REPORT on the proposal for a regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union

6.6.2018 - (COM(2017)0495 – C8‑0312/2017 – 2017/0228(COD)) - ***I

Committee on the Internal Market and Consumer Protection
Rapporteur: Anna Maria Corazza Bildt


Procedure: 2017/0228(COD)
Document: A8-0201/2018

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union

(COM(2017)0495 – C8‑0312/2017 – 2017/0228(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2017)0495),

–  having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8‑0312/2017),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the reasoned opinion submitted, within the framework of Protocol No 2 on the application of the principles of subsidiarity and proportionality, by the French Senate, asserting that the draft legislative act does not comply with the principle of subsidiarity,

–  having regard to the opinion of the European Economic and Social Committee of 15 February 2018[1],

–  after consulting the Committee of the Regions,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the report of the Committee on the Internal Market and Consumer Protection and the opinion of the Committee on Industry, Research and Energy (A8-0201/2018),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Amendment    1

Proposal for a regulation

Recital 1

Text proposed by the Commission

Amendment

(1)  The digitisation of the economy is accelerating. Information and Communications Technology (ICT) is no longer a specific sector but the foundation of all modern innovative economic systems and societies. Electronic data is at the centre of those systems and can generate great value when analysed or combined with services and products.

(1)  The digitisation of the economy is accelerating. Information and Communications Technology (ICT) is no longer a specific sector but the foundation of all modern innovative economic systems and societies. Electronic data is at the centre of those systems and can generate great value when analysed or when combined, under secure conditions, with services and products.

Amendment    2

Proposal for a regulation

Recital 3

Text proposed by the Commission

Amendment

(3)  The freedom of establishment and the freedom to provide services under the Treaty on the Functioning of the European Union apply to data storage or other processing services. However, the provision of those services is hampered or sometimes prevented by certain national requirements to locate data in a specific territory.

(3)  The freedom of establishment and the freedom to provide services under the Treaty on the Functioning of the European Union apply to data processing services, including porting of data. However, the provision of those services is hampered or sometimes prevented by certain national, regional or local requirements to locate data in a specific territory.

Amendment    3

Proposal for a regulation

Recital 4

Text proposed by the Commission

Amendment

(4)  Such obstacles to the free movement of data storage or other processing services and to the right of establishment of data storage or other processing providers originate from requirements in the national laws of Member States to locate data in a specific geographical area or territory for the purpose of storage or other processing. Other rules or administrative practices have an equivalent effect by imposing specific requirements which make it more difficult to store or otherwise process data outside a specific geographical area or territory within the Union, such as requirements to use technological facilities that are certified or approved within a specific Member State. Legal uncertainty as to the extent of legitimate and illegitimate data localisation requirements further limits the choices available to market players and to the public sector regarding the location of data storage or other processing.

(4)  Such obstacles to the free movement of data processing services and to the right of establishment of data processing providers originate from requirements in the national laws of Member States to locate data in a specific geographical area or territory for the purpose of processing. Other rules or administrative practices have an equivalent effect by imposing specific requirements which make it more difficult to process data outside a specific geographical area or territory within the Union, such as requirements to use technological facilities that are certified or approved within a specific Member State. Legal uncertainty as to the extent of legitimate and illegitimate data localisation requirements further limits the choices available to market players and to the public sector regarding the location of data processing. This Regulation in no way limits the freedom of businesses to make contractual agreements specifying where data is to be located. This Regulation is merely intended to enhance that choice by ensuring that an agreed location may be situated anywhere within the Union.

Amendment    4

Proposal for a regulation

Recital 5 a (new)

Text proposed by the Commission

Amendment

 

(5a)  The combination of those obstacles has led to a lack of competition between cloud service providers in Europe, to various vendor locking issues, and to a serious lack of data mobility. Likewise, data-localisation policies have undermined the ability of research and development companies to facilitate collaboration between firms, universities, and other research organisations with the aim of driving their own innovation.

Amendment    5

Proposal for a regulation

Recital 7 a (new)

Text proposed by the Commission

Amendment

 

(7a)  Free flow of data within the Union will play an important role in achieving data-driven growth and innovation. Like businesses and consumers, the public authorities and bodies of Member States stand to benefit from increased freedom of choice regarding data-driven service providers, from more competitive prices and from a more efficient provision of services to citizens. Given the large amounts of data that public authorities and bodies handle, it is of the utmost importance that they lead by example by taking up data-processing services and that they refrain from making data localisation restrictions when they make use of data-processing services. Therefore public authorities and bodies should also be covered by this Regulation, including, without prejudice to Directive 2014/24/EU of the European Parliament and the Council[1a], in the context of public procurement. At the same time, this Regulation creates no obligation for public entities to outsource data processing.

 

_____________

 

1a Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC Text with EEA relevance (OJ L 94, 28.3.2014, p. 65).

Amendment    6

Proposal for a regulation

Recital 9

Text proposed by the Commission

Amendment

(9)  The legal framework on the protection of natural persons with regard to the processing of personal data, in particular Regulation (EU) 2016/679[30], Directive (EU) 2016/680[31] and Directive 2002/58/EC[32] should not be affected by this Regulation.

(9)  The legal framework on the protection of natural persons with regard to the processing of personal data, and on respect for private life and the protection of personal data in electronic communications, in particular Regulation (EU) 2016/679[30], Directive (EU) 2016/680[31] and Directive 2002/58/EC[32], are not affected by this Regulation.

__________________

30 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

31 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).

32 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

Amendment    7

Proposal for a regulation

Recital 10

Text proposed by the Commission

Amendment

(10)  Under Regulation (EU) 2016/679, Member States may neither restrict nor prohibit the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data. This Regulation establishes the same principle of free movement within the Union for non-personal data except when a restriction or a prohibition would be justified for security reasons.

(10)  Under Regulation (EU) 2016/679, Member States may neither restrict nor prohibit the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data. This Regulation establishes the same principle of free movement within the Union for non-personal data except when a restriction or a prohibition would be justified for public security reasons. Regulation (EU) 2016/679 and this Regulation provide a coherent set of rules that cater for the free movement of different types of data. Where data sets contain both personal and non-personal data, Regulation (EU) 2016/679 should apply to the personal data part of the set, and this Regulation should apply to the non-personal data part of the set. Where non-personal and personal data in a mixed data set are inextricably linked, this Regulation should apply without prejudice to Regulation (EU) 2016/679. If technological advancements, such as artificial intelligence, machine learning, internet of things, and big data analysis, make it possible to turn anonymised data into personal data, such data are treated as personal data and Regulation (EU) 2016/679 applies accordingly. Furthermore, this Regulation does not impose an obligation to store the different types of data separately or an obligation to unbundle mixed data sets.

Amendment    8

Proposal for a regulation

Recital 12

Text proposed by the Commission

Amendment

(12)  Data localisation requirements represent a clear barrier to the free provision of data storage or other processing services across the Union and to the internal market. As such, they should be banned unless they are justified based on the grounds of public security, as defined by Union law, in particular Article 52 of the Treaty on the Functioning of the European Union, and satisfy the principle of proportionality enshrined in Article 5 of the Treaty on European Union. In order to give effect to the principle of free flow of non-personal data across borders, to ensure the swift removal of existing data localisation requirements and to enable for operational reasons storage or other processing of data in multiple locations across the EU, and since this Regulation provides for measures to ensure data availability for regulatory control purposes, Member States should not be able to invoke justifications other than public security.

(12)  Data localisation requirements represent a clear barrier to the free provision of data processing services across the Union and to the internal market. As such, they should be banned unless they are justified based on imperative grounds of public security, as defined by Union law, in particular Article 52 of the Treaty on the Functioning of the European Union, and satisfy the principle of proportionality enshrined in Article 5 of the Treaty on European Union. In order to give effect to the principle of free flow of non-personal data across borders, to ensure the swift removal of existing data localisation requirements and to enable for operational reasons the processing of data in multiple locations across the EU, and since this Regulation provides for measures to ensure data availability for regulatory control purposes, Member States should not be able to invoke justifications other than public security.

