On 19 June 2018, the European Parliament, Council and Commission reached a political agreement on the rules that will enable the free flow of non-personal data in the EU without local restrictions on storage and processing, a change that has long been demanded by stakeholders. This agreement is part of the Digital Single Market Strategy of the EU and follows a proposal for a new Regulation on ‘Free flow of non-personal data’ that had already been published on 19 September 2017 by the European Commission and that aims to remove obstacles to the free cross border movement of non-personal data.
Obstacles to Free Flow of Data
Today, the main obstacles that proclude the free flow of data in the Digital Single Market are:
- Unjustified data localisation restrictions by Member States’ public authorities,
- Legal uncertainty about legislation applicable to cross-border data storage and processing,
- A lack of trust in cross-border data storage and processing linked to concerns amongst Member States’ authorities about the availability of data for regulatory scrutiny purposes
- Difficulties in switching service providers (such as cloud) due to vendor lock-in practices.
The Regulation on the free flow of data
The European Commission, the Council of the EU and the European Parliament reached on 19 June 2018 a provisional political agreement on the Regulation on free flow of non-personal data.
This Regulation aimed at removing obstacles to the free movement of non-personal data.
On personal data, as well as ensuring a high level of protection for personal data, the General Data Protection Regulation (GDPR) already provides for the free movement of personal data within the Union. Together with the GDPR, this Regulation will therefore ensure a comprehensive and coherent approach to the free movement of all data in the EU.
The new Regulation will ensure:
- Free movement of non-personal data across borders: every organisation should be able to store and process data anywhere in the European Union,
- The availability of data for regulatory control: public authorities will retain access to data, also when it is located in another Member State or when it is stored or processed in the cloud,
- Easier switching of cloud service providers for professional users. The Commission has started facilitating self-regulation in this area, encouraging providers to develop codes of conduct regarding the conditions under which users can port data between cloud service providers and back into their own IT environments,
- Full consistency and synergies with the cybersecurity package, and clarification that any security requirements that already apply to businesses storing and processing data will continue to do so when they store or process data across borders in the EU or in the cloud.
The Commission’s work on free flow of data was announced in the context of actions to enhance the data economy – see Communication “Building a European Data Economy” (10 January 2017), in a more targeted context, in the Communication “DSM mid-term review” (10 May 2017). The Regulation on the free flow of non-personal data is one of the sixteen intended actions listed in the Digital Single Market strategy of May 2015.