The new European framework on the free flow of non-personal data
On 13 September 2017, the European Commission published its proposal for a Regulation on a framework for the free flow of non-personal data. The Commission hereby aims to facilitate the cross-border data flow within the European Union and includes new provisions for data storage and processing services (e.g. cloud services providers). The proposal, which deals purely with non-personal data, is part of the large-scale Strategy for a Digital Single Market. Just in time for the turn of the year, the European Council took a stand on the Commission's proposal and published a revised version of the draft. Nils Rauer and Andreas Doser outline the key aspects of the proposed regulation and take a sneak preview of the practical challenges for businesses.
DSM: The big picture
Back in May 2015, the European Commission announced its Strategy for a Digital Single Market. The overall aim was to create and implement a uniform and fairly homogeneous market place on a pan-European basis, particularly for the Internet. The goal of an internal market within the EU was by no means a new idea in 2015. In 1982, the European Court of Justice defined the overall aim of bringing about a market that "involves the elimination of all obstacles to intra-Community trade in order to merge the national markets into a single market bringing about conditions as close as possible to those of a genuine internal market." Of course, the judges back then did not have the digital market in mind but were focused on the analogue world.
However, the concept of an internal market as set out in Article 26 TFEU does not stop at the front porch of the Internet. Trade and communication are digital now. This is why phenomena such as geo-blocking, domestic access restrictions and territorial data localisation are perceived as unreasonable obstacles to a barrier-free Internet within the EU.
Over the past three years we have seen plenty of consultations, impact assessments and proposed legislation (partly regulations, partly directives) initiated by the Commission. Some of the initiatives have been enacted already. A good example is Regulation 2017/1128 on cross-border portability of online content services in the internal market, which will take effect from 1 April 2018. The proposed regulation regarding the free flow of non-personal data will be yet another important cornerstone in the course of implementing the Digital Single Market.
Global Media Technology and Communications Quarterly Spring 2018
The need for regulation
One of the current issues that many companies are facing is the shortcomings with regard to the mobility of data within the EU. There are major obstacles such as national data localisation restrictions (e.g. for the financial and health industries), a lack of trust in cross-border data storage and processing, and difficulties in switching from one online service provider to another because of so-called vendor lock-in practices.
In 2015, the Commission released its first consultation on the regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy. This was followed by a second consultation on building a European data economy in 2017. No less than 61.9% of stakeholders stated that data localisation restrictions within the EU should be removed. The call for effective measures allowing for cross-cutting free movement of data and the creation of an environment with legal certainty was clearly articulated. Business drivers such as a level playing field, adequate data mobility, the cutting back of data localisation requirements, market conditions allowing for simple ways to switch providers and the porting of data on a cross-border basis and above all the need for adequate data security were identified.
It is predicted that in 2020, a fully functioning EU data market could potentially amount to more than 106 billion. In its latest press release, the European Council estimated that removing data localisation restrictions could allow for "the data economy to reach its full potential and double its value to 4% of European GDP" within the next two to three years.
In light of this potential and in consideration of the impact assessment, the Commission proposed a draft Regulation on a framework for the free flow of non-personal data, which we will look at now.
Scope of the Regulation
It is important to note that the proposed Regulation does not touch upon personal data. Personal data, meaning any information relating to an identified or identifiable natural person, is, in the first place, subject to the new General Data Protection Regulation 2016/679 (GDPR) which will apply from 25 May 2018. Here, we talk about non-personal data only.
The provisions of the proposed Regulation shall apply to services relating to the storage or other processing of electronic data. Both terms are to be understood in a broad sense, encompassing the usage of all types of IT systems, no matter whether they are located on the premises of the user or outsourced to a data storage or other processing service provider. The various forms and manifestations such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) shall be covered.
According to Article 2(1) there is no ultimate need to have an establishment within the EU in order to fall within the scope of application. Rather, the provision of a service to users residing or having an establishment in the EU will suffice. Of course, if the service is carried out by a natural or legal person residing or having an establishment in the EU for its own needs, the provisions of the new Regulation will have to be obeyed.
The draft Regulation as proposed by the Commission is fairly straightforward and concise in its structure. In total, 30 recitals are followed by ten articles. The core provision is without doubt Article 4(1). According to this article, the location of data for storage or other processing within the Union shall not be restricted to the territory of a specific Member State, and storage or other processing in any other Member State shall not be prohibited or restricted, unless it is justified on grounds of public security. Article 4(2) obliges the Member States to notify the Commission of any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement. In other words, the Commission wishes to keep track of anything that could hamper the free flow of non-personal data.
What will impact the domestic law-making process even more is the obligation set out in Article 4(3) that within twelve months after the application of the Regulation, Member States must ensure that any conflicting laws are repealed. Member States shall make the details of any such data localisation requirements applicable in their territory publicly available online via a single information point which they must keep up-to-date. In other words, Member States are required to become active immediately after the final wording is agreed, given the common period of time bills take to pass through the legislative process.