Amendment    9

Proposal for a regulation

Recital 12 a (new)

Text proposed by the Commission

Amendment

 

(12a)  The concept of ‘public security’, within the meaning of Article 52 TFEU, as interpreted by the Court of Justice, covers both the internal and external security of a Member State. It presupposes the existence of a genuine and sufficiently serious threat affecting one of the fundamental interests of society, such as a threat to the functioning of institutions and essential public services and the survival of the population, as well as the risk of a serious disturbance to foreign relations or to peaceful coexistence of nations, or a risk to military interests. The concept of ‘imperative grounds of public security’ presupposes a threat to public security that is of a particularly high degree of seriousness. In accordance with the principle of proportionality, data localisation requirements that are justified in exceptional cases by imperative grounds of public security should be suitable for attaining the objective pursued, and should not go beyond what is necessary to attain that objective.

Amendment    10

Proposal for a regulation

Recital 13

Text proposed by the Commission

Amendment

(13)  In order to ensure the effective application of the principle of free flow of non-personal data across borders, and to prevent the emergence of new barriers to the smooth functioning of the internal market, Member States should notify to the Commission any draft act that contains a new data localisation requirement or modifies an existing data localisation requirement. Those notifications should be submitted and assessed in accordance with the procedure laid down in Directive (EU) 2015/1535[33].

(13)  In order to ensure the effective application of the principle of free flow of non-personal data across borders, and to prevent the emergence of new barriers to the smooth functioning of the internal market, Member States should immediately communicate to the Commission any draft act that contains a new data localisation requirement or modifies an existing data localisation requirement. Those draft acts should be submitted and assessed in accordance with Directive (EU) 2015/1535[33].

__________________

33 Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).

Amendment    11

Proposal for a regulation

Recital 14

Text proposed by the Commission

Amendment

(14)  Moreover, in order to eliminate potential existing barriers, during a transitional period of 12 months, Member States should carry out a review of existing national data localisation requirements and notify to the Commission, together with a justification, any data localisation requirement that they consider being in compliance with this Regulation. These notifications should enable the Commission to assess the compliance of any remaining data localisation requirements.

(14)  Moreover, in order to eliminate potential existing barriers, during a transitional period of 12 months, Member States should carry out a review of existing national data localisation requirements and communicate to the Commission, together with a justification, any data localisation requirement that they consider being in compliance with this Regulation. These communications should enable the Commission to assess the compliance of any remaining data localisation requirements, and to adopt decisions, where appropriate, requesting Member States to amend or to repeal such data localisation requirements.

Amendment    12

Proposal for a regulation

Recital 15

Text proposed by the Commission

Amendment

(15)  In order to ensure the transparency of data localisation requirements in the Member States for natural and legal persons, such as providers and users of data storage or other processing services, Member States should publish on a single online information point and regularly update the information on such measures. In order to appropriately inform legal and natural persons of data localisation requirements across the Union, Member States should notify to the Commission the addresses of such online points. The Commission should publish this information on its own website.

(15)  In order to ensure the transparency of data localisation requirements in the Member States for natural and legal persons, such as providers and users of data storage or other processing services, Member States should publish details of such requirements on a single online information point or should provide such details to a Union-level information point established under another Union act, [such as Regulation (EU) No ... of the European Parliament and of the Commission the Digital Single Gateway]. Member States should regularly update this information. In order to appropriately inform legal and natural persons of data localisation requirements across the Union, Member States should notify to the Commission the addresses of such online points. The Commission should publish this information on its own website, along with a consolidated list of data localisation requirements in force in Member States. The Commission should, in addition, publish information on those requirements in its official working languages.

Amendment    13

Proposal for a regulation

Recital 16

Text proposed by the Commission

Amendment

(16)  Data localisation requirements are frequently underpinned by a lack of trust in cross-border data storage or other processing, deriving from the presumed unavailability of data for the purposes of the competent authorities of the Member States, such as for inspection and audit for regulatory or supervisory control. Therefore, this Regulation should clearly establish that it does not affect the powers of competent authorities to request and receive access to data in accordance with Union or national law, and that access to data by competent authorities may not be refused on the basis that the data is stored or otherwise processed in another Member State.

(16)  Data localisation requirements are frequently underpinned by a lack of trust in cross-border data processing, deriving from the presumed unavailability of data for the purposes of the competent authorities of the Member States, such as for inspection and audit for regulatory or supervisory control. Therefore the security of data hosting systems should be reinforced in all Member States, and this Regulation should clearly establish that it does not affect the powers of competent authorities to request and receive access to data in accordance with Union or national law, and that access to data by competent authorities may not be refused on the basis that the data is stored or otherwise processed in another Member State.

Amendment    14

Proposal for a regulation

Recital 18

Text proposed by the Commission

Amendment

(18)  Where a natural or legal person subject to obligations to provide data fails to comply with them and provided that a competent authority has exhausted all applicable means to obtain access to data, the competent authority should be able to seek assistance from competent authorities in other Member States. In such cases, competent authorities should use specific cooperation instruments in Union law or international agreements, depending on the subject matter in a given case, such as, in the area of police cooperation, criminal or civil justice or in administrative matters respectively, Framework Decision 2006/960[34], Directive 2014/41/EU of the European Parliament and of the Council[35], the Convention on Cybercrime of the Council of Europe[36], Council Regulation (EC) No 1206/2001[37], Council Directive 2006/112/EC[38] and Council Regulation (EU) No 904/2010[39]. In the absence of such specific cooperation mechanisms, competent authorities should cooperate with each other with a view to provide access to the data sought, through designated single points of contact, unless it would be contrary to the public order of the requested Member State.

(18)  Where a natural or legal person subject to obligations to provide data fails to comply with them, the competent authority should be able to seek assistance from competent authorities in other Member States. In such cases, competent authorities should use specific cooperation instruments in Union law or international agreements, depending on the subject matter in a given case, such as, in the area of police cooperation, criminal or civil justice or in administrative matters respectively, Framework Decision 2006/960[34], Directive 2014/41/EU of the European Parliament and of the Council[35], the Convention on Cybercrime of the Council of Europe[36], Council Regulation (EC) No 1206/2001[37], Council Directive 2006/112/EC[38] and Council Regulation (EU) No 904/2010[39]. In the absence of such specific cooperation mechanisms, competent authorities should cooperate with each other with a view to provide access to the data sought, through designated single points of contact.

__________________

34 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union (OJ L 386, 29.12.2006, p. 89).

35 Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters (OJ L 130, 1.5.2014, p. 1).

36 Convention on Cybercrime of the Council of Europe, CETS No 185.

37 Council Regulation (EC) No 1206/2001 of 28 May 2001 on cooperation between the courts of the Member States in the taking of evidence in civil or commercial matters (OJ L 174, 27.6.2001, p. 1).

38 Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax (OJ L 347, 11.12.2006, p. 1).

39 Council Regulation (EU) No 904/2010 of 7 October 2010 on administrative cooperation and combating fraud in the field of value added tax (OJ L268, 12.10.2010, p.1).

Amendment    15

Proposal for a regulation

Recital 21

Text proposed by the Commission

Amendment

(21)  In order to take full advantage of the competitive environment, professional users should be able to make informed choices and easily compare the individual components of various data storage or other processing services offered in the internal market, including as to the contractual conditions of porting data upon the termination of a contract. In order to align with the innovation potential of the market and to take into account the experience and expertise of the providers and professional users of data storage or other processing services, the detailed information and operational requirements for data porting should be defined by market players through self-regulation, encouraged and facilitated by the Commission, in the form of Union codes of conduct which may entail model contract terms. Nonetheless, if such codes of conduct are not put in place and effectively implemented within a reasonable period of time, the Commission should review the situation.

