The European Union is close to finalizing a new regulation on the free flow of non-personal data within the EU. This is part of an EU goal to remove technical and legislative barriers to open data flows, including data location restrictions which force service providers to build expensive local infrastructures in each region or country. The EU wants to make it easier to move, share and re-use non-personal data across global markets and borders.
In this Alert, we examine the EU’s plans and consider the potentially confusing interplay between these regulations, which cover non-personal data, and the EU’s regime on personal data introduced by the General Data Protection Regulation (GDPR) in May 2018.
The European Commission launched its Digital Single Market (DSM) strategy in May 2015. We have written a number of articles following the DSM’s progress: on its inception, one year in, and in 2017 following a mid-term review. The DSM strategy consists of three “pillars” and 16 “Key Actions”.
Data-reliant technologies play an increasingly large role in Europe’s economy and, as a result, facilitation of the free movement of data across the EU has become a vital policy area. In terms of personal data, the implementation of the General Data Protection Regulation (GDPR) in 2018 resulted in far-reaching obligations for companies in the EU that collect, use or otherwise process personal data.
The Commission has now turned its attention to non-personal data, and committed itself to removing national restrictions on data flow in the hope that this will stimulate growth and establish European companies at the forefront of developing and exploiting digital technology – especially in the fields of automation, robotics, the Internet of Things (IoT), sustainable manufacturing and artificial intelligence.
Key Action 14 in the DSM involves creating a free-flow-of-data initiative. The European Commission believes that the fragmented nature of EU rules, as well as national obligations imposed by some Member States, is a barrier to the full adoption of new technology trends across the EU. To benefit fully from the potential of digital and data-reliant technologies, the EU plans to remove a series of technical and legislative barriers. The European free-flow-of-data initiative is intended to tackle restrictions on the free movement of data for reasons other than the protection of personal data within the EU, and eliminate unjustified restrictions on the location of data for storage or processing purposes.
In June 2018, the EU legislative institutions (the European Parliament, the Council and the Commission) announced that they had reached agreement on a framework for the free flow of non-personal data in the European Union (the “Draft Regulation”). After its formal adoption, the Draft Regulation will become directly applicable law in all EU Member States six months after its official publication, without any need for national implementing legislation.
The proposal would improve data mobility across borders by eliminating any national requirements to keep data within a particular country, and make it easier for users of data storage services to port data to different service providers.
It’s questionable whether the Draft Regulation will actually produce the vast economic and other benefits claimed by the EU lawmakers. While the most likely direct effect will be the reduction of national data localization requirements imposed by Member States, this is only one of the obstacles to the free movement of data (and the actual economic effect of this single factor remains unclear). The Draft Regulation does not address many other important legal issues regarding the sharing of non-personal data, such as questions regarding data ownership or liability in an increasingly collaborative digital economy.
The “vendor lock-in” effect, which was identified as another significant obstacle to the free movement of data, is addressed by the Draft Regulation, but only in restrained fashion: through self-regulatory codes of conduct for providers of data processing services rather than binding obligations. Providers offering data processing services in the EU may therefore want to participate in the standard-setting process for these codes of conduct as envisaged by the Draft Regulation, since that is where the practical rules on switching and porting will be written.
Data owners will need to pay attention to the guidance to be published by the Commission with regard to the interplay between the Draft Regulation and the GDPR, especially with regard to their application to mixed data sets.
Background of the New Regulation
In regulatory terms, when hearing the term “data” most people immediately think of “personal data” and, for example, how businesses can comply with the rules on the collection, processing and transfer of personal data under the GDPR, fearing the application of high penalties should they fail to do so. However, a large volume of the data upon which the worldwide data economy is built is non-personal data – such as machine data, environmental data, product and materials data, traffic data, infrastructure data and, of course, aggregated and anonymized usage data.
The digital transformation of industries in recent years has enabled the collection and processing of big data on an unprecedented scale: new technology and software track and store data more efficiently, storage space is scalable (in particular as a result of cloud computing), and Internet access is available almost everywhere. The number of connected IoT devices is expected to increase from 20 billion in 2017 to almost 31 billion worldwide by 2020, further adding to the volumes of data processed.