On various occasions, the Commission has emphasized that the powers of competent authorities to request and receive access to data for regulatory control purposes, such as for inspection and audit, must remain unaffected despite the risk that the data at issue might end up being stored and/or processed abroad. Accordingly, Article 5 explicitly stresses the need for data availability. The competent authorities must be able to retain cross-border access to the relevant data. Where a competent authority has exhausted all applicable means to obtain access to the data, it may request the assistance of a competent authority in another Member State. Article 7 provides procedural guidance as to how such requests shall be dealt with (the cooperation mechanism).
However, data access for regulatory control purposes is nothing new for regulated businesses. For instance, outsourcing in the financial services industry already requires that regulators are in a position to request information from the outsourcing provider. This applies even if the outsourcing provider is not regulated and/or does not conduct its activities in the regulator's territory. It is to be expected that the new provisions for data access, in particular the new cooperation mechanism, have the potential to increase regulatory oversight. This is highly relevant as more and more information is stored by cloud service providers and regulatory supervision depends on appropriate tools to address the new outsourcing landscape.
The Commission, however, does not place its bet only on top-down regulation. Rather, the facilitation of self-regulation is an equal part of the concept as can be seen in Article 6 of the draft regulation. As mentioned above, it is the aim to ease and enable switching between different online service providers as regards the storage or other processing of non-personal data. In this context, the Commission encourages and facilitates the development of self-regulatory codes of conduct at EU-level. Guidelines are to be defined and best practices developed.
Professional users of such services shall be equipped with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded. This information shall, inter alia, include: (1) the processes, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another provider or port data back to its own IT systems, and (2) the operational requirements to switch or port data in a structured, commonly used and machine-readable format allowing sufficient time for the user to switch or port the data.
Free Flow of Data Committee
According to Article 8 of the draft regulation, a new Free Flow of Data Committee shall be established to assist the Commission in its endeavours to bring about a true free flow of non-personal data within the Digital Single Market.
It goes without saying that the free flow of data is and must be a core element and a cornerstone of a fully functioning internal market. Particularly in the digital world, data is an asset of great value. Thus, the overall aim the Commission is pursuing is beyond question. The "tricky" part will be the implementation. For example, the exemption referred to in Article 4(1), i.e. "unless it is justified on grounds of public security", is open to interpretation. Of course, guidance can be drawn from previous case law and approved administrative practice as to what determines "public security". However, stakeholders, and particularly service providers falling within the scope of the new Law, will inevitably be confronted with differing views as to what obstacles may be deemed justified on the grounds of public security.
Despite this reservation, the regulation will certainly contribute to a more liberal flow of non-personal data which in consequence will make life easier for companies that depend on service providers that take care of the storage and processing of their data. Not only major international companies but also small and medium-sized enterprises will benefit. At the receiving end, we may thus expect a broadening of options.
Service providers will also benefit from the free flow of non-personal data. They will be able to spread their potential customer base across the EU. Since the location for the storage and processing can be freely chosen, they can expand their offering as far as the Digital Single Market goes. However, service providers will first need to review their standard contracts, making sure that the provisions are compliant with the new law. In particular, the new information obligations need to be considered with adequate diligence, for it may already be anticipated that the right scope and depth of information to be provided to the professional customer will give rise to disputes and litigation. For the time being, it is hoped that the codes of conduct the Commission has requested will provide adequate detail on the data porting conditions which need to be made available to the professional users in advance.
The Outlook for 2018
With the Commission having put forward the initial draft, it is now for the Council and the Parliament to form their positions and to agree on the final text before the Regulation can enter into force. Whilst the Parliament has not yet adopted its position, the Council published its comments and suggested amendments on 19 December 2017. The Council did so with a clear expectation that all three co-legislators may reach an agreement "on this priority dossier" by June 2018.
Amongst the aspects stressed by the Council are unresolved questions around data ownership and appropriate mechanisms for determining liability. Also, the term data "processing" shall be defined most broadly as "any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
The twelve-month period for eliminating domestic obstacles to the free flow of data has been extended to two years. Article 5(3a) shall hold additional provisions on sanctions imposed in the case of failure to comply with an obligation to provide data to the competent authority. Also, the Council stresses the need to develop certification schemes for data processing products and services for professional users, taking into account established national or international norms, facilitating the comparability of these products and services. And, the Council does not see the ultimate need for the Free Flow of Data Committee as suggested by the Commission.
All in all, the changes proposed by the Council do not seem so substantial in nature as to deem unrealistic the anticipated end date of discussions in June. Still, we are waiting on comments from the European Parliament. This article was first published in Digital Business Lawyer in February 2018.
Nils Rauer, Partner, Frankfurt, T +49 69 96236 334
Andreas Doser, Associate, Frankfurt, T +49 69 96236 445