(21)  In order to take full advantage of the competitive environment, professional users should be able to make informed choices and easily compare the individual components of various data processing services offered in the internal market, including as to the contractual conditions of porting data upon the termination of a contract. In order to align with the innovation potential of the market and to take into account the experience and expertise of the providers and professional users of data storage or other processing services, the detailed information and operational requirements for data porting should be defined by market players through self-regulation, encouraged, facilitated and monitored by the Commission, in the form of Union codes of conduct which may entail model contract terms. Codes of conduct should be comprehensive, should make clear that vendor lock-in is not an acceptable business practice, should provide for trust-increasing technologies, and should be regularly updated in order to keep pace with technological developments. The Commission should ensure that all relevant stakeholders, including small and medium-sized enterprises and start-ups are consulted throughout the process. The Commission should evaluate the development, and the effectiveness of the implementation, of such codes of conduct.

Amendment    16

Proposal for a regulation

Recital 28

Text proposed by the Commission

Amendment

(28)  The Commission should periodically review this Regulation, in particular with a view to determining the need for modifications in the light of technological or market developments.

(28)  The Commission should submit a report on the implementation of this Regulation, in particular with a view to determining the need for modifications in the light of technological or market developments, such as artificial intelligence, machine learning, internet of things, and big data analysis. Such report should in particular evaluate the experience gained in applying this Regulation to mixed data sets, in order to ensure that innovation flourishes, and should evaluate the implementation of the public security exception. The Commission should also publish guidelines, before the other rules of this Regulation apply, on how it applies to mixed data sets, in order for companies, including SMEs, to better understand the interaction between this Regulation and Regulation (EU) 2016/679.

Amendment    17

Proposal for a regulation

Article 2 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  This Regulation shall apply to the storage or other processing of electronic data other than personal data in the Union, which is

1.  This Regulation shall apply to the processing of electronic data other than personal data in the Union, which is

Amendment    18

Proposal for a regulation

Article 2 – paragraph 1 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

In the case of mixed data sets, this Regulation shall apply to the non-personal data part of the set. Where personal and non-personal data in a mixed data set are inextricably linked, this Regulation shall apply without prejudice to Regulation (EU) 2016/679.

Amendment    19

Proposal for a regulation

Article 3 – paragraph 1 – point 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  ‘mixed data set’ means a data set composed of both personal and non-personal data;

Amendment    20

Proposal for a regulation

Article 3 – paragraph 1 – point 2

Text proposed by the Commission

Amendment

2.  'data storage' means any storage of data in electronic format;

deleted

Amendment    21

Proposal for a regulation

Article 3 – paragraph 1 – point 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  'processing' means any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Amendment    22

Proposal for a regulation

Article 3 – paragraph 1 – point 4

Text proposed by the Commission

Amendment

4.  'provider' means a natural or legal person who provides data storage or other processing services;

4.  'provider' means a natural or legal person who provides data processing services;

Amendment    23

Proposal for a regulation

Article 3 – paragraph 1 – point 5

Text proposed by the Commission

Amendment

5.  'data localisation requirement' means any obligation, prohibition, condition, limit or other requirement provided for in the laws, regulations or administrative provisions of the Member States, which imposes the location of data storage or other processing in the territory of a specific Member State or hinders storage or other processing of data in any other Member State;

5.  'data localisation requirement' means any obligation, prohibition, condition, limit or other requirement provided for in the laws, regulations or administrative provisions, or resulting from the administrative practices, of the Member States and their emanations, including in the field of public procurement, which imposes the location of data processing in the territory of a specific Member State or hinders the processing of data in any other Member State;

Amendment    24

Proposal for a regulation

Article 3 – paragraph 1 – point 6

Text proposed by the Commission

Amendment

6.  'competent authority' means an authority of a Member State that has the power to obtain access to data stored or processed by a natural or legal person for the performance of its official duties, as provided for by national or Union law;

6.  'competent authority' means an authority of a Member State that has the power to obtain access to data processed by a natural or legal person for the performance of its official duties, as provided for by national or Union law;

Amendment    25

Proposal for a regulation

Article 3 – paragraph 1 – point 7

Text proposed by the Commission

Amendment

7.  'user' means a natural or legal person using or requesting a data storage or other processing service;

7.  'user' means a natural or legal person, including a public sector entity, using or requesting a data processing service;

Amendment    26

Proposal for a regulation

Article 3 – paragraph 1 – point 8

Text proposed by the Commission

Amendment

8.  'professional user' means a natural or legal person, including a public sector entity, using or requesting a data storage or other processing service for purposes related to its trade, business, craft, profession or task.

8.  'professional user' means a natural or legal person, including a public sector entity, using or requesting a data processing service for purposes related to its trade, business, craft, profession or task.

Amendment    27

Proposal for a regulation

Article 4 – paragraph 1

Text proposed by the Commission

Amendment

1.  Location of data for storage or other processing within the Union shall not be restricted to the territory of a specific Member State, and storage or other processing in any other Member State shall not be prohibited or restricted, unless it is justified on grounds of public security.

1.  Data localisation requirements shall be prohibited, unless, on an exceptional basis, and in compliance with the principle of proportionality, they are justified on imperative grounds of public security.

Amendment    28

Proposal for a regulation

Article 4 – paragraph 2

Text proposed by the Commission

Amendment

2.  Member States shall notify to the Commission any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement in accordance with the procedures set out in the national law implementing Directive (EU) 2015/1535.

2.  Member States shall immediately communicate to the Commission any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement in accordance with the procedures set out in Articles 5, 6 and 7 of Directive (EU) 2015/1535.

Amendment    29

Proposal for a regulation

Article 4 – paragraph 3

Text proposed by the Commission

Amendment

3.  Within 12 months after the start of application of this Regulation, Member States shall ensure that any data localisation requirement that is not in compliance with paragraph 1 is repealed. If a Member State considers that a data localisation requirement is in compliance with paragraph 1 and may therefore remain in force, it shall notify that measure to the Commission, together with a justification for maintaining it in force.

3.  By ... [12 months after the date of entry into force of this Regulation], Member States shall ensure that any data localisation requirement that is not in compliance with paragraph 1 has been repealed. By ... [12 months after the date of entry into force of this Regulation], if a Member State considers that a data localisation requirement is in compliance with paragraph 1 and may therefore remain in force, it shall communicate that measure to the Commission, together with a justification for maintaining it in force.

Amendment    30

Proposal for a regulation

Article 4 – paragraph 3 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

Without prejudice to Article 258 TFEU, the Commission shall, within a period of three months from the date of receipt of such communication, examine the compliance of that measure with paragraph 1 and shall, where appropriate, adopt a decision requesting the Member State in question to amend or repeal the measure.

Amendment    31

Proposal for a regulation

Article 4 – paragraph 4

Text proposed by the Commission

Amendment

4.  Member States shall make the details of any data localisation requirements applicable in their territory publicly available online via a single information point which they shall keep up-to-date.

4.  Member States shall make the details of any data localisation requirements applicable in their territory publicly available online via a single information point which they shall keep up-to-date, or, where available, via a Union-level information point established under another Union act.

Amendment    32

Proposal for a regulation

Article 4 – paragraph 5

Text proposed by the Commission

Amendment

5.  Member States shall inform the Commission of the address of their single information point referred to in paragraph 4. The Commission shall publish the links to such points on its website.

5.  Member States shall inform the Commission of the address of their single information point referred to in paragraph 4. The Commission shall publish the links to such points on its website, along with a regularly updated consolidated list of all data localisation requirements referred to in paragraph 4, including information on those requirements in its official working languages.

Amendment    33

Proposal for a regulation

Article 5 – paragraph 2

Text proposed by the Commission

Amendment

2.  Where a competent authority has exhausted all applicable means to obtain access to the data, it may request the assistance of a competent authority in another Member State in accordance with the procedure laid down in Article 7, and the requested competent authority shall provide assistance in accordance with the procedure laid down in Article 7, unless it would be contrary to the public order of the requested Member State.

2.  Where a competent authority does not receive access to the data after having contacted the user of the data processing service, and if no specific cooperation mechanism exists under Union law or international agreements to exchange data between competent authorities of different Member States, that competent authority may request the assistance of a competent authority in another Member State in accordance with the procedure laid down in Article 7. The requested competent authority shall provide assistance in accordance with that procedure.

