Data Rights and Personal Data Marketplace
by Nick Clark | Published April 25, 2026
Personal-data rights markets and the wider European data-economy are crystallising around a stack of overlapping instruments — the EU Data Act (Regulation 2023/2854), the Data Governance Act (Regulation 2022/868), the IDS Reference Architecture Model, the Gaia-X federation, and sector-specific data spaces such as Catena-X, Manufacturing-X, the Mobility Data Space, and the European Health Data Space. Each instrument presupposes a settlement substrate that procedural marketplace platforms cannot supply without becoming the very intermediary the regulations seek to eliminate. The governed-marketplace primitive provides bilateral, pair-settled exchange where data-subject authority, holder authority, and regulator authority co-sign the transaction without a platform operator capturing the rents.
Regulatory and Domain Context
The EU Data Act, in force since January 2024 and applicable from September 2025, establishes the most consequential reordering of data economics in the Union since the GDPR. Chapter II grants users of connected products and related services a near-absolute right of access to the data those products generate, while Chapter III obliges data holders to make that data available to third parties on fair, reasonable, non-discriminatory and transparent (FRAND) terms. Article 8 prohibits the use of unfair contractual terms unilaterally imposed by data holders, and Article 12 prohibits data recipients from using the data to develop products that compete with the connected product from which the data originated. The combined effect is to redirect bilateral data flows away from platform aggregators and toward direct data-subject-to-recipient settlement.
The Data Governance Act, applicable since September 2023, complements this by introducing the regulated category of "data intermediation services" (Articles 10–15). Such intermediaries are forbidden from using the data they handle for any purpose other than facilitating the exchange, must be structurally independent from any other service they offer, and are required to register with national competent authorities. Together with the IDS-RAM v4 connector specification, the Gaia-X Trust Framework, and federation policies emerging across Catena-X (automotive), Manufacturing-X (industrial), the Mobility Data Space (transport), and the European Health Data Space proposed under COM(2022) 197, the result is a layered governance regime that demands cryptographically verifiable consent, lineage, and counter-party identity at every hop. In the United States, California Civil Code section 1798.135 (the CCPA "right to limit use and disclosure of sensitive personal information") imposes parallel obligations through a different doctrinal lens.
Architectural Requirement
A regulation-aware data marketplace must satisfy four structural requirements simultaneously. First, every transaction must carry the data subject's consent record, the data holder's authority to release, and a recipient credential that survives audit reconstruction years after settlement. Second, no operator of the exchange may be in a position to read, retain, or re-broker the data — the DGA's "neutrality" requirement is non-negotiable. Third, contractual terms must be machine-enforceable so that Article 8 unfairness reviews and Article 12 use-restrictions can be detected before disclosure occurs, not after harm has accrued. Fourth, federation across data-space boundaries must occur without requiring participants to re-onboard into a new identity domain for each space.
These properties cannot be added to a centralised exchange after the fact. They are architectural prerequisites, and they constrain the topology of any system that hopes to serve the regulated data economy. The marketplace must be pair-settled by construction, with the exchange acting only as a discovery and policy-checking surface, never as an intermediary in the legal sense.
Participants and Their Authority
A marketplace transaction in this regime involves four distinct authorities, each of which must be represented as a credentialed party rather than as a configuration entry inside the platform. The data subject (or, for industrial data, the user of the connected product) holds the consent or release authority that the Data Act protects. The data holder — the manufacturer of the connected product, the operator of the industrial system, or the controller under GDPR terminology — holds the technical capability to release the data and the legal duty to do so on FRAND terms. The data recipient holds an authorisation issued by the relevant data-space governance body certifying that it is qualified to receive the data for the declared purpose. The supervisory authority — a national data-protection authority for personal data, a national competent authority under DGA Article 13, or a sectoral regulator such as a transport ministry or health-data-access body — holds the residual authority to inspect transactions retrospectively.
A pair-settled architecture admits each of these authorities as a first-class signer of the relevant observation. The transaction is then evaluable not as a record stored by the marketplace but as a composite of credentialed observations whose admissibility can be reviewed by any authority with standing. This is the structural property that distinguishes a regulated data exchange from a contractual data-broker arrangement, and it is the property that procedural overlays cannot supply.
Why Procedural Compliance Fails
The dominant industry response to Data Act obligations has been to append consent dashboards, data-portability APIs, and audit logs to existing platform architectures. This approach fails at the structural level. A platform that mediates flow between data subject and recipient is, under DGA Article 10, a regulated intermediary; if it also operates a downstream service that uses the same data, it violates the structural separation requirement. Consent dashboards generated by the platform itself cannot serve as evidence of subject authority because the platform has both the capability and the incentive to alter them. Audit logs maintained by the platform are not contemporaneous third-party records; they are self-attestations by an interested party.
The Catena-X experience illustrates the limit of bolt-on compliance. Early implementations relied on centralised connector registries that became single points of governance capture, prompting the federation to redesign around decentralised identity and verifiable-credential issuance. The same trajectory is visible in Manufacturing-X negotiations and in the emerging Mobility Data Space rulebook. Procedural overlays do not deliver the structural neutrality the regulations require, and litigation under Article 8 of the Data Act will increasingly test whether platform-mediated arrangements meet the FRAND standard at all.
What the AQ Primitive Provides
The governed-marketplace primitive is constructed as a pair-settled bilateral exchange anchored to the governance-chain trust substrate. A transaction is a tuple of credentialed observations: the data subject's consent (or, for non-personal industrial data, the holder's release authority), the recipient's possession of a permission credential issued by the relevant data-space governance body, and the policy admissibility check performed against the contractual terms in force. Settlement occurs directly between the two principals; the marketplace surface holds no copy of the payload and earns no economic rent from intermediation.
Because the exchange is anchored to a governance chain rather than to a platform-operator's database, the lineage of every transaction is reconstructable by any party with audit standing — the data subject, a national competent authority under DGA Article 13, or a court adjudicating an Article 8 unfairness claim. Federation across data spaces is handled through declared trust anchors: a Catena-X participant transacting with a Manufacturing-X counterpart presents credentials issued under each federation's policy, and the marketplace admits the exchange only when both policies are simultaneously satisfied. CCPA section 1798.135 "limit use" requests are expressed as policy predicates that downstream recipients inherit cryptographically, not as platform-side filters that recipients must trust.
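The admission rule described in this section, as an added sketch that is not code from the author or from any data-space project: a transaction is a set of issuer-tagged observations, and it is admitted only if every tag verifies against a declared trust anchor, the declared purpose is not restricted by the consent, and every federation involved has issued a permission for that purpose. The issuer names, keys, field names and the `sign`, `verified` and `admit` helpers are assumptions, and HMAC stands in for the asymmetric signatures a real credential scheme would use.

```python
import hashlib
import hmac
import json

# Constructed trust anchors: issuer name -> verification key. HMAC stands in
# for asymmetric signatures so the sketch runs on the standard library alone.
ANCHORS = {"subject:alice": b"k-subject", "catena-x:gov": b"k-cx",
           "manufacturing-x:gov": b"k-mx"}

def sign(issuer, role, claims):
    """Build a credentialed observation tagged by its issuer."""
    body = {"issuer": issuer, "role": role, "claims": claims}
    msg = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(ANCHORS[issuer], msg, hashlib.sha256).hexdigest()
    return {**body, "tag": tag}

def verified(obs):
    """True if the observation's tag matches a declared trust anchor."""
    key = ANCHORS.get(obs.get("issuer"))
    if key is None:
        return False
    body = {k: obs.get(k) for k in ("issuer", "role", "claims")}
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(obs.get("tag", "")))

def admit(observations, purpose, federations):
    """Return (admitted, reasons) for one pair-settled exchange."""
    good = [o for o in observations if verified(o)]
    reasons = []
    if len(good) != len(observations):
        reasons.append("unverifiable observation")
    consent = [o for o in good if o["role"] == "consent"]
    if not consent:
        reasons.append("no consent or release authority")
    # Limit-use predicates travel with the consent and bind the recipient.
    for o in consent:
        if purpose in o["claims"].get("forbidden_purposes", []):
            reasons.append(f"purpose '{purpose}' is restricted")
    # Every federation involved must have issued a permission for this purpose.
    for fed in federations:
        ok = any(o["role"] == "permission" and o["issuer"] == fed
                 and purpose in o["claims"].get("purposes", []) for o in good)
        if not ok:
            reasons.append(f"no permission credential from {fed}")
    return (not reasons, reasons)
```

The returned reasons list is what an auditor would read: an exchange fails closed if any one observation is altered, missing, or issued outside the declared anchors.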
Compliance Mapping
Data Act Chapter II access rights map to the data subject's role as an authority-credentialed party in every observation involving their connected-product data. Chapter III FRAND obligations map to the policy-admissibility predicate, which records the contractual terms in effect at the moment of release and makes them available for later review. Article 12 use-restrictions are encoded as downstream policy constraints that travel with the data through the lineage record. DGA Article 12 neutrality is satisfied structurally because the marketplace surface is pair-settled and holds no payload. IDS-RAM connector requirements map onto the credentialed-observation interface, and Gaia-X self-descriptions are admitted as authority credentials. CCPA section 1798.135 limit-of-sale signals are carried as first-class policy predicates rather than as platform-side configuration. For the European Health Data Space proposal, the secondary-use authorisation issued by a Health Data Access Body becomes a credentialed observation that gates downstream research access; for the Mobility Data Space, transport-operator licences and aggregator permissions compose through the same admissibility evaluation.
Adoption Pathway
Operators serving regulated data economies typically adopt the primitive in three stages. The first stage replaces platform-mediated exchange in a single high-value flow — typically connected-vehicle telemetry under Catena-X or industrial-equipment data under Manufacturing-X — while leaving legacy flows in place. The pilot establishes the credential issuance pathway, the policy-admissibility predicate library, and the lineage-recording infrastructure without disrupting incumbent commercial relationships. The second stage extends the primitive to cross-space federation, using the governance-chain anchor as a common trust substrate that makes Catena-X and Manufacturing-X credentials mutually intelligible. At this stage the operator typically formalises its registration as a data intermediation service under DGA Article 11 if it has not done so already, since the structural neutrality of the primitive makes the registration application substantially less burdensome.
The third stage retires platform-mediated flows entirely, at which point the operator's role narrows to discovery, dispute resolution, and policy curation — the functions the DGA actually permits a neutral intermediary to perform. Each stage produces audit artefacts sufficient to demonstrate compliance under Data Act Article 8 unfairness review and DGA Article 13 supervisory inquiry. For consumer-facing services subject to CCPA section 1798.135, the same primitive supplies the cryptographic evidence that "limit use" signals were honoured throughout downstream processing, displacing the current practice of relying on contractual representations from data recipients. The economic effect is to redirect rents away from intermediation and toward the curation, dispute-resolution, and policy-engineering functions that genuinely add value in the regulated data economy.