The EU legislators intend the Draft Regulation, applicable to the processing of such non-personal data, to supplement the GDPR, so that together they form a comprehensive legal framework for the free flow of data of any kind throughout the EU. “Free flow of data” means unrestricted movement of data across borders and IT systems in the EU. The European parliament (EP) considers free movement of data to be the “fifth freedom” in the single market, after the free movement of persons, goods, services and capital.
The establishment of a framework for the free movement of data is aimed at facilitating the development of an affordable, innovative and internationally competitive European data economy as part of the DSM strategy. According to the Commission, the Draft Regulation could boost EU GDP by up to €8 billion per year by bringing down costs for data services and creating greater flexibility for companies.
Specifically, the Commission has identified four main obstacles to data mobility within the EU, which the Draft Regulation aims to counter:
Data localization requirements (requiring data to be stored within a certain Member State’s jurisdiction) imposed by Member States’ laws or administrative practices
The “vendor lock-in” effect, i.e., obstacles (economic, contractual or otherwise) to movement of data between different service providers
The lack of an overarching principle in the current complex EU legal patchwork regarding the cross-border processing of non-personal data, causing legal uncertainty
A lack of trust due to security risks (in particular, the risk of security breaches), which leads market players and the public sector to treat localization as the default safe option.
Main Areas of Regulation
The main changes proposed by the Draft Regulation are as follows:
Reduction of National Data Localization Requirements. Art. 4 requires that data localization requirements in the laws or administrative practices of Member States must be eliminated, unless they are proportionate and justified on grounds of public security (or based on existing EU law). Member States are obliged to repeal any prohibited data localization requirement within 24 months after the start of application of the Draft Regulation.
Cross-Border Access to Data by Competent Authorities. Art. 5 and Art. 7 of the Draft Regulation establish a general cooperation procedure for the exchange of non-personal data between public authorities of different Member States in areas where no specific cooperation mechanism exists under EU law or international agreements. According to the Commission, this addresses the Member States’ main motivation for imposing data localization requirements, namely the concern that local laws cannot be enforced when data is stored outside the respective Member State’s jurisdiction. Under the Draft Regulation, where a competent authority has requested access to the data of a user of data processing services, and that data is stored in a different Member State, and the authority does not receive access from the user, it may request assistance from the authorities of that other Member State to obtain access to the data. The original requirement that a competent authority must first exhaust “all applicable means” to obtain access to the data itself before submitting a cooperation request has been removed from the Draft Regulation, as it would “unnecessarily prolong the process of obtaining legitimate access to the data in question.”
Self-Regulatory Codes of Conduct to Facilitate Switching between Service Providers. With regard to the facilitation of data portability and easier switching of service providers, the Draft Regulation applies a self-regulatory approach. Under Art. 6, the Commission is to “encourage and facilitate” the development of self-regulatory codes of conduct by providers. The Draft Regulation does not itself specify concrete minimum requirements but merely lists key aspects that should be taken into account when developing the codes of conduct, such as (a) best practices for facilitating the switching of providers and porting data in a structured, commonly used and machine-readable format; and (b) minimum pre-contractual information requirements towards professional cloud users (not consumers) who want to switch to another provider or port data back to their own IT systems. The Draft Regulation envisages that these codes of conduct will be developed within one year of its publication and effectively implemented within 18 months of it.
Transparency and Information Requirements. The Draft Regulation provides publication and information obligations for both the Commission and the Member States. The Member States’ single points of contact must provide users with general information on the Draft Regulation, including on the self-regulatory codes of conduct developed pursuant to it. Also, Member States must make the details of any national data localization requirement publicly available online via a national single information point, which they must keep up-to-date. The Commission will publish the links to such national information points on its website, along with a regularly updated consolidated list and summary of all data localization requirements of the Member States.
Selected Points of Criticism and Discussion
There are a few immediately obvious problem areas with the Draft Regulation.
Mixed Data Sets. The Draft Regulation clearly separates its own scope (applicable only to non-personal data) from the scope of the GDPR (applicable to personal data). Many data sets, however, will contain both personal data and non-personal data (“mixed data sets”). With regard to such mixed data sets, the Draft Regulation provides that its rules apply only to the non-personal part of the data set. Although Recital 10 clarifies that the Draft Regulation does not impose an obligation to store the different types of data separately, the question is whether affected entities will in practice be forced to do exactly that in order to tell clearly which set of obligations applies to which data.