Amendment    34

Proposal for a regulation

Article 5 – paragraph 3

Text proposed by the Commission

Amendment

3.  Where a request for assistance entails obtaining access to any premises of a natural or legal person including to any data storage or other processing equipment and means, by the requested authority, such access must be in accordance with Union or Member State procedural law.

3.  Where a request for assistance entails obtaining access to any premises of a natural or legal person including to any data processing equipment and means, by the requested authority, such access must be in accordance with Union law or procedural law of the Member State in which the premises or equipment is located.

Amendment    35

Proposal for a regulation

Article 5 – paragraph 4

Text proposed by the Commission

Amendment

4.  Paragraph 2 shall only apply if no specific cooperation mechanism exists under Union law or international agreements to exchange data between competent authorities of different Member States.

deleted

Amendment    36

Proposal for a regulation

Article 6 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  The Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level, in order to define guidelines on best practices in facilitating the switching of providers and to ensure that they provide professional users with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded, as regards the following issues:

1.  The Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level, in order to contribute to a competitive data economy, that are based on the principle of transparency and that establish guidelines covering inter alia the following issues:

Amendment    37

Proposal for a regulation

Article 6 – paragraph 1 – point -a (new)

Text proposed by the Commission

Amendment

 

(-a)  best practices for facilitating the switching of providers and porting data in a structured, commonly used, interoperable and machine-readable format, including open standard formats where required or requested by the service provider receiving the data;

Amendment    38

Proposal for a regulation

Article 6 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a)  the processes, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another provider or port data back to its own IT systems, including the processes and location of any data back-up, the available data formats and supports, the required IT configuration and minimum network bandwidth; the time required prior to initiating the porting process and the time during which the data will remain available for porting; and the guarantees for accessing data in the case of the bankruptcy of the provider; and

(a)  minimum information requirements to ensure that professional users are provided with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded, regarding the processes, technical requirements, timeframes and charges that apply in the case that a professional user wants to switch to another provider or port data back to its own IT systems, and the guarantees for accessing data in the case of the bankruptcy of the provider.

Amendment    39

Proposal for a regulation

Article 6 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b)  the operational requirements to switch or port data in a structured, commonly used and machine-readable format allowing sufficient time for the user to switch or port the data.

deleted

Amendment    40

Proposal for a regulation

Article 6 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  The Commission shall ensure that the codes of conduct referred to in paragraph 1 are developed in close cooperation with all relevant stakeholders, including associations of small and medium-sized enterprises and start-ups, users and providers of cloud services.

Amendment    41

Proposal for a regulation

Article 6 – paragraph 2

Text proposed by the Commission

Amendment

2.  The Commission shall encourage providers to effectively implement the codes of conduct referred to in paragraph 1 within one year after the start of application of this Regulation.

2.  The Commission shall encourage providers to complete the development of the codes of conduct referred to in paragraph 1 by ... [12 months after the date of publication of this Regulation], and to effectively implement them by ... [24 months after the date of publication of this Regulation].

Amendment    42

Proposal for a regulation

Article 6 – paragraph 3

Text proposed by the Commission

Amendment

3.  The Commission shall review the development and effective implementation of such codes of conduct and the effective provision of information by providers no later than two years after the start of application of this Regulation.

deleted

Amendment    43

Proposal for a regulation

Article 7 – paragraph 6 a (new)

Text proposed by the Commission

Amendment

 

6a.  The single points of contact shall provide users with general information on this Regulation, and in particular on the drawing up of codes of conduct, as referred to in Article 6.

Justification

The know-how of the single points of contact can be used not only as a link between the Member States and the Commission, but also to connect the institutions with users.

Amendment    44

Proposal for a regulation

Article 9 – paragraph 1

Text proposed by the Commission

Amendment

1.  No later than [5 years after the date mentioned in Article 10(2)], the Commission shall carry out a review of this Regulation and present a report on the main findings to the European Parliament, the Council and the European Economic and Social Committee.

1.  No later than [3 years and 6 months after the date of publication of this Regulation], the Commission shall submit a report to the European Parliament, the Council and the European Economic and Social Committee evaluating the implementation of this Regulation, in particular in respect of:

 

(a)  the application of this Regulation to mixed data sets, especially in the light of market developments and technological developments which may expand the possibilities for deanonymising data;

 

(b)  the implementation by Member States of Article 4(1), in particular the public security exception; and

 

(c)  the development and effective implementation of the codes of conduct referred to in Article 6 and the effective provision of information by providers.

Amendment    45

Proposal for a regulation

Article 9 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  By ... [6 months after the date of publication of this Regulation] the Commission shall publish guidelines on the interaction of this Regulation and Regulation (EU) 2016/679 as regards mixed data sets.

Amendment    46

Proposal for a regulation

Article 10 – paragraph 2

Text proposed by the Commission

Amendment

2.  This Regulation shall apply six months after its publication.

2.  This Regulation shall apply six months after its publication.

However, Article 9(2a) shall apply from ... [1 day after entry into force of this Regulation].

[1]  OJ C 0, 0.0.0000, p. 0.

EXPLANATORY STATEMENT

I. Introduction

The Digital Single Market (DSM) is a cornerstone of the European economy with enormous potential to create growth and jobs. This Regulation on the Free flow of non-personal data de facto establishes data as the fifth freedom in the Single Market. With the emergence of new technologies such as cloud computing, big data, and artificial intelligence, the possibility to move data freely has become a key issue for European companies. This is of course a possibility, not an obligation. Localisation requirements put in place by Member States reduce competition and increase storage costs by an estimated 120 percent. However, by removing these requirements the EU could benefit from up to €8 billion, or 0.06 percent, in GDP gains per year. That is the equivalent of the GDP gains from the recent free trade agreements with Canada and South Korea put together.

The Rapporteur has focused on simplifying, clarifying and making the Regulation easy to apply. The Rapporteur aims at making the text legally certain and future proof in order to maximize the benefits of free movement of data.

II. The Rapporteur’s position

A.  Public Security exception

The Rapporteur recognises that, in exceptional cases, Member States have legitimate reasons to restrict the free movement of data. However, considering the harmful effects to the EU’s digital economy, the Rapporteur considers it vital to keep these requirements to a minimum. By introducing the well-established concept of ‘imperative grounds of public security’ the Rapporteur seeks to ensure that Member States do not over-interpret the Public Security exception. As there is no definition of Public Security, the Rapporteur draws on the Treaty and applicable case law by the ECJ in order to clarify this concept, and increase legal certainty.

The Rapporteur also clarifies that all parts of society should benefit from free movement of data, including public sector entities. As many localisation requirements do not originate at national level, it is clarified that this Regulation will apply at all levels of governance, including in the area of public procurement, which is one of the main concerns, especially for SMEs.

The Commission is given the power and obligation to monitor the application of the exception and ensure that it is not interpreted in a disproportionate way. The Rapporteur wishes to introduce a clear deadline by which Member States have to report data localisation requirements that they wish to maintain. The Commission should examine the draft act and decide whether the Member State in question should amend or repeal the data localisation requirement. Any remaining data localisation requirements should be published on the Commission’s website to ensure easy accessibility of this information.

B.  Access to data for public authorities

The possibility for companies and public sector entities to process their data outside of their Member State of establishment should under no circumstances be used as a way to keep information from competent authorities. The Rapporteur believes that obliging competent authorities to exhaust all other means before being allowed to contact their counterparts for help would unnecessarily prolong the process of obtaining legitimate access to the data in question. Facilitating access to data should also be achieved by the new system of Single Points of Contact. The draft report also clarifies that access to the premises where data is stored must be given in accordance with the national law of the Member State where the premises or equipment is located.

