Freedom no. 5: new regulation on the free flow of non-personal data in the EU

13.11.2018 EU law

On 9 November, the European Council approved a regulation aiming to secure the free flow of non-personal data in the EU (the "Regulation"). This is another step towards the adoption of the Regulation, which aims to remove obstacles to the free movement of non-personal data in the EU.

Based on the current timeline (and assuming official publication will quickly follow the signing), it is expected that the Regulation will apply from mid-2019. In this blog, we will cover the main rights and obligations that follow from this Regulation.

What is the purpose?

Most people have by now become aware of the importance of their personal data, particularly to marketeers and advertisers. The value of non-personal data is perhaps less well known, though it is quickly becoming an invaluable resource for trade, research and development. This includes commercial and machine data, as well as fully anonymised sets of personal data. A good example of the former would be the usage data that Tesla can download whenever one of their cars is plugged into a charging point, which can then be used for a plethora of purposes: from optimising urban fuel consumption to fine-tuning collision avoidance software. Due to the value of such data, calls for regulating it are becoming louder, both from a free trade perspective and a data ownership or intellectual property standpoint.

In anticipation of this, the overall objective of the Regulation is to create a more competitive and integrated internal market for data processing services, so that the full potential of the data economy can be achieved. In particular, the European legislators aim to tackle two identified obstacles to data mobility: data localisation requirements by Member States and vendor lock-in practices in the private sector. To this end, the Regulation provides rules on three topics:

1. data localisation requirements by Member States

2. the availability of data to competent authorities

3. data portability for professional users.

In which cases does it apply?

Put briefly, the rules apply to the processing of electronic data other than personal data which is either provided as a service to users in the EU, or carried out by a natural or legal person in the EU for its own needs. Under the Regulation, "data" means data other than personal data as defined under the GDPR. The definition of "processing", whilst relating to data and not personal data, is the same as under the GDPR, and therefore extremely broad: "any operation or set of operations which is performed on data or on sets of data, whether or not by automated means". Where a dataset is composed of both personal and non-personal data, the Regulation applies to the non-personal data part of the dataset. If, however, the personal and non-personal data are inextricably linked, the Regulation will not prejudice the GDPR.

What are the main rules and obligations?

First, the Regulation establishes the principle of free movement of data. Under the Regulation, data localisation requirements are prohibited unless they are justified on grounds of public security in compliance with the principle of proportionality. Data localisation requirements are defined broadly, as any type of obligation that requires data to be processed in the territory of a specific Member State or which hinders the processing of data in another Member State. The Regulation's main sponsor, Swedish MEP Anna Maria Corazza Bildt, has referred to this principle as the 'fifth freedom' on the EU single market, to exist alongside goods, services, people and capital. The Regulation requires Member States to repeal any existing data localisation requirements within a year from the date of application or to notify the Commission of such requirements including a justification. Furthermore, all Member States are required to make national data localisation requirements available on a single online information point, so that such information is readily available for users and service providers.

Second, the Regulation ensures availability of data stored abroad for competent authorities. Data localisation requirements often originate from the concern that without such rules, competent authorities would not have access to data that is stored abroad. With this background in mind, it is stated that the Regulation does not affect the powers of competent authorities to request or obtain access to data for the performance of their official duties. Moreover, the Regulation provides Member States with the possibility of imposing penalties on users for failure to comply with an obligation to provide data. This includes "strictly proportionate interim measures" including re-localisation of data. Furthermore, the Regulation establishes a mechanism for requesting assistance from foreign competent authorities. Member States are to establish a single point of contact that serves as an intermediary between the requesting foreign authority and the relevant national authority that can provide the data.

Third, the Regulation requires codes of conduct to be developed by service providers that ensure data portability for professional users. More specifically, the European Commission will encourage and facilitate the development of such codes of conduct in cooperation with all relevant stakeholders, including service providers and also users. It is the intention that such codes of conduct will be implemented 18 months after the Regulation's date of publication.

What are the likely implications?

With regard to the free movement of data, it seems that the objectives are, for a large part, preventative rather than remedial. That is, most major EU countries do not have strong data localisation laws in respect of non-personal data. The data localisation laws that do exist tend to apply only to (semi-)public bodies, such as ministries, local governments or hospitals. In respect of such data users, free movement of data will broaden the range of data storage providers that can be contracted with. For example, a local council in Germany will be able to store its financial records through a cloud service provider with servers in Cyprus. It will also be a boon for cloud and Software-as-a-Service ("SaaS") providers, who will be able to host more of their products in friendly climes from a tax or data protection perspective, such as Ireland.

The requirement to make data stored abroad accessible to competent authorities can be seen as a failsafe on the right to free movement of data, and is similar to the so-called Cloud Act enacted by the US earlier this year. In both cases, the provisions seek to ensure that criminals cannot avoid authorities by using servers in other countries.

Data portability has already been brought into law for private data subjects by the GDPR, but is yet to find many practical applications. However, some of the most obvious applications of data portability, such as keeping one's own phone number or domain name when migrating to another service provider, would be equally beneficial in a business context.
