Jones Day

With this new legislative act, the European legislature aims to remove existing data localization requirements and enable storage of data in multiple locations across the EU.

On November 14, 2018, the European Parliament and the Council of the EU approved a legislative reform banning data localization restrictions. The new Regulation (EU) 2018/1807 ("regulation"), published in the Official Journal of the European Union on November 28, 2018 and therefore applicable in all EU Member States as of May 2019, creates a framework for the free flow of electronic non-personal data in the EU and promotes the idea of a data economy and enhanced competitiveness of the EU industry.

Prohibition of data localization: This new framework forms part of the EU's digital single market strategy and responds to the need for removing obstacles to data mobility and the internal single market which affect trade and distort competition. In particular, the new regulation prohibits data localization requirements put in place by EU Member States regarding the storing or processing of non-personal data. An exception to the general prohibition applies where data localization restrictions are justified on grounds of public security.

Enabling new technologies: From a business perspective, the regulation enables the rapid development of the data economy and emerging technologies, such as artificial intelligence, Internet of things products and services, autonomous systems, and 5G, as all these technologies are based on data and require the free flow of data within the European Union in order to achieve data-driven economic growth and innovation.

Practical implications: Specific examples of non-personal data include aggregate and anonymized data sets used for big data analytics, data on precision farming that can help to monitor and optimize the use of pesticides and water, or data on maintenance needs for industrial machines. Companies with business models involving non-personal data should assess to what extent they may benefit from the new regulation. Those companies currently using personal data may want to explore the possibility of applying anonymization techniques to their data sets.

Self-regulation: Focusing on vendor lock-in practices in the private sector, the new regulation promotes market player self-regulation through the development of codes of conduct which allow users to switch between service providers without hindrance.

The European Commission is expected to publish guidance on how to handle data sets composed of both personal and non-personal data to allow companies to better understand the interaction between the new regulation and the General Data Protection Regulation.