European Law Monitor

Make your voice heard!

newsA framework for the free flow of non-personal data in the EU

Brussels, 19 September 2017

Questions and Answers

IP/17/3190

What does the Commission propose?

With the Regulation on the free flow of non-personal data, the Commission proposes a new principle that abolishes data localisation requirements while ensuring access rights to competent authorities for regulatory control.

In combination with the European rules on personal data protection introduced by the General Data Protection Regulation (GDPR), the new measures create a common European data space – a key element of the Digital Single Market strategy.

 

What are the key elements of the proposal?

The Regulation will address obstacles preventing the free movement of data within the EU for companies, public administrations and citizens:

a)    It supports the proper functioning of the internal market by ensuring the free movement of non-personal data within the EU. It removes unjustified or disproportionate national rules that hamper or restrict companies in choosing a location for storage or processing of their data. Member States will have to notify the Commission of new or existing data localisation requirements.

b)    It ensures that competent authorities have access to data stored or processed in another Member State in order to be able to perform their tasks in line with their regulatory mandate, just as they do when the data is stored in their own territory.

c)    It encourages the development of self-regulatory codes of conduct in order to make it easier to switch cloud service providers, for example by informing users about the terms and conditions under which they can port data outside their IT environments.

d)It establishes a single point of contact per Member State to liaise with other Member States' contact points and the Commission to ensure the effective application of the new rules on the free flow of non-personal data.

Why is it necessary to remove barriers to data mobility?

Data driven innovation is a key enabler of growth and jobs and has the potential to significantly boost European competitiveness in the global market. In order to make the most of the data economy, it is essential to enable data to flow across borders and to use data beyond national borders.

Removing data localisation restrictions is considered the most important factor for the data economy to unlock its full potential, and to grow up to €739 billion in 2020, doubling its value to 4% of GDP.

Moreover, removing existing data localisation measures will drive down the costs of data services, provide companies greater flexibility in organising their data management and data analytics, while expanding their use and choice of providers. This could boost GDP by up to €8 billion per year.

What are current obstacles for the free flow of non-personal data?

Currently, data localisation restrictions by Member States' public authorities and obstacles to the movement of data across IT systems (so-called vendor lock-in practices) prevent business and organisations in the EU from capturing economic, social and business opportunities. Legal uncertainty and lack of trust cause additional barriers to the free flow of non-personal data.

In practice, this means a business may not be or feel free to make full use of cloud services, choose the most cost-effective locations for IT resources, switch between service providers or port its data back to their own IT systems. With the principle of free flow of non-personal data, businesses can avoid duplication of data at several locations, may feel more confident to enter new markets, and scale up their activities more easily.

What are examples for data localisation restrictions?

The Commission has identified numerous restrictions to the location of data storage or processing through studies, stakeholder discussions and public consultations. Data localisation restrictions that either directly or indirectly restrict data mobility take different forms and exist in various sectors, such as in the public sector. For example:

  • Supervisory authorities advising financial service providers to store their data locally;
  • Professional secrecy rules (e.g. in the health sector) implying local data storage or processing;
  • Broad regulations requiring local storage of information generated by the public sector, whatever the sensitivity of the information.

While data localisation restrictions may be justified and proportionate in particular contexts (e.g. public security) there is a trend of unjustified data localisation requirements both in Europe and globally. This is often based on the misconception that localised services are 'by default' more secure than cross-border services.

Why is the proposal limited to non-personal data?

The new framework for the free movement of non-personal data complements already existing legislation for personal data which will enter into application on 25 May 2018. While ensuring a high level of protection for personal data, the General Data Protection Regulation (GDPR) already provides for the free movement and portability of personal data within the EU. The processing and storage of personal data falls under its scope and Member States may not impose data localisation restrictions on the grounds of protecting personal data.

The new framework for the free movement of non-personal data avoids duplication and ensures consistency with existing EU legal instruments. It seeks to provide the same free movement rules to the storage and processing of electronic data other than personal data in the EU. Together with the GDPR, the new measures will ensure a comprehensive and coherent approach to the free movement and portability of data in the EU.

Are data flows with non-EU countries also covered?

No, the Regulation on a framework for the free flow of non-personal data in the European Union only covers data mobility within the EU.

When will competent authorities get access to data stored in another EU Member State?

As a matter of principle, the storage or other processing of data abroad may not be used as a ground to refuse access to data to national regulators. Such access will have to be allowed in cases where a national regulator is legally empowered to request it from a particular holder of the data, and where it is necessary for the performance of official duties of the regulator.

