Short Reads

Freedom no. 5: new regulation on the free flow of non-personal data in the EU

Freedom no. 5: new regulation on the free flow of non-personal data i

Freedom no. 5: new regulation on the free flow of non-personal data in the EU

13.11.2018 EU law

On 9 November, the European Council approved a regulation aiming to secure the free flow of non-personal data in the EU (the "Regulation"). This is another step towards the adoption of the Regulation, which aims to remove obstacles to the free movement of non-personal data in the EU.

Based on the current timeline (and assuming official publication will quickly follow the signing), it is expected that the Regulation will apply from mid-2019. In this blog, we will cover the main rights and obligations that follow from this Regulation.

What is the purpose?

Most people have by now become aware of the importance of their personal data, particular to marketeers and advertisers. The value of non-personal data is perhaps less well known, though it is quickly becoming an invaluable resource for trade, research and development. This includes commercial and machine data, as well as fully anonymised sets of personal data. A good example of the former would be the usage data that Tesla can download whenever one of their cars is plugged into a charging point, which can then be used for a plethora of purposes: from optimising urban fuel consumption to fine-tuning collision avoidance software. Due to the value of such data, calls for regulating it are becoming louder, both from a free trade perspective and a data ownership or intellectual property standpoint.

In anticipation of this, the overall objective of the Regulation is to create a more competitive and integrated internal market for data processing services, so that the full potential of the data economy can be achieved. In particular, the European legislators aim to tackle two identified obstacles to data mobility: data localisation requirements by Member States and vendor lock-in practices in the private sector. To this end, the Regulation provides rules on three topics:

1. data localisation requirements by Member States

2. the availability of data to competent authorities

3. data portability for professional users.

In which cases does it apply?

Put shortly, the rules apply to the processing of electronic data other than personal data which is either provided as a service to users in the EU, or carried out by a natural or legal person in the EU for its own needs. Under the Regulation, "data" means data other than personal data as defined under the GDPR. The definition of "processing", whilst relating to data and not personal data, is the same as under the GDPR, and therefore extremely broad: "any operation or set of operations which is performed on data or on sets of data, whether or not by automated means". Where a dataset is combined of both personal and non-personal data, the Regulation applies to the non-personal data part of the data set. If the personal and non-personal data are however inextricably linked, the Regulation will not prejudice the GDPR.

What are the main rules and obligations?

First, the Regulation establishes the principle of free movement of data. Under the Regulation, data localisation requirements are prohibited unless they are justified on grounds of public security in compliance with the principle of proportionality. Data localisation requirements are defined broadly, as any type of obligation that requires data to be processed in the territory of a specific Member State or which hinders the processing of data in another Member State. The regulation's main sponsor, Swedish MEP Anna Maria Corazza Bildt,  has referred to this principle as the 'fifth freedom' on the EU single market, to exist alongside goods, services, people and capital. The Regulation requires Member States to repeal any existing data localisation requirements within a year from the date of application or to notify the commission of such requirements including a justification. Furthermore, all Member States are required to make national data localisation requirements available on a single online information point, so that such information is readily available for users and service providers.

Second, the Regulation ensures availability of data stored abroad for competent authorities. Data localisation requirements often originate from the concern that without such rules, competent authorities would not have access to data that is stored abroad. With this background in mind, it is stated that the Regulation does not affect the powers of competent authorities to request or obtain access to data for the performance of their official duties. Moreover, the Regulation provides Member-States with the possibility of imposing penalties on users for failure to comply with an obligation to provide data. This includes "strictly proportionate interim measures" including re-localisation of data. Furthermore, the Regulation establishes a mechanism for the requesting of assistance from foreign competent authorities. Member-States are to establish a single point of contact that serves as an intermediary between the requesting foreign authority and the relevant national authority that can provide the data.

Third, the Regulation requires codes of conduct to be developed by service providers that ensure data portability for professional users. More specifically, the European Commission will encourage and facilitate the development of such codes of conduct in cooperation with all relevant stakeholders, including service providers and also users. It is the intention that such codes of conduct will be implemented 18 months after the Regulation's date of publication.

What are the likely implications?

With regard to the free movement of data, it seems that the objectives are, for a large part, preventative rather than remedial. That is, most major EU countries do not have strong data localisation laws in respect of non-personal data.  The data localisation laws that do exist tend to apply only to (semi-) public bodies, such as ministries, local governments or hospitals.  In respect of such data users, free movement of data will broaden the range of data storage providers that can be contracted with. For example, a local council in Germany will be able to store its financial records through a cloud service provider with servers in Cyprus. It will also be a boon for cloud and Software-as-a-Service ("SaaS") providers, who will be able to host more of their products in friendly climes from a tax or data protection perspective, such as Ireland.

The requirement to make data stored abroad accessible to competent authorities can be seen as a failsafe on the right to free movement of data, and is similar to the so-called Cloud Act enacted by the US earlier this year. In both cases,  the provisions seek to ensure that criminals cannot avoid authorities by using servers in other countries.

Data portability has already been brought into law for private data subjects by the GDPR, but is yet to find many practical applications. However, some of the most obvious applications of data portability, such as keeping one's own phone number or domain name when migrating to another service provider, would be equally beneficial in a business context.

Team

Related news

30.04.2019 EU law
Climate goals and energy targets: legal perspectives

Seminar - On Tuesday April 30th, Stibbe organizes a seminar on climate goals and energy targets. Climate change has incited different international and supranational institutions to issue climate goals and renewable energy targets. Both the UN and the EU have led this movement with various legal instruments.

Read more

12.04.2019 NL law
Hoogste Europese rechter bevestigt dat overheden onrechtmatige staatssteun proactief moeten terugvorderen

Short Reads - De maand maart 2019 zal vermoedelijk de juridisch handboeken ingaan als een historische maand voor het mededingings- en staatssteunrecht. Niet alleen deed het Hof van Justitie een baanbrekende uitspraak op het gebied van het verhaal van kartelschade. Het heeft in de uitspraak Eesti Pagar (C-349/17) van 5 maart 2019 belangrijke vragen opgehelderd over de handhaving van het staatssteunrecht op nationaal niveau.

Read more

04.04.2019 NL law
Tick-tock: no reset of the appeal clock for amending Commission decision

Short Reads - The European Court of Justice recently upheld the General Court's order finding that metal production and recycling company Eco-Bat had submitted its appeal outside of the appeal term. Eco-Bat had relied on the term starting from the date of the European Commission's decision correcting figures for the fine calculation in the initial infringement decision.

Read more

10.04.2019 BE law
Acrylamide: zijn frieten ook juridisch schadelijk voor de gezondheid?

Articles - De risico’s door de aanwezigheid van acrylamide in levensmiddelen noopten de EU tot het nemen van risicobeperkende maatregelen. Exploitanten van levensmiddelenbedrijven van bepaalde levensmiddelen (o.a. frieten, chips, koekjes, …) kregen de verplichting om tal van maatregelen te nemen.  De juridische kwalificatie van acrylamide en het regime van deze maatregelen worden in deze blog toegelicht.

Read more

04.04.2019 NL law
Fine liability in antitrust cases is closely scrutinised by Dutch courts

Short Reads - A parent company can be held liable for a subsidiary's anti-competitive conduct if the parent has exercised decisive influence over the subsidiary, because the two are then considered a single undertaking. This is why the Trade and Industry Appeals Tribunal (CBb) recently found that the ACM cannot simply rely on managing partners' civil liability to determine fine liability for a limited partnership's anti-competitive conduct.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring