A set of new EU-wide rules facilitating the cross-border free flow of non-personal data within the Union is expected to become effective at the end of 2018 or early 2019.

These rules are intended to remove within the next two years any restrictions introduced by EU Member States on storing or processing non-personal (i.e. aggregate and anonymised) data outside their territory. Such restrictions of geographic location of storing and processing would be legitimate only to the extent that they are justified on grounds of public security.

If a data set contains both personal and non-personal data, the General Data Protection Regulation will apply to the personal data part of the set, while the non-personal data will be covered by the free flow of data regulation.

The new rules also encourage the development of codes of conduct to make it easier for users of data processing services to switch computing service providers or to port their data back to their own IT systems.

Why the new rules matter?

Removing data localisation restrictions is regarded as a key factor in ensuring that the European data economy can achieve its full potential. Important sources of non-personal data include various forms of connected consumer and industrial devices. They effectively underpin the operations of the Internet of Things, artificial intelligence and machine learning. The use of connected devices expands rapidly. According to research by Gartner, globally there were over 6.3 billion devices connected to the Internet at the start of 2017, with the number predicted to rise to 20.8 billion by 2020. Such devices collect and generate vast amounts of aggregate and anonymised sets of non-personal data. Forecasts suggest that they will be responsible for a tenth of the world’s information in 2020, which equates to 44 zettabytes (or 44 trillion gigabytes).

If such non-personal data may flow freely across borders within the European Union, big data analytics, automatous driving, precision farming, e-healthcare and smart cities are expected to attain better market deployment and commercialisation. The sharing and re-use of non-personal data are also expected to stimulate innovation, reduce barriers to entry and expansion to European businesses and facilitate new business models that can address, among others, persistent social and economic concerns (e.g. access to healthcare and education in rural areas).

The newly adopted rules on non-personal data would also ease the storage, aggregation and processing – the so-called computing – of data in clouds (e.g. cloud services, bespoke cloud-based platforms). On-demand access to cloud services in particular can reduce capital expenditure and increase efficiency gains for European businesses. Small- and medium-sized enterprises especially stand to benefit from the cloud, as it allows them to access high-performance IT solutions that would otherwise be out of their reach.

The practical legal implications

The free flow of non-personal data and data aggregation and storage on platforms or in the cloud pose a range of legal issues, among which more prominently concerning are:

Ownership of the data

The question of who owns data stored, aggregated or otherwise processed on a platform or in the cloud is not strictly regulated by law. It lends itself to interpretation based on existing rules on confidentiality, data privacy, and protection of databases and trade secrets.

To overcome associated uncertainty, businesses should consider viable options available for managing title over and/or third-party access/use of the data based on appropriate contractual terms.

Security and privacy

Users have little control over security and technical and organisational measures effectively in place to protect data in the cloud/on the platform. Therefore, they largely depend on the business and technology choices that service providers and their sub-contractors make. The European data protection legislation (including the General Data Protection Regulation), existing cyber security standards in the US and the national legislation transposing the Network and Information Security Directive in Europe introduce requirements for adequate, “state-of-art” measures and safeguards for protection.

However, businesses – especially large corporates – should seek sufficient contractual and technical guaranties from service providers as to the technical and legal adequacy of the information security measures introduced. Customers should insist on the possibility to regularly verify that adequacy for themselves.

Service provider’s ability to unilaterally alter essential features of the platform/cloud computing service

Essential features of the service may change because of changes in the infrastructure used, “layering”, sharding and distributed storage of data across servers. This may affect the service levels or customer’s position under security and data protection legislation.

Corporate users may attempt and limit unfavourable outcomes by negotiating contractual safeguards against such unilateral changes, with more flexible termination rights as a fall-back.

Lock-ins and portability of data

Once users have uploaded their data in the cloud/onto a platform, there may be no incentive or be very difficult for them to switch to another service provider and ensure portability of the data.

Corporate customers should make sure that they have contractual arrangements in place with the service provider that warrant at least reasonable and technically viable assistance with migrating the customer’s data from one service to another or back onto the customer’s own IT systems.