As part of the Digital Single Market strategy, the Commission has set the goal for building a European data economy. In that context, the Commission has published a proposal for a Regulation on a framework for the free flow of non-personal data in the EU. With this proposal, the Commission aims at taking away barriers that impede the free flow of non-personal data within the EU, e.g. by reducing the range of national data localisation requirements. Special attention is paid in the proposed Regulation to making it easier for professional users to switch service providers and avoid vendor lock-in. For that purpose, the Commission assigns service providers to develop self-regulatory codes of conduct to facilitate professional users in porting their data.
Background: The Digital Single Market strategy
With the ‘Digital Single Market strategy’, published in the spring of 2015, the Commission intends to strengthen the European Digital Single Market. One of the actions outlined in the Digital Single Market strategy is to set the right conditions for collecting, storing, transmitting and analysing data within the EU. This should clear the road for businesses to make use of the full potential of (big)data.
In January 2017, the Commission adopted the Communication “Building a European Data Economy” where it outlined the legal issues around data, e.g. regarding access to and transfer of data, data ownership, data portability and liability. Following up this Communication and the outcome of the mid-term review of the Digital Single Market strategy, the Commission published this proposed Regulation on a frame work for the free flow of non-personal data in the EU.
The free flow of data
The scope of the proposed Regulation is limited to non-personal data, e.g. machine-generated-data that does not relate to an identifiable natural person. The legal framework for the free movement and portability of personal data is i.a provided by the Regulation EU 2016/679 (the GDPR, per 25 may 2018). Under the GDPR, Member States may not restrict or prohibit the free flow of personal data within the EU for reasons connected with the protection of natural persons. Together, the proposed Regulation and the GDPR should contribute to the free flow of data within the EU.
The proposed Regulation
The general policy objective of the proposed Regulation is to set the right conditions for a more competitive and integrated internal market for the storing and other processing of non-personal data. To achieve this, the proposed Regulation basically exists out of the following measures:
- Restrictions on national data localisation requirements
The proposed Regulation prohibits Member States to implement or maintain data localisation requirements, unless such requirements are justified on grounds of public security. Every organisation should be able to store and process its electronic non-personal data anywhere in the European Union. Member States will have to notify the Commission of any new or existing data localisation requirements.
- Availability of non-personal data for regulatory control
National data localisation restrictions are frequently based on presumed unavailability of the data to the Member State’s authorities. In that context, the proposed Regulation emphasizes that it shall not affect the powers of such authorities to request and receive access to the non-personal data. In fact, it even facilitates the availability of the data on cross-broader level by providing the option to such authorities to seek assistance from the Member State where the data resides. Also, the proposed Regulation clearly sets out that the storing or other processing of non-personal data in another Member State may not be used as a ground to refuse national competent authorities access to the non-personal data.
- Porting of data
The proposed Regulation aims at making it easier for professional users to port their data if they want to switch to another (cloud) service provider or place the data into their own IT environment. Under the proposed Regulation, Service providers shall be encouraged and facilitated by the Commission to develop and implement codes of conduct (on EU level) on facilitating professional users in the porting of their data. Such code of conduct should ensure that, before the conclusion of the contract, the services providers provide professional users with sufficient information on the conditions for the porting of their data. Various aspects concerning the porting process should be considered, e.g. technical requirements, timeframes, charges that may apply and the processes and location of any data back-up.
At this point, the Commission proposes a self-regulatory approach. However, the preamble of the proposed regulation hints that if such codes of conduct are not put in place and effectively implemented within a reasonable period, the Commission might choose for a more regulated approach. Pursuant to the proposed Regulation, providers are expected to effectively implement the relevant codes of conduct within one year after the Regulation came into force.
What’s next?
The proposed Regulation is now put forward for adoption by the EU Parliament and Council. Until 19 December 2017, the public is invited to respond to the proposal and accompanying impact assessment. This can also be done anonymously.