On 9 November, the European Council approved a regulation aiming to secure the free flow of non-personal data in the EU (the "Regulation"). This is another step towards the adoption of the Regulation, which aims to remove obstacles to the free movement of non-personal data in the EU.
Based on the current timeline (and assuming official publication will quickly follow the signing), it is expected that the Regulation will apply from mid-2019. In this blog, we will cover the main rights and obligations that follow from this Regulation.
What is the purpose?
Most people have by now become aware of the importance of their personal data, particularly to marketers and advertisers. The value of non-personal data is perhaps less well known, though it is quickly becoming an invaluable resource for trade, research and development. This includes commercial and machine data, as well as fully anonymised sets of personal data. A good example of the former would be the usage data that Tesla can download whenever one of their cars is plugged into a charging point, which can then be used for a plethora of purposes: from optimising urban fuel consumption to fine-tuning collision avoidance software. Due to the value of such data, calls for regulating it are becoming louder, both from a free trade perspective and from a data ownership or intellectual property standpoint.
In anticipation of this, the overall objective of the Regulation is to create a more competitive and integrated internal market for data processing services, so that the full potential of the data economy can be achieved. In particular, the European legislators aim to tackle two identified obstacles to data mobility: data localisation requirements by Member States and vendor lock-in practices in the private sector. To this end, the Regulation provides rules on three topics:
1. data localisation requirements by Member States
2. the availability of data to competent authorities
3. data portability for professional users.
In which cases does it apply?
In short, the rules apply to the processing of electronic data other than personal data which is either provided as a service to users in the EU, or carried out by a natural or legal person in the EU for its own needs. Under the Regulation, "data" means data other than personal data as defined under the GDPR. The definition of "processing", whilst relating to data and not personal data, is the same as under the GDPR, and therefore extremely broad: "any operation or set of operations which is performed on data or on sets of data, whether or not by automated means". Where a dataset consists of both personal and non-personal data, the Regulation applies to the non-personal part of the dataset. If, however, the personal and non-personal data are inextricably linked, the Regulation does not prejudice the GDPR.
What are the main rules and obligations?
First, the Regulation establishes the principle of free movement of data. Under the Regulation, data localisation requirements are prohibited unless they are justified on grounds of public security in compliance with the principle of proportionality. Data localisation requirements are defined broadly, as any type of obligation that requires data to be processed in the territory of a specific Member State or which hinders the processing of data in another Member State. The Regulation's main sponsor, Swedish MEP Anna Maria Corazza Bildt, has referred to this principle as the 'fifth freedom' on the EU single market, to exist alongside goods, services, people and capital. The Regulation requires Member States to repeal any existing data localisation requirements within a year from the date of application, or to notify the Commission of such requirements together with a justification. Furthermore, all Member States are required to make national data localisation requirements available on a single online information point, so that such information is readily available to users and service providers.
Second, the Regulation ensures the availability of data stored abroad to competent authorities. Data localisation requirements often originate from the concern that, without such rules, competent authorities would not have access to data that is stored abroad. With this background in mind, the Regulation states that it does not affect the powers of competent authorities to request or obtain access to data for the performance of their official duties. Moreover, the Regulation gives Member States the possibility of imposing penalties on users for failure to comply with an obligation to provide data. This includes "strictly proportionate interim measures", including re-localisation of data. Furthermore, the Regulation establishes a mechanism for requesting assistance from foreign competent authorities. Member States are to establish a single point of contact that serves as an intermediary between the requesting foreign authority and the relevant national authority that can provide the data.
Third, the Regulation requires service providers to develop codes of conduct that ensure data portability for professional users. More specifically, the European Commission will encourage and facilitate the development of such codes of conduct in cooperation with all relevant stakeholders, including service providers as well as users. The intention is that such codes of conduct will be implemented 18 months after the Regulation's date of publication.
What are the likely implications?
With regard to the free movement of data, it seems that the objectives are, for a large part, preventative rather than remedial. That is, most major EU countries do not have strong data localisation laws in respect of non-personal data. The data localisation laws that do exist tend to apply only to (semi-) public bodies, such as ministries, local governments or hospitals. In respect of such data users, free movement of data will broaden the range of data storage providers that can be contracted with. For example, a local council in Germany will be able to store its financial records through a cloud service provider with servers in Cyprus. It will also be a boon for cloud and Software-as-a-Service ("SaaS") providers, who will be able to host more of their products in friendly climes from a tax or data protection perspective, such as Ireland.
The requirement to make data stored abroad accessible to competent authorities can be seen as a failsafe on the right to free movement of data, and is similar to the so-called Cloud Act enacted by the US earlier this year. In both cases, the provisions seek to ensure that criminals cannot avoid authorities by using servers in other countries.
Data portability has already been brought into law for private data subjects by the GDPR, but is yet to find many practical applications. However, some of the most obvious applications of data portability, such as keeping one's own phone number or domain name when migrating to another service provider, would be equally beneficial in a business context.