Entry into force of the European Regulation on non-personal data
Over the past year we have heard constantly and extensively about personal data, their defence and protection, and all the regulatory applications that have followed the issuing of the GDPR. Exactly one year after the entry into force of the General Privacy Regulations, on 28 May this year, Regulation (EU) 2018/1807 on the free movement of non-personal data in the European Union came into force. It consists of nine articles and thirty-nine recitals intended to break down the current cross-border barriers to the free movement of non-personal data in Europe. What are non-personal data? This particular category consists of all information that cannot be linked to an identified or identifiable natural person (or that is anonymous as such): essentially, electronic information of the kind used for big data analysis, in precision agriculture (pesticides and water) or in IoT technology (recital 9).
The processing and storage of data, which is at the core of ongoing technological progress and of all innovations, born and nascent, has encountered quite a few obstacles, due to a data location tax by Member States and to legal expedients used by private companies to make it difficult or at least costly to switch to another supplier. The new Regulation set out to remedy this by facilitating cross-border exchange, for a more fluid and faster digital data economy, while not preventing the competent authorities from requesting or obtaining access to the data, in accordance with EU or national law.
A primary issue in this legislation has been the ‘data location requirements’, i.e. the obligations imposed by Member States on companies to host data centers in the national territory of a Member State, together with the obligation to process data at national level. These requirements have, of course, hindered the emergence of innovation hubs and multiplied IT infrastructures across several Member States, with a significant increase in data storage costs.
The new Regulation has said enough: Member States must stop imposing requirements to locate or process data at national level, unless these are justified on public security grounds in compliance with the principle of proportionality under EU law (Article 4.1). They must instead allow the emergence of more efficient and centralized data storage, perhaps through cloud services, which provide centralized storage space for large data sets.
Moreover, in order to make it easier for users to change supplier and to bypass what are called “vendor lock-in” practices, the Regulation, so to speak, “advocates” the development by EU companies of self-regulatory codes of conduct, based on the principles of transparency, interoperability and open standards, to indicate:
- the processes used and the location of data backups,
- available data formats and support,
- the time needed before starting the transfer process and the time of data availability during the migration.
If you come across a so-called “mixed” data set, i.e. one consisting of personal and non-personal data that cannot be managed separately, the Regulation clarifies that the GDPR prevails and applies to the entire data set!
The combined use of Regulations (EU) 2016/679 and 2018/1807 is setting the so-called “data economy” in motion.
By 30 May 2021, Member States will have to repeal any data location requirements that are not justified on public security grounds in accordance with the principle of proportionality, as unrestricted data portability is one of the pillars of competition in the market for data processing services. While the Regulation does not legislate in any way on cyber security, it emphasizes and focuses attention on the responsibilities of businesses in the prevention, security, storage and processing of data in cross-border contexts.
Raffaella Aghemo, Lawyer