New proposals on the free flow of non-personal data will give greater certainty to businesses and consumers alike and create an EU data sector that is fit-for-purpose for the 21st century.

On 9 November, EU ministers adopted the Regulation on the free flow of non-personal data, following the adoption of the Regulation by the European Parliament in October. It is the latest step in an ongoing process that is bringing us closer to the completion of the EU Digital Single Market.

If a single market is not possible without the free flow of persons, goods, services and capital, it follows that a digital single market cannot exist without the free flow of data. Whether you are sending an email to a colleague, buying a sandwich with a bank card or managing a business relationship with a key customer, data will always be involved and is becoming a key asset for every business.

Our Digital Single Market strategy will ensure that European citizens and businesses can embrace the digital future as confidently as possible. This future will be built on data, and is increasingly becoming the foundation of our economy. The European data economy, which the Regulation on the free flow of non-personal data is helping to build, can bring us benefits in terms of the development of new technologies and the emergence of ecosystems around data. Let me explain how this will happen.

Firstly, thanks to the new General Data Protection Regulation (GDPR), rules on the free movement of personal data in the European Union have been clarified and citizens’ data is now guaranteed to be protected. Until recently however, there was no legislation dealing with the free flow of non-personal data in European legislation. At the same time, several Member States introduced legislation requiring certain data to be stored or processed within their national borders. These 'data localisation requirements' were hindering the development of the EU data economy by stopping the emergence of data innovation ecosystems across European borders. They were also creating inefficiencies by requiring companies active in multiple Member States to duplicate IT infrastructure.

Thanks to the new rules now in place, cloud computing in our societies will continue to grow in the near future. The cloud, which knows no geographic boundaries, offers companies virtually unlimited data storage and processing capacities at a lower cost than when data processing is kept in-house. It is impressive to see the reduction in costs that that the cloudcan bring: on average, European companies can make savings of at least 20%-50% in IT expenditure. At the same time, the flexibility and scalability of the cloud means less investment, fewer risks for businesses and better prospects for efficient digital transformation.

New forms of cloud computing are already being developed, and Europe is clearly taking the lead in this respect. An example is so-called 'edge computing', which is based on the idea of bringing the computing capacities as close as possible to the end-user. Another example is 'fog computing', which is based on federating the computation over a large number of machines connected to a network. These paradigm-breaking technologies mean a shift of data processing capacities from data centres to the 'edge' of a network. This can bring many advantages, especially with regard to the growing Internet of Things. The combination of these developments will probably culminate in a 'cloud continuum', meaning that virtually all digital activities will be based on the cloud.

Nevertheless, we are not there yet. Let us rewind to 2018. In order for Europeans to grasp the full opportunities of cloud technology, we need to work towards making the cloud even better. We must ensure that the European cloud market can function on the basis of free and open competition. Cloud customers will not be locked-in by their providers and there will be clear security requirements in place. The Regulation on the free flow of non-personal data helps to tackle these issues. Let me take you through its most important provisions.

The free flow of non-personal data principle

Article 4 of the Regulation prohibits EU Member States from putting in place data localisation requirements. In practice, this means that they may not introduce any new rule that requires data to be located on their own territory. The only exception to this, and only when this is justified, is on the basis of public security. Data localisation requirements in existing national rules will have to be repealed. Member States have a two year timeframe to finalise this. Should they consider that any of their data localisation requirements are justified on the basis of public security, they will have to notify the Commission.

An important aspect of this article is that it covers not only laws or regulation, but also administrative provisions and practices, like public procurement. Public procurement can introduce data localisation requirements that are often criticised by businesses as negatively impacting their capacity to offer cloud services across borders.

In addition, an issue which was much debated during the negotiation process is the fact that the Regulation covers data held by the public sector. This is good news because it will help the public sector across the European Union to benefit from data innovation, leading to more efficient and cheaper public services for European citizens.

For citizens and companies, it is now very clear that they can store and process data wherever they want on the territory of the European Union.

The data availability principle

A well-functioning market also means having in place a well-functioning system of monitoring and oversight. For that reason, Article 5 of the Regulation makes it clear that when data is stored or processed in a second Member State, this does not change the right of original competent authorities to have access to the data for regulatory control purposes. For example, a tax authority in one Member State will still have the right to access bookkeeping records when these are stored on a cloud server located in another Member State. If businesses abuse their right to data processing anywhere in the Union by not granting access to regulatory authorities, the authorities may sanction them.

