On 4th October 2018 the European Parliament (by 520 to 81 votes) agreed the text of the proposed EU Regulation on the Free Flow of Non-Personal Data in the European Union. The draft Regulation was proposed by the European Commission in 2017, as part of its Digital Single Market Strategy. The European Parliament, Council of Ministers and the European Commission reached a political consensus on it in June 2018. This adoption by the Parliament brings the regulation one step closer to becoming law. All that remains now is for the Council of Ministers to agree it on 6th November. It will then enter into force by the end of the year, although Member States will have 6 months to apply the new rules. This means that it will enter into force before the UK exits the European Union in March 2019.
Background to the proposal
The European Commission proposed this regulation as part of its Digital Single Market Strategy.
According to the EU Commission the value of the EU data market in 2016 was estimated to be almost 60 billion Euros, with one study suggesting it could increase to more than 106 billion Euros by 2020. The new regulation is designed to unlock this potential by improving the mobility of non-personal data across borders. According to the EU Commission, the free flow of non-personal data is hampered by:
- National rules and administrative practices that restrict where data can be processed and stored. The regulation refers to such rules as data localisation requirements;
- Uncertainty for organisations and the public sector about the legitimacy of national restrictions on data storage and processing;
- Private restrictions (legal, contractual and technical) that hinder or prevent users of data storage or other processing services from porting their data from one service provider to another or back to their own IT systems (so-called vendor lock-in).
The aims and outline of the regulation
The regulation only applies to the processing of non-personal electronic data. However, like the GDPR, its territorial scope is wide and includes the processing of electronic data which is:
- provided as a service to users residing or having an establishment in the EU, regardless of whether the service provider is established in the EU; or
- carried out by a natural or legal person (an individual, business, organisation or a public authority) residing or having an establishment in the EU for its own needs.
Processing is also defined in very similar terms to the GDPR – as meaning any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Unlike the GDPR, it only relates to data in electronic format. Its application is wide and encompasses outsourced data storage, processing of data on platforms, or in applications.
The regulation does not apply to personal data (see below).
National rules on data storage (data localisation requirements)
The regulation aims to ensure the free movement of non-personal data within the European Union by laying down a set of rules relating to national data processing localisation rules. These are essentially any rules, laws or administrative practices that restrict, prohibit, limit or impose conditions on where data can be processed. The regulation states that such data localisation requirements are prohibited. Member States have 24 months to repeal any such laws.
However, Member States can retain or introduce data localisation rules provided they are justified on the grounds of public security and that the rules are proportionate. In the original proposal Member States would have only had 12 months, but this was extended to 24 months by the European Parliament. Although the main body of the regulation doesn’t define public security, the recitals refer to the fact that the term has been interpreted widely to include both internal and external public security, as well as issues of public safety.
Data Availability for Competent Authorities
The regulation does not affect the powers of ‘competent’ authorities to request or obtain access to data for the performance of their official duties. The definition of competent authority is wide and includes any authority of a Member State, or any other entity authorised by national law to perform a public function or to exercise official authority, that has the power to obtain access to data processed by a natural or legal person for the performance of its official duties, as provided for by Union or national law. It therefore includes central and local government but can also include other organisations that fulfil statutory functions.
This is important, particularly if data is going to be processed in another Member State. The aim is to ensure that the powers of competent authorities to request and receive data, to enable them to fulfil their functions and regulatory powers, remain unaffected by the free movement of data. Consequently, the regulation includes a procedure for cooperation between national authorities and the possibility of Member States imposing penalties for failure to comply with an obligation to provide data.
The regulation also establishes a single point of contact for each Member State, to liaise with the contacts in other Member States, and the Commission. The aim is to ensure the effective application of the new rules.
The Regulation also seeks to encourage and facilitate data portability via the use of self-regulatory codes of conduct and certification schemes. The European Commission’s role is to encourage, for example, cloud service providers to develop self-regulatory codes of conduct for easier switching of service provider and porting data back to in-house servers. These must be implemented by
Reference is also made to certification schemes that facilitate comparison of data processing products and services for professional users. Such certification schemes may relate to quality management, information security management or environmental management.
The Commission is also to take actions to encourage cloud service providers to develop self-regulatory codes of conduct for easier switching of provider and porting data back to in-house servers; these codes must be implemented within 18 months of the regulation coming into force (mid-2020).
The European Commission is tasked with monitoring development and implementation of these codes of conduct.
The new regulation does not apply to personal data
The regulation concerns non-personal data and does not cover personal data. Data Protection practitioners will no doubt be relieved to know that this means it will have no impact on the GDPR. According to the European Commission, the two regulations will operate together to enable the free flow of any data, both personal and non-personal, “creating a single European space for data”.
In the case of a data set composed of both personal and non-personal data, this new Regulation applies to the non-personal data part of the data set. Where personal and non-personal data in a data set are inextricably linked, this Regulation shall not prejudice the application of Regulation (EU) 2016/679.
The difficulty that this raises will inevitably be a practical one: applying two different regulations to a single data set that contains both personal and non-personal data. The regulation rests on the assumption of a clear personal/non-personal data dichotomy, which in practice may be difficult to draw.
The impact of Brexit
If the new Regulation enters into force at the end of the year it will apply directly in the UK as per any other Member State. It will remain in force after the date of exit because of the provisions of the EU Withdrawal Act 2018.
After the date of exit, the UK will no longer be a Member State. The regulation effectively allows any non-personal data to be stored and processed anywhere in the EU. It does not extend this ‘right’ to storage and processing in third countries. There is of course concern that data localisation rules could be applied against data processors outside the EU, which in turn could have significant adverse business implications for UK data processors.