As of 28th May enters into force the new EU Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union.

The Regulation focuses primarily on prohibition of mandatory localisation requirements, established by the EU Member States’ national laws. The new rules will allow data to be stored and processed everywhere in the EU without unjustified restrictions. This Regulation should apply to natural or legal persons who provide data processing services to users residing or having an establishment in the Union, including those who provide data processing services in the EU without an establishment in the EU, for example, providers of cloud services.

A remarkable question that the new Regulation raises is the interaction between the new free flow data rules and the General Data Protection Regulation (GDPR) – especially when datasets are composed of both personal and non-personal data (mixed datasets).

Indeed, the two Regulations will function together to enable the free flow of any data. If businesses decide to process mixed datasets, the data protection rules will apply to the entire mixed dataset.

On 29th May the European Commission published a new guidance on the interaction of free flow of non-personal data with the EU data protection rules. It aims to help users – especially small and medium-sized enterprises – understand the interaction between the Free Flow of Non-Personal Data Regulation and the General Data Protection Regulation.

As referred to in this guidance the new Regulation has the following notable features:

  • It prohibits, as a rule, Member States imposing requirements on where data should be localised. Exceptions to this rule may only be justified on grounds of public security in compliance with the proportionality principle.
  • It establishes a cooperation mechanism to make sure that competent authorities continue to be able to exercise any rights they have to access data that are being processed in another Member State.
  • It provides incentives for industry, with the support of the Commission, to develop self-regulatory codes of conduct on the switching of service providers and the porting of data.