Together with the rules on processing of personal data set out by the Regulation 2016/679 of 27 April 2016 (GDPR), which has applied since May 25, 2018, the European Union (EU) establishes new rules on processing of non-personal data.
The European Parliament approved a new regulation – Regulation 2018/1807 of 14 November 2018 –, which seeks to promote free movement of non-personal electronic data within the EU where: (i) the data processing is provided as a service to users with residence or establishment in the EU, regardless of whether the service provider is established or not in the EU, or (Ii) the data processing is carried out, for own needs, by individuals or businesses in the EU.
But, after all, what does “non-personal data” mean? In contrast to "personal data", non-personal data is any information that does not refer to an identified or identifiable natural person (individuals). Examples of non-personal data include aggregate and anonymised datasets used for analysing large volumes of data in the current context of strong development of the Internet of things, Artificial Intelligence, autonomous systems and 5 G.
In order to enable the free movement of non-personal data in the EU, Member States are obliged to repeal all non-personal electronic data localisation requirements established in their local laws until May 30, 2021. If, however, this removal could be detrimental to public security, the Member State should consult the European Commission, which, after examination, may decide whether the Member-State shall keep (or not) the localisation requirements.
The rule will be, however, the free movement of non-personal electronic data in the EU, including data portability to professional users. This may be only limited or prohibited for justified public security reasons.
Considering that non-personal data and personal data may coexist, as there is no obligation to separately store these different types of data, the new regulation applies together with the GDPR. Thus, if, for example, technological developments make it possible to turn anonymised data into personal data, such data is personal data and the GDPR will apply.
This may raise new legal issues (and ethics), particularly where decisions are taken without human interaction, including, among others, issues concerning data access and reuse and the issue of liability along the entire value chain of data processing.
In the future, the European Commission will be in charge of drafting codes of conduct with best practices and information requirements in order to ensure full transparency and interoperability in the so-called “data economy and emerging technologies."