Background

On September 13 the European Commission (“Commission” or “EC”) issued a proposal for a new Regulation on a framework for the free flow of non-personal data in the EU.

The proposal has three main declared objectives:

  • Improving the mobility of non-personal data across borders in the European Union single market, by stopping the trend towards compulsory local data storage localisation imposed by some Member States and by reinforcing legal certainty in the matter;
  • Ensuring that the powers of competent authorities of any Member State to request and receive access to data for regulatory control purposes remain strong even if the data are stored in the territory of another EU Member;
  • Making it easier for professional users of data storage or other processing services to switch service providers and to port data, while not creating an excessive burden on service providers or distorting the market.

The proposal is a new important element in the whole EU data protection policy, along with the three major components of the personal data regulatory framework: the General Data Protection Regulation (Regulation 2016/679 or “GDPR”), which reinforces the protection granted to personal data and harmonises personal data privacy legislation across the EU; the so called ePrivacy Directive, soon to be replaced by the new Regulation on Privacy and Electronic Communications, and the Directive 2016/680 (“Police Directive”), which aims to improve cooperation in the cross-border exchange of personal data for purposes of law enforcement.

The Regulation’s content

It is important to underline that this Regulation applies to the storage or other processing of electronic data, which is not covered by the scope of the GDPR and is:

a. provided as a service to users residing or having an establishment in the Union, regardless of whether the provider is established or not in the Union, or

b. carried out by a natural or legal person residing or having an establishment in the Union for its own needs.

While the political and regulatory importance of this new text cannot be underestimated, it will be an extremely simple text in legal terms. Each one of the declared objectives is turned into an article with its clear measures to reach the declared goal.

Free movement of data within the Union

In a reaction against a development, which seriously risked the fragmentation of the Union, the Regulation prevents any Member State from imposing territorial restrictions or prohibitions regarding the storage or any other processing of data anywhere within the Union. There is always a door open to exceptions based on grounds of public security, which will need to be expressly justified, and notified ex ante to the Commission for its assessment and approval.

Cross-border data availability for public authorities

The Commission attempts to undermine the argument often presented by Member States when approving territorial restrictions to data storage, by imposing clear mechanisms of collaboration and mutual assistance between competent authorities regarding cross border access to data within the Union, and by denying to private parties any legitimacy to refuse access to such data based on the country where they are stored.

Porting of data

In this matter, the Commission initial proposals were strongly criticized and finally rejected by its own internal body in charge of monitoring regulatory quality. Having abandoned other more coercive possibilities, the Regulation now calls on the Commission to “encourage and facilitate the development of self-regulatory codes of conduct at Union level, in order to define guidelines on best practices in facilitating the switching of providers and to ensure that they provide professional users with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded”. And this, in particular, regarding any contractual obligation with a direct or indirect effect on the portability of data between service providers.

As it did in other areas of EU law where self-regulation has been the preferred option, the Commission imposes a two-year deadline for such Codes of Conduct to be in force and fully effective… or it may come back with new legal measures to fulfill its declared policy objective.

Next steps

The proposed Regulation has just started its legislative path, and will be open to amendments by the two co-legislators, the Parliament and the Council. It remains to be seen whether some Member States in the Council may try to enlarge the now rather narrow escape door of the public security exception.