This lecture offers an overview of multiple legal regimes overlapping on data. In particular, it addresses the contested personal-non-personal data dichotomy and sheds light on how trade secrecy intersects secondary law on data, including the GDPR, the Data Act and the Health Data Space Regulation.

Data transfers across borders are getting harder to manage—caught between fast-moving tech, shifting rules, and rising geopolitical tensions. As governments push for greater strategic autonomy over their digital infrastructure and data, balancing openness with control has never been more complex. This panel explores the challenge from three angles: how the European Commission is reviewing and updating its tools to keep transfers legal and workable, how the OECD’s “Data Free Flow with Trust” initiative aims to build global alignment (especially around financial and payment data), and what key trade-offs emergingin practice—zooming in on health data and the role of safeguards like anonymisation and pseudonymisation.

As the EU advances its cybersecurity ambitions through the implementation of the NIS2 Directive, important questions arise about how these strengthened regulatory requirements align with the Union’s broader goal of achieving strategic autonomy in the digital sphere. This panel will take stock of the current state of NIS2 transposition and implementation, assess whether it effectively addresses the fragmentation and inconsistencies observed under NIS1, and examine whether the push for enhanced cybersecurity—through improved risk management, incident reporting, and supply chain security—can be successfully aligned with efforts to reduce reliance on foreign technologies and external actors.

This workshop explores practical applications of data sharing under the EU Data Act Regulation through a series of case studies. Participants will examine how the Regulation facilitates access to and reuse of data across sectors, identify challenges in implementation, and discuss potential legal and governance implications. The workshop encourages interactive dialogue between participants to draw actionable insights from real-world examples.

With the Digital Services Act (DSA) introducing new obligations for online platforms—and new guidelines on Article 28 expected from the European Commission—the protection of minors is now at the forefront of the EU's digital policy agenda. This panel will examine how best to safeguard young users online, drawing on the DSA, EU data protection, and consumer law frameworks. It will explore the effectiveness and limitations of current age verification and assurance methods, alongside the broader responsibilities of platforms to mitigate risks. What legal and technical measures are truly fit for purpose—and how can different regulatory approaches work together to create an age-appropriate digital environment for children and teens?

Join representatives from the European Commission for an in-depth discussion on the enforcement of the Digital Services Act (DSA) and the AI Act. This session will provide insights into the Commission’s priorities, challenges, and upcoming actions in overseeing these landmark regulations. Whether you are a policymaker, practitioner, or researcher, this is a rare opportunity to engage directly with those shaping the enforcement landscape of digital regulation in the EU.

Following the meeting at the European Commission, the Summer Academy will head to the EDPS headquarters for an exclusive evening gathering where we will reflect on the past and future of data protection enforcement. Over tea and informal discussions, we will explore key challenges regulators face, lessons learned from enforcement actions, and the evolving role of data protection authorities in a rapidly changing digital world.

Following the EDPS discussion, we invite you to continue the conversation over drinks and tapas in a relaxed setting. This networking session will provide a fantastic opportunity to connect with fellow participants in an informal and engaging atmosphere.

This session explores how Brazil’s General Data Protection Law (LGPD) reflects and diverges from European data protection norms, particularly under the influence of the Brussels Effect. We’ll unpack regulatory convergences, institutional developments, and Brazil’s role in the global data governance debate.