Free flow of non-personal data and GDPR (Loyens & Loeff)
Publication date: 19/06/2019
The new Regulation 2018/1807 on the free flow of non-personal data in the EU has been applicable since 28 May 2019. The main goal pursued by Regulation 2018/1807 is to boost the data economy by facilitating the cross-border exchange of data. Below, we will shed some light on the interaction between this new Regulation and the GDPR.
Purpose behind facilitating the free flow of non-personal data
Allowing data to be stored and processed in the entire EU without unjustified restrictions aims at facilitating the life of businesses by making it easier for them to develop new services, to make use of the best offers with respect to data processing services, and to expand their business across borders.
The new rules outlined in Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union (the ‘Regulation’) serve this goal and moreover supplement the existing set of rules for the free movement and portability of personal data in the EU, as laid down by Regulation 2016/679 (the ‘GDPR’).
Scope of the Regulation
The Regulation applies to the processing of electronic data other than personal data, within the EU, which is:
- provided as a service to users residing or established in the EU, regardless of whether the service provider is established or not in the EU; or
- carried out by a natural or legal person residing or established in the EU for his/her own needs.
In the case of a mixed dataset, i.e. a dataset composed of both personal and non-personal data, the Regulation applies to the non-personal data part of the dataset. If the personal and non-personal data are inextricably linked, then the Regulation applies without prejudice to the application of the GDPR.
Prohibition of data localisation requirements
The Regulation prohibits data localisation requirements in local legislation of the EU Member States, unless they are justified on grounds of public security and in compliance with the proportionality principle. It also introduces an obligation on the Member States to make the details of any such requirements available via a national online single information point, and to inform the European Commission of the address of such single information point (see Your Europe portal).
Data availability for competent authorities and portability of data
The Regulation does not affect the powers of the competent authorities to request, obtain or access data for the performance of their official duties in compliance with EU and national law. Access to data may not be refused to the competent authorities on the basis that the data are processed in another Member State.
With respect to the portability of data, the European Commission will encourage and facilitate the development of self-regulatory codes of conduct at EU level in order to build a more competitive data economy.
Guidance from the European Commission on the interplay with the GDPR
A Guidance published by the European Commission focuses on the interplay between the new Regulation on the free flow of non-personal data and the GDPR. It addresses in particular:
- the concepts of personal and non-personal data and the concept of mixed datasets;
- the principles of free movement of data and the prohibition of data localisation requirements; and
- data portability.
With respect to non-personal data, it is important to note that these data can be classified by origin as:
- data which originally did not relate to an identified or identifiable natural person, e.g. data on weather conditions generated by machines; or
- data which used to be personal data but were (properly) anonymised and therefore do not qualify as personal data anymore.
In most real-life situations, a dataset is however very likely to be composed of both personal and non-personal data (a mixed dataset). Examples of mixed datasets include a company’s tax records, mentioning the name and telephone number of the managing director of the company. This can also include a company’s knowledge of IT problems and solutions based on individual incident reports, or a research institution’s anonymised statistical data and the raw data initially collected, such as the replies of individual respondents to statistical survey questions.
In practice, it would be challenging and impractical, if not impossible, to split such mixed datasets. The Guidance therefore explains that, where the non-personal data part and the personal data parts are inextricably linked, the data protection rights and obligations stemming from the GDPR fully apply to the entire mixed dataset, including in cases where personal data represents only a small part of the dataset. The Guidance also explains the concept of being inextricably linked and provides practical examples on the application of the above rules.
According to the European Commission, there are moreover no contradictory obligations under the GDPR and the new Regulation, as both enable the free movement of all data within the EU. Furthermore, the new Regulation contains no obligations for businesses and does not limit the contractual freedom of businesses enabling them to choose the location for processing their data.