Free flow of non-personal data: the proposal for the Regulation has been approved

Text of the proposal for the Regulation on the free flow of non-personal data in the EU

The unstoppable growth of the digital market entails that new digital technologies, such as cloud computing, artificial intelligence and the Internet of Things "produce" data that need to circulate within the European Union, whether they are personal or non-personal data.

Aware of this need, on 13 September 2017 the European Commission presented a proposal for a Regulation, which has already been approved by the European Parliament at its first reading.

The rationale of the Regulation is to introduce a new legislation that is complementary to the GDPR and aimed at improving the mobility of non-personal data across borders, in order to establish an internal market for services, data storage and processing activities that is more integrated and competitive. To date, in fact, some regulatory differences still remain between Member States in terms of storage, archiving (so-called hosting) and data processing, differences that significantly hinder the creation of a digital single market.

In other words, the objective of the Regulation is the free flow of data. It is worth pointing out that this liberalization is due to two inherent limitations in the proposal. On the one hand it refers only to non-personal data which are defined as "data different from those defined by art. 4 of the 2016/679 EU Regulation". On the other hand, it only concerns the movement of data within the borders of the European Union, leaving unchanged the rules that apply to extra-EU data exchange.

The Commission identifies two main obstacles to the full affirmation of the freedom of businesses and public administrations to choose where to store and manage their data: the unjustified restrictions on the location of data imposed by Member States’ public authorities and the limitations of the private market which impede the portability of data between computer systems.

In the proposal for the Regulation, the Commission addresses the issue through four lines of action.

1. The general principle of free flow of non-personal data between Member States is introduced, which guarantees that companies can freely choose where to process or store data. Any restrictions provided for by law must be carefully examined and will be legitimated only on the basis of public and national security requirements.
2. Competent authorities will have access to the data stored or processed in another Member State under the same access conditions guaranteed in their national territory.
3. The proposal encourages the self-regulatory development of codes of conduct that facilitate portability conditions, which may facilitate, for example, the act of changing a cloud service provider. It therefore seeks to constitute a sort of "right to portability" for non-personal data, on a par with what has already been expressed by the General Data Protection Regulation with reference to personal data. The need, for both types of data, is to ensure that the freedom of choice is ensured not only at the beginning of the relationship, but is also maintained and made technically possible during its performance.
4. A single contact point is set up for each Member State to ensure the effective application of the new rules on the free flow of non-personal data.

In conclusion, the proposal for a Regulation appears primarily aimed at companies and public administrations, with a lower impact on individual citizens. However, when viewed in light and in coordination with the European regulatory framework of data, the proposal takes on a more general relevance. In fact, thanks to this new formulation, some of the principles already embodied by the data protection Regulation, such as that of free circulation of data and data portability, would be reinforced and their range of action widened.