The Estonian presidency of the Council of the European Union, in a final effort of its six-month stint, led Member States to adopt a common position on the proposed Regulation on a framework for the free flow of non-personal data in the EU.
The proposal was issued by the Commission in September 2017 with the main objective of improving the mobility of non-personal data across borders in the EU, by preventing Member States from imposing localization restrictions and making it easier for professional users of data to switch data service providers and to port data across the EU. Along with the General Data Protection Regulation, which provides for the free movement of personal data, the Regulation constitutes the EU approach to the movement of data across Member States.
According to one of the support studies of the proposal, taking away data location restrictions in the EU is expected to generate an additional growth of up to 4% GDP by 2020. This is certainly important for the data-driven economy (cloud computing, automate work, business analytics services, market research) but it is not circumscribed to tech companies. It has an impact to the whole services’ area, making it easier for businesses to do daily transactions and access, store or process high-priority data by means of a data service provided in a different Member State.
The internal logic of the Regulation is simple: the EU will protect the flow of data within its borders and restrict limitations to it; but in exchange, cross-border requests for information on those data produced by foreign (EU) authorities are also made much easier.
Since national governments, often driven by privacy, law enforcement or protectionist concerns, have an inclination to restrict the cross-border movement of data, there was a lot of expectation on the examination of the proposal within the Council of the EU. Surprisingly, the model proposed has been essentially accepted: the debate went rather smoothly and the Member States reached an agreement just three months after the initial bill had been presented.
The position agreed embraces the main principle of the Commission proposal: Member States will only be able to impose data localization requirements when these are justified on grounds of public security. And this cannot be a free interpreted concept: they must notify their data localization measures to the Commission and all existing national rules that are not in compliance with the principle of free flow of non-personal data must be repealed. In addition, the Council of the EU proposes changes on the mechanisms for determining liability, a clarification on mixed data and opposes the establishment of a committee to assist the Commission in the adoption of implementing acts.
Within the European Parliament, the examination of the proposal has been postponed by a dispute of two Committees over the responsibility on the file. The rapporteur has not yet released the draft report which would need to be discussed and approved in the committee before starting negotiations with the Council of the EU.