Amongst the ten European Commission priorities for 2015-19 was a desire to provide a single framework for the free flow of data across national borders. In addressing this requirement the European Commission have said, “the internet and digital technologies are transforming our world. But existing barriers online means citizens miss out on goods and services, internet companies and start-ups have their horizons limited, and businesses and governments cannot fully benefit from digital tools. It’s time to make the EU single market fit for the digital age – tearing down regulatory walls and moving from 28 national markets to a single one. This could contribute 415 billion euro per year to our economy and create 3.8 million jobs.”
Removing restrictions on data flows within the European Union is therefore a central part of the digital single market strategy and complimentary policy instruments within the Commission’s Digital Agenda as well as the Cloud Computing Strategy, the implementation of the General Data Protection Regulation and the European Cyber Security Strategy.
Cloud services are a cornerstone of the digital single market but the 2014 Trusted Cloud Europe report found that the development of cloud services in Europe is hampered by persisting uncertainties related to legal, technical, operational or economic issues. In particular barriers persist despite general single market legislation and instruments such as Directive 1995/46/EC, which specifically provides that Member States should neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection of privacy with respect to the processing of personal data.
In publishing the proposal for a Regulation on a framework for the free flow of data in the European Union, the European Commission intends to:
- Improve the free flow of data across borders in the single market which is limited today in many Member States by localisation restrictions or legal uncertainty
- Ensure that businesses continue to adequately control data in order to maintain trust as a key element of the data economy
- Make it easier to switch service providers and where possible to port data since this is key to the development of the competitive cloud market in the EU
- Further develop the security of data and cloud services in order to enhance trust.
The proposed Regulation is drafted so as to ensure consistency with existing legal instruments such as the eCommerce Directive and the Services Directive and the General Data Protection Regulation and the ePrivacy Directive and also anticipate the Network Information Security Directive to enhance cyber resilience of cross border storage and processing of data.
The introduction to the proposed Regulation highlights the research and evidence gathering that was carried out from 2015 through to 2017 in order to identify examples of actual or perceived restrictions on the free flow of data within the European Union. One of the studies (SMART 2015/2016) by London Economics Europe, Carsa and Charles Russell Speechlys entitled “Facilitating Cross Border Data Flow in the Digital Single Market” was a study in which I was personally involved as contributing legal expert and there were many examples found across EU Member States of localisation in certain sectors such as health care. That study said that, “The ubiquitous nature of data results in its varied application across virtually all industry sectors. Most industries use cloud services in some capacity to streamline business processes, improve market access, and maintain relevancy in today’s quick‐evolving business landscape. On-demand access to cloud services can reduce capital expenditure and fosters innovative business models and services across all industries. Small businesses stand to benefit especially from the cloud, as it allows them to access high-performance IT solutions that would otherwise be out of their reach. Overall, it is assumed that European businesses and public administrations can obtain significant efficiency gains from wide-scale adoption of cloud computing.”
The study found that a number of Member States including France have special regulations with regards to the outsourcing of the hosting activity of health data whereas other Member States have localisation restrictions on tax and business data, and certain personal data in the financial services sector in Luxembourg is effectively unable to be processed outside Luxembourg.
Whilst research projects into the free flow of data highlighted many Member States requirements for adequate data controller to data processor contracts although these hampered the cloud services industry they were not fundamental issues. However the General Data Protection Regulation raises the bar in relation to the requirement of mandatory contractual clauses in controller to processor agreements that will continue to place burdens on the use of cloud services.
Whilst the focus of the proposed Regulation is very much on the movement of electronic data, the proposed Regulation does not address restrictions on manual data and in addition the proposed Regulation does not override the requirements of the General Data Protection Regulation when the data concerned is personal data.
The proposed Regulation consists of a number of Articles:
Article 1 specifies the objective of the proposal. The Regulation introduces a common approach in the Union ensuring the free movement of data by laying down rules for the availability of data to competent authorities, and security of data storage and processing.
Article 2 specifies the scope of application of the Regulation. The Regulation applies to electronic data stored and/or further processed within the Union, and to users established in the Union. The Regulation is without prejudice to the GDPR, the ePrivacy Directive, the eCommerce Directive and the Police Directive. Finally, the Regulation does not apply to activities which fall outside the scope of Union Law.
Article 3 provides for the definition of the following terms: ‘a competent authority’, ‘data storage’, ‘further processing’, ‘provider’, which means a data storage and processing service provider; ‘data localisation requirement’, ‘user’ and the concept of ‘professional user’.
