Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (the Regulation) is the follow up to the General Data Protection Regulation (GDPR) and is another major pillar in the EU’s drive to create a “Digital Single Market” (the Digital Single Market). It will come into force in May 2019.
Why is the Regulation being introduced?
The Digital Single Market strategy is an EU Commission initiative that encapsulates its aim of ensuring broad access to online activities for individuals and businesses. A major factor in the Digital Single Market is what the EU identifies as the “Data Economy” which aims to make the most efficient possible use of data to benefit the EU member states’ economy and society. The Data Economy already makes up about 2% of the EU’s GDP and it is hoped that the Regulation will strengthen the associated infrastructure and processes leading to an increased development of the Digital Single Market.
Data localisation restrictions, and the legal uncertainty around them, was determined to have hampered choices in the public and private sector across the EU, stifling competition. This point was acknowledged when the EU Commission launched the regulation, noting it would be a benefit to the competitiveness of European businesses and result in the modernisation of public services, developing an effective EU single market for data services.
What is non-personal data?
“Non-Personal Data” is defined as any data that doesn’t constitute personal data under Article 4 of GDPR. This is a considerably broad definition and can include various data sets both aggregated and anonymised as well as industry specific datasets such as data on precision farming that can be utilised to monitor and optimise agricultural practices or data on maintenance needs for industrial machinery.
What are the key points of the Regulation?
The prominent change being introduced by the Regulation is that member states will be prohibited from enforcing data-localisation in relation to the processing or storing of non-personal data. The aim of this is to promote the free movement of non-personal data across the EU without any interference from member states.
The only exemption from this prohibition comes in the form of restrictions on movement when necessary for public security. In order to avail of this exemption, the relevant member state must communicate any remaining or proposed data-localisation policies to the European Commission along with their justifications for the restriction.
Unlike the one-stop shop mechanism that exists under GDPR, the Regulation provides that member states must make non-personal data available to any competent authority regardless of where in the EU the data is stored or processed. In order to effect this, the Regulation contains a broad definition of a ‘competent authority’ in order to extend its scope to a wide range of bodies that exercise official duties and it prohibits organisations from refusing to supply competent authorities with the requested data.
The new Regulation also places emphasis on the importance of self-regulation to the budding Digital Single Market andData Economy. The Regulation will facilitate and encourage the development of industry-specific codes of conduct that will facilitate a structured and seamless sharing of data between service providers in a transparent manner. The aim of this self-regulatory approach is to work towards making it easier for customers to switch service providers and result in increased competition, something GDPR’s right to data portability has also encouraged, click here to view our previous article on this point.
What are the envisioned benefits?
Although the Regulation is set to impact on a number of areas, some of the key benefits include:
- facilitating cross border business in the EU as there will be less duplication of data storage facilities;
- increased stability for SMEs and start-ups who will be able to enter new markets across borders;
- potential savings of up to 55% for service providers and lower prices for users;
- a competitive EU Digital Single Market for secure, reliable and affordable cloud services; and
- enabling the scale-up of innovative data services across the EU.
What are the potential challenges?
The Regulation does not adequately address how it will interact with GDPR. While the purpose of the Regulation is relatively clear, and its intentions are being welcomed, it does not account for the reality that many large datasets will inevitably contain a combination of both non-personal and personal data and the Regulation does not address how organisations should approach such challenges. However, it should be noted that EU regulatory guidelines are expected to be published before the Regulation is given effect in May 2019, so more clarity may emerge.
Possible pre-emptive steps
While the focus of the new rules is largely designed to prevent the introduction of new data localisation rules, it is also likely to impact some businesses. For those impacted, it would be prudent to consider a mechanism to conduct assessments of datasets to identify which are most likely to be in scope of the incoming Regulation. Businesses that have already implemented processes and procedures such as data mapping, data inventory and the maintenance of records of processing activities as part of GDPR readiness will have a head start in getting ready for the new law.
For further information, please contact any member of the William Fry Technology Group or your usual William Fry contact.
Contributed by: John Magee and Alex Towers.