Enough about personal data, what about (restrictions to) the free flow of “non-personal data” ?

As part of its Digital Single Market strategy, the European Commission published on 13 September 2017 a proposal for a Regulation “on a framework for the free flow of non-personal data in the European Union”.

Why a Regulation governing “non-personal” data?

  • To make sure that it is safe for businesses to store data anywhere in the EU;
  • To eliminate barriers to trade and to enable a ‘EU data community’;
  • To enhance data mobility within the EU, which is currently hindered by:
  • national laws or regulators requiring certain data to be stored within the country (e.g. in the banking sector, where the regulator sometimes prohibits cross-border data storage, or localisation requirements in public tender procedures);
  • customers of service providers requiring their data to be stored locally; and
  • a lack of trust when data storage is outsourced (as there is no equivalent in the EU of the US “cloud security alliance”).

The combination of these elements leads to a lack of competition between cloud service providers in Europe, various ‘vendor locking’ issues, and a serious lack of data mobility. Switching between (cloud service) providers is often made very difficult. The aim of the new Regulation is therefore to create more competition on the data market, which will result in lower digitalisation costs for companies and a higher trust level on the market, ultimately benefiting both cloud service providers, their clients, and the end-consumers.

What is the scope of application of this draft Regulation?

The new Regulation is intended to apply to the “storage or other processing of electronic data other than personal data” in the EU, which is:

  • provided as a service to users residing or having an establishment in the EU, regardless of whether the provider is established or not in the EU; or
  • carried out by a natural or legal person residing or having an establishment in the EU for its own needs.

The term “electronic data other than personal data” is defined as “data other than personal data as referred to in Article 4(1) of Regulation (EU) 2016/679”. Every type of information that is not “personal data” within the meaning of the GDPR would thus be qualified as “non-personal data” within the meaning of this draft Regulation.

Taking into account the fact that, in practice, most data sets held by companies are ‘mixed’ (i.e. they contain both personal and non-personal data, which cannot be easily separated), both types of legislation should be applied to most data sets. According to the European Commission, this should not be problematic for businesses, as the consistency between the GDPR and the draft Regulation has been ensured.

Key takeaways of the proposed Regulation?

  • EU Member States will be obliged to remove national law requirements for data localisation:
  • location of data for storage or other processing within the EU shall not be restricted to the territory of a specific Member State, and storage or other processing in any other Member State may not be prohibited or restricted by national law, unless it is justified on grounds of public security;
  • Member States will have to notify to the European Commission of any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement; and
  • Member States will have to make the details of data localisation requirements applicable in their territory publicly available online via a single information point.
  • The Regulation will not affect the powers of competent authorities to request and receive access to data for the performance of their official duties. Access to data by competent authorities may not be refused on the basis that it is stored or otherwise processed in another Member State.
  • Facilitation of data portability (via codes of conduct – ‘standard contractual clauses’): the European Commission encourages and will facilitate the development of self-regulatory codes of conduct at EU level, in order to define guidelines on best practices regarding the switching of cloud service providers and to ensure that cloud service providers provide professional users with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded.

Next steps?

The draft Regulation was proposed by the European Commission on 13 September 2017 and still has to be discussed in and approved by the European Parliament.

More information on the website of the European Commission: https://ec.europa.eu/digital-single-market/en/free-flow-non-personal-data.