Today, the European Commission published a new guidance on the interaction of free flow of non-personal data with the EU data protection rules.
As part of the Digital Single Market strategy, the new Regulation on the free flow of non-personal data, which has started to apply in the Member states, will allow data to be stored and processed everywhere in the EU without unjustified restrictions. Today’s guidance aims to help users – in particular small and medium-sized enterprises – understand the interaction between these new rules and the General Data Protection Regulation (GDPR) – especially when data sets are composed of both personal and non-personal data.
Vice-President for the Digital Single Market Andrus Ansip said: “By 2025 the data economy of the EU27 is likely to provide 5.4% of its GDP, equivalent to €544 billion. However, that huge potential is limited if data cannot move freely. By removing forced data localisation restrictions, we give more people and businesses the chance to make the most out of data and its opportunities. Today’s guidance will now give full clarity on how free-flow of non-personal data interacts with our strong personal data protection rules.”
Commissioner for Digital Economy and Society Mariya Gabriel said: “Our economy is increasingly driven by data. With the regulation on the free flow of non-personal data and the General Data Protection Regulation, we have a comprehensive framework for a common European data space and the free movement of all data within the European Union. The guidance that we are publishing today will help businesses, especially small and medium-sized enterprises, to understand the interaction between the two regulations.”
Together with the General Data Protection Regulation (GDPR), which started to apply one year ago, the new Regulation on the free flow of non-personal data provides for a stable legal and business environment on data processing. The new Regulation prevents EU countries from putting laws in place that unjustifiably force data to be held solely inside national territory. It is the first of its kind in the world. The new rules increase legal certainty and trust for businesses and make it easier for SMEs and start-ups to develop new innovative services, to make use of the best offers of data processing services in the internal market, and to expand business across borders.
Today’s guidance gives practical examples on how the rules should be applied when a business is processing data sets composed of both personal and non-personal data. It also explains the concepts of personal and non-personal data, including mixed data sets; lists the principles of free movement of data and the prevention of data localisation requirements under both, the GDPR and the free flow of non-personal data Regulation; and covers the notion of data portability under the Regulation on the free flow of non-personal data. The guidance also includes the self-regulatory requirements set out in the two Regulations.
The Commission presented the framework for the free flow of non-personal data in September 2017 as part of President Jean-Claude Juncker‘s State of the Union address to unlock the full potential of the European Data Economy and the Digital Single Market strategy. The new Regulation applies since yesterday 28 May. As part of the new rules, the Commission was required to publish guidance on the interaction between this Regulation and the General Data Protection Regulation (GDPR), especially as regards data sets composed of both personal and non-personal data.
The free flow of non-personal data rules are in line with existing rules for the free movement and portability of personal data in the EU. They:
- Ensure the free flow of data across borders: The new rules set a framework for data storing and processing across the EU, preventing data localisation restrictions. Member States will have to communicate any remaining or planned data localisation restrictions to the Commission, which in turn will assess if they are justifiable. The two Regulations will function together to enable the free flow of any data – personal and non-personal – thus creating a common European space for data. In the case of a mixed data set, the GDPR provision guaranteeing free flow of personal data will apply to the personal data part of the set, and the free flow of non-personal data principle will apply to the non-personal part.
- Ensure data availability for regulatory control: Public authorities will be able to access data for scrutiny and supervisory control wherever it is stored or processed in the EU. Member States may sanction users that do not provide upon request by a competent authority access to data stored in another Member State.
- Encourage the development of codes of conduct for cloud services to facilitate switching between cloud service providers by the end of November 2019. This will make the market for cloud services more flexible and the data services in the EU more affordable.