Official Journal of the European Union

C 227/78

Opinion of the European Economic and Social Committee on the ‘Proposal for a Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union’

(COM(2017) 495 final — 2017/0228(COD))

(2018/C 227/12)




European Parliament, 23.10.2017

Council of the European Union, 24.10.2017

Legal basis

Article 114 of the Treaty on the Functioning of the European Union

Section responsible

Transport, Energy, Infrastructure and the Information Society

Adopted in section


Adopted at plenary


Plenary session No


Outcome of vote



1.   Conclusions and recommendations

1.1.    Conclusions


The EESC, in several previous opinions, has already agreed that there is a need for a legislative initiative on the free flow of non-personal data, since this is a basic prerequisite for securing the objectives of the Digital Agenda and of achieving the Digital Single Market.


This Commission proposal today represents the most important legal aspect of the future of European policy for developing the data economy and its repercussions on economic growth, scientific research, the fostering of new technologies, particularly in the domain of artificial intelligence, cloud computing, metadata and the Internet of Things (IoT), industry and services in general and public services in particular.


The EESC considers, however, that the proposal is rather overdue, over and above the fact that the limited nature of its scope of application, the fluidity and lack of assertiveness of the mechanisms laid down and, most of all, the lack of ambition and political will and determination are likely to undermine its objectives.


Indeed, with regard to the first and most important objective — to improve the cross-border mobility of non-personal data in the single market — the EESC, unlike the Commission, does not consider it to be sufficient merely to require Member States to notify it, only 12 months after the entry into force of the Regulation — which is not due to happen before the end of 2018 in the best case scenario — of ‘any draft act that contains a new data localisation requirement or modifies an existing data localisation requirement’, with a view to obliging Member States to ‘ensure that any data localisation requirement that is not in compliance’ with the rule on the non-prohibition or non-restriction of free flow of the data concerned ‘is repealed’, except for reasons of public security.


With regard to its second objective of ‘ensuring that the powers of competent authorities to request and receive access to data for regulatory control purposes, such as for inspection and audit, remain unaffected’, the EESC does not agree that the proposal should be limited, putting forward only a procedure for cooperation between competent authorities of each Member State, with the creation of a network of single contact points to liaise with the single points of contact of other Member States and the Commission regarding the application of this Regulation.


Finally, in relation to its third objective of ‘making it easier for professional users of data storage or other processing services to switch service providers and to port data’, the EESC rejects the proposal that the Commission limit itself to undertaking to ‘encourage and facilitate the development of self-regulatory codes of conduct at Union level’, a matter for which only legislative measures should consequently be considered. The Commission does not even consider drafting ‘guidelines’ on the development of the aforementioned self-regulatory codes.


For all these reasons, the EESC cannot endorse the current version of the document. The EESC is only willing to endorse this proposal if and insofar as the latter is amended in accordance with the suggestions outlined in this document and is clearly understood as a highest common standard acceptable to both Member States and stakeholders, but always viewed as a first step in the future development of more ambitious ways of securing genuinely free movement of non-personal data in the European Union’s digital market.


The EESC’s endorsement is also on condition that these developments take due account of the international aspects of a global economy, of which this initiative should necessarily be a part.

1.2.    Recommendations


To this end, the EESC recommends that the Commission revisit its proposal with a view to bringing it significantly closer to the terms defined by option 3 which the EESC favours, moving away from the selected sub-option 2a.

Moreover, the Committee strongly urges the Commission to incorporate in particular in its proposal the suggestions outlined in points 3.4.1 (date of entry into force), 3.4.2 (the absence of an obligatory procedure in cases of non-compliance), 3.6 (the absence of guidelines for drawing up codes of conduct), 3.7 (failure to take into account the classification of metadata) and 3.8 (failure to take account of the global, trans-European nature of the digital economy), especially as regards the need to provide for a specific procedure for cases where Member States do not comply.


The EESC also urges the Commission to look favourably upon the various proposals for improvement it has made, especially those relating to the various articles of the draft regulation under analysis.


It likewise strongly recommends that the Commission incorporate in its proposal the amendments suggested in the stance adopted by the December Council Presidency, with which the EESC agrees, because of the intrinsic improvements they would bring and the fact that they could make the proposal viable.

