- Companies and public authorities will have a wider choice of where to process data
- Data as 5th freedom in the single market, after persons, goods, services and capital
- Free flow will pave the way for artificial intelligence, cloud computing and big data analysis
Removing obstacles to the free movement of non-personal data within the EU for companies and public authorities is the key aim of a draft law approved by the Internal Market Committee.
The proposed rules would prevent any EU member state from imposing territorial restrictions or prohibitions on the storage or any other processing of non-personal data anywhere within the EU.
Data localisation restrictions that hamper data mobility, either directly or indirectly, take different forms in various sectors. They include, for example, supervisory authorities advising financial service providers to store their data locally, professional secrecy rules that entail local data storage or processing (e.g. on anonymised health research data), or broad regulations that require local storage of information generated by the public sector, including public procurement.
Public security exception
This draft EU law would prohibit national rules requiring that data be stored or processed in a specific member state. MEPs kept exceptions to a minimum by clarifying that any restrictions on the location of data would only be allowed “on an exceptional basis”, where justified on “imperative grounds of public security”.
Any remaining or future data localisation requirements would have to be communicated to the EU Commission and published online, in order to ensure transparency.
Access to and porting of data
The draft law ensures that competent authorities will have access to data stored or processed in another member state for regulatory control purposes, such as for inspection and audit, in order to be able to perform their tasks.
It also encourages the creation of codes of conduct to make it easier for professional users to switch cloud-service providers and transfer data back to their own IT systems. These codes of conduct should make clear that “vendor lock-in” (obstacles to the movement of data across IT systems) “is not an acceptable business practice”, say MEPs.
Mixed data sets
In the case of mixed (non-personal and personal) data sets, this regulation would apply to the non-personal data part of the set, MEPs clarify. The personal data would be subject to the new EU data protection rules (General Data Protection Regulation), applicable since 25 May 2018. Where personal and non-personal data in a mixed data set are inextricably linked, this regulation would apply “without prejudice to Regulation (EU) 2016/679” (GDPR), stipulate MEPs. The two regulations would thus complement each other.
Anna Maria Corazza Bildt (EPP, SE), who is steering this legislation through Parliament, said after the vote: “My vision is for an open, free and safe internet for all. With this regulation, we de facto establish data as the fifth freedom in the EU Single Market. By removing borders, burdens and barriers such as data localisation rules, we enable a level playing field for our European companies to compete globally”.
“It is a major step towards reducing data protectionism, which is threatening the digital economy. Enabling the free flow of data will boost GDP by as much as the two recent EU free trade agreements, with Canada and South Korea, put together. This regulation is truly a game changer, potentially providing enormous efficiency gains for both companies and public authorities. It will pave the way for artificial intelligence, cloud computing and big data analysis”.
The mandate to start negotiations with the Council was approved in the committee by 28 votes to three. Once it is green-lighted by Parliament at June’s plenary session, three-way (“trilogue”) talks between Parliament, Council and Commission can start. The first trilogue is scheduled for 14 June 2018.
The draft regulation on the free flow of non-personal data is one of a series of proposals in the Digital Single Market Strategy. It complements existing legislation for personal data (the GDPR), which provides for the free movement and portability of personal data within the EU.
Non-personal data includes, for instance, machine-generated data or commercial data, which are either non-personal in nature or anonymised.
With the emergence of new technologies such as cloud computing, big data, and artificial intelligence, the possibility to move data freely has become a key issue for European companies.