For many companies across Europe who are busy tackling compliance ahead of the new data protection rules which GDPR will bring into force in May 2018, it may be hard to see past the issue of personal data.
However, the unrestricted movement of non-personal data across borders and technology systems in the EU is also considered a key building block of the EU’s Digital Single Market strategy. Indeed, it’s considered to be the most important factor for the EU’s data economy to unleash its full potential.
Personal data is defined by the EU as “any information relating to an identified or identifiable natural person”, so non-personal data is anything that falls outside of this remit, be that financial systems, weather or system logs data, for example.
Current data localisation restrictions by Member States’ public authorities and so-called ‘vendor lock-in practices’ (obstacles to the movement of data across IT systems) are considered to prevent businesses from embracing digital opportunities, including the use of data-driven technologies and services relating to data-storage, data-transfer and analytics. Legal uncertainty and lack of trust cause additional barriers to the free flow of non-personal data.
In practice, these obstacles means a business may not:
- Be or feel free to make full use of cloud services
- Choose the most cost-effective locations for IT resources
- Switch between service providers
- Port its data back to its own IT systems
However, on 19 September 2017, the Commission proposed a draft regulation to try to tackle these barriers. The proposal will now be considered by the EU Parliament and Council.
The key elements of the new draft rules are:
Removal of unjustified or disproportionate national rules that hamper or restrict companies in choosing a location for storage or processing of their data. Member States will have to notify the Commission of new or existing data localisation requirements.
Ensuring that competent authorities may have access to data stored or processed in another Member State in order to be able to perform their tasks in line with their regulatory mandate, just as they do when the data is stored in their own territory. As a matter of principle, the storage or other processing of data abroad may not be used as a ground to refuse access to data to national regulators.
Encouragement for the development of self-regulatory codes of conduct in order to make it easier to switch cloud service providers, for example, by informing users about the terms and conditions under which they can port data outside their IT environments.
Establishment of a single point of contact per Member State to liaise with other Member States’ contact points and the Commission to ensure the effective application of the new rules on the free flow of non-personal data.
Additionally, with the regulation, the Commission proposes a new principle that abolishes data localisation requirements while ensuring access rights to competent authorities for regulatory control. The benefits of which include:
- Economic growth
- A more competitive and integrated market for data storage and data processing services
- Better “cross-border” use of existing technologies
- Promotion and advance of legal clarity in the EU
It is also expected that the free flow of non-personal data would enable businesses to fully embrace cloud services and centralise IT operations, rather than have to duplicate data at several locations.
In addition, it would make it easier for businesses, particularly SMEs and start-ups, to develop new innovative services, scale up and enter new markets.
Moreover, removing existing data localisation measures is expected to drive down the cost of data services, provide companies with greater flexibility in organising their data management and data analytics, while expanding their use and choice of providers. The strategy is expected to contribute to additional growth of EU GDP by £8 billion per year.
The draft regulations have been broadly welcomed by the IT industry. CISPE, the trade association of cloud computing infrastructure companies in Europe, has described the proposed new rules as: “A major step forward for Europe’s cloud industry.”
It is worth noting however that once the UK is no longer part of the EU, there is a risk that UK business will suffer unless a deal can be struck with the EU on the cross-border flow of non-personal data.
More work to do
In its synopsis report of the data economy consultation, conducted prior to the publication of the regulation, the Commission suggested that B2B data access and reuse, as well as liability, are emerging issues that require further analysis.
Almost half of all companies that responded to the consultation had experienced problems in accessing data held by others. Around a third of respondents thought that neither existing competition law, nor legislation on unfair contract terms or unfair commercial practices fully addressed the problems.
However, the main concern identified by respondents was how to maximise and organise access to and re-use of data, rather than a question of data ownership. Most respondents strongly supported non-regulatory measures such as fostering the use of APIs or guidance to promote data sharing.
In addition, although the majority of respondents believed that the current product liability regime is adequate to deal with the challenges resulting from emerging technologies like IoT and autonomous systems, some specific stakeholder groups, mainly consumers and lawyers, thought an overhaul would be beneficial and necessary.
We expect to hear more from the Commission on these issues in spring 2018.