Where a regulator exhausts the means to obtain access to data directly from the holder of the data, it could rely on an existing specific cooperation mechanism to ask for assistance from another Member State. If no specific cooperation mechanism applies or exists, the Regulation provides for a default cooperation mechanism between competent authorities.

When will service providers not be obliged to provide data to authorities from another EU Member State?  

A Member State, asked to assist a regulator from another Member State to obtain access to data, can only refuse this request if it would be contrary to its public order. Service providers will continue benefiting from all the applicable rights and procedural guarantees provided by the law, including the right to an effective judicial remedy and any requirement of a prior judicial authorisation of access to the premises.

How will the Commission support codes of conduct for easier switching of data service providers?

The Commission will encourage and facilitate the development of self-regulatory codes of conduct to facilitate the switching of providers and to ensure that those providers give sufficiently detailed, clear and transparent information to professional users on the terms and conditions applicable before a contract for data storage and processing is concluded.

Different aspects concerning processes, technical requirements, timeframes and charges that may apply in case of switching of providers should be considered. This may include the processes and location of any data back-up, the available data formats and supports, the required IT configuration and minimum network bandwidth; the time required prior to initiating the porting process and the time during which the data will remain available for porting; and the guarantees for accessing data in the case of the bankruptcy of the provider.

The Commission will see that providers effectively implement the relevant codes of conduct within one year after the start of application of the Regulation. The Commission will also review whether providers comply with the transparency requirements. If the Commission deems this compliance insufficient, it may propose additional measures.

 

What will be the impact on the security of data?

The new Regulation clarifies that all security requirements that currently apply to businesses and public administrations will continue to apply also when they choose to store or process data in another Member State or to use cloud services. Accordingly, the Regulation makes businesses more aware of their responsibilities regarding the security of data storage and processing in cross-border contexts.

The new measures are relying on the implementation mechanisms provided in the Directive on security of network and information systems to enhance cyber resilience of cross-border data storage and other processing. Together with this draft regulation, the Commission has proposed to scale up the EU's response to cyber attacks by presenting a new cybersecurity framework to better anticipate, respond, and counter cyber threats. It has also proposed a new European cybersecurity certification framework which will support cross-border supply and demand of cloud and other data services, and make the system much more transparent and more efficient.

 

How will this Regulation affect EU citizens?

The Regulation on free flow of non-personal data covers data other than personal data. For that reason, it primarily affects businesses and business users of data storage of other processing services, or individuals acting in professional capacity. The Regulation on free flow of non-personal data is one of a series of proposals in the Digital Single Market Strategy. Other proposals may affect citizens more directly. For example, digital contract rules enhance the rights of consumers to terminate contracts with digital content suppliers, such as cloud service providers, or to retrieve personal data that is processed by digital content suppliers. To avoid overlap with this and other EU instruments, the Regulation on free flow of non-personal data does not cover citizens directly. However, citizens are expected to benefit indirectly from this Regulation through a more competitive and open single market for data storage and processing services in the EU.

 

What has the Commission done to support the EU data economy?

In 2014, in the Communication on "Towards a thriving data-driven economy", the Commission proposed measures to accelerate the transition towards a data-driven economy, in particular to develop a EU-wide data ecosystem and promote data-driven innovation. Tackling obstacles to the free flow of non-personal data is also one of the key actions announced in the Mid-Term Review of the Digital Single Market Strategy.

This proposal complements the measures for Building a European Data Economy launched in January 2017, in which the Commission aimed to foster the best possible use of the potential of digital data to benefit the economy and society; it assessed the barriers to the free movement of data and other emerging challenges to the European data economy.

Furthermore, the proposal builds upon the Digitising European Industry package of April 2016 that included the European Cloud Initiative for a high-capacity cloud solution for storing, sharing and re-using scientific data. It also draws upon the revision of the European Interoperability Framework for a better digital collaboration between public administrations in Europe.

Embracing digital opportunities, including the use of data-driven technologies and services, is also one of the goals of the holistic industry policy strategy presented yesterday.

Which additional measures does the Commission explore?

To gather stakeholders' views on emerging issues of the data economy – such as access to non-personal data in a business-to-business context and new technologies such as the Internet of Things (IoT), advanced robotics and autonomous systems – the Commission ran a public consultation on Building a European Data Economy from January to April 2017. A full report has now been published to accompany the Regulation on the free flow of non-personal data.

On business-to-business data access, many stakeholders are in favour of more data sharing. Most stakeholders think the regulatory framework should not be changed at this moment in time and rather support non-regulatory measures. The Commission is now exploring how to put these results into practice. In relation to the liability challenges in the context of emerging technologies, the Commission will continue to gather further evidence and conduct more investigations before action is announced.

MEMO/17/3191 Copyright European Union