This document is an excerpt from the EUR-Lex website
Free flow of non-personal data in the European Union
SUMMARY OF:
WHAT IS THE AIM OF THE REGULATION?
- It aims to ensure that electronic data, apart from personal data, can be processed freely throughout the EU.
- It bans restrictions on where the data can be stored or processed.
KEY POINTS
The regulation applies to the processing of non-personal data1 which is:
- provided as a service to users living in the EU;
- conducted by an individual, company or organisation in the EU for its own needs.
The regulation bans measures known as localisation requirements2, restricting data processing to a specific territory in the EU, except on public security grounds.
EU countries must:
- inform the European Commission immediately of any potential new data localisation requirement;
- by , repeal any unjustified localisation requirements or notify the Commission of any it believes are justified;
- establish a national online single information point containing all up-to-date localisation requirements;
- appoint a single contact point to liaise and cooperate with counterparts in other EU countries and the Commission, particularly on assistance requests.
Public authorities may request access to data located in another EU country, or stored or processed in the cloud, and required for their official duties.
The Commission must:
- publish links to the national online single information points on its website and update regularly a consolidated list of localisation requirements;
- by , provide guidance on the interaction between the regulation and Regulation (EU) 2016/679 on the processing and transfer of personal data, especially data with both personal and non-personal information;
- by , report to the European Parliament, the Council and the European Economic and Social Committee on how the regulation is being applied.
The Commission encourages the creation of EU-level self-regulatory codes of conduct. These should:
- be developed in close cooperation with interested parties, such as small- and medium-sized enterprise associations, start-ups, users and cloud service providers;
- be completed by so they can be implemented by ;
- cover
- best practices when switching service providers or porting data3
- minimum information requirements for professional users before signing a data-processing contract
- certification schemes to enable comparisons between data-processing products and services for professionals
- communication to raise awareness of the codes of conduct.
FROM WHEN DOES THE REGULATION APPLY?
It applies from . As mentioned in the summary, there are specific deadlines in the regulation that must be met such as the repeal, by , of any unjustified localisation requirements.
BACKGROUND
The new rules are designed to make it easier to do business across borders in the EU and to create a single market for data storage and processing services, such as cloud computing.
The ability to choose a data service provider anywhere in the EU should lead to more innovative data-driven services and more competitive prices for businesses, consumers and public administrations.
With a favourable regulatory environment, it is estimated the data economy could be worth 4% of EU GDP (gross domestic product) by 2020.
For more information, see:
- Free flow of non-personal data (European Commission).
KEY TERMS
- Non-personal data: any information not linked to an identified or identifiable individual, that is any data other than personal data as defined in point (1) of Article 4 of the General Data Protection Regulation (GDPR).
- Localisation requirements: any legal or administrative measure which states that data processing must take place in a specific EU territory.
- Porting data: transferring data from one service provider to another, or back to a company’s own servers.
MAIN DOCUMENT
Regulation (EU) 2018/1807 of the European Parliament and of the Council of on a framework for the free flow of non-personal data in the European Union (OJ L 303, , pp. 59-68)
last update