The European Commission has issued a proposal for a new Regulation on the free flow of non-personal data (“the Proposal”).
The Commission adopted a Communication in January 2017 on “Building a European Data Economy”, in which its work on free flow of data was announced in the context of actions to enhance the data economy. The Commission then launched a public consultation and dialogue with stakeholders to gather further evidence on the issues restricting the free flow of data.
The Commission has identified the main obstacles that preclude free flow of data in the Digital Single Market as follows:
- Unjustified data localisation restrictions by Member States’ public authorities
- Legal uncertainty about legislation applicable to cross-border data storage and processing
- A lack of trust in cross-border data storage and processing linked to concerns among Member States’ authorities about the availability of data for regulatory scrutiny purposes
- Difficulties in switching service providers (such as cloud) because of vendor lock-in practicesThe Proposal is intended to address these obstacles and remove barriers to data mobility. This is important for the data economy because removing data localisation restrictions is expected to generate additional growth of up to 4% GDP by 2020 (as estimated by Deloitte in one of the support studies). It will also drive down the cost of data services, providing customers greater flexibility in organising their data management and data analytics, while expanding their use and choice of providers.
In practice, these obstacles mean that a business may not be or feel free to make full use of cloud services, choose the most cost-effective locations for IT resources, switch between service providers, or port its data back to their own IT systems. The Commission considers that with the principle of free flow of non-personal data, businesses can avoid duplication of data at several locations, may feel more confident to enter new markets, and scale-up their activities more easily.
The Proposal is intended to address these obstacles and remove barriers to data mobility. This is important for the data economy because removing data localisation restrictions is expected to generate additional growth of up to 4% GDP by 2020 (as estimated by Deloitte in one of the support studies). It will also drive down the cost of data services, providing customers greater flexibility in organising their data management and data analytics, while expanding their use and choice of providers.
What are the key elements of the Proposal?
The Proposal aims to ensure:
- Free movement of non-personal data across borders: Every organisation should be able to store and process data anywhere in the EU
- The availability of data for regulatory control: Public authorities will retain access to data when it is located in another Member State, or when it is stored or processed in the cloud
- Easier switching of cloud service providers for professional users: The Commission proposes a self-regulatory approach, encouraging providers to develop codes of conduct regarding the conditions under which users can port data between cloud service providers and back into their own IT environments
- Full consistency with the cybersecurity package, and clarification that any security requirements that already apply to businesses storing and processing data will continue to do so when they store or process data across borders in the EU or in the cloud
How does the Proposal sit with the EU personal data regulatory framework?
The new framework for the free movement of non-personal data is intended to complement existing EU legislation for personal data (including the General Data Protection Regulation (GDPR), the e-Privacy Directive (2002/58/EC) and the Police Directive (2016/680)), which already provides for the free movement and portability of personal data within the EU. The Proposal avoids duplication and ensures consistency with these existing legal instruments, while seeking to provide the same free movement rules to the storage and processing of electronic data other than personal data in the EU.
The Proposal will clearly benefit both businesses and business users of data storage or other processing services. By ensuring the free flow of non-personal data within the EU, companies will have access to a wider choice of service providers offering competitive rates, thus enabling them to choose the most cost-effective IT solutions. The cloud industry also sees this as a positive move, with CISPE, the trade association of cloud computing infrastructure companies in Europe, describing the Proposal as a “major step forward for Europe’s cloud industry”.
However, it remains to be seen whether the UK will benefit from the Proposal after it leaves the EU, because there would need to be some form of agreement with the EU on the cross-border flow of non-personal data. It is possible that this could be addressed as part of the UK’s discussions with the EU on cross-border transfers of personal data post-Brexit, although this will presumably depend on whether the proposed Regulation is effective before Brexit.