The European Parliament has adopted the Regulation on the Free Flow of Non-Personal Data in the European Union (the “Regulation”), which was already provisionally adopted by the Council of the EU.
Seen as a major building block of the Digital Single Market of the EU, the Regulation aims to safeguard the free flow of non-personal data across borders, allowing companies and public authorities to store and process non-personal data wherever they choose in the EU.
The Regulation does not regulate personal data and therefore does not impact the application of the GDPR. It is expected that the Commission will publish guidance on the interaction between the Regulation and the GDPR, regarding the interaction of both instruments in the context of mixed data sets.
The removal of data localisation restrictions is considered to be the most important factor for the data economy to unlock its full growth potential. Under the Regulation, EU countries will be prohibited from imposing unjustified data localisation restrictions, on the grounds that these represent a form of protectionism which is incompatible with a true single market.
The objective of the Regulation is to create legal certainty for businesses allowing them to process their data anywhere in the EU and boosting operational efficiency for European businesses with cross-border operations.
The Regulation will enter into force at the end of December 2018 and be applicable six months later.
The key principles of the free movement of non-personal data under the Regulation are the following:
Free flow of data across borders
The Regulation reinforces the free flow of non-personal data, prohibiting data localisation restrictions in all cases, except where proportionate and duly justified by public security. Member States will also have to communicate any data localisation restrictions to the Commission.
Data availability for regulatory control
Competent authorities will be able to access data for supervisory control wherever it is stored or processed in the EU. Member States may sanction users that do not provide access to data stored in another Member State, but as a rule they may not deviate from the free flow principle.
Switching cloud service providers
The Regulation requires cloud service providers and cloud users to jointly develop codes of conduct that will make it easier to switch cloud service providers. Resulting in a more competitive and lower priced European cloud market. The codes must be developed and implemented by mid-2020