How does the EU Deal with the Free Flow of Non-Personal Data?
We are sure that most of you will now be familiar with the General Data Protection Regulation (‘GDPR’), but do you know how the European Union (and thus the EEA) enables the free flow of non-personal data to take place? In this article we will be exploring the legal basis for this, and the merits of it.
The European Commission, in its recent Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union (‘the Guidance’), recognised that ‘in an increasingly data-driven economy, data flows are at the core of business processes in companies of all sizes and in all sectors’.
In order to facilitate cross-border transfers of non-personal data within the EU, and thus to be able to boost the digital economy, the European Parliament and the Council adopted the Free Flow of Non-Personal Data Regulation 2018/1807 (‘FFD’) in November 2018, which came into effect at the end of May 2019.
Free movement of personal data is governed by GDPR, but this new regulation, the FFD, now governs free movement of non-personal data, by imposing a general prohibition against data localisation requirements for non-personal data. An exemption to this rule arises if a Member State could justify this on the grounds of public security, if this is in compliance with the proportionality principle.
There is a cooperation mechanism to make sure that competent authorities continue to be able to exercise any rights they have to access data that is being processed in another Member State.
There are incentives planned for industry to develop self-regulatory codes of conduct on the switching of service providers and the porting of data, which is to be undertaken with the support of the European Commission. These codes of conduct are to be developed by 29 November 2019 and will be implemented by 29 May 2020.
Clearly, in some instances, there will be an overlap between processing of non-personal data and personal data, and the purpose of the Guidance is to deal with this complexity. Data which is not personal might include matters such as data on weather conditions or data which was personal data, but was thereafter anonymised. An example of a mixed data base might be a customer relationship management service (‘CRM’), which both contains personal data and data regarding purchases. The 2018 regulation would apply to the non-personal data, allowing the free flow of that data within the EU and the EEA, in conjunction with GDPR, which would regulate the personal data aspects of the data flow.
In essence this new Regulation means that it is open for organisations to decide where in the EU they chose to process their data, thus enabling the Digital Single Market to operate more effectively. It is anticipated that with new, lower, costs for data services and greater flexibility, this could help boost the EU GDP by 4% by 2020.