C.  Mixed data sets

This Regulation and the GDPR are complementary and do not overlap. Together they provide a coherent set of rules that cover all types of data and that lead to a “Single EU Dataspace”. Most data sets contain both personal and non-personal data with the majority of data being non-personal, but with personal data such as names and/or email addresses included for administrative purposes only. Excluding such mixed data sets from the scope would seriously limit the benefits of this Regulation. Where mixed data sets can easily be unbundled, this Regulation should apply to the non-personal data part of the set. In a mixed data set where non-personal and personal data are inextricably linked, this Regulation should apply to the whole data set without prejudice to the GDPR. Since the scope of the GDPR is limited to personal data, and does not cover non-personal data, it would be disproportionate and legally incorrect to apply the GDPR instead of this Regulation to the whole mixed data set. It would create unnecessary burdens for companies such as SMEs and start-ups required to follow more stringent rules and would hamper innovation. The application of this Regulation to non-personal data does not mean that privacy protections under the GDPR would cease to apply in mixed data sets no matter where the data is stored in the EU. At the same time this Regulation does not impose an obligation to store the different types of data separately nor an obligation to unbundle mixed data sets.

D.  Porting of data

To reap the full potential of the DSM, competition must be increased. One part of this is to ensure portability between different cloud service providers. The Rapporteur agrees with the idea of giving the market players the task of producing Codes of Conduct to regulate the possibility for professional users to switch service and port data. This process should be encouraged, facilitated and monitored by the Commission.

For the creation of balanced and well-functioning Codes of Conduct (CoC) it is imperative that both users and service providers are included in the process. Furthermore, the Rapporteur underlines that the essence of a CoC is interoperability and transparency, and has therefore chosen to remove some of the more prescriptive parts of the Commission’s text and to leave room for market players to define how self-regulation should be formulated. The Rapporteur has also extended the deadline by 6 months as experience shows that more time is needed to create and implement a CoC.

E.  Review

Given the importance of keeping up with technological developments, the Rapporteur proposes to shorten the evaluation period, in particular concerning mixed data sets as the grey zones are likely to increase over time. We do not yet know how data sets will look in the future and it is therefore important to assess whether this Regulation is up-to-date and fit-for-purpose. The Rapporteur wishes to clarify that the outcome of the Commission’s evaluation should be to present a report with its assessment to the co-legislators.

ANNEX: LIST OF ENTITIES OR PERSONS FROM WHOM THE RAPPORTEUR HAS RECEIVED INPUT

The following list is drawn up on a purely voluntary basis under the exclusive responsibility of the rapporteur. The rapporteur has received input from the following entities or persons in the preparation of the report, until the adoption thereof in committee:

Entity and/or person

Allied for Startups

Almega (Employers’ Organisation for the Swedish Service Sector)

Ametic

Association of Swedish Engineering Industries

AT&T

Bisnode

Bitkom

BSA - The software alliance

Bulgarian Permanent Representation to the EU

Business Europe

CERCA - European Council for Motor and Repairs

Cercle de l'Industrie

Computer & Communications Industry Association (CCIA Europe)

Confederation of Swedish Enterprise

Confindustria

Danish Chamber of Commerce

Deutsche Telekom

Digital Europe

Dr Kristina IRION - University of Amsterdam (IMCO Workshop of 20th of February)

Dr Simon Forge - SCF Associates (IMCO Workshop of 20th of February)

European Economic and Social Committee

Ericsson

Estonian Permanent Representation to the EU

European Commission

European Telecommunications Network Operators' Association (ETNO)

EyeEm

Federation of European Direct and Interactive Marketing (FEDMA)

FIGIEFA - Automotive Aftermarket Distributors

Företagarna

France Digitale

French Permanent Representation to the EU

German Insurance Association (GDV)

Google

GSMA

IBM

IDC-European Government Consulting

Information Technology & Innovation Foundation

INTUG

Intuit Inc.

Irish Department of Communications, Climate Action and Environment

Microsoft

National Board of Trade

Orange Group

Polish Permanent Representation to the EU

Schneider Electric Services International

Spanish Permanent Representation to the EU

SUP46

Swedbank

Swedish IT and Telecom Industries

Swedish Trade Federation

The European Lotteries Association (EL)

The Federation of Swedish Farmers (LRF)

UEAPME – the European craft and SME employers’ organisation

UK Federation of Small Businesses

UK Permanent Representation to the EU

Veolia

Vodafone

OPINION of the Committee on Industry, Research and Energy (26.4.2018)

for the Committee on the Internal Market and Consumer Protection

on the proposal for a regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union
(COM(2017)0495 – C8‑0312/2017 – 2017/0228(COD))

Rapporteur: Zdzisław Krasnodębski

AMENDMENTS

The Committee on Industry, Research and Energy calls on the Committee on the Internal Market and Consumer Protection, as the committee responsible, to take into account the following amendments:

Amendment    1

Proposal for a regulation

Recital 2

Text proposed by the Commission

Amendment

(2)  Data value chains are built on different data activities: data creation and collection; data aggregation and organisation; data storage and processing; data analysis, marketing and distribution; use and re-use of data. The effective and efficient functioning of data storage and other processing is a fundamental building block in any data value chain. However, such effective and efficient functioning and the development of the data economy in the Union are hampered, in particular, by two types of obstacles to data mobility and to the internal market.

(2)  Data value chains are built on different data activities: data creation and collection; data aggregation and organisation; processing; data analysis, marketing and distribution; use and re-use of data. The effective and efficient functioning of processing is a fundamental building block in any data value chain. However, such effective and efficient functioning and the development of the data economy in the Union are hampered, in particular, by two types of obstacles to data mobility and to the internal market.

Justification

The definition of "processing" added to art. 3 contains "data storage". This amendment applies throughout the text. Adopting it will necessitate corresponding changes.

Amendment    2

Proposal for a regulation

Recital 3

Text proposed by the Commission

Amendment

(3)  The freedom of establishment and the freedom to provide services under the Treaty on the Functioning of the European Union apply to data storage or other processing services. However, the provision of those services is hampered or sometimes prevented by certain national requirements to locate data in a specific territory.

(3)  The freedom of establishment and the freedom to provide services stipulated in Article 26, Articles 49 to 55 and Articles 56 to 62 of the Treaty on the Functioning of the European Union (TFEU), apply to processing services, including porting of data. However, the provision of those services is hampered or sometimes prevented by certain national requirements to locate data in a specific territory.

Justification

Article 6 lays down technical aspects of data porting. The draft regulation does not provide either a definition of the right to port data or a definition of data porting itself. Therefore, in order for Article 6 to be deliverable, we need to anchor porting of data as a service, therefore falling within the Treaty’s freedom to provide services.

Amendment    3

Proposal for a regulation

Recital 5 a (new)

Text proposed by the Commission

Amendment

 

(5a)  The combination of these obstacles leads to a lack of competition between cloud service providers in Europe, various ‘vendor locking’ issues, and a serious lack of data mobility. Likewise, data-localisation policies undermine the ability of research and development companies to facilitate collaboration between firms, universities, and other research organisations to drive their own innovation.

Amendment    4

Proposal for a regulation

Recital 7 a (new)

Text proposed by the Commission

Amendment

 

(7a)  Like businesses and consumers, public authorities and bodies of Member States should benefit from an increased freedom of choice regarding data-driven service providers, from more competitive prices and more efficient provision of services to citizens. Given the large amounts of data that public authorities and bodies handle, public authorities should lead by example by using data-services in the Union regarding non-personal data and refrain from making any unjustified data localisation restrictions when they make use of the data-services of private parties.

Amendment    5

Proposal for a regulation

Recital 10

Text proposed by the Commission

Amendment

(10)  Under Regulation (EU) 2016/679, Member States may neither restrict nor prohibit the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data. This Regulation establishes the same principle of free movement within the Union for non-personal data except when a restriction or a prohibition would be justified for security reasons.

