Summary statistics
Overlaps: 3 · Conflicts: 1 · Gaps: 2
6 article-level crossrefs catalogued between Data Act and ePrivacy Directive from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| Data Act Art 18 | ePrivacy Directive Art 5 | overlap | medium | [entity affected: data holder / provider of publicly available electronic communications service] Both regulations require entities handling personal data to implement technical measures (anonymizatio |
| Data Act Art 19 | ePrivacy Directive Art 6 | overlap | medium | [entity affected: public sector body / provider of public communications network] Both regulations mandate the erasure of data when it is no longer necessary for the specific purpose for which it was |
| Data Act Art 19 | ePrivacy Directive Art 4 | overlap | medium | [entity affected: public sector body / provider of publicly available electronic communications service] Both regulations require the implementation of appropriate technical and organizational measure |
| Data Act Art 14 | ePrivacy Directive Art 5 | conflict | high | [entity affected: data holder / provider of publicly available electronic communications service] The Data Act mandates making data available to public bodies upon request, while ePrivacy strictly pro |
| Data Act Art ? | ePrivacy Directive Art ? | gap | medium | [entity affected: IoT device manufacturers] Neither regulation explicitly defines the liability or compliance obligations for IoT manufacturers regarding the security of embedded data collection mecha |
| Data Act Art ? | ePrivacy Directive Art ? | gap | low | [entity affected: Cross-border data intermediaries] There is a lack of clear guidance on how to reconcile the Data Act's requirement for data portability with ePrivacy's strict consent requirements wh |
Conflicts explained
The 1 article-level conflicts between Data Act and ePrivacy Directive mean a control that satisfies one can pull the wrong way on the other:
- Data Act Art 14 vs ePrivacy Directive Art 5 — [entity affected: data holder / provider of publicly available electronic communications service] The Data Act mandates making data available to public bodies upon request, while ePrivacy strictly prohibits interception or surveillance of communications without user consent, creating a tension between mandatory disclosure and confidentiality obligations.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between Data Act and ePrivacy Directive. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 3 overlaps as design opportunities — one control, two regulatory anchors. Treat the 1 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- data act article 37 commission
- data act obligations data services
- data act vs data governance act comparison
- data act vs dma comparison
Check your full compliance exposure with the 5-minute Fontvera diagnostic →