In this seventh article in our series on "Big Data & Issues & Opportunities" (see our previous article here), we focus on the free flow of data in the context of big data processing. Where relevant, illustrations from the transport sector will be provided.
The “free flow of data” is typically mentioned in the debate on restrictions to cross-border data flows. In such context, free flow of data represents an ideal scenario in which no (legal) barriers to cross-border data flows remain. While that scenario has yet to materialise, efforts have been taken at EU level with the adoption on 14 November 2018 of the Regulation on the free flow of non-personal data (hereinafter the "Free Flow Regulation" or the "Regulation"). This adds to the General Data Protection Regulation (hereinafter the "GDPR", see also our second article here), which stipulates under Article 3(1) that "the free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data".
The present article briefly addresses the topic of cross-border data flows and looks into the issues and opportunities presented by the Free Flow Regulation and, where relevant, the difficult interaction with the GDPR.
Restrictions to the free flow of data and their impact
Historically, the free flow of data has been hindered by the existence of so-called 'data localisation requirements'. Data localisation requirements are a global phenomenon and come in many different shapes and forms. They can apply to personal data or to non-personal data, but could also apply indiscriminately to all types of data regardless of their qualification. In essence however, a data localisation requirement constitutes a restriction on the flow of data from one country to another. These localisation requirements can range from a Russian law requiring all processing of Russian citizens’ personal data to be carried out using servers located in the Russian Federation to a French Ministerial Circular making it illegal to use a non-“sovereign” cloud for data produced by a public (both national and local) administration.
Data localisation requirements have one feature in common: they raise the cost of conducting business across borders. In the EU, over 60 of such restrictions were identified in 25 jurisdictions. These restrictions are often prompted by legislators’ or policy makers’ perception that data are more secure when stored within a country's border. A perception that is often ill-conceived, as data security depends on the specific security measures used to store the data rather than on the location where the data is stored. Security measures are just as strong or weak in a foreign country as they are domestically, or in other words: a secure server in Poland should not be different from a secure server in Belgium.
Cloud service providers are particularly affected by data localisation requirements. They argue that these restrictions undermine the cloud business model, either by preventing providers from accessing markets where they do not have a data center or by preventing users themselves from using cloud services provided from another EU Member State.
Data localisation requirements thus limit the access of businesses and public sector bodies to cheaper and more innovative services or force companies operating in multiple countries to contract excess data storage and processing capabilities. For start-ups and SMEs (including in the transport sector), this constitutes a serious obstacle to growth, to entering new markets, and to the development of new products and services.
Illustration in the transport sector: In 2014, Brussels Airport launched the idea to start developing cloud-based logistics applications. This resulted in the creation of BRUcloud, It enables the different stakeholders in the air cargo supply chain to work in a more integrated manner and increasingly act as a network. BRUcloud’s main priority is to make data sharing in a cloud environment possible. Data is stored only in a central location. Once a company is connected to the cloud, it can start using the different existing applications and can exchange data very easily with other stakeholders instead of maintaining system-to-system connections with all different partners individually. Applications create quick and easy efficiency gains for the parties involved. Several applications have already been created to improve the cargo handling process. The increased competition in the EU's cloud services market that would result from eliminating data localisation requirements would engender the creation of more services such as BRUcloud across the EU, which would generate cost reductions and efficiency gains for all actors in the transport sector.
The Free Flow Regulation
Recognising the fact that growth of and innovation emanating from the European data economy may be slowed down or hindered by barriers to the free cross-border movement of data within the EU, the European Commission presented a proposal for a Regulation on the free flow of non-personal data in the EU. This Regulation was adopted on 14 November 2018 and will become applicable in May 2019.
The Free Flow Regulation will apply to all processing of electronic data other than personal data within the meaning of the GDPR. The underlying rationale is for this scope of application to complement the GDPR, which already makes up the legal framework applicable to personal data.