Although one of the declared goals of the Draft Regulation is to provide a coherent set of rules for the free movement of both types of data, such coherence remains elusive. Take the example of data portability: while the GDPR expressly stipulates a right to data portability under certain circumstances (Art. 20 GDPR), no such right exists under the Draft Regulation; it is left for the service providers to define as part of their self-regulatory codes of conduct. Another example is the extent to which data localization is permitted. Under both the Draft Regulation and the GDPR, data localization requirements are in principle prohibited. However, whereas the GDPR leaves room for data localization requirements imposed for reasons other than the protection of personal data (such as under taxation or accounting laws), the Draft Regulation permits data localization only if justified on grounds of public security (or based on existing EU law). So the possibilities for localizing non-personal data appear more restricted than those for personal data under the GDPR.
The problem is compounded with regard to mixed data sets where non-personal data and personal data are “inextricably linked” (i.e., cannot be unbundled). While the Committee on the Internal Market and Consumer Protection (IMCO) discussed amendments to the Commission’s initial proposal for the new regulation (the “Commission’s Proposal”) whereby, in cases of such inextricable mixed data sets, only the GDPR should be applicable to the data set as a whole, the Draft Regulation merely states that, in these cases, the Draft Regulation “shall not prejudice the application” of the GDPR. This probably means that, with regard to mixed data sets where non-personal data and personal data are inextricably linked, both sets of rules apply but, in cases of conflict, the rules of the GDPR will prevail over the rules of the Draft Regulation.
The problem of mixed data sets has been identified by the EU legislators as a significant point of legal uncertainty. So the Draft Regulation provides that the Commission shall, within six months of the publication of the Draft Regulation in the Official Journal, publish “informative guidance” on the interplay between the Draft Regulation and the GDPR, especially with regard to mixed data sets, in order to enable companies to comply with both relevant regulations.
Codes of Conduct. The self-regulatory approach for the facilitation of data portability and easier switching of service providers through the development of codes of conduct has faced criticism that it is ineffective. One influential EU committee suggested the need to provide at least a series of basic contractual rules, and a “blacklist” of prohibited clauses or guidelines for drafting the codes of conduct. IMCO went even further, explicitly suggesting an express right to data portability. At first, the Commission also wanted to create an explicit right on data portability; however, after two negative opinions from the Regulatory Scrutiny Board (RSB) criticizing the insufficient evidence to justify such an explicit right, the Commission opted for the self-regulatory solution. The Draft Regulation also does not stipulate any legal consequences for non-compliance with the obligation to develop codes of conduct – so one wonders what practical effect the self-regulatory solution will actually have.
Lack of Safeguards Regarding Cross-Border Data Access Requests. With regard to cross-border data access requests between authorities of different Member States, the Draft Regulation remains fairly vague. It simply states that the administrative cooperation mechanism can be invoked as soon as a competent authority “does not receive access to data” and that no specific cooperation mechanisms under EU law or international agreements exist. For example, no rules for the treatment of business secrets are specified. The Commission has also been criticized because the Draft Regulation is silent as to how the rule of law and fundamental rights established under the EU Charter of Fundamental Rights have to be respected during the cooperation process. The only substantive requirement established in the Commission’s Proposal (namely, a Member State’s right to refuse to cooperate with competent authorities where it would be “contrary to their public order”) was removed from the Draft Regulation. While the Draft Regulation provides that the request for access must include a written explanation by the requesting authority as to its justification and legal basis for seeking access to the data, it is unclear to what extent and in what detail the authority receiving the cooperation request has to review the written explanation.
Security Requirements. Despite its declared objective of enhancing trust in the security of cross-border data processing, and thereby reducing the tendency of market players and Member States to use data localization as a practical security measure, the Draft Regulation does not contain any specific security requirements. Recitals 25 through 27 merely clarify that the existing patchwork of EU and national security law continues to apply. In practice, therefore, moving non-personal data to another Member State changes where the data is stored but not which security obligations attach to it; those obligations still have to be identified and met under the existing rules.