photo
20.05.2026

The data ecosystem in the EU – report from the open expert lecture

On 15 May, the inaugural lecture and discussion within the Series of Open Expert Lectures took place at the headquarters of the Personal Data Protection Office. The first meeting was co‑organised by the Personal Data Protection Office and the National Bar of Attorneys‑at‑Law. Topic concerned legal issues relating to the data ecosystem in the European Union.

The Series of Open Expert Lectures is an initiative dedicated to the most important challenges related to personal data protection and privacy in the context of the development of new technologies. The aim of the series is to create a space for the exchange of knowledge and experience on key and current issues, as well as on the directions of change in the field of data protection.

In his opening remarks, the President of the Personal Data Protection Office, Mirosław Wróblewski, noted that this was the first meeting in such a format and expressed hope that it would help present different perspectives on data protection in the sphere of new technologies.

“Today it is already clear that the GDPR does not function in isolation, as a dense network of regulations concerning the data market has emerged. Only by looking at all these acts together will we see whether we are jointly creating a single ecosystem, or whether these regulations form separate silos. Today we are considering how to reconcile these challenges. From the GDPR perspective, the protection of personal data is paramount, but legal regimes now also focus, for example, on artificial intelligence systems,” the President of the Personal Data Protection Office pointed out.

Mirosław Wróblewski also observed: “The question most frequently raised today is, of course, whether regulation restricts innovation. In this sense, the role of personal data protection does not fade into the background but becomes crucial. Can we speak of trustworthy artificial intelligence without personal data protection? The European Commission would like to increase data availability and support interoperability, yet on the other hand, the issue of fundamental rights protection arises. Trust and personal data protection are conditions for innovation.”

Opening the meeting, the President of the National Bar of Attorneys‑at‑Law, Włodzimierz Chróścik, emphasised that personal data protection is extremely important for attorneys‑at‑law, particularly because artificial intelligence systems, increasingly analysed in recent times, are finding applications in the legal profession.

In her lecture entitled “Creating the Law of the Data Ecosystem in the European Union”, Karolina Mojzesowicz, PhD – Deputy Head of the unit responsible for data protection at the European Commission (Directorate‑General for Justice and Consumers) – stressed that a dozen or so years ago data protection law seemed clearly defined, focusing primarily on safeguarding the rights of individuals. Today, however, data have become, among other things, fuel for artificial intelligence, a source of competitive advantage and a matter of security. For this reason, the European Union eventually began to develop the law of the data ecosystem.

As Mojzesowicz explained, the GDPR laid the foundation, but personal data regulation in the EU has always been viewed in a broader context, and additional questions – particularly concerning who has access to data – have become increasingly important.

In this perspective, she noted, fundamental questions emerged: what must be done to genuinely give citizens control over their data? Who builds AI models, and on what data? Who controls cloud services, and who profits from EU citizens’ data? Finally, the question was raised whether Europe possesses its own digital sovereignty. To address this, the European Data Strategy was launched in 2020.

Karolina Mojzesowicz explained that Europe’s main problems included the lack of access to data, the lack of interoperability, and the lack of control over data held by companies outside the European Economic Area. The European Data Strategy sought to address these issues: data flows were to become easier, the burdensome fragmentation of the data market was to be overcome, and all of this was to be achieved while respecting personal rights.

A key element of this effort was finding a way to share data despite the evident dependence on external platforms. Shortly afterwards, the concept of data sovereignty emerged in the EU, and achieving it required – and still requires – Europe’s own data infrastructure.

As Dr Mojzesowicz recalled, the European Commission views data both as an economic resource and as a private good, and this distinction proved fundamental in shaping subsequent EU legal acts aimed at organising the data ecosystem.

According to the expert, it is important to remember that the EU has never abandoned the GDPR – it remains the constitutional element of the data economy, and all other legal acts must be built on its basis so as to enable the pursuit of various objectives and their mutual reinforcement.

In this context, Mojzesowicz pointed out that one of the first acts of this kind, the Data Governance Act (DGA), addressed the problem of inaccessible public‑sector data locked in so‑called silos.

Another important act was the Data Act, which focused more on the individual rights of citizens in relation to data contained in everyday devices.

A notable example of organising shared access in the EU to one of the most important data markets – health data – is the European Health Data Space.

Among the most important acts shaping the data ecosystem, Mojzesowicz also listed the Digital Markets Act (DMA) and the Digital Services Act (DSA). The former was created to increase data interoperability and enable data collection within a more competitive environment of data‑driven services. The latter was designed to ensure protection in light of the growing importance of online platforms, focusing primarily on the transparency of the content they disseminate.

The aim of the AI Act, in turn, was to answer the question of how to refine artificial intelligence systems in the context of the GDPR – how to create strong yet responsible AI, taking into account the obligation of data minimisation.

During her lecture, Mojzesowicz also described methods for improving EU law. Among them, she highlighted good practices such as call for evidence, impact assessment, and implementation dialogues.

The discussion panel following the lecture included: moderator Dominik Lubasz, PhD – member of the Working Group on Artificial Intelligence operating within the Social Team of Experts to the President of the Personal Data Protection Office; Agnieszka Grzelak, PhD – Deputy President of the Personal Data Protection Office; attorney‑at‑law Izabela Kowalczuk‑Pakuła – head of the data protection team at Bird & Bird; Przemysław Polański, PhD – lawyer, IT specialist and expert in IT law; and Karolina Mojzesowicz, PhD.

In his introduction to the debate, Dominik Lubasz noted that there are now 116 legal acts in the EU concerning the broadly understood digital market (most of which are already in force), which naturally raises the question of whether we are dealing with a coherent data protection system or a mosaic of regulations. This question shaped the character and focus of the entire discussion.

Participants largely agreed that, at present, we are still dealing with an archipelago of regulations, between which bridges sometimes exist. However, they noted that the EU is clearly moving towards integrating these regulations into a single system – although, as they emphasised, this will take considerable time.

In this context, Karolina Mojzesowicz stressed that the existing imperfections of EU acts do not preclude the existence of a system. Individual instruments are not perfect, but because the structure of changes is open, shortcomings can be corrected. She explained that, for example, the Digital Omnibus package contains attempts to address issues of coherence between different acts.

Agnieszka Grzelak observed that coherence between EU acts does exist, but concerns arise regarding differences in the perceived role of supervisory authorities responsible for overseeing individual regulations – both in terms of their responsibilities and the number of tasks assigned to tchem.

Agreeing with this observation, Izabela Kowalczuk‑Pakuła pointed to the example of deepfake technology, which may fall under several regulations simultaneously (e.g. the DSA and the AI Act). To which authority should an individual turn? She stressed that avoiding interpretative conflicts is essential, and from an organisational and administrative perspective, this is a major challenge.

Przemysław Polański added that over the long period of developing EU digital market law, not only the number of legal acts has changed, but also their volume. In his view, earlier regulations were more concise, whereas today interpretative conflicts will arise more frequently. He argued that the EU has focused on data in its regulations but has neglected infrastructure, which in practice strengthens big tech companies, as data escapes anyway due to cloud services. He emphasised that businesses are now fearful because the scope of regulation in Europe is too extensive, prompting them to move investments to the United States. According to Polański, the only solution is to build Europe’s own competitive data market strategy.

Agnieszka Grzelak added that eight years of the GDPR’s functioning show that it is an act enabling institutional action, yet practical problems do not diminish and will continue to grow, particularly due to the rapidly changing technological landscape.

The participants agreed that the discussion on the data ecosystem should be continued, including during future meetings of this kind. They expressed hope that this broad topic would return in the near future.

A recording of the event’s livestream is available below.