The Free Flow Regulation includes the following key provisions:
- A general prohibition of data localisation requirements in the EU. EU Member States will no longer be allowed to restrict the location of data processing activities to a particular Member State’s territory, nor will they be able to achieve the same result by imposing restrictions on the processing of data in other Member States. Only in exceptional circumstances, where justified on grounds of public security and taking into account the principle of proportionality, could a data localisation requirement be accepted;
- A double obligation for Member States as regards any existing data localisation requirements. On the one hand, they must repeal any existing laws or regulations that are not compliant with the abovementioned rules and, on the other hand, they will need to justify any instances where they consider a certain data localisation requirement permissible and therefore intend to retain such requirement;
- The availability of (non-personal) data for authorities in the performance of their duties, establishing the principle that an authority may not be refused access to data on the basis that it is processed outside that authority's Member State. If that is the case, and the authority cannot get access, it may request assistance from a competent authority in the relevant Member State through a procedure set out in the Regulation;
- On the topic of data porting, no hard and fast obligations are imposed. Instead, the Regulation states that the Commission will encourage and facilitate the development of self-regulatory codes of conduct at EU level, which among others should offer guidance on best practices in assisting end-users that wish to switch providers.
Challenges related to the Free Flow Regulation's scope of application
As mentioned above, the Free Flow Regulation will apply to electronic data, with 'data' meaning all data other than personal data as defined in the GDPR in order not to affect the existing framework for personal data protection. On the contrary, the Regulation aims to complement the GDPR and the e-Privacy Directive (2002/58/EC) and thereby create a comprehensive and coherent EU framework for the free movement of all data in the digital single market.
Upon closer analysis however of the scope of both the Free Flow Regulation and the GDPR, concerns arise regarding the alleged comprehensiveness and coherence of this free movement of data framework.
It is no secret that the definition of personal data under the GDPR is far-reaching. The possible extent of the term “personal data” was clarified by the Court of Justice of the European Union in its judgment of 12 May 2016, commonly known as the Breyer case. In essence, the Court clarified that a piece of information can be considered personal data whenever additional information can be sought from third parties to identify a data subject.
When applying the principles of Breyer in practice, it is not unlikely that many individual pieces of data which prima facie seem to constitute non-personal data, still end up falling within the ambit of the GDPR's definition of personal data. As examples of sources of non-personal data, the Free Flow Regulation mentions the Internet of Things, artificial intelligence and machine learning, for instance as used in automated industrial production processes, as well as a few very specific examples. While this clarifies the European Commission’s intention to a certain extent; one can imagine situations of data (re-)combination and re-identification - particularly in a context of big data analytics - that would render even these types of data personal data. This gives rise to some uncertainty as to what data will actually fall within the scope of the Free Flow Regulation.
Illustration in the transport sector: In its Opinion on processing personal data in the context of Cooperative Intelligent Transport Systems (C-ITS), the Article 29 Working Party (the predecessor of the European Data Protection Board) offered an interesting perspective as to how much is covered by the concept of personal data. Noting that the messages exchanged by vehicles in a C-ITS contain on the one hand authorisation certificates which are associated with the sender, and that on the other hand these messages contain heading, timestamp and location data, they must be considered personal data. Moreover, the Article 29 Working Party notes that messages may communicate information concerning “signal violation”, for instance when a driver ignores a red light at an intersection. Since this constitutes a traffic violation, the data could even become criminal data, which is a special category of personal data under the GDPR.This shows that what initially may be considered non-personal data - generated from sensors built into impersonal machines - may still constitute personal data and consequently lead to application of the GDPR and non-applicability of the Free Flow Regulation.
