European Commission’s Proposal for a Regulation on the Free Flow of Non-Personal Data
Since last year, the European Commission has carried out a series of thorough studies and impact assessments on the barriers to cloud computing, in support of its Digital Single Market priority. The goal of a Digital Single Market is to bring down barriers and unlock online opportunities. Per a study done by Deloitte, removing obstacles to data mobility is expected to generate additional growth of up to 4 percent of GDP by 2020. Cloud computing is a crucial driver for growth in the EU. Alongside data security and data protection, data localization has been identified as a high-impact factor in cloud adoption. Data localization limits users’ choice of provider, increases production costs for businesses, and exposes users to the risk of vendor lock-in.
To “achieve a more competitive and integrated EU market for data storage and/or processing services and activities,” the European Commission proposed a regulation on the free flow of non-personal data, hoping to “reduce the number and range of data localization restrictions, enhance legal certainty; facilitate cross-border availability of data for regulatory control purposes; improve the conditions under which users can switch data storage and/or processing service providers or port their data back to their own IT systems; and enhance trust in and the security of cross-border data storage and/or processing.”
Now, this does sound familiar: the GDPR’s new right to data portability gives a data subject the right to receive the personal data he/she provided to the controller, or to have those data transmitted to another controller. The difference is that the newly proposed regulation focuses on non-personal data or, for a business, its production data. For a traditional IT structure, the concept is easier to illustrate. With cloud computing, however, where data is distributed across or located in different data centers around the world, data localization would require that the data stay in the cloud of its own country. More broadly, it limits many of the benefits of cloud computing, such as high availability and backup and disaster-recovery strategies. Furthermore, with technology growing so fast, the "internet of things" is hotter than ever: connected devices, connected cars and others, all operating seamlessly behind the scenes. There is no doubt that the free flow of data plays a critical role. While a majority of member states welcomed the fact that the proposal does not create a new right of portability for non-personal data stored in the cloud, similar to what already exists in the GDPR for personal data, the discussion raised the question of whether the GDPR should prevail in cases where the business data involves a set of personal and non-personal data that are not easily distinguishable from one another, e.g. at a tax preparation service or a staffing agency. But then again, it is neither uncommon nor unprecedented for multiple regulations to apply to the same scenario. The definition might be further fine-tuned, but it doesn’t have any foreseeable conflict with the GDPR. Of course, the free flow of non-personal data also has exceptions, such as public security reasons.
In this proposed regulation, Article 6, on "porting of data", specifically addresses data portability.
Last December, the European Commission hosted a "cloud stakeholders" meeting so that industry players could actively contribute to and develop a concrete, practical and actionable self-regulatory code of conduct on data portability, similar to the "model-contract-clauses" concept. This follows Article 6, in which the Commission “encourages service providers and professional users to develop and implement self-regulatory codes of conduct on (a) best practices for facilitating data porting and (b) information requirements on data porting conditions (including technical and operational requirements), which providers should make available to their professional users in a sufficiently detailed, clear and transparent manner before a contract is concluded.”
During the meeting, a study done by IDC/Arthur’s Legal presented the current status of data portability at the SLA- and MSA-contract level, as well as the portability legal lifecycle. Last year, research done by Carnegie Mellon University, focusing on data portability in the cloud under the GDPR, also pointed out the technical aspects of the topic.
The proposal for a "Free Flow of Data Regulation" was published in September 2017. The proposal is currently under negotiation between the European Parliament, the Council of the EU and the European Commission.