On 19 September 2017, the European Commission (the "Commission") published a proposal for a new regulation prohibiting mandatory localisation requirements for non-personal data in the EU. Exactly three months later, on 19 December 2017, the European Council (the "Council") published a revised version of this proposal and gave the green light for negotiations with the European Parliament (the "Parliament") to start as soon as possible.
The Commission has underlined the importance of the draft Regulation as a key enabler of the EU data economy. In fact, it has stated in the press release accompanying the draft that the removal of data localisation restrictions (including those that apply to non-personal data) is considered the most important factor for the data economy to double its value to 4% of GDP in 2020. The significance attached to this legislative initiative is demonstrated by the speed at which the Council published a revised version of the draft proposal and provided a mandate to commence negotiations with the Parliament.
This article explores the background behind this legislative initiative. We look briefly at mandatory data localisation requirements and summarise the main concerns associated with such requirements. We then address the Commission's legislative initiative, explaining the key principles of the draft Regulation while also discussing its principal shortcomings.
What are mandatory data localisation requirements?
Data localisation requirements dictate or influence the localisation of data for processing or storage. This can include both personal and non-personal data. As services move increasingly to the cloud, one of the main reasons for States to enact data localisation requirements is to ensure that law enforcement authorities have direct access to electronic data relating to their residents or citizens at all times. Such restrictions can also enable a State to address data security concerns, especially where there is a risk that data would be "off-shored" in a country with less robust security and privacy standards than the country-of-origin. Some have argued that, because they can place multinational service providers at a disadvantage over their local counterparts or competitors, data localisation requirements can even serve as tools of economic protectionism.
A number of countries have introduced data localisation requirements in recent years, including Russia and China. Closer to home, separate reports prepared for the Commission in 2016 identified at least 60 localisation restrictions across 25 Member States that relate to non-personal data alone. However, the Commission believes there to be many more such requirements and that this figure is the "tip of the iceberg" only.
What is the impact of such requirements?
Mandatory data localisation requirements are generally regarded as a troubling development for a number of reasons. There is concern that the imposition of such requirements will facilitate domestic surveillance that would not otherwise have been possible where the data is exported and stored in another country. Some commentators have also argued that data localisation requirements raise important issues in respect of economic trade and competition as they can place multinational or "foreign" service providers at a disadvantage to their local counterparts. A related point is the cost of compliance for service providers (which could involve duplication of data storage activities and facilities). There are also legitimate concerns that these types of requirements could undermine the Internet's innovative potential, leading to its fragmentation, and that they may discourage the development of new digital technologies (such as the Internet of Things ("IoT")) that are inherently global in nature.
What is the EU legislator proposing?
The EU legislator's key proposals in the draft Regulation are summarised below.
- Free flow of non-personal data across borders: The EU legislator wants to prohibit Member States from requiring companies to locate the storage or processing of "non-personal data" within their borders, except where this can be justified on grounds of "public security" (which would need to be notified to the Commission for approval). Non-personal data is defined as data other than personal data as defined in the General Data Protection Regulation ("GDPR"). For more information on the GDPR, see our guide here.
- Data availability for regulatory control: The draft proposal aims to reinforce the right of "competent authorities" (i.e. any Member State authority that has the power to procure access to data for the performance of its official duties) to access data wherever it is stored or processed in the EU. This means that any obligation for service providers to furnish data to surveillance authorities would be unaffected by the proposed Regulation. The Commission has also made provision for a framework to facilitate cross-border access to data. Under this framework, a competent authority in one Member State would be able to request assistance from an authority in another Member State where it has "exhausted all applicable means" of obtaining access to that data. Although the Council's draft differs from the Commission's as to how this framework will operate in practice, both institutions agree that cross-border access should only be granted under this mechanism where no specific cooperation mechanism exists between the relevant States.
- Cloud services portability: If enacted, the proposal would encourage and facilitate the development of self-regulatory codes of conduct aimed at making it easier for users to switch between cloud storage providers and to port their data back to their own IT systems.
- Failure to make a strong case for legislating on this issue: The Commission has argued that mandatory data localisation restrictions are unduly hindering cross-border data flows in the EU at a significant cost to the ICT sector and the wider European economy. It has therefore proposed to legislate for the prohibition of mandatory (non-personal) data localisation under national law and to enable cloud service portability. However, the Commission has not clearly identified the nature and scale of the problem it is seeking to address through this proposal. This is particularly problematic considering there may be legitimate customer preferences for local storage that could contradict the very aim of this measure. This was identified as a serious omission by the Commission's Regulatory Scrutiny Board in August 2017 when it issued its second negative opinion on this legislative initiative.
