certainty and maintains high data protection standards, which are crucial for a robust cybersecurity posture.

Technically, the standardized clauses likely include provisions for security measures such as encryption, access controls, and data breach notification procedures. This can help organizations manage risks associated with data sharing, including risks of data breaches and non-compliance with GDPR. Additionally, the Data Act's focus on facilitating data sharing across sectors and member states increases the need for robust cybersecurity measures to protect this data.

In conclusion, the EDPB's decision to adopt non-binding standard contractual clauses for data sharing under the Data Act is a significant development. It facilitates data sharing while ensuring compliance with GDPR, thereby enhancing data protection and cybersecurity across the EU.