Article 4 establishes the principle of free movement of data across border within the Union. This principle prohibits any restriction to the localisation of data for storage and/or further processing within the Union for reasons other than national security.
Furthermore, it imposes the obligation to notify draft acts that would introduce new data localisation requirements in accordance with the procedures set out in Directive (EU) 2015/1535, and to abolish existing unjustified restrictions within one year after the start of application of the Regulation. If a Member State considers that a data localisation requirement for reasons of national security should remain in force, it will have to notify the corresponding measure to the Commission, together with a justification for maintaining such requirement.
Moreover, Article 4 provides that Member States make information on any data localisation requirements freely available via a single online information point accessible to the public and up-to-date. Member States will inform the Commission of the location of those single information points, which will disclose such information in a central place on a Commission website.
Article 5 aims to ensure data availability for regulatory control by competent authorities. To this effect, users may not refuse to provide access to data to competent authorities on the basis that data is stored and/or further processed in another Member State or on the basis of contractual clauses they have entered into. Finally, without prejudice to existing mechanisms of cooperation, where a competent authority has exhausted all existing means to obtain access to the data, that competent authority may request the assistance of an authority in another Member State in accordance with Article 8.
Article 6 states that service providers should provide information prior to the conclusion of a contract for data storage or processing. Such information would include the following details: processes and location of any data back-up; available data formats and supports; required IT configuration and minimum network bandwidth; time required prior to initiating the porting process and the time during which the data will remain available for porting; and guarantees for accessing data in the case of the bankruptcy of the provider.
The Regulation provides for the adoption of codes of conduct detailing the conditions of data porting by market players through self-regulation. Nonetheless, if sufficient self-regulatory measures were not put in place within a reasonable period of time, it should remain possible for the Commission to establish the conditions for the porting of data in an implementing act.
Article 7 provides that; to the extent that common EU operational or contractual requirements applicable to the security and integrity of data storage and/or further processing are needed for the functioning of this Regulation, any necessary implementing measures for that purpose shall be adopted in accordance with Article 16(8) of Directive 2016/1148.
In order to contribute to a smooth cooperation across Member States on the issues addressed by this Regulation, Article 8 requires each Member State to designate a single contact point responsible for coordinating the application of this Regulation in the Member State concerned as well as liaising with the contact points of other Member States and the Commission regarding the application of this Regulation. In this latter respect, Article 8 provides for a specific procedure of assistance between competent authorities with a view to obtain access to data through the designated single point of contact.
Article 9 establishes the EU Free Flow of Data Policy Group (FFDPG) which shall advise and assist the Commission in its work to ensure a consistent application of this Regulation in Member States. It will also exchange experience and good practice and at the Commission’s request, give opinions and develop guidelines. The Group will be composed of the single points of contact referred to in Article 8 and will be chaired by a representative of the Commission.
According to Article 10 the Commission shall be assisted by the Free Flow of Data Committee within the meaning of Regulation (EU) No 182/2011.
Article 11 stipulates a review within five years after the applicability and a report thereof to be presented to the European Parliament, the Council and the European Economic and Social Committee.
Article 12 provides for the entry into force on the twentieth day following that of the Regulation’s publication in the Official Journal of the European Union and for its start of application six months after the day of publication the Regulation.
Whilst the proposed Regulation seeks to prevent barriers to the free movement of data, it remains to be seen whether all data will be freed from such restrictions. Article 4(1) says, “Location of data for storage and/or further processing within the Union shall not be restricted to the territory of a specific Member State, and storage and/or further processing in any other Member State shall not be prohibited, unless a measure restricting the location of the data to the territory of a specific Member State or a measure prohibiting the storage and/or further processing in any other Member State such restriction or prohibition (hereinafter a ‘data localisation requirement’ is justified on grounds of public security.” This appears to provide for localisation to still remain for certain types of special categories of personal data like health data! “Public security” may cover a multitude of scenarios.
Finally, there is the issue of how Brexit may impact on the ability of the United Kingdom to benefit from the proposed Regulation. If the proposed Regulation is effective before the UK leaves the EU then it is possible that the UK will implement it in full. However, even if the proposed Regulation is effective before Brexit, the plain fact is that the UK will no longer be in the EU and as such will be outside the application of the rules on free movement of data. Given that the proposed Regulation is intended to strengthen the EU’s position as a data storage and data hub and “a single market fit for the digital age”, by the same token the UK will be outside that single market, and at a disadvantage. On the other hand, the UK could use its strong cloud and hosting experience and business to offer direct competition to the EU?