Tying the Free Flow Regulation’s application entirely to the residual category of non-personal data leads to uncertainties for the various stakeholders active in the data ecosystem. Indeed, the applicability, and the possible exceptions, of the Free Flow Regulation and the GDPR are determined entirely based upon the nature of the data. In such context, it is worth noting that in the impact assessment that was conducted in preparation of the proposal for the Regulation, a different scope of application had been envisaged. The approach presented there was to determine the Free Flow Regulation’s scope in terms of the type of data localisation requirement concerned rather than in terms of the nature of the data. This was based on the idea that the GDPR itself already eliminates a number of data localisation requirements. With the aim of creating a comprehensive and coherent framework for the free movement of data within the EU, the approach suggested was therefore to have the Free Flow Regulation apply to all data localisation requirements other than those enacted for data protection purposes. As a consequence, data localisation requirements imposed on personal data would also be covered by the Free Flow Regulation, as long as they were adopted for a different purpose than the actual protection of such personal data. If localisation requirements were adopted for purposes of personal data protection, such restrictions would already be addressed by GDPR and the Free Flow Regulation would not (need to) apply.
However, the approach that was adopted eventually in the Free Flow Regulation entails that in principle, Member States could still impose data localisation requirements on personal data for other reasons than those connected with personal data protection.
Challenges with mixed datasets
A further challenge involves mixed datasets of personal and non-personal data. Particularly in the context of big data, which may involve large amounts of unstructured data of various natures, this raises practical concerns. In theory, applying both pieces of legislation would lead to the GDPR being applicable to all personal data elements of a dataset and the Free Flow Regulation to all non-personal data elements. In the same vein, the exceptions adopted on the basis of the GDPR or the Free Flow Regulation would depend on the type of data.
The Free Flow Regulation confirms that, in the event of a dataset composed of both personal and non-personal data, it shall only apply to the non-personal data part of that dataset. It follows that the applicable provisions of the GDPR must be fully complied with in respect of the personal data part of the set. The Regulation moreover clarifies that, in case personal and non-personal data in a dataset are "inextricably linked", it should not prejudice the application of the GDPR and that it does not "impose an obligation to store the different types of data separately”.
In practice however, it will often not be possible to determine which parts of a dataset contain personal data and which contain non-personal data. Therefore, it will be impossible to apply each Regulation to the relevant part of the dataset. This could again create a loophole for Member States to still impose exceptions and re-instate data localisation requirements on other grounds than public security, simply by applying data localisation requirements to personal data for reasons that are not connected to the protection of such personal data.
This concern also arises when for instance a set of non-personal data is ported from one controller to another and the latter then merges the data with either non-personal or personal data to generate new information or single out individuals, which results in the entire dataset becoming personal data. This is not an unlikely scenario in the context of big data analytics applications. In such scenario, this dataset will fall entirely within the scope of the GDPR, and the Free Flow Regulation will no longer apply.
Another point of uncertainty relates to the cross-border access to non-personal data for competent authorities. The Free Flow Regulation does not foresee the situation in which such disclosure of data is prohibited by the Member State in which the data is located. It does however stipulate that access to data “may not be refused on the basis that the data are processed in another Member State”. Service providers could thus be confronted with a situation in which on the one hand, they are under an obligation to provide access to an authority from another Member State, and on the other hand, doing so is prohibited under the laws of the Member State in which the data is located.
Finally, the Regulation does not foresee any safeguards surrounding such access by competent authorities, for instance to protect intellectual property rights of third parties or data protected by commercial confidentiality such as trade secrets.
Despite some of the challenges mentioned above, the Free Flow Regulation remains an important step in the elimination of restrictions to cross-border data flows and their negative impact on business. Companies expect cost reductions to be the main benefit of eliminating data localisation requirements. This is deemed to be particularly significant for start-ups and SMEs, as it is expected that abolishing data localisation requirements will reduce the cost of starting a business in the EU. For start-ups contemplating an activity involving extensive data storage and processing, the need to organise data storage across different countries significantly increases costs and potentially even eliminates the benefits to be realised by innovative technologies such as (big) data analytics.
Furthermore, start-ups in the European transport sector and in the EU in general increasingly rely on competitive cloud services for their products or services. Prohibiting localisation restrictions would therefore increase competitiveness of the EU cloud services market. This in turn could allow start-ups to go to market quicker, to increase their pace of innovation and would also support scalability and achieve economies of scale.
This series of articles has been made possible by the LeMO Project (www.lemo-h2020.eu), of which Bird & Bird LLP is a partner. The LeMO project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 770038.