The Committee on the Internal Market and Consumer Protection adopted the report by Anna Maria CORAZZA BILDT (EPP, SE) on the proposal for a regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union.
As a reminder, the proposed Regulation seeks to ensure the free movement of data other than personal data within the Union by laying down rules relating to data localisation requirements, the availability of data to competent authorities and data porting for professional users.
The committee recommended that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should amend the Commission proposal as follows:
Principle of free movement of non-personal data: Members specified that data location requirements shall be prohibited unless, on an exceptional basis, and in compliance with the principle of proportionality, they are justified on imperative grounds of public security.
The concept of ‘imperative grounds of public security’ presupposes a threat to public security that is of a particularly high degree of seriousness. The amendment builds on the Treaty and the relevant case law of the Court of Justice to clarify the concept of public security and increase legal certainty.
Members wanted to introduce a clear deadline (no later than one year after the entry into force of the regulation) by which Member States must communicate the location requirements of the data they wish to maintain. The Commission shall examine the draft act within three months and decide whether or not the Member State concerned should amend or repeal the data location requirements. Any remaining data localisation requirements should be published on the Commission’s website to ensure easy accessibility of this information.
Scope: Members specified that public sector authorities and entities shall also benefit from the free movement of data. The Regulation shall apply to all levels of governance, including public procurement.
Mixed data sets: in the case of a mixed data set, namely a data set composed of both personal and non-personal data, the Regulation shall apply to the non-personal data of the data set. Where non-personal and personal data are inextricably linked, this Regulation should apply without prejudice to Regulation (EU) 2016/679.
Access to data for public authorities: the Commission's proposal provides that where a competent authority has exhausted all possible means of accessing data, it could request the assistance of an authority in another Member State if no specific cooperation mechanism exists. Members believe that such assistance could be requested where a competent authority does not obtain access to the data after contacting the user of the data processing service and where there is no specific cooperation mechanism under EU law or international agreements for the exchange of data between competent authorities of different Member States.
Members also pointed out that access to the premises where data is stored must be given in accordance with the national law of the Member State where the premises or equipment is located.
Codes of conduct: self-regulatory codes of conduct at EU level shall contribute to a competitive data economy, which are based on the principle of transparency and which establish guidelines on, inter alia, the following issues:
- best practices for facilitating the switching of providers and porting data in a structured, commonly used, interoperable and machine-readable format;
- minimum information requirements to ensure that professional users are provided with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded.
The Commission shall encourage providers to effectively implement the codes of conduct by 24 months after the date of publication of this Regulation. It shall ensure that the codes of conduct are developed in close cooperation with all relevant stakeholders, including associations of small and medium-sized enterprises and start-ups, users and providers of cloud services.
Single point of contact: Members considered that the know-how of the single points of contact can be used not only as a link between the Member States and the Commission, but also to connect the institutions with users.
Review: no later than 3 years and 6 months after the date of publication of the Regulation, the Commission shall submit a report evaluating the implementation of the Regulation, in particular as regards: (i) the application of the Regulation to mixed data sets; (ii) the implementation by Member States of the public security exception; (iii) the development and effective implementation of codes of conduct.