“...Data should be able to flow freely between locations, across borders and within a single data space ... in Europe, data flow and data access are often held up by localisation rules or other technical and legal barriers.” - Digital Single Market VP Andrus Ansip
In its communication Tuesday, the Commission vowed to take appropriate enforcement actions where needed, and, if necessary, take further initiatives to address unjustified or disproportionate data location restrictions.
Carlo Piltz, an information technology and data protection lawyer with JBB in Berlin, said the Commission’s comment – “Sometimes restrictions are imposed by Member States in the belief that supervisory authorities can more easily scrutinise locally stored data” – raises an interesting point on data localization and free flow of data.
“From my point of view, this refers to the obligations under the new German data retention law to store personal data only in Germany. The German government explicitly reasoned this obligation with the possibility for German data protection authorities to review the data retention process. And then the Commission informs in its Communication: 'Commission will, where needed, launch infringement proceedings to address unjustified or disproportionate data location measures.' So let’s see if the Commission will launch such a proceeding involving Germany,” he said.
The Commission also launched a consultation that will run until 26 April 2017. It seeks views on possible policy and legal responses in relation to data access and transfer; non-personal machine-generated data; liability related to data-based products and services; and data portability.
The first question on localisation of data for storage and/or processing purposes sets the tone: “The main objective of this part of the questionnaire is to get detailed insights into the extent, nature and impacts of data localisation restrictions within the EU and what could constitute limited, justified grounds for such restrictions without unduly jeopardising the free movement of data within the EU (except for restrictions to the free movement of personal data for reasons connected with the protection of natural persons with regard to the processing of personal data).”
Question two deals with access to and re-use of non-personal data – whether and to what extent digital non-personal machine-generated data are traded and exchanged. The third section is on liability, particularly in relation to the emerging internet of things and robotics, while question four delves into portability of non-personal data, interoperability and standards. Essentially the Commission wants to understand the nature and magnitude of any barriers to accessing data and ways of tackling those barriers.
Cornelia Kutterer, Director European Government Affairs and Digital Policy, Microsoft welcomed the communication: “Microsoft’s business is built on trusted data flows, underpinned by our belief that privacy is a fundamental right. Trust is what empowers our customers in Europe to use the intelligent cloud to digitally transform and grow their business – trust between them and us, and between their customers and partners. By enhancing the mechanisms for global data transfers and customizing solutions that safeguard people’s privacy, the Commission is protecting citizens’ rights while maximizing opportunities for innovation, growth and job creation.”
“By enhancing the mechanisms for global data transfers and customizing solutions that safeguard people’s privacy, the Commission is protecting citizens’ rights while maximizing opportunities for innovation, growth and job creation.” Microsoft Director of European Government Affairs and Digital Policy Cornelia Kutterer
But others pointed out potential problems. Pirate Party MEP Julia Reda said that in the communication, the Commission is taking steps towards a new copyright-like protection for raw data.
The discussion document produced by the Commission considers a “data producer’s right: A right to use and authorise the use of non-personal data could be granted to the data producer, i.e. the owner or long-term user (i.e. the lessee) of the device.”
According to the Commission this approach could potentially clarify the current legal situation and give “more choice to the data producer, by opening up the possibility for users to utilise their data and thereby contribute to unlocking machine-generated data.”
“This is the final bad idea,” said Reda. “It would have far-reaching dire consequences and must be rejected. This idea would protect any series of ones and zeros like creative works are protected today. This would create immense transactional costs and huge legal uncertainty for anyone creating and re-using data, such as researchers or innovative startups. Dealing with pure data such as access logs, sensor data or measurements would become as complex as dealing with copyrighted works is today.”
“In the age of the internet of things, it is becoming increasingly important to guarantee that users have access to data they create through their use of a device or service. A right to data portability to another service is also overdue – the Commission should redouble the portability efforts outlined today. A new intellectual property right for data is, however, a badly misguided approach. The Commission would be replicating the database protection debacle. The globally unique European intellectual property right for databases didn’t just fail to fulfill its goal of stimulating the EU data economy, but in fact today frequently stands in the way of the innovative use of data,” she added.
The EU data economy could employ 7.4 million people by 2020 according to Commission figures, but with its strict privacy regime, the EU cannot afford to sit back and take a hands-off approach. The feedback from the consultation will feed into any future legislative proposals.
Read the full communication here.