(10)  Under Regulation (EU) 2016/679, Member States may neither restrict nor prohibit the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data. This Regulation establishes the same principle of free movement within the Union for non-personal data except when a restriction or a prohibition would be justified for security reasons. The Regulation (EU) 2016/679 and this Regulation provide a coherent set of rules that cater for free movement of different types of data. Therefore the Regulation (EU) 2016/679 should be applied to the personal data part of the set, and this Regulation should be applied to the non-personal data part of the set. Where non-personal and personal data are inextricably linked, this Regulation should apply without prejudice to Regulation (EU) 2016/679. Furthermore, the Regulation does not impose either an obligation to unbundle mixed data sets or an obligation to store the different types of data separately.

Amendment    6

Proposal for a regulation

Recital 10 a (new)

Text proposed by the Commission

Amendment

 

(10a)  This Regulation therefore should not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679 and at the same time should be easy for business to comply with, particularly not constitute an obstacle for the development of start-ups and SMEs. The Commission should provide on its website clear guidance to business on the legal treatment of mixed data sets together with information on possibilities to unbundle mixed data sets. The Commission should assess the application of this Regulation to mixed data sets and propose further recommendations in its review if necessary.

Amendment    7

Proposal for a regulation

Recital 12

Text proposed by the Commission

Amendment

(12)  Data localisation requirements represent a clear barrier to the free provision of data storage or other processing services across the Union and to the internal market. As such, they should be banned unless they are justified based on the grounds of public security, as defined by Union law, in particular Article 52 of the Treaty on the Functioning of the European Union, and satisfy the principle of proportionality enshrined in Article 5 of the Treaty on European Union. In order to give effect to the principle of free flow of non-personal data across borders, to ensure the swift removal of existing data localisation requirements and to enable for operational reasons storage or other processing of data in multiple locations across the EU, and since this Regulation provides for measures to ensure data availability for regulatory control purposes, Member States should not be able to invoke justifications other than public security.

(12)  Data localisation requirements represent a clear barrier to the free provision of processing services across the Union and to the internal market. As such, they should be banned unless they are justified based on the imperative grounds of public security, as defined by Union law, in particular Article 52 of the Treaty on the Functioning of the European Union, and satisfy the principle of proportionality enshrined in Article 5 of the Treaty on European Union. In order to give effect to the principle of free flow of non-personal data across borders, to ensure the swift removal of existing data localisation requirements and to enable for operational reasons processing of data in multiple locations across the EU, and since this Regulation provides for measures to ensure data availability for regulatory control purposes, Member States should not be able to invoke justifications other than public security. The concept of ‘public security’ within the meaning of Article 52 TFEU and as interpreted by the Court of Justice, covers both internal and external security of a Member State. The Member State requesting such exemption should prove that it is necessary to have recourse to that derogation in order to protect its essential security interests.

Amendment    8

Proposal for a regulation

Recital 14

Text proposed by the Commission

Amendment

(14)  Moreover, in order to eliminate potential existing barriers, during a transitional period of 12 months, Member States should carry out a review of existing national data localisation requirements and notify to the Commission, together with a justification, any data localisation requirement that they consider being in compliance with this Regulation. These notifications should enable the Commission to assess the compliance of any remaining data localisation requirements.

(14)  Moreover, in order to eliminate potential existing barriers, during a transitional period of 12 months, Member States should carry out a review of existing laws, regulations or administrative provisions of a general nature laying down data localisation requirements and notify to the Commission, together with a justification, any data localisation requirement that they consider being in compliance with this Regulation. These notifications should enable the Commission to assess the compliance of any remaining data localisation requirements, and to adopt opinions, where appropriate, requesting to amend or to repeal such data localisation requirements, and the utmost account should be taken by Member States of them.

Amendment    9

Proposal for a regulation

Recital 15

Text proposed by the Commission

Amendment

(15)  In order to ensure the transparency of data localisation requirements in the Member States for natural and legal persons, such as providers and users of data storage or other processing services, Member States should publish on a single online information point and regularly update the information on such measures. In order to appropriately inform legal and natural persons of data localisation requirements across the Union, Member States should notify to the Commission the addresses of such online points. The Commission should publish this information on its own website.

(15)  In order to ensure the transparency of data localisation requirements in the Member States for natural and legal persons, such as providers and users of processing services, Member States should publish on a single online information point and regularly update the information on such measures. In order to appropriately inform legal and natural persons of data localisation requirements across the Union, Member States should notify to the Commission the addresses of such online points. The Commission should publish on its own website regularly updated information on these national measures available in its working/procedural languages, together with the addresses of the online single points of contact of the Member States.

Amendment    10

Proposal for a regulation

Recital 21

Text proposed by the Commission

Amendment

(21)  In order to take full advantage of the competitive environment, professional users should be able to make informed choices and easily compare the individual components of various data storage or other processing services offered in the internal market, including as to the contractual conditions of porting data upon the termination of a contract. In order to align with the innovation potential of the market and to take into account the experience and expertise of the providers and professional users of data storage or other processing services, the detailed information and operational requirements for data porting should be defined by market players through self-regulation, encouraged and facilitated by the Commission, in the form of Union codes of conduct which may entail model contract terms. Nonetheless, if such codes of conduct are not put in place and effectively implemented within a reasonable period of time, the Commission should review the situation.

(21)  In order to take full advantage of the competitive environment, professional users should be able to make informed choices and easily compare the individual components of various data storage or other processing services offered in the internal market, including as to the contractual conditions of porting data upon the termination of a contract. In order to align with the innovation potential of the market and to take into account the experience and expertise of the providers and professional users of data storage or other processing services, the detailed information and operational requirements for data porting should be defined by market players through self-regulation, encouraged and facilitated by the Commission, in the form of Union codes of conduct which may entail model contract terms. These codes of conduct should stipulate that a vendor lock-in is not an acceptable business practice, should make use of open standards and open specifications and provide for technologies that increase trust, like encryption. The Commission should encourage a consultation of all relevant stakeholders such as cloud users and providers of all sizes, including start-ups and SMEs, during the development of this self-regulatory code of conduct. Nonetheless, if such codes of conduct are not put in place and effectively implemented within the set period of time, the Commission should review the situation and assess the need to present legislative proposals to effectively reduce the number of barriers to the porting of data.

Amendment    11

Proposal for a regulation

Recital 21 a (new)

Text proposed by the Commission

Amendment

 

(21a)  Where processing of data is carried out, professional users should also be allowed to receive data in a structured, commonly used, machine-readable and interoperable format, and to transmit it or have it transmitted directly from one data processing to another or to a processing service. Service providers should be encouraged to develop interoperable formats, making use of open standards and open specifications that enable data porting.

Amendment    12

Proposal for a regulation

Recital 23

Text proposed by the Commission

Amendment

(23)  In order to ensure the effective implementation of the procedure for assistance between Member State competent authorities, the Commission may adopt implementing acts setting out standard forms, languages of requests, time limits or other details of the procedures for requests for assistance. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.[40]

(23)  In order to ensure the effective implementation of the procedure for assistance between Member State competent authorities, the Commission may adopt implementing acts setting out standard forms, formats and channels of transmission, languages of requests, time limits or other details of the procedures for requests for assistance. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.[40]

_________________

[40] Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

Amendment    13

Proposal for a regulation

Recital 24

Text proposed by the Commission

Amendment

(24)  Enhancing trust in the security of cross-border data storage or other processing should reduce the propensity of market players and the public sector to use data localisation as a proxy for data security. It should also improve the legal certainty for companies on applicable security requirements when outsourcing their data storage or other processing activities, including to service providers in other Member States.

(24)  Enhancing trust in the security of cross-border processing should reduce the propensity of market players and the public sector to use data localisation as a proxy for data security. It should also improve the legal certainty for companies on applicable security requirements when outsourcing their processing activities, including to service providers in other Member States, and take into account the rapid ongoing development of new technologies, in order to adjust to them promptly. For that purpose Member States should avoid intrusive legislation that would put into question the security, integrity or authenticity of the data, and the service providers should deploy state of the art available technologies to implement security-by-design and privacy-by-design policies and practices. Ease of switching providers and data portability are also trust increasing factors and should be ensured.

