Kristina Ehle and Stephan Kress
Technology Transactions, Communications Service + Technology | Europe, Media + Entertainment | Europe, and Technology, Media + Telecommunications | Europe
The European Union is close to finalizing a new regulation on the free flow of non-personal data within the EU. This is part of an EU goal to remove technical and legislative barriers to open data flows, including data location restrictions which force service providers to build expensive local infrastructures in each region or country. The EU wants to make it easier to move, share and re-use non-personal data across global markets and borders.
In this Alert, we examine the EU’s plans and consider the potentially confusing interplay between these regulations, which cover non-personal data, and the EU’s regime on personal data introduced by the General Data Protection Regulation (GDPR) in May 2018.
The European Commission launched its Digital Single Market (DSM) strategy in May 2015. We have written a number of articles following the DSM’s progress: on its inception, one year in, and in 2017 following a mid-term review. The DSM strategy consists of three “pillars” and 16 “Key Actions”.
Data-reliant technologies play an increasingly large role in Europe’s economy and, as a result, facilitation of the free movement of data across the EU has become a vital policy area. In terms of personal data, the implementation of the General Data Protection Regulation (GDPR) in 2018 resulted in far-reaching obligations for companies in the EU that collect, use or otherwise process personal data.
The Commission has now turned its attention to non-personal data, and committed itself to removing national restrictions on data flow in the hope that this will stimulate growth and establish European companies at the forefront of developing and exploiting digital technology – especially in the fields of automation, robotics, the Internet of Things (IoT), sustainable manufacturing and artificial intelligence.
Key Action 14 in the DSM involves creating a free-flow-of-data initiative. The European Commission believes that the fragmented nature of EU rules, as well as national obligations imposed by some Member States, is a barrier to the full adoption of new technology trends across the EU. To benefit fully from the potential of digital and data-reliant technologies, the EU plans to remove a series of technical and legislative barriers. The European free-flow-of-data initiative is intended to tackle restrictions on the free movement of data for reasons other than the protection of personal data within the EU, and eliminate unjustified restrictions on the location of data for storage or processing purposes.
In June 2018, the EU legislative institutions announced that they had reached agreement on a framework for the free flow of non-personal data in the European Union (the “Draft Regulation”). After its formal adoption, the Draft Regulation will become directly applicable law in all EU Member States six months after its official publication.
Background of the New Regulation
In regulatory terms, when hearing the term “data” most people immediately think of “personal data” and, for example, how businesses can comply with the rules on the collection, processing and transfer of personal data under the GDPR, fearing the application of high penalties should they fail to do so. However, a large volume of the data upon which the worldwide data economy is built is non-personal data – such as machine data, environmental data, product and materials data, traffic data, infrastructure data and, of course, aggregated and anonymized usage data.
The digital transformation of industries in recent years, providing new technology and software with which to track and store data more efficiently, scalable storage space (in particular as result of cloud computing), and Internet access everywhere allow for the collection and processing of big data on an unprecedented scale. The number of IoT connected devices is expected to increase from 20 billion in 2017 to almost 31 billion worldwide by 2020, further adding to the volumes of data processed.
The EU legislators intend the Draft Regulation, applicable to the processing of such non-personal data, to supplement the GDPR, so that together they form a comprehensive legal framework for the free flow of data of any kind throughout the EU. “Free flow of data” means unrestricted movement of data across borders and IT systems in the EU. The European parliament (EP) considers free movement of data to be the “fifth freedom” in the single market, after the free movement of persons, goods, services and capital.
The establishment of a framework for the free movement of data is aimed at facilitating the development of an affordable, innovative and internationally competitive European data economy as part of the DSM strategy. According to the Commission, the Draft Regulation could boost EU GDP by up to €8 billion per year by bringing down costs for data services and creating greater flexibility for companies.
Specifically, the Commission has identified four types of main obstacles to data mobility within the EU, which the Draft Regulation is specifically aiming to counter:
Main Areas of Regulation
The main changes proposed by the Draft Regulation are as follows:
Selected Points of Criticism and Discussion
There are a few immediately obvious problem areas with the Draft Regulation.
Although it is one of the declared goals of the Draft Regulation to provide a coherent set of rules for the free movement of both types of data, such coherency remains elusive. Take the example of data portability: while the GDPR expressly stipulates a right for data portability under certain circumstances (Art. 20 GDPR), such right does not exist under the Draft Regulation but is left for the service providers to define as part of their self-regulatory code of conduct. Another example is the extent to which data localization is permitted. Under both the Draft Regulation and the GDPR, data localization requirements are in principle prohibited. However, where the GDPR does permit data localizations for reasons other than the protection of personal data (such as under taxation or accounting laws), the Draft Regulation only permits data localization if justified on grounds of public security (or based on existing EU law). So the possibilities for data localization of non-personal data seem more restrictive than those under the GDPR.
The problem is compounded with regard to mixed data sets where non-personal data and personal data are “inextricably linked” (i.e., cannot be unbundled). While the Committee on the Internal Market and Consumer Protection (IMCO) discussed amendments to the Commission’s initial proposal for the new regulation (the “Commission’s Proposal”) whereby, in cases of such inextricable mixed data sets, only the GDPR should be applicable to the data set as a whole, the Draft Regulation merely states that, in these cases, the Draft Regulation “shall not prejudice the application” of the GDPR. This probably means that, with regard to mixed data sets where non-personal data and personal data are inextricably linked, both sets of rules apply but, in cases of conflict, the rules of the GDPR will prevail over the rules of the Draft Regulation.
The problem of mixed data sets has been identified by the EU legislators as a significant point of legal uncertainty. So the Draft Regulation provides that the Commission shall, within six months of the publication of the Draft Regulation in the Official Journal, publish “informative guidance” on the interplay between the Draft Regulation and the GDPR, especially with regard to mixed data sets, in order to enable companies to comply with both relevant regulations.
DIGITAL SINGLE MARKET
For more information about the Digital Single Market:
©1996-2019 Morrison & Foerster LLP. All rights reserved.