Free movement of non-personal data in the European Union
Principle of free movement of data
The principle of free movement of data has been defined as the "fifth freedom" of the EU single market, along with the freedom of movement of goods, services, people and capital. The free flow of data, both personal and non-personal, is an essential requirement to boost the growth of the data economy within the European Union and the use of cloud computing, so it is necessary to ensure that companies and public administrations can store and process data anywhere in the EU. In this way, the principle of free movement of non-personal data is linked to the principle of free movement of personal data already established in the General Data Protection Regulation (Regulation (EU) 2016/679), ensuring a comprehensive and coherent approach to the free movement and portability of data in the European Union.
Regulation (EU) 2018/1807 (Free Flow of non-personal Data)
El Regulation (EU) 2018/1807 on a framework for the free movement of non-personal data in the European Union (known as Free Flow of non-personal Data) is part of the European Commission's Digital Single Market Strategy.
Prohibition of restrictions on the location of data
The aim of the regulation is to establish measures aimed at removing obstacles, both technical and legal, to the free movement of non-personal data (such as those generated on the Internet of Things or Artificial Intelligence) between EU Member States, and prohibits EU Member States from imposing restrictions or requirements on the location of data in their regulations, except where justified for reasons of public security.
As a result, the regulation provides legal certainty for companies that, from now on, will be able to process their data in any EU country. To this end, by 30 May 2021 at the latest, Member States shall repeal the location requirements existing in laws, regulations or administrative provisions or arising from administrative practices of a general nature, which are not justified on grounds of public security.
Availability of data for competent authorities
On the other hand, the regulation establishes the principle of data availability. This principle ensures that the competent authorities of the Member States continue to have access to the data, even when they are located in another country, for monitoring purposes.
The State Secretariat for Digitisation and Artificial Intelligence is the single national contact point that acts as a link with the single contact points of the other Member States and the European Commission. Requests from another Member State for assistance in obtaining access to data may be sent to ffod@digital.gob.es.
Data portability
Finally, the regulation also seeks to make it easier for professional users to easily change cloud service providers or transfer data to their own information systems. To this end, it encourages self-regulation in the area of data portability, encouraging suppliers and users to jointly develop codes of conduct at EU level.
Such codes of conduct must define a set of good practices and the detailed, clear and transparent information that providers must provide to their users before a contract is concluded. The SWIPO (Cloud Switching and Porting Data) working group is responsible for developing the aforementioned codes, in principle having been foreseen for Infrastructure as a Service (IaaS) cloud services and for Software as a Service (SaaS) cloud services.
Provisions that include requirements for locating non-personal data
No non-personal data localization requirements have been identified.
Calendar
- December 18, 2018: Entry into force of the Regulation.
- May 28, 2019: Date of application of the Regulation. Entry into force of all obligations that do not have a date stipulated in the Regulation.
- May 30, 2021: Deadline for the implementation of the obligations set out in Article 4.3.