Justification

Trust is nominated as the biggest non-legal barrier in the use of cloud services. Therefore trust building needs to be an objective of this text.

Amendment    14

Proposal for a regulation

Recital 29

Text proposed by the Commission

Amendment

(29)  This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, and should be interpreted and applied in accordance with those rights and principles, including the rights to the protection of personal data (Article 8), the freedom to conduct a business (Article 16), and the freedom of expression and information (Article 11).

(29)  This Regulation should be without prejudice to other applicable regulations on treatment of data, respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, and should be interpreted and applied in accordance with those rights and principles, including the rights to the protection of personal data (Article 8), the freedom to conduct a business (Article 16), and the freedom of expression and information (Article 11).

Justification

In order to avoid setting a hierarchy of legal texts and enhance the fundamental rights enforcement, strict interpretation is needed.

Amendment    15

Proposal for a regulation

Article 2 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  This Regulation shall apply to the storage or other processing of electronic data other than personal data in the Union, which is

1.  This Regulation shall apply to the processing of electronic data other than personal data in the Union, which is

Amendment    16

Proposal for a regulation

Article 2 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a)  provided as a service to users residing or having an establishment in the Union, regardless of whether the provider is established or not in the Union or

(a)  provided as a service to users, regardless of whether it is a private or a public-private entity, or a public authority, residing or having an establishment in the Union, regardless of whether the provider is established or not in the Union or

Amendment    17

Proposal for a regulation

Article 2 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  In the case of mixed data sets, Regulation (EU) 2016/679 should be applied to the personal data part of the set and this Regulation should be applied to the non-personal data part of the set. Where personal and non-personal data are inextricably linked, this Regulation shall apply without prejudice to Regulation (EU) 2016/679.

Amendment    18

Proposal for a regulation

Article 3 – paragraph 1 – point 2

Text proposed by the Commission

Amendment

2.  'data storage' means any storage of data in electronic format;

2.  'processing' means any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

(This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)

Amendment    19

Proposal for a regulation

Article 3 – paragraph 1 – point 4

Text proposed by the Commission

Amendment

4.  'provider' means a natural or legal person who provides data storage or other processing services;

4.  'provider' means a natural or legal person who provides processing services;

Amendment    20

Proposal for a regulation

Article 3 – paragraph 1 – point 5

Text proposed by the Commission

Amendment

5.  'data localisation requirement' means any obligation, prohibition, condition, limit or other requirement provided for in the laws, regulations or administrative provisions of the Member States, which imposes the location of data storage or other processing in the territory of a specific Member State or hinders storage or other processing of data in any other Member State;

5.  'data localisation requirement' means any obligation, prohibition, condition, limit or other requirement provided for in the laws, regulations or administrative provisions or practices, including in the field of public procurement, of the Member States, imposed by local, central or regional governments or by public entities, which requires the location of processing in the territory of a specific Member State or hinders storage or other processing of data in any other Member State;

Amendment    21

Proposal for a regulation

Article 3 – paragraph 1 – point 6

Text proposed by the Commission

Amendment

6.  'competent authority' means an authority of a Member State that has the power to obtain access to data stored or processed by a natural or legal person for the performance of its official duties, as provided for by national or Union law;

6.  'competent authority' means an authority of a Member State that has the power to obtain access to data processed by a natural or legal person for the performance of its official duties, as provided for by national or Union law;

Amendment    22

Proposal for a regulation

Article 3 – paragraph 1 – point 7

Text proposed by the Commission

Amendment

7.  'user' means a natural or legal person using or requesting a data storage or other processing service;

7.  'user' means a natural or legal person using or requesting a data processing service;

Amendment    23

Proposal for a regulation

Article 4 – paragraph 1

Text proposed by the Commission

Amendment

1.  Location of data for storage or other processing within the Union shall not be restricted to the territory of a specific Member State, and storage or other processing in any other Member State shall not be prohibited or restricted, unless it is justified on grounds of public security.

1.  Data localisation requirements shall be prohibited, unless they are justified by a documented and serious threat to public security and constitute adequate and proportionate measures.

Amendment    24

Proposal for a regulation

Article 4 – paragraph 3

Text proposed by the Commission

Amendment

3.  Within 12 months after the start of application of this Regulation, Member States shall ensure that any data localisation requirement that is not in compliance with paragraph 1 is repealed. If a Member State considers that a data localisation requirement is in compliance with paragraph 1 and may therefore remain in force, it shall notify that measure to the Commission, together with a justification for maintaining it in force.

3.  Within 12 months after the start of application of this Regulation, Member States shall ensure that any data localisation requirement that is not in compliance with paragraph 1 is repealed. If, by the end of this period, a Member State considers that a data localisation requirement is in compliance with paragraph 1 and may therefore remain in force, it shall notify that measure to the Commission, together with a justification for maintaining it in force.

Amendment    25

Proposal for a regulation

Article 4 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a.  Without prejudice to Article 258 TFEU, the Commission shall, within a period of three months from the date of receipt of such notification, examine the compliance of that measure with paragraph 1 of this Article and shall, where appropriate, adopt an opinion requesting the Member State in question to amend or repeal the measure.

Amendment    26

Proposal for a regulation

Article 4 – paragraph 5

Text proposed by the Commission

Amendment

5.  Member States shall inform the Commission of the address of their single information point referred to in paragraph 4. The Commission shall publish the links to such points on its website.

5.  Member States shall inform the Commission of the address of their single information point referred to in paragraph 4. The Commission shall publish on its website regularly updated information available in its working/procedural languages on the national measures referred to in paragraphs 2 and 3, together with the addresses of the online single points of contact of the Member States.

Amendment    27

Proposal for a regulation

Article 4 – paragraph 5 a (new)

Text proposed by the Commission

Amendment

 

5a.  The Commission shall publish on its website guidance for providers and users of data processing on the application of this Regulation including information on legal treatment of different types of data sets.

Amendment    28

Proposal for a regulation

Article 6 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  The Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level, in order to define guidelines on best practices in facilitating the switching of providers and to ensure that they provide professional users with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded, as regards the following issues:

1.  The Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level, based on the principle of interoperability, in order to define guidelines covering the following aspects:

Amendment    29

Proposal for a regulation

Article 6 – paragraph 1 – point -a (new)

Text proposed by the Commission

Amendment

 

(-a)  best practices in facilitating the switching of providers and porting data in a structured, commonly used open standards and machine-readable format allowing sufficient time for the user to switch or port the data; and

Amendment    30

Proposal for a regulation

Article 6 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a)  the processes, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another provider or port data back to its own IT systems, including the processes and location of any data back-up, the available data formats and supports, the required IT configuration and minimum network bandwidth; the time required prior to initiating the porting process and the time during which the data will remain available for porting; and the guarantees for accessing data in the case of the bankruptcy of the provider; and

(a)  minimum information requirements to ensure that professional users are provided with sufficiently detailed, clear and transparent information before a contract for data processing is concluded, regarding the processes, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another provider or port data back to its own IT systems, including the processes and location of any data back-up, the available data formats and supports, the required IT configuration and minimum network bandwidth; the time required prior to initiating the porting process and the time during which the data will remain available for porting; and the guarantees for accessing data in the case of the bankruptcy of the provider; and

Amendment    31

Proposal for a regulation

Article 6 – paragraph 1 – point a a (new)

Text proposed by the Commission

Amendment

 

(aa)  certification schemes for data processing products and services, facilitating the comparability of quality of these products and services including quality management, information security management, business continuity management and environmental management;

Amendment    32

Proposal for a regulation

Article 6 – paragraph 3 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

Where the self-regulatory code of conduct has not reduced the number of existing barriers to the porting of data, the review shall, as appropriate, be followed by a legislative proposal.

Amendment    33

Proposal for a regulation

Article 6 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a.  If such codes of conduct are not put in place and effectively implemented within the set period of time, or if there are causes for concern after proper review, the Commission may adopt implementing acts setting minimal guidance. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 8.

Justification

While self-regulation is encouraged, overcoming barriers that might appear in the process of drafting the codes can be helped by the involvement of the Commission.