2.   Brief summary and general background

2.1.    Summary of the proposal and the thinking behind it


The Commission justifies the necessity and proportionality of this proposed regulation (1) on the basis of the following arguments:

‘Improving the mobility of non-personal data across borders in the single market, which is limited today in many Member States by localisation restrictions or legal uncertainty in the market’,

‘Ensuring that the powers of competent authorities to request and receive access to data for regulatory control purposes remain unaffected’, and

‘Making it easier for professional users of data storage or other processing services to switch service providers and to port data’.


The Commission believes that this proposed regulation complies with the subsidiarity rule in that, by ensuring the free movement of data within the Union, it aims to guarantee ‘the smooth functioning of the internal market for the abovementioned services which is not limited to the territory of one Member State and the free movement of non-personal data within the Union [and which] cannot be achieved by the Member States at national level, as the core problem is cross-border data mobility’.


However, it also considers it proportional in that it ‘seeks a balance between EU regulation and public security interests of Member States — as well as a balance between EU regulation and self-regulation by the market’.

2.2.    Policy and legal context


From a legal viewpoint, the Commission considered three options, summarised in the Explanatory Memorandum, summing up the ex ante impact assessment studies and the stakeholder consultations carried out during preparation of the legislative text (2), which can be encapsulated as follows:

Option 1 consisted of guidelines and/or self-regulation to address the different identified problems and entailed strengthening of enforcement vis-à-vis different categories of unjustified or disproportionate data localisation restrictions imposed by Member States.

Option 2 would lay down legal principles concerning the different identified problems and would envisage the designation by Member States of single points of contact and creation of an expert group, to discuss common approaches and practices, and provide guidance on, the principles introduced under the option.

Option 3 consisted of a detailed legislative initiative, to establish, inter alia, pre-defined (harmonised) assessments of what constitutes (un)justified and (dis)proportionate data localisation restrictions and a new data porting right.


Given the differences with the Regulatory Scrutiny Board, which issued two negative opinions on the Commission’s proposals, and although the majority of stakeholders consider the legislative initiative option (option 3) to be the most suitable one, purely for reasons of political strategy the following sub-option was then devised:

Sub-option 2a — ‘to allow for the assessment of a combination of legislation establishing the free flow of data framework and the single points of contact and an expert group as well as self-regulatory measures addressing data porting’.

The Commission deems that this option ‘would ensure the effective removal of existing unjustified localisation restrictions and would effectively prevent the future ones’, would ‘also promote cross-border and cross-sector use of data storage or other processing services and the development of the data market’ and would consequently ‘help transform the society and economy and open up new opportunities for European citizens, businesses and public administrations’.


To that end, it put forward a proposal for a regulation which could ‘ensure that uniform rules for the free flow of non-personal data are applicable throughout the Union at the same time’, which would turn out to be ‘particularly important to remove existing restrictions and prevent new ones to be enacted by Member States’.


The present proposal is rooted in recent digital technological developments which allow for large quantities of data to be stored and used increasingly efficiently, generating economies of scale and benefiting users with rapid access, increased connectivity and greater autonomy.

In its communication on Building a European Data Economy the Commission (3) specifically denounced the link between obstacles to the free movement of data and the delay in developing the European market. Hence the need the Commission felt to put forward a proposal with a legal framework which did away with the idea of ‘border controls’.

It should be noted that only around half of the Member States endorsed the Non-paper on the Free Flow of Data initiative (4); neither Germany nor France nor any of the southern EU countries endorsed this paper.

This subject was revisited in the Commission communication on the Mid-Term Review of the Digital Single Market Strategy — A Connected Digital Single Market for All (5), where the Commission announced the publication in 2017 of two legislative initiatives, one on the Free flow of non-personal data across borders, which is the subject of this opinion — and another on the accessibility and re-use of public and publicly funded data and data collected using public funds, which is still under preparation at the Commission.

Lastly, the EESC’s opinion Digital Single Market: Mid-term review (6) ‘considers that the European data economy is one of the sectors in which the gap between the EU and global digital innovation leaders is clearest’ and to this end ‘supports the proposal to establish a legislative framework, provided that this framework is also geared to cloud computing, artificial intelligence and the Internet of Things, takes account of contractual freedom — removing obstacles to innovation — and receives appropriate EU funding’, which would equate to option 3.

This Commission proposal today represents the most important legal aspect of the future of European policy for developing the data economy and its repercussions on economic growth, scientific research, the fostering of new technologies, particularly in the domain of artificial intelligence, cloud computing, metadata and the Internet of Things (IoT), industry and services in general and public services in particular (7).