- Scope of application: The proposed scope of application of the draft Regulation is potentially problematic. Under the current draft wording, the application of the Regulation would be determined purely in relation to the character of the data, as opposed to the type of national localisation requirement applied in respect of that data. However, the Commission's impact assessment report published in September 2017 assumes a wider scope of application for the draft Regulation. According to the impact assessment report, the applicability of the Regulation would be determined on the basis of the type of localisation requirement that applied to the data, rather than the character of the data itself. There is a significant difference between the two approaches. When considered in conjunction with the personal data protection regime, there is a risk that the current wording used in the draft could lead to an incongruity in terms of the regulation of personal and non-personal data flows in the EU. Specifically, data that does not qualify as personal data would be subject to the broad localisation prohibition established under Article 4(1) of the draft Regulation (with the exception of data localised for "public security" purposes), while personal data would be subject to the more limited prohibition on restricting or prohibiting free movement established under Article 1(3) of the GDPR, which applies only in respect of national measures aimed at personal data protection. Such an outcome clearly presents a conceptual challenge, particularly considering that one of the objectives of this legislative initiative has been the creation of a single EU data space. Aside from this, the incongruity described above risks creating problems for service providers at the operational level, particularly in the case of mixed data sets (containing both personal and non-personal data).
Assuming that the scope of application of the draft Regulation is determined on the basis of the current definition of non-personal data, the Member States would be free to require localisation of the personal data part of a mixed set (where this requirement is not based on the protection of such data) but prohibited from doing so with regard to the non-personal part of that set (unless on grounds of public security). This could mean that service providers are forced to split out a mixed data set so as to enable the free flow of the non-personal data part of the set (likely at some cost).
- Proposed framework for cross-border access to non-personal data: Facilitating easier cross-border access to data is aimed at assuaging Member States' concerns that the proposed Regulation would undermine their ability to procure access to data for law enforcement purposes. The Commission has therefore sought to create a type of quid pro quo in that, while the draft Regulation prohibits mandatory data localisation requirements on the one hand, it makes it easier for the Member States to procure cross-border access to data on the other. This decision has, however, given rise to a number of concerns.
- First, the EU legislator is proposing to address the sensitive issue of cross-border data in a secondary manner in a legislative instrument that is primarily aimed at achieving economic market integration within the EU (the draft Regulation is based on Article 114 of the Treaty on the Functioning of the European Union ("TFEU") which allows for the harmonisation or approximation of national laws for the creation of an internal market).
- Second, the possibility that the disclosure of data to a competent authority in one Member State could actually be prohibited in the Member State where such data is actually stored or otherwise processed has not been addressed in the draft Regulation. This creates the risk of legal uncertainty going forward.
- Third, the draft Regulation published by the Commission in September 2017 requires that "all applicable means" be exhausted before a competent authority of one Member State can request the assistance of another. This draft does not, however, provide any guidance as to how far a Member State has to go in order to satisfy this standard. In its revised draft, the Council removes this reference outright and substitutes it with wording that implies a lower threshold.
- Fourth, it is unclear what substantive safeguards (if any) would be applied when a Member State requests assistance from another Member State in procuring cross-border access to data. For example, the Commission and Council drafts are silent as to whether a request for assistance from one Member State to another must respect the rule of law or fundamental rights as established under the EU Charter of Fundamental Rights, including the right to liberty and security (Article 6), the right to privacy (Article 8) (assuming that the draft Regulation will also apply in principle to personal data) and some of the rights established under Chapter VI (Justice).
Despite the significance that has been attached to it, there are a number of shortcomings to the EU's draft Regulation on the free flow of non-personal data. It is hoped that these shortcomings can be remedied by the EU co-legislators as the draft progresses through the trilogue stage in the coming months. The question remains, however, whether it is possible to reconcile the competing issues of data sovereignty, achieving a consistent approach towards data free flow in the EU and fundamental rights protection. Only time will tell.
First published in Volume 45, Issue 4 (Dec/Jan 2018) of the IIC publication, InterMedia