Amendment    34

Proposal for a regulation

Article 7 – paragraph 6

Text proposed by the Commission

Amendment

6.  The Commission may adopt implementing acts setting out standard forms, languages of requests, time limits or other details of the procedures for requests for assistance. Such implementing acts shall be adopted in accordance with the procedure referred to in Article 8.

6.  The Commission may adopt implementing acts setting out standard forms, formats and channels of transmission, languages of requests, time limits or other details of the procedures for requests for assistance. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 8.

Amendment    35

Proposal for a regulation

Article 7 – paragraph 6 a (new)

Text proposed by the Commission

Amendment

 

6a.  The single contact point shall also provide general information to professional users and the public concerning the obligations provided for in this Directive, as well as concerning any code of conduct developed in accordance with Article 6.

Justification

The Single Contact Point has been mainly designed to help administrations from Member States, but its function could be further enlarged to serve as a contact point for the general public and the business community in general.

PROCEDURE – COMMITTEE ASKED FOR OPINION

Title: Free flow of non-personal data in the European Union

References: COM(2017)0495 – C8-0312/2017 – 2017/0228(COD)

Committee responsible (date announced in plenary): IMCO (23.10.2017)

Opinion by (date announced in plenary): ITRE (23.10.2017)

Rapporteur (date appointed): Zdzisław Krasnodębski (9.11.2017)

Discussed in committee: 28.11.2017, 21.2.2018

Date adopted: 24.4.2018

Result of final vote: +: 59, –: 1, 0: 4

Members present for the final vote

Zigmantas Balčytis, José Blanco López, David Borrelli, Jonathan Bullock, Cristian-Silviu Buşoi, Reinhard Bütikofer, Jerzy Buzek, Angelo Ciocca, Edward Czesak, Jakop Dalunde, Pilar del Castillo Vera, Christian Ehler, Fredrick Federley, Ashley Fox, Adam Gierek, Theresa Griffin, Rebecca Harms, Hans-Olaf Henkel, Eva Kaili, Kaja Kallas, Barbara Kappel, Krišjānis Kariņš, Seán Kelly, Jeppe Kofod, Peter Kouroumbashev, Zdzisław Krasnodębski, Miapetra Kumpula-Natri, Christelle Lechevalier, Janusz Lewandowski, Paloma López Bermejo, Edouard Martin, Angelika Mlinar, Csaba Molnár, Nadine Morano, Dan Nica, Angelika Niebler, Morten Helveg Petersen, Miroslav Poche, Julia Reda, Paul Rübig, Massimiliano Salini, Algirdas Saudargas, Neoklis Sylikiotis, Dario Tamburrano, Evžen Tošenovský, Claude Turmes, Vladimir Urutchev, Kathleen Van Brempt, Henna Virkkunen, Martina Werner, Lieve Wierinck, Hermann Winkler, Flavio Zanonato, Carlos Zorrinho

Substitutes present for the final vote

Pilar Ayuso, Cornelia Ernst, Francesc Gambús, Françoise Grossetête, Werner Langen, Rupert Matthews, Răzvan Popa, Dominique Riquet, Theodor Dumitru Stolojan

Substitutes under Rule 200(2) present for the final vote

Rosa D’Amato

FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION

+ : 59

ALDE: Fredrick Federley, Kaja Kallas, Angelika Mlinar, Morten Helveg Petersen, Dominique Riquet, Lieve Wierinck

ECR: Edward Czesak, Ashley Fox, Hans-Olaf Henkel, Zdzisław Krasnodębski, Rupert Matthews, Evžen Tošenovský

EFDD: Rosa D'Amato, Dario Tamburrano

ENF: Angelo Ciocca, Barbara Kappel

NI: David Borrelli

PPE: Pilar Ayuso, Cristian-Silviu Buşoi, Jerzy Buzek, Pilar del Castillo Vera, Christian Ehler, Francesc Gambús, Françoise Grossetête, Krišjānis Kariņš, Seán Kelly, Werner Langen, Janusz Lewandowski, Nadine Morano, Angelika Niebler, Paul Rübig, Massimiliano Salini, Algirdas Saudargas, Theodor Dumitru Stolojan, Vladimir Urutchev, Henna Virkkunen, Hermann Winkler

S&D: Zigmantas Balčytis, José Blanco López, Adam Gierek, Theresa Griffin, Eva Kaili, Jeppe Kofod, Peter Kouroumbashev, Miapetra Kumpula-Natri, Edouard Martin, Csaba Molnár, Dan Nica, Miroslav Poche, Răzvan Popa, Kathleen Van Brempt, Martina Werner, Flavio Zanonato, Carlos Zorrinho

VERTS/ALE: Reinhard Bütikofer, Jakop Dalunde, Rebecca Harms, Julia Reda, Claude Turmes

- : 1

EFDD: Jonathan Bullock

0 : 4

ENF: Christelle Lechevalier

GUE/NGL: Cornelia Ernst, Paloma López Bermejo, Neoklis Sylikiotis

Key to symbols:

+  :  in favour

-  :  against

0  :  abstention

PROCEDURE – COMMITTEE RESPONSIBLE

Title: Free flow of non-personal data in the European Union

References: COM(2017)0495 – C8-0312/2017 – 2017/0228(COD)

Date submitted to Parliament: 13.9.2017

Committee responsible (date announced in plenary): IMCO (23.10.2017)

Committees asked for opinions (date announced in plenary): ITRE (23.10.2017), JURI (23.10.2017), LIBE (23.10.2017)

Not delivering opinions (date of decision): JURI (2.10.2017), LIBE (23.10.2017)

Rapporteurs (date appointed): Anna Maria Corazza Bildt (25.10.2017)

Discussed in committee: 23.1.2018, 21.3.2018, 24.4.2018, 17.5.2018

Date adopted: 4.6.2018

Result of final vote: +: 28, –: 3, 0: 0

Members present for the final vote

John Stuart Agnew, Pascal Arimont, Carlos Coelho, Sergio Gaetano Cofferati, Daniel Dalton, Nicola Danti, Dennis de Jong, Pascal Durand, Liisa Jaakonsaari, Philippe Juvin, Nosheena Mobarik, Jiří Pospíšil, Virginie Rozière, Christel Schaldemose, Olga Sehnalová, Jasenko Selimovic, Mylène Troszczynski, Anneleen Van Bossuyt, Marco Zullo

Substitutes present for the final vote

Cristian-Silviu Buşoi, Birgit Collin-Langen, Roberta Metsola, Marc Tarabella, Sabine Verheyen

Substitutes under Rule 200(2) present for the final vote

Asim Ademov, Clara Eugenia Aguilera García, Klaus Buchner, Peter Liese, Emilian Pavel, Annie Schreijer-Pierik, Tomáš Zdechovský

Date tabled

6.6.2018

FINAL VOTE BY ROLL CALL IN COMMITTEE RESPONSIBLE

+ : 28

ALDE: Jasenko Selimovic

ECR: Daniel Dalton, Nosheena Mobarik, Anneleen Van Bossuyt

EFDD: Marco Zullo

PPE: Asim Ademov, Pascal Arimont, Cristian-Silviu Buşoi, Carlos Coelho, Birgit Collin-Langen, Philippe Juvin, Peter Liese, Roberta Metsola, Jiří Pospíšil, Annie Schreijer-Pierik, Sabine Verheyen, Tomáš Zdechovský

S&D: Clara Eugenia Aguilera García, Sergio Gaetano Cofferati, Nicola Danti, Liisa Jaakonsaari, Emilian Pavel, Virginie Rozière, Christel Schaldemose, Olga Sehnalová, Marc Tarabella

VERTS/ALE: Klaus Buchner, Pascal Durand

- : 3

EFDD: John Stuart Agnew

ENF: Mylène Troszczynski

GUE/NGL: Dennis de Jong

0 : 0

 

 

Key to symbols:

+  :  in favour

-  :  against

0  :  abstention

Last updated: 8 June 2018