Abstract Data has become a vital resource in the digital economy, offering firms a competitive advantage through access to large, accurate datasets, which are essential for personalisation, targeted advertising, and training AI models. This paper examines the evolution of the EU data acquis governing international data transfers, arguing that it pursues two interconnected objectives: promoting business-to-business data sharing to enhance EU competitiveness and ensuring high levels of personal data protection under the GDPR. It explores the tensions between these objectives by comparing the GDPR framework for personal data with the emerging rules for non-personal data under the Data Act and Data Governance Act. The paper highlights the blurred boundary between personal and non-personal data and the expanding ‘appropriate measures’ obligations under the GDPR, which collectively constrain economic operators’ ability to process data outside the EU, potentially limiting international data flows. In light of the European Commission’s Digital Omnibus proposal (November 2025) to simplify EU digital regulations, the paper concludes that while the proposal may reduce the dichotomy between personal and non-personal data, it retains distinct regimes for their international transfers. As a result, it does not resolve the complexities surrounding EU rules on international data transfers.
Menéndez et al. (Mon,) studied this question.