In September 2017, we published a blog that outlined the Commission’s proposal for a framework on this subject (you can view our blog here). In June 2018, we further reported that the European Parliament, Council of the European Union and the European Commission had reached a political agreement on the rules for the free flow of non-personal data (which is available here).

The legislative process has now taken a further step forward. On October 4, 2018, the European Parliament formally adopted, at first reading, the Commission’s proposal for a regulation on a framework for the free flow of non-personal data in the EU (the Regulation). This was followed, on November 9, 2018, by formal adoption of the Regulation by the Council without further amendments.

What is non-personal data?

Non-personal data is essentially any data that does not relate to an identified, or identifiable, natural person. Examples of non-personal data are set out in the recitals to the Regulation, which include aggregated and anonymised data sets used for big data analytics, data on precision farming that could help to monitor and optimise the use of pesticides and water, and data on maintenance needs for industrial machines.

What is the purpose of the Regulation?

As highlighted in our earlier blogs, a number of obstacles had previously been identified that were thought to impede the free flow of data in the European Digital Single Market. The Regulation aims to ensure the free flow of non-personal data within the EU by specifically addressing these obstacles.

Key provisions of the Regulation

  • Free flow of data across borders: The Regulation prohibits data localisation restrictions, thereby permitting organisations to store data anywhere in the EU. Member States have specified time limits within which to communicate to the Commission any remaining or planned data localisation restrictions that are justified on grounds of public security.
  • Data availability for regulatory control: The Regulation allows competent authorities to access data – for scrutiny and supervisory control – regardless of where it is stored and/or processed in the EU. It also allows Member States to sanction users that do not provide access to data stored in another Member State.
  • Portability of data: The Regulation encourages the creation of codes of conduct for service providers who process data (for example, cloud service providers) in order to facilitate switching between providers in a structured and transparent manner.

Next steps

The Regulation is being adopted under the ordinary legislative procedure – the EU’s main process for adopting new legislative acts. Once the Regulation has been signed by both the European Parliament and the Council of the European Union and published in the Official Journal of the European Union, it will become directly applicable in all Member States six months after publication.