Coming on the heels of the General Data Protection Regulation (GDPR), which tackles personal data protection, the new rules, which primarily affect businesses and business users of data storage or data processing services, are intended to create a common European data space, a foundational plank of the Digital Single Market strategy.
The agreement is a big deal as it is intended to break down localisation barriers blocking the free flow of data. In a briefing document, the Commission notes:
Currently, data localisation restrictions by Member States' public authorities and obstacles to the movement of data across IT systems (so-called vendor lock-in practices) prevent business and organisations in the EU from capturing economic, social and business opportunities. Legal uncertainty and lack of trust cause additional barriers to the free flow of non-personal data.
In practice, this means a business may not be or feel free to make full use of cloud services, choose the most cost-effective locations for IT resources, switch between service providers or port its data back to their own IT systems. With the principle of free flow of non-personal data, businesses can avoid duplication of data at several locations, may feel more confident to enter new markets, and scale up their activities more easily.
The Commission concedes that there may be some circumstances where data localisation restrictions might be justifiable, but perceives “a trend of unjustified data localisation requirements both in Europe and globally”. Vice-President for the Digital Single Market Andrus Ansip says:
Data localisation restrictions are signs of protectionism for which there is no place in a single market. After free movement of people, goods, services and capital, we have made the next step with this agreement for a free flow of non-personal data to drive technological innovations and new business models and create a European data space for all types of data."
The new free flow of non-personal data rules will:
- Ensure the free flow of data across borders by setting down a framework for data storing and processing across the EU, prohibiting data localisation restrictions.
- Member States will have to communicate to the Commission any remaining or planned data localisation restrictions to the Commission in limited specific situations of public sector data processing.
- While GDPR is there to handle personal data protection, there may be occasions when there is a mixed data set combining both personal and non-personal data. The new rules are intended to complement GDPR and for both to be applied appropriately.
- Public authorities will be able to access data for scrutiny and supervisory control wherever it is stored or processed in the EU.
- Member States may sanction users that do not provide access to data stored in another Member State
- Encourage creation of codes of conduct for cloud services to facilitate switching between cloud service providers under clear deadlines. This, argues the Commission, will make the market for cloud services more flexible and the data services in the EU more affordable.
The Commission argues that the new rules could help boost Europe's economy by generating an estimated growth of up to 4% GDP by 2020. Commissioner for Digital Economy and Society Mariya Gabriel says:
Data is the backbone of today's digital economy and this proposal will help to build a common European data space. The European data economy can become a powerful driver for growth, create new jobs and open up new business models and innovation opportunities. With this agreement we are one step closer to completing the Digital Single Market by the end of 2018.
All of which just leaves the B-word to be factored in - Brexit. The rules will roll out before the end of the proposed transition period for the UK to leave the EU. The UK Government has made clear that it will mirror data protection legislation with that of the EU during this period.
But Prime Minister Theresa May has also made it clear that the UK will be leaving the Digital Single Market. There is speculation this week that the UK might try to remain in the Single Market for goods, but not services, which would have implications for the international cloud services industry.
For now, there’s no issue but once full Brexit happens, it’s a different story. The Commission is quite clear:
The Regulation on a framework for the free flow of non-personal data in the European Union only covers data mobility within the EU
Data protection and data sovereignty has become one of the sticks used by the Commission’s chief Brexit negotiator Michel Barnier, who this week at the EU Agency for Fundamental RightS, said:
The UK has decided to leave the EU, its institutions, structures and safeguards. It will be a third country outside Schengen and outside the EU's legal order. This is a fact. Facts have consequences...Our future relationship will also have to be based on strong data protection. There is no possibility for the EU to compromise on data protection. This stems from EU primary law. The UK's data protection standards will therefore have to remain in line with ours, and confirmed by an adequacy decision from the EU. Such a decision can only be taken once we are able to assess the new UK legal framework
A good day for the EU Digital Single Market project; another European development that U.S. cloud services providers need to factor into doing business in the region; and another reminder of the coming headache for the UK as the Brexit clock ticks down.