The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation), which we discussed in a previous blog, became applicable from 28 May 2019. Together with the General Data Protection Regulation (EU) 2016/679 (GDPR), the two regulations now provide a “comprehensive framework for a common European data space and free movement of all data within the European Union”. The European Commission has published practical guidance to help users understand the interaction between these two regulations.
Personal, non-personal or mixed data?
The Commission’s guidance addresses the concepts of personal and non-personal data covered by each of the regulations. While personal data is defined in the GDPR, non-personal data is defined in the Free Flow of Non-Personal Data Regulation by opposition, as “data other than personal data as defined in point 1 of Article 4” of the GDPR. Non-personal data is categorised by origin as: (1) data that originally did not relate to an identified or identifiable natural person, or (2) data that were initially personal data, but were later made anonymous. Note that anonymisation of personal data is different to pseudonymisation, the latter being processing of data that can ultimately be attributed to a person with the use of additional information.
In most everyday situations, a data set is likely to be a mixed data set consisting of both personal and non-personal data. The guidance provides examples of mixed data sets, such as a company’s tax record that mentions the name and telephone number of the company’s managing director. For a mixed data set, the guidance sets out the following approach:
- The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the set;
- The GDPR applies to the personal data part of the set;
- If the non-personal data and the personal data are “inextricably linked”, the data protection rights and obligations arising under the GDPR will apply fully to the whole mixed dataset, even if the personal data represents a small part of the set.
While the term “inextricably linked” is not defined in either regulation, the guidance refers to situations where separating the personal and non-personal data “would either be impossible or considered by the controller to be economically inefficient or not technically feasible”. For example, in some instances, separating a dataset may require a company to incur duplicate costs (for example, by having to purchase separate software to deal with two types of data) or it may decrease the value of the dataset considerably. In other cases, it may prove impossible to point to the dividing line between the different categories of data, as this becomes more blurred with new technological developments. For this reason, neither regulation requires businesses to separate the datasets they process.
No data localisation requirements
The Free Flow of Non-Personal Data Regulation provides for a general prohibition on data localisation requirements – whether these are direct (for example, an obligation to store data on servers in a specific geographic location) or indirect (for example, using technological facilities that have the effect of hindering the processing of data outside a specific location). An exception can arise on grounds of public security but this must be proportional to the purpose that needs to be achieved.
Self-regulation to support the free flow of data
In line with the Free Flow of Non-Personal Data Regulation, the Commission encourages industry players to develop self-regulatory codes of conduct at EU level to foster a competitive data economy. Such codes of conduct should address the porting of data in order to avoid vendor lock-in practices where users cannot switch between service providers because their data is ‘locked in’ the provider’s system. The European Data Protection Board has already published Guidelines on Codes of Conduct and Monitoring Bodies for consultation, as discussed in our previous blog.
The guidance provides helpful information to businesses regarding the interplay between GDPR and the Free Flow of Non-Personal Data Regulation. Together, the two regulations aim to achieve free movement of data, by eliminating data localisation requirements, upholding data portability requirements and encouraging industries to develop codes of conduct to foster the free movement of data. This should make it easier, in particular, for small and medium sized businesses to expand across borders and develop new innovative services.