Regulation on Free Flow of Non-Personal Data Update
The proposal for a Regulation on Free Flow of Data was agreed in trilogue negotiations on 19 June 2018, only after a few weeks of negotiations.
The European Commission saluted this outcome with enthusiasm. Vice-President for the Digital Single Market Andrus Ansip said: "Data localisation restrictions are signs of protectionism for which there is no place in a single market. After free movement of people, goods, services and capital, we have made the next step with this agreement for a free flow of non-personal data to drive technological innovations and new business models and create a European data space for all types of data." Commissioner for Digital Economy and Society Mariya Gabriel said: "Data is the backbone of today's digital economy and this proposal will help to build a common European data space. The European data economy can become a powerful driver for growth, create new jobs and open up new business models and innovation opportunities. With this agreement we are one step closer to completing the Digital Single Market by the end of 2018."
The agreed text is now under the judicial linguist review process after which, it will be formally adopted and published in the Official Journal of the EU by the end of 2018.
Once in force, the new rules will remove any restrictions imposed by Member States’ authorities on data localization requirements for storing or processing non-personal data, except If such restrictions can be justified on grounds of national security. In summary, the regulation puts forward measures which are aimed to:
- Remove restrictions for data localization (unless on grounds of national security)
- Enhance legal certainty on the availability of data on a cross-border level;
- Facilitate switching between cloud service providers; and
- Reinforce the trust and security of cross-border data storage and processing.
Member States will have to notify the European Commission of any remaining or planned data localization restrictions in relation to public sector data processing. The regulation also encourages service providers and professional users to develop codes of conduct detailing the information on data porting conditions.
The agreed text indicates that the Regulation shall enter into force 6 months after the OJEU publication (i.e. potentially in April 2019 or May 2019, depending on the date of publication). In the meantime, cloud services providers will have the time to study the agreed text, together with their advisors, in order to understand the precise extent of the scope of application of the regulation, its implications for data localization and storage requirements, its interaction with GDPR requirements for personal data, and the challenges and opportunities arising from the free flow of non-personal data. In addition, UK cloud services providers will need to consider what arrangements, if any, will likely be required in order to benefit from the free flow of non-personal data within the EU post Brexit.
Francesco Liberatore, Partner, Squire Patton Boggs (UK) LLP, Chair, IIC Brussels Chapter
Christina Economides, Public Policy Advisor, Public Policy Advisor, Squire Patton Boggs (Belgium) LLP
- Tuesday, 11 September 2018