Out-Law / Your Daily Need-To-Know

EU rules impacting non-personal data in force

Out-Law News | 19 Dec 2018 | 12:27 pm | 1 min. read

New rules that seek to end unjustified 'data localisation' and that promote greater access to and use of non-personal data have come into force in the EU.

There is, though, a six month delay before the new Regulation on the free flow of non-personal data takes effect in EU member states on 18 June 2019.

The new rules ban governments in the EU from imposing measures that require organisations to process non-personal data "in the territory of a specific member state", or which "hinders the processing of data in any other member state" unless those measures can be "justified on grounds of public security in compliance with the principle of proportionality".

EU countries will have to notify the European Commission of new plans to impose data localisation requirements, and will also need to justify to the Commission why any existing requirements should be allowed to continue. They will have until 30 May 2021 to repeal non-compliant existing requirements.

The new regulation also requires the Commission to "encourage and facilitate the development of self-regulatory codes of conduct" at EU level to "contribute to a competitive data economy". The codes need to be based on the principles of transparency and interoperability and take due account of open standards.

Among the codes that are envisaged under the regulation is a code setting out "best practices for facilitating the switching of service providers and the porting of data in a structured, commonly used and machine-readable format including open standard formats where required or requested by the service provider receiving the data".

The Commission has until 29 May 2019 to publish "informative guidance" on the interaction of the new Regulation on the free flow of non-personal data with the General Data Protection Regulation (GDPR), which concerns the processing of personal data. That guidance should address the interaction between the two frameworks "especially as regards data sets composed of both personal and non-personal data", according to the new rules.

In a statement, the Commission said: "[The new Regulation on the free flow of non-personal data] will allow public and private sector bodies to store and process non-personal data anywhere in the EU in the most efficient and cost-effective way, as well as raise trust in cloud computing and make it easier for customers to switch or end their cloud contracts."

"Furthermore, from now on, it will no longer be possible for member states to compel businesses to store data in a particular location. Wherever data is stored in the EU (whether in a cloud or locally), competent authorities in all member states will retain any right they currently already have to request access for regulatory and supervisory control," it said.

The GDPR and non-personal data Regulation "will function together to enable the free flow of all data in the EU, creating a single European space for data", according to the Commission.