While personal data flow is governed by GDPR, what are the new rules for the free flow of non-personal data? In this article, first published on Lexis®PSL Information Law, Robert Bond explains what the new European regulation by the Council of the EU will do to ‘bring down barriers to the free movement of non-personal data within the EU’.

The Council of the European Union has adopted a new Regulation on framework for the free flow of non-personal data (the new Regulation) which will boost the data economy and enhance the development of emerging technologies, such as cross-border autonomous systems and artificial intelligence (AI). The rules intend to ‘bring down barriers to the free movement of non-personal data within the EU’, which is ‘key for growth and creating jobs’. The rules ban localisation restrictions imposed by Member States on the geographical location for storing or processing non-personal data, unless such restrictions are justified on grounds of public security.

What is the purpose of the new Regulation? How will this be accomplished and from when will it apply?

The new Regulation is designed to boost the data economy and the development of emerging technologies such as AI and cross-border autonomous systems by ensuring the free flow of non-personal data. This is essential for the growth of the digital economy and in order to provide more flexibility for businesses.

The new Regulation bans data localisation restrictions imposed by Member States on the geographical location for storing or processing non-personal data, unless such restrictions are justified on grounds of public security. The new Regulation is a response to the free movement of data processing services and to the right of establishment of service providers which originates from requirements in the laws of Member States to locate data in a specific geographical area or territory for the purpose of data processing. Other rules or administrative practices have had an equivalent effect by imposing specific requirements that make it problematic to process data outside of particular geographical area or territory within the EU.
The new Regulation will enter into force on the 20th day following that of its publication in the Official journal of the European Union and will apply six months after its publication.

What is the relationship between the new Regulation and data protection laws relating to personal data?

The legal framework for the protection of natural persons with regard to the processing of personal data, as well as the protection of personal data in electronic communications including the General Data Protection Regulation (EU) 2016/679 (the GDPR) and Directives (EU) 2016/680/eu and 2002/58/EC are not affected by the new Regulation.

To what extent may Brexit affect the impact of the new regulation in the UK?

Since the draft Withdrawal Agreement confirms that EU law will continue to apply to the UK, the new Regulation, once it has come into force, will be binding on the UK as it will come into force during the withdrawal period. This assumes that the draft Withdrawal Agreement comes into effect.
Assuming the Regulation applies in the UK, what are the implications for UK public bodies, private businesses and their advisers?

The free flow of data within the EU plays an important role in achieving data driven innovation. Public bodies stand to benefit from increased freedom of choice regarding data driven service providers and for more competitive pricing and more efficient provision of services. The new Regulation stresses the utmost importance that public bodies can lead by example in taking up data processing services and equally refraining from imposing data localisation restrictions when using such services. The new Regulation requires that public authorities and bodies should adhere to the principle of the free flow of non-personal data through general and consistent administrative practices.

Article 1 of the new Regulation aims to ensure the free flow of data other than personal data within the EU by setting out rules relating to data localisation requirements, the availability of data to public bodies and the porting of data for professional users.

Article 2 sets out its scope and states that it applies to the processing of electronic data other than personal data in the EU which is either:

• provided as a service to users residing or having an establishment in the EU, regardless of whether the service provider is established in the EU or not
• carried out by a natural or legal person residing or having an establishment in the EU for its own requirements

Article 4 imposes a requirement that data localisation must be prohibited unless justified on the grounds of public security. This also requires Member States to communicate to the Commission draft legislation that introduces new data localisation requirements or makes changes to an existing data localisation.

Article 6 relates to the porting of data and encourages the development of self-regulatory codes of conduct in order to contribute to a competitive data economy based on principles of transparency and interoperability, as well as taking account of open standards. The porting of data is intended to allow business and individuals to benefit from the switching of service providers and benefits both public authorities and business users.

The challenge of the new Regulation is that, while it sets out a range of procedures designed to ensure the free flow of non-personal data, in a sense the devil is still in the detail.