Publication date: 21/01/2019
Data is an important asset for many companies. For this reason, several legal initiatives regulating data have recently been observed. As far as personal data is concerned, the GDPR is without a doubt still on top of our mind. However, those who work with non-personal data should now acknowledge the new and specific EU rules that have been issued.
On 14 November 2018, the European Parliament and Council have adopted regulation (EU) 2018/1807 (hereafter the “Regulation”) on the free flow of non-personal data. The Regulation will come into force across all EU Member States as of the end of May 2019. Companies operating with a business model based on non-personal data should examine the extent to which they can benefit from the Regulation or how it could affect their activities.
Scope of application
The Regulation applies to the processing of electronic nonpersonal data, such as aggregate and anonymised datasets used for big data analytics, or maintenance data for industrial machines. Typically, IoT (“Internet of Things”) applications, artificial intelligence and machine learning generate massive amounts of non-personal data.
The Regulation’s scope of application is further limited, in the sense that the Regulation only applies to processing activities which are: (i) supplied as a service to users residing or having an establishment in the EU, regardless of whether the service provider is established in the EU or not; or (ii) performed by a natural or legal person residing or having an establishment in the EU for its own needs.
Main problems to resolve
Competition between EU data service providers is reduced. Two types of obstacles hinder the effective and efficient functioning of data processing:
- Data localisation requirements put in place by Member States’ authorities, requiring that data service providers (i.e. cloud service providers) only store data within the Member State; and
- Vendor lock-in practices, where legal, contractual and technical issues hinder data portability from one service provider to another.
To remedy the above obstacles, the Regulation introduces the following measures:
- Data localisation restrictions imposed by public authorities are prohibited, except for public security purposes and as far as is proportionate. In principle, legal requirements limiting data processing to within the territory of a Member State will therefore no longer be allowed.
- In the few cases where restrictions are still allowed, Member States must publish information regarding the restriction in its territory via a national single information point.
- Data stored outside a Member State must remain accessible to public authorities, enabling them to perform regulatory and supervisory controls.
- Cloud service providers are stimulated to develop selfregulatory codes of conduct, agreeing on (e.g.) the porting of data in a structured and commonly used machine-readable format, and to provide business information for switching service providers, all taking into account obligations of confidentiality, amongst other things. The drafting of such codes should be completed by May 2020. They will have great impact on (the drafting of) cloud service agreements.
Ultimately, the goal is to make it easier for businesses to operate across borders in the EU by eliminating the duplication of data storage facilities. Moreover, as competition between service providers will increase, prices for data storage and processing are expected to decrease.