This paper offers a business perspective on the EU data governance framework, particularly as it relates to data sharing in the financial sector. With policy-making ("on the books") centred on guaranteeing data privacy and data security whilst promoting innovation, firms face complexities when implementing this framework "on the ground". We build on existing work in internet policy, governance and law, multidisciplinary insights from business and management studies, and equally consider practitioner reports, legal/policy documents and industry consultations. Using the Revised Payment Services Directive as an illustrative case, our exploratory analysis reveals an implementation labyrinth, with a so-called "privacy-security-control" nexus at its core. Already problematic for firms operating across borders in the EU, this proves to be even more the case for global companies subject to various data sharing frameworks. Our analysis also reveals that the sectoral framework "on the books" neither reckons with the heterogeneity of firms (incumbent and new banks, fintechs and bigtechs) nor with their business models. We expose how these "on the ground" business realities might bring unintended effects that could be further aggravated by the (inherently slower) pace of regulation, and offer recommendations for policymakers, researchers and practitioners.