Non-Personal Data Flow

Free flow of non-personal data in the European Union

Regulation (EU) 2018/1807 — on a framework for the free flow of non-personal data in the European Union

It aims to ensure that electronic data, apart from personal data, can be processed freely throughout the EU.
It bans restrictions on where the data can be stored or processed.

KEY POINTS

The regulation applies to the processing of non-personal data* which is:

provided as a service to users living in the EU;
conducted by an individual, company or organisation in the EU for its own needs.
The regulation bans measures known as localisation requirements*, restricting data processing to a specific territory in the EU, except on public security grounds.

EU countries must:

inform the European Commission immediately of any potential new data localisation requirement;
by 30 May 2021, repeal any unjustified localisation requirements or notify the Commission of any it believes are justified;
establish a national online single information point containing all up-to-date localisation requirements;
appoint a single contact point to liaise and cooperate with counterparts in other EU countries and the Commission, particularly on assistance requests.
Public authorities may request access to data located in another EU country, or stored or processed in the cloud, and required for their official duties.

The Commission must:

publish links to the national online single information points on its website and update regularly a consolidated list of localisation requirements;
by 29 May 2019, provide guidance on the interaction between the regulation and Regulation (EU) 2016/679 on the processing and transfer of personal data, especially data with both personal and non-personal information;
by 29 November 2022, report to the European Parliament, the Council and the European Economic and Social Committee on how the regulation is being applied.

The Commission encourages the creation of EU-level self-regulatory codes of conduct. These should:

be developed in close cooperation with interested parties, such as small- and medium-sized enterprise associations, start-ups, users and cloud service providers;
be completed by 29 November 2019 so they can be implemented by 29 May 2020;
cover
best practices when switching service providers or porting data*
minimum information requirements for professional users before signing a data-processing contract
certification schemes to enable comparisons between data-processing products and services for professionals
communication to raise awareness of the codes of conduct.

BACKGROUND

The new rules are designed to make it easier to do business across borders in the EU and to create a single market for data storage and processing services, such as cloud computing.

The ability to choose a data service provider anywhere in the EU should lead to more innovative data-driven services and more competitive prices for businesses, consumers and public administrations.

With a favourable regulatory environment, it is estimated the data economy could be worth 4% of EU GDP (gross domestic product) by 2020.

It applies from 18 June 2019. As mentioned in the summary, there are specific deadlines in the regulation that must be met such as the repeal, by 30 May 2021, of any unjustified localisation requirements.

KEY TERMS

Non-personal data: any information not linked to an identified or identifiable individual, that is any data other than personal data as defined in point (1) of Article 4 of the General Data Protection Regulation (GDPR).
Localisation requirements: any legal or administrative measure which states that data processing must take place in a specific EU territory.
Porting data: transferring data from one service provider to another, or back to a company’s own servers.

DOCUMENT

Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (OJ L 303, 28.11.2018, pp. 59-68)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1-88)