3.   General comments


The EESC notes the objective of this initiative, which it has already supported in many previous opinions, since it is a basic prerequisite for securing the objectives of the Digital Agenda and of achieving the digital single market.


It does, however, feel it must express its disappointment at the overly limited scope of the initiative, the lukewarm nature of its proposals, the vagueness and lack of assertiveness in the announced mechanisms and, especially, the lack of political ambition, will and determination.

Let us now look more closely.


With the idea of a ‘free flow’ of non-personal data, the Commission is intending to counter the majority of those policies and practices in force in the Member States which create, impose or authorise barriers in relation to the localisation of data for storing or otherwise processing such kinds of data which it, also quite rightly, believes must not be prohibited or restricted, except where warranted for reasons of public security (8), by establishing rules on:


data localisation requirements;


data availability for competent authorities;


data porting for professional users.


With a view to the first of the abovementioned points — data localisation requirements — the Commission has deemed it sufficient, in an initial phase, to require Member States to notify it of ‘any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement’.


Only 12 months after the regulation enters into force — which is not to occur before the end of 2018 — Member States will be obliged to ‘ensure that any data localisation requirement that is not in compliance’ with the rule on the non-prohibition or non-restriction of free flow of the data concerned ‘is repealed’, except where they consider it to be warranted for reasons of public security. In this case, the Member State concerned should notify the Commission, giving its reasons for deeming the measure to be in compliance with the rule concerned and for considering that it should remain in force.


No specific procedure is being established for cases where Member States do not comply.


As regards the second point, on data availability for competent authorities, the proposal does not alter the powers of competent authorities to request and receive access to data for the performance of their official duties in accordance with Union or national law.

It nevertheless adds an important stipulation: ‘Access to data by competent authorities may not be refused on the basis that the data is stored or otherwise processed in another Member State’.


However, in seeking to guarantee that this right is implemented, the proposal confines itself to putting forward a cooperation procedure between the bodies responsible in each Member State, along the lines of others existing in different domains, in order to create a network of single points of contact to liaise with the contact points of the other Member States and with the Commission regarding application of the regulation, without, however, assessing the effectiveness of these points of contact or the viability of the costs involved.


Nevertheless, in the end, application by the requested authority of the coercive measures needed to obtain access to any premises of a natural or legal person, including the equipment and resources for storage or other data processing, will always come under the procedural law of each Member State.


That is to say, in the very likely event of lack of compliance, the only recourse will be through Member States’ ordinary courts and subject to the notoriously lengthy procedures of the legal system, its exorbitant costs and uncertainty about the outcome.


Lastly, on the third point — data porting for professional users — the Commission will confine itself to ‘encourag[ing] and facilitat[ing] the development of self-regulatory codes of conduct at Union level, in order to define guidelines on best practices in facilitating the switching of providers and to ensure that they provide professional users with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded’, in relation to a series of genuinely structural and essential issues (9).


It is therefore a highly questionable approach simply to leave to self-regulation mechanisms the regulation of fundamental aspects which should be dealt with only by legislative measures.

The EESC, although it has always advocated co-regulation as a particularly important supplementary resource as part of the Union’s legal framework, does not agree that standards and principles which are essential to the consistency and harmonisation of Union law should be left simply up to self-regulation, without any guidelines or guiding parameters.

More serious, especially as regards porting, has been the limitation of responsibility and the introduction of periods of loyalty for data subjects, with the possibility of deleting content in the event of non-compliance.


More questionable still is the fact that the Commission has not at the very least proposed a co-regulation mechanism in line with the model and parameters defined previously by the EESC (10).

To this end, the EESC deems that the regulation in hand should at least lay down a series of basic rules inherent to contractual relations between service providers and users, as well as a blacklist of prohibited clauses as a result of the limitation of the right to porting, in keeping with the parameters set out in its opinion on self-regulation and co-regulation in particular.


It is however inadmissible that the Commission should not even have proposed devising ‘guidelines’ for drafting the codes of conduct referred to in the proposed regulation, as has been done in other domains, with the EESC’s support.

In fact, as regards data porting, some companies’ conduct has been damaging to users’ rights, namely limitations on data ownership or on intellectual property of the content of cloud services, consent to the collection and processing of data — introduction of presumed consent rules — as well as hidden payments or the right to suspend a service based on a company’s unilateral decision.


