The European Union continues to roll out regulations in furtherance of the EU Digital Single Market, a strategy that covers digital marketing, e-commerce, and telecommunications. The GDPR went into force in May 2018, the new ePrivacy Regulation is planned for 2019, and on Friday, 9 November 2018, a new milestone was reached when the Council of the European Union approved another regulation that provides a framework for the free flow of non-personal data in the EU (the Regulation). The EU Parliament already approved the Regulation on 4 October 2018.

Background

Electronic data are at the center of modern, innovative economic systems and societies. You could say a new “data economy” is emerging.

Besides personal data (the protection of which has strongly improved with the GDPR), non-personal data are becoming a greater source of value. Non-personal data includes data sets used for big data analytics with the aim of improving website functionality. In this respect, clickstream data are analyzed and used to make desired improvements.

At the moment, effective and efficient functioning of non-personal data processing and the development of the data economy in the EU are hampered by national laws. For example, member states use data localization requirements mandating that data be stored on a device that is physically present within the borders of a specific country. Furthermore, “vendor lock-in” practices in the private sector limit the free flow of non-personal data. “Vendor lock-in” is a situation in which a customer who uses a product or service cannot easily transition to the products or services of a competitor.

The Regulation aims to remove these restrictions and to provide for free movement of non- personal data within the EU by applying the following provisions:

Scope

The Regulation applies to the processing of electronic data other than personal data in the EU. “Processing” of data covers a wide range of data operations, such as collecting, filing, storing, using, and transferring. Such data processing should be provided by service providers to users residing or having an establishment in the EU, regardless of whether or not the provider is established in the EU. The data processing may also be carried out by a natural or legal person for their own needs, and residing or having an establishment in the EU.

Free movement of data within the EU

The data localization requirements shall no longer apply: under the Regulation, the location of non-personal data for storage or processing within the EU shall not be restricted to the territory of a member state. As such, free movement of data should be established. In practice, this means that a cloud service provider in the EU may decide for itself where it stores non-personal data.

Porting of data

To eliminate vendor lock-in practices, the Regulation provides for and encourages the development of codes of conduct for service providers. With these codes of conduct, consumers should be able to switch to other service providers more easily. Such codes of conduct focus, for example, on the provision of sufficient and clear information to consumers before a contract is concluded.

Single points of contact

Each member state shall appoint a single point of contact regarding the application of the Regulation. Such point of contact shall liaise with the designated points of contact in the other member states to discuss any issues regarding the Regulation.

Conclusion

The Regulation is another step towards the Single Digital Market and the free flow of data. It should make it easier for service providers to store and process non-personal data within the EU, while consumers should be able to switch between service providers more easily. It remains to be seen whether the Regulation will make a difference, considering that many data sets will contain both non-personal data and personal data, and a completely different regulation (the GDPR) applies for the latter.

The Regulation will be published in the Official Journal of the EU within a couple of weeks. Six months after the date of publication, the Regulation enters into force without further required implementation.