Free flow of non-personal data in the European Union

2017/0228(COD)

PURPOSE: to remove obstacles to the free movement of non-personal data in the EU.

LEGISLATIVE ACT: Regulation (EU) 2018/1807 of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union.

CONTENT: this Regulation aims to ensure the free flow of data other than personal data within the Union by laying down rules relating to data localisation requirements, the availability of data to competent authorities and the porting of data for professional users.

The new Regulation is designed to boost the data economy and the development of emerging technologies such as artificial intelligence, products and services related to the Internet of Things, autonomous systems and 5G, which raise new legal issues regarding access to data and their reuse, liability, ethics and solidarity.

Principle of free movement of data within the Union

The Regulation prohibits Member States from imposing restrictions on the geographical location of the storage or processing of non-personal data, unless justified on grounds of public security.

Member States shall immediately communicate to the Commission any draft act introducing a new data localisation requirement or amending an existing data localisation requirement. By 30 May 2021 at the latest, any existing data localisation requirements shall be repealed.

Data availability for competent authorities

Competent authorities shall retain the power to request access to data for the performance of their official duties, in accordance with Union or national law. Access to data by the competent authorities may not be refused on the grounds that the data are processed in another Member State.

Where, after requesting access to a user's data, a competent authority does not obtain access and if no specific cooperation mechanism exists under Union law or international agreements to exchange data between competent authorities of different Member States, that competent authority may request assistance from a competent authority in another Member State.

Member States may impose effective, proportionate and dissuasive sanctions in the event of failure to provide data.

Codes of conduct

The Regulation encourages the development of codes of conduct to facilitate the procedure for users to switch providers and port data back to their own IT systems.

Codes of conduct shall be comprehensive and shall cover at least those aspects that are essential during the data porting process, such as (i) the processes used and location of data backups, (ii) the available data formats and supports, (iii) the required IT configuration and minimum network bandwidth, (iv) the time required prior to initiating the porting process and the length of time during which the data will remain available for porting, and (v) data access guarantees in the event of the service provider going bankrupt.

The Commission shall encourage service providers to complete the development of codes of conduct by 29 November 2019 and to effectively implement them by 29 May 2020. It shall ensure that codes of conduct are developed in close cooperation with all stakeholders, including SMEs, start-ups and cloud service providers.

Mixed data

In the case of a mixed data set, i.e. a data set composed of both personal and non-personal data, the Regulation shall apply to the non-personal data part of the data set.

Where personal and non-personal data in a data set are inextricably linked, this Regulation shall not prejudice the application of Regulation (EU) 2016/679.

Each Member State shall designate a single contact point to liaise with the single contact points of the other Member States and the Commission regarding the application of the Regulation.

ENTRY INTO FORCE: 18.12.2018.

APPLICATION: from 18.6.2019.