New guidance published on free flow of non-personal data

June 2, 2019

As part of its Digital Market Strategy, the European Commission has published guidance on the free flow of personal data.  The new Regulation (EU) 2018/1807 on the free flow of non-personal data, which started to apply in member states on 28 May 2019, seeks to remove obstacles to the free movement of non-personal data across member states and IT systems in Europe.

Together with the GDPR, the new Regulation on the free flow of non-personal data aims to provide for a stable legal and business environment on data processing. The new Regulation prevents EU countries from putting laws in place that unjustifiably force data to be held solely inside national territory. The aim of the new rules is to increase legal certainty and trust for businesses and make it easier for SMEs and start-ups to develop new innovative services, to make use of the best offers of data processing services in the internal market, and to expand business across borders.

The key points of the Regulation are:

  • Free movement of non-personal data across borders: every organisation should be able to store and process data anywhere in the European Union.
  • The availability of data for regulatory control: public authorities will retain access to data, also when it is located in another member state or when it is stored or processed in the cloud.
  • Easier switching of cloud service providers for professional users. The European Commission has started facilitating self-regulation in this area, encouraging providers to develop codes of conduct regarding the conditions under which users can port data between cloud service providers and back into their own IT environments.
  • Full consistency and synergies with the cybersecurity package, and clarification that any security requirements that already apply to businesses storing and processing data will continue to do so when they store or process data across borders in the EU or in the cloud.

The guidance to the Regulation aims to help users, in particular small and medium-sized enterprises, understand the interaction between the new Regulation and the General Data Protection Regulation, especially when datasets are composed of both personal and non-personal data.

The guidance gives practical examples on how the rules should be applied when a business is processing datasets composed of both personal and non-personal data. It also explains the concepts of personal and non-personal data, including mixed datasets; lists the principles of free movement of data and the prevention of data localisation requirements under both, the GDPR and the new Regulation; and covers the notion of data portability under the new Regulation. The guidance also includes the self-regulatory requirements set out in the two Regulations.