The importance of this article lies in the fact that it will significantly raise trust in the public sector, regarding the use of cloud services. When a business processes its data in the cloud, it often does not know where the data will be located in the EU. This article solves the regulatory concerns that may have emerged around this fact, which is inherent to the cloud technology.

Self-regulation on switching and porting

Article 6 of the Regulation contains a self-regulatory provision to facilitate the development of self-regulatory codes of conduct making the switching of cloud service providers easier. It ensures that providers give sufficiently detailed, clear and transparent information to professional users on the terms and conditions applicable before a contract for cloud data storage and processing is concluded.

These codes of conduct have the main goal of countering vendor lock-in to cloud service providers. This way, we will make sure that cloud service providers who have assisted customers porting their data into their services, will also help them to port the data outwards (to another cloud service provider or back to their on-premise systems).

As there are increasing amounts of data in our society, there need to be clear and fair agreements between cloud customers and cloud service providers. We need clarity regarding which processes, costs and timeframes will apply when cloud customers wish to switch providers. Moving all your personal information from one PC to another is not easy – but imagine how complicated it must be for a business to carry over terabytes of data. Depending on the amount of data stored, this can cost many million of euros. That is why the codes of conduct must be quite detailed and at least address different aspects, such as various technical and process information like the location of any data back-up, the available data formats and supports, the required IT configuration and minimum network bandwidth.

In order to develop these codes of conduct, the Commission has already facilitated the set-up of a working group called 'SWIPO' (for SWItching and POrting). This working group will initially agree on two different codes which will cater for the needs of different available cloud services. One code will be developed for the cloud services that offer only storage space (Infrastructure-as-a-Service). The second code will be developed for cloud services that offer cloud solutions in the form of ready-to-use applications (Software-as-a-Service). A third code for so called Platform-as-a-Service cloud services will follow later.

By 2022, the application of these codes of conduct will be evaluated by the Commission. It will assess whether sufficient progress has been made to counter vendor lock-in and creating a more fluid market. If this goal is not attained, the Commission may come up with additional rules.

EU cloud security certification

Trust and security are key requirements for cloud adoption. The Working Group on Cloud Service Provider Certification (CSPCERT), which is another self-regulatory work stream facilitated by the Commission, will develop the requirements for a possible future European cloud security certification scheme. The main goal of this work is to improve clarity for cloud customers on the security level of the service provided. Currently, there are so many certification schemes available on the market, that their functionality in providing trust and legal certainty is seriously undermined.

When it goes ahead, this new EU cloud security certification scheme would be specifically developed in the framework of the Commission's proposal for a Cybersecurity Act, which is currently being negotiated by EU Council of Ministers and the European Parliament. The Cybersecurity Act indeed proposes a European ICT certification framework in which the cyber agency ENISA will play a key role. It will make it possible to have different European cybersecurity certification schemes addressing different technologies including cloud services. CSPCERT's work should be seen as preparing input to a future ICT certification scheme for cloud, which will be put forward by the Commission to ENISA. In this way, ENISA will have high quality and balanced input from industry for its work already early on in its processes.

A sustainable green cloud

As nearly all our digital activities will be based on the cloud in the future, it is essential that cloud computing becomes as sustainable as possible. That is why cloud service providers should take their responsibility and continue work on improving production processes, for example by making their cooling systems for data centres more efficient.

While planning the transition from cloud computing to 'green' cloud computing, we should also keep in mind the recent developments of edge and fog computing, which no longer rely on data centres . In order to make the future of computing more energy-efficient, it will be important that the very core of the cloud, the chips and processors on which it is based, become more sustainable.

This is where the work that the Commission is doing on developing a low power processor for the purpose of High Performance Computing (HPC) is crucial. The European Processor Initiative brings together 23 partners from 10 different countries with the aim of developing a low power microprocessor. This processor will significantly cut energy consumption of chips. In order to make the shift to a green cloud, deploying this chip not only in HPC but also in any cloud infrastructure will be key.

With the combination of cloud activities and energy efficient, low consuming processing technologies combined, we are opening the future for a better, safer, greener, cheaper and fairer European cloud, that will be help build our European data economy further.