Businesses in the European Union today base a large part of their activities on “data flows”, which, due to rapid technological progress and digitisation, are indispensable for contractual regulation and the identification of new economic opportunities in various sectors.
The EU policy of the Digital Single Market is in fact favouring the free circulation of both personal and non-personal data to foster and develop the “data economy” (for more information see the EU site Building a European data economy).
This process finds its cornerstones in two important regulations: the GDPR and Regulation (EU) 2018/1807 on the free flow of non-personal data.
The first of these, also known as the GDPR (“General Data Protection Regulation”), provides an intentionally broad definition of “personal data”, specifying that it is “any information relating to an identified or identifiable natural person”.
The regulation on non-personal data, on the other hand, defines non-personal data by contrast with the definition of personal data, indicating that “non-personal data” is to be understood as “data other than personal data (...)”. This refers in particular to data that never referred to an identified or identifiable natural person, and to data that initially arose as personal data and were subsequently rendered anonymous.
To highlight this difference, reference can be made to Communication (2019) 250 final, entitled “Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union”, which states that “since the definition of personal data refers to ‘natural persons’, data sets containing names and contact data of legal persons are in principle non-personal data”. This does not detract from the fact that, in processing the data of a legal person, one almost always ends up processing the data of the natural persons working for that legal person as well.
In practice, therefore, personal and non-personal data are often collected together in a mixed data set (e.g., health data). Where the two can be separated, the relevant regulation may be applied to each set of data (personal and non-personal); where, on the other hand, the mixed data set contains data that are “inextricably linked”, Article 2(2) of Regulation (EU) 2018/1807 provides that the GDPR applies to the entire mixed data set, even where personal data represent only a small part of it.
But what is the relationship between the two regulations?
Below, we will address three issues that we consider important, briefly analysing the points of contact or main differences between the regulation of personal data and the regulation of non-personal data.
The Free Movement of Data
Certainly, the feature common to the two regulations is the constant promotion of the principle of free movement of data within the territory of the European Union:
- The regulation on non-personal data is based on the principle of the free flow of non-personal data across borders, and thus on the prohibition for Member States to impose “location obligations” on data “(...) unless justified on grounds of public security while respecting the principle of proportionality”. Furthermore, the rules of the regulation do not apply when data processing activities are conducted outside the territory of the EU.
- The Data Protection Regulation, on the other hand, stipulates that the free movement of data within the territory of the European Union may not be restricted or prohibited “on grounds relating to the protection of natural persons concerning the processing of personal data”, and its data transfer rules also apply to interactions with third countries; however, it imposes important restrictions on the transfer of personal data to states outside the territory of the EU, or to states that do not ensure an adequate level of data protection.
Data portability
Both regulations address data portability with the aim of facilitating the transfer of data and avoiding “vendor lock-in”, which occurs when users cannot change service provider because their data are locked into the provider’s system.
The right to data portability takes on different connotations depending on whether it concerns:
- personal data, where portability refers to the relationship between the data subject and the data controller, i.e. in a “business-to-consumer” relationship;
- non-personal data, where data portability concerns “business-to-business” interactions between a professional user and a service provider.
Self-Regulatory Codes
The European Union, through its regulations on personal and non-personal data, encourages the drafting and subsequent adoption of codes of conduct and certification schemes in the various economic sectors. Codes may be drawn up by trade associations, representative organisations, or data controllers, although for personal data they are subject to an approval process by the Italian Data Protection Authority under Articles 40 and 41 of the GDPR.
Codes of conduct for non-personal data include those developed by the SWIPO working group, such as the IaaS and SaaS Codes (adherence to which is entirely voluntary).
As far as personal data are concerned, three codes have been approved by the Italian Data Protection Authority to date: the code “For information systems managed by private entities on consumer credit, reliability, and punctuality in payments”, the code “For the processing of personal data for commercial information purposes”, and the recently approved code “For the use of health data for educational and scientific publication purposes”, proposed by the Veneto Region.