Lastly, the Commission promises, without any other alternative of a legislative nature, to ‘review the development and effective implementation of such codes of conduct and the effective provision of information by providers no later than two years after the start of application of the regulation’. And then what?


Moreover, confining this proposal to the three situations referred to above does not take into account growing concerns about metadata, deemed to be non-personal data, which, apart from a few exceptions, ought to benefit from the same protection as personal data, namely in terms of the access, correction, deletion and objection rights of the subject.


In fact, companies devoted to analysing metadata carry out forward and proactive data-based analyses, identifying trends and conditions for companies to be able to adopt decisions in the future.


Moreover, it is not clear whether the future regulation only applies to data obtained in electronic format, since Article 3(2) defines storage as any storage of data in electronic format, and Article 2 itself refers to the regulation applying to ‘the storage or other processing of electronic data’. A case in point would be an anonymous questionnaire carried out in the physical presence of data subjects and stored physically: the implication of the afore-mentioned definition might be that this would not be covered by the regulation.


On the other hand, with the Internet of Things, the proliferation of electronic appliances, particularly household electronic devices that collect and cross-check non-personal data, may in future give rise to a variety of questions on security and privacy; for this reason the European Commission should crucially have done more to deal with non-personal data, safeguarding people’s fundamental rights.


Lastly, and taking into account the grey zone between personal and non-personal data — since certain data can easily become personal — maintaining completely separate arrangements for this type of data may lead to bodies trying to qualify the data obtained as non-personal in order to thus evade enforcement of Regulation (EU) 2016/679 of 27 April 2016.


Moreover, the proposal does not take due account of the global, trans-European nature of the digital economy, being concerned only with regulating the internal market and neglecting the fact that this market exists within a global market, with no guarantee that other countries and continents follow the rules that it is now trying to implement and without the power to impose them in international negotiations.


For all the above reasons, the EESC is not in favour of sub-option 2a proposed by the Commission without valid or consistent arguments to the detriment of option 3, which has the EESC’s support.


Should the proposal incorporate the EESC’s suggested amendments as well as those resulting from the Council Presidency’s position set out in its declaration of 19 December 2017, which the EESC endorses, the EESC would be willing to support this proposal, thus amended, provided that it is clearly understood as a highest common standard acceptable to both Member States and stakeholders, and also with a view to future moves towards more ambitious ways of securing genuinely free movement of non-personal data in the European Union’s digital market.

4.   Specific comments

4.1.    Article 2 — Scope


The EESC has questions about the nature of indent (a), and what is meant by ‘provided as a service to users’, particularly whether free or paid legal transactions are involved.

In fact it is important to highlight that today there are a variety of services provided for free, including Google Analytics. Nevertheless, the fact that these companies do not require users to pay for these services has allowed them to introduce unfair terms in their service provision contracts, avoiding responsibility if data is lost, mislaid or destroyed, or even assuming the right to delete data without the data subject’s consent.


On the other hand, the EESC feels that, along the lines of Regulation (EU) 2016/679, the regulation in hand must also apply to a country outside the European Union where the legislation of a Member State applies under private international law.

4.2.    Article 3 — Definitions

4.2.1.   The concept of ‘non-personal data’

There is no Aristotelian type of definition of the concept of non-personal data; all that can be said is that it concerns, prima facie, data other than personal data, defining it in the negative, as can be inferred from the 7th Whereas clause of the Preamble and from Article 1 of the proposal.

However, more in-depth analysis reveals that this concept only excludes personal data subject to specific legal protection, i.e. protection currently accorded in the EU under Regulation (EU) 2016/679 of 27 April 2016, Directive (EU) 2016/680 of the same date, Directive 2002/58/EC of 12 July 2002 (11) and the national legislation transposing these legislative acts.

Thus this proposal seems to cover not only data relative to legal persons (and which, in contrast to the view expressed repeatedly by this Committee, does not enjoy the same protection as that granted to natural persons, whereas it does in several national legal systems), but also ‘anonymous’ personal data, to which only one reference is found, in the 26th Whereas clause of the General Data Protection Regulation.

