One year on from GDPR, a new EU regulation on the free flow of non-personal data comes into force next month. William Fry’s Technology Group has the details.
Formally adopted on 14 November 2018, the European Parliament and Council’s Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union is the follow-up to GDPR and is another major pillar in the EU’s drive to create a Digital Single Market. It will come into force in May 2019.
The data economy
The Digital Single Market strategy is a European Commission initiative that encapsulates its aim of ensuring broad access to online activities for individuals and businesses. A major factor in the Digital Single Market is what the EU identifies as the ‘data economy’, which aims to make the most efficient possible use of data to benefit EU member states’ economy and society.
The data economy already makes up about 2pc of the EU’s GDP and it is hoped that the new regulation will strengthen the associated infrastructure and processes leading to an increased development of the Digital Single Market.
Data localisation restrictions, and the legal uncertainty around them, were determined to have hampered choices in the public and private sector across the EU, stifling competition. This point was acknowledged when the European Commission launched the regulation, noting it would be a benefit to the competitiveness of European businesses and result in the modernisation of public services, developing an effective EU single market for data services.
What is non-personal data?
‘Non-personal data’ is defined as any data that doesn’t constitute personal data under Article 4 of GDPR.
This is a considerably broad definition and can include various datasets, both aggregated and anonymised, as well as industry-specific datasets such as data on precision farming that can be utilised to monitor and optimise agricultural practices, or data on maintenance needs for industrial machinery.
The new regulation in brief
The prominent change being introduced by Regulation (EU) 2018/1807 is that member states will be prohibited from enforcing data localisation in relation to the processing or storing of non-personal data. The aim of this is to promote the free movement of non-personal data across the EU without any interference from member states.
The only exemption from this prohibition comes in the form of restrictions on movement when necessary for public security. In order to avail of this exemption, the relevant member state must communicate any remaining or proposed data localisation policies to the European Commission along with their justifications for the restriction.
Unlike the one-stop-shop mechanism that exists under GDPR, this regulation provides that member states must make non-personal data available to any competent authority regardless of where in the EU the data is stored or processed. In order to effect this, the regulation contains a broad definition of a ‘competent authority’ in order to extend its scope to a wide range of bodies that exercise official duties, and it prohibits organisations from refusing to supply these authorities with the requested data.
The new regulation also places emphasis on the importance of self-regulation to the budding Digital Single Market and data economy. It will facilitate and encourage the development of industry-specific codes of conduct that will facilitate a structured and seamless sharing of data between service providers in a transparent manner. The aim of this self-regulatory approach is to work towards making it easier for customers to switch service providers and result in increased competition – something GDPR’s right to data portability has also encouraged.
Although this regulation is set to impact on a number of areas, some of the key benefits include:
- Facilitating cross-border business in the EU, as there will be less duplication of data storage facilities
- Increased stability for SMEs and start-ups, which will be able to enter new markets across borders
- Potential savings of up to 55pc for service providers and lower prices for users
- A competitive EU Digital Single Market for secure, reliable and affordable cloud services
- Enabling the scale-up of innovative data services across the EU
However, the regulation does not adequately address how it will interact with GDPR. While the purpose is relatively clear and its intentions are being welcomed, it does not account for the reality that many large datasets will inevitably contain a combination of both non-personal and personal data.
Though the incoming regulation does not address how organisations should approach such challenges, it should be noted that EU regulatory guidelines are expected to be published before it comes into effect in May 2019, so more clarity may emerge.
Get a head start on compliance
While the focus of the new rules is largely designed to prevent the introduction of new data localisation rules, it is also likely to impact some businesses. For those impacted, it would be prudent to consider a mechanism to conduct assessments of datasets to identify which are most likely to be in scope of the incoming regulation.
Businesses that have already implemented processes and procedures such as data mapping, data inventory and the maintenance of records of processing activities as part of GDPR readiness will have a head start in getting ready for the new law.
By David Cullen, Leo Moore and John O’Connor, with John Magee and Alex Towers contributing
David Cullen is head of the William Fry Technology Group in which Leo Moore, John O’Connor and John Magee are partners. Alex Towers is a solicitor in the group.
A version of this article originally appeared on the William Fry blog.