In order to enhance the digital growth of the European Union, the Commission has proposed a new regulation to govern the free flow of non-personal data in the EU (COM(2017)495). In combination with the already existing rules on personal data protection under the General Data Protection Regulation (the “GDPR”), the proposed legal framework is important for creating a common European data space, which is one of the key elements of the EU’s Digital Single Market strategy. The aim of the new proposal is to enable unrestricted movement of non-personal data across borders within the EU.
At the moment, there are some obstacles standing in the way of a truly functional Digital Single Market. Data localisation restrictions and difficulties in movement of data across IT systems (so-called vendor lock-in) along with complex and incoherent regulation create a lack of trust and concerns about cross-border availability of data.
As an answer to the above-mentioned issues, the free flow framework proposes a new principle where Member States can no longer oblige organisations to store or process data within their national borders. As a result of this free movement of non-personal data across borders, the competent authorities would also be able to exercise their rights of access to data regardless of where within the EU it is stored or processed. In addition, the proposition encourages the development of self-regulatory codes of conduct in order to make it easier for businesses to switch cloud service providers and to port data back to users’ own IT systems.
According to the Commission, the free flow of non-personal data has the potential to significantly boost European competitiveness in the global market. By removing data circulation barriers, it is possible to clear the way for new digital markets in data storage and processing. The aim is to increase legal certainty and trust by creating a clear, comprehensive, and predictable set of rules. The benefits of these measures include, for instance, lower costs and more flexibility for data services, since businesses and organisations will be able to move their in-house IT resources to the most cost-effective locations. Additionally, the proposition would make it easier for SMEs and start-ups to develop new data-driven innovations and encourage them and other businesses to enter new markets across the national borders and use more cloud services. The estimated additional growth of EU GDP as a result of these new measures could be up to EUR 8 billion per year.
When moving and processing data, it is always essential to take security features into account. With this proposition, security requirements on data storage and processing would also remain applicable when businesses store or process data in another Member State or when outsourcing data processing to cloud service providers. Together with this draft regulation on the free flow of non-personal data, the Commission has also presented a new cybersecurity framework to better anticipate, respond, and counter cyber threats.
The Commission is suggesting a 12-month time limit for Member States to repeal data localisation requirements. It should be noted that due to current public procurement legislation, significant changes in mandatory requirements of upcoming tendering competitions should not be necessary. However, in practice the situation may be very different. In addition, if contracting authorities choose to change their localisation requirements mid-contract, such changes should be subjected to analysis, as other tenderers could have submitted a lower bid during the initial tendering competition, had they been aware of such modifications of localisation requirements.
The draft proposal has now been submitted to the European Parliament and Council for review and preparation of their respective positions. Hannes Snellman’s IP & TMT team will closely observe the future procedure of the framework and keep you updated on the process. Stay tuned!
Managing Associate at Hannes Snellman
Counsel at Hannes Snellman