In order to ensure consistency, concordance and legal clarity of the EU’s legislative acts, and given the imprecise wording of the text, the EESC highlights the need for an express definition of non-personal data to be given in this regulation, not as a subsidiary or generic definition to the definition in Regulation (EU) 2016/679, since many courts have had different interpretations of what is meant by personal and non-personal data.

4.3.    Article 4 — Free movement of data within the Union


Out of concern for legal certainty and security, the EESC believes that deadlines should be set for Member States for notifying measures which entail maintaining or introducing rules which, for reasons of public security, might run counter to this regulation.


It is also important for the European Commission to notify the other Member States to see whether these measures will, or will not, have a direct or indirect impact on the movement of non-personal data in their countries.

4.4.    Article 9 — Review


The Commission has undertaken to carry out a review of this Regulation and present a report on the main findings to the European Parliament, the Council and the European Economic and Social Committee only five years after it enters into force.


Since it is expected that the latter will not occur before the end of 2018 in the best case scenario, the Committee deems it more appropriate for this review to be carried out within three years, given the manifestly fragile nature of the mechanism and the rapidly changing nature of the subject it deals with.

4.5.    The Council presidency position


While this opinion was being drawn up, the European Council presidency issued an amended text on 19 December which made substantial amendments (12) to the Commission’s proposal, precisely along the lines of the EESC’s current recommendations.


This concerns the following, set out in brief:


Article 2 — scope — and Recitals 7a and 8a: clarification of what remains outside the scope of the regulation;


Article 3 — definitions: introduction of a new paragraph 2a clarifying the meaning of ‘processing’;


Article 3(5): explicit inclusion of administrative practices in the definition of ‘data localisation requirement’ and consequent amendment to Article 4(1);


Article 5(2a): establishment of a binding obligation to provide data and, under Article 5(3a) a provision for Member States to impose sanctions on users in case of fraud linked to the provision of data, as recommended in this opinion;


Article 6: establishing guidelines on drawing up codes of conduct;


Article 7: a definition of the role of ‘single points of contact’ and speeding up the process of communication between authorities;


the deletion of Article 8, thus removing the Free Flow of Data Committee;


various articles: improving compatibility with the Transparency Directive (13);


recitals 10 and 10a: providing necessary details on the issue of mixed data sets and anonymous data, as called for in this opinion;


recital 12a: clarifying the concept of public security set out in Article 4, based on Court of Justice case-law, as recommended in this opinion.


The EESC comes out clearly in favour of all the Presidency’s suggestions and strongly urges the Commission, European Parliament, and Member States to take them into proper consideration.

Brussels, 15 February 2018.

The President of the European Economic and Social Committee

Georges DASSIS

(1)  COM(2017) 495 final, 13.9.2017.

(2)  See document SWD(2017) 304 final.

(3)  See COM(2017) 9 final, 10.1.2017, and accompanying working document SWD (2017) 2 final, of the same date, on which the EESC delivered its opinion Building a European Data Economy (OJ C 345, 13.10.2017, p. 130).

(4)  http://www.brukselaue.msz.gov.pl/resource/76f021fe-0e02-4746-8767-5f6a01475099:JCR

(5)  COM(2017) 228 final of 10 May 2017 and the attached Working Document, SWD (2017) 155 final.

(6)  Digital Single Market: Mid-term review (not yet published in OJ).

(7)  COM(2017) 495 final, Explanatory Memorandum p. 4.

(8)  This concept is laid down in Article 4(2) of the TEU as being the sole responsibility of the Member States, but for a definition reference must be made to the case-law of the Court of Justice — see for all purposes the Judgment of the Court of Justice of 21 December in Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-Och Telestyrelsen and Secretary of State for the Home Department v Tom Watson, Peter Brice and Geoffrey Lewis, in http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1513080243312&uri=CELEX:62015CJ0203 (paragraphs 11 and 88/89) and of the Human Rights Court.

(9)  See Article 6(1)(a) and (b).

(10)  See information report INT/204 of 25.1.2005 on the Current state of co-regulation and self-regulation in the Single Market and own-initiative opinion Self-regulation and co-regulation (OJ C 291, 4.9.2015, p. 29).

(11)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37), recast by the Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (COM(2016) 590 final, 12.10.2016), and by the Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (COM(2017) 10 final — 2017/0003 (COD)).

(12)  Interinstitutional file: 2017/0228 (COD) 15724/1/17REV 1 of 19 December 2017.

(13)  OJ L 294, 6.11.2013, p. 13.