Today a silent revolution takes place in Europe, a revolution with the potential to deliver additional revenue worth tens of billions of euros to sectors all across the European economy: it is the day on which the free flow of on-personal data Regulation starts to apply in Europe.

This revolution is silent because most Europeans will not notice it right away. But it is very important, because today we are launching a true common European data space: a seamless digital area on such a scale that it will enable the development of new value added products and services and help to complete the European data economy.

Together with the General Data Protection Regulation (GDPR), the new Free Flow of Non-personal Data Regulation ensures that both personal and non-personal data can from now on be stored and processed anywhere in the EU. This Regulation does exactly what European legislation should do: it opens up new possibilities for people and businesses by creating more value at European level than just the sum of its parts.

Navigating Europe's data flows

The new opportunities for businesses are infinite. Once free flow of data is in place, the next step will be adding value, e.g. through re-use of data for research or businesses, B2B data sharing, or enhancing production processes by big data analytics and artificial intelligence. In a way, it is like our rivers and channels: only when water flows through them can we navigate our inland vessels and conduct cross-border trade throughout Europe.

From today, businesses will be able to organise their IT infrastructures more efficiently, for example by centralising their data processing activities in one Member State, or by using innovative cloud services to work flexibly from wherever they want on the continent. According to a 2016 study, by migrating to the cloud, an average business will be able to save 20% to 50% of its IT expenditure.

However, European businesses will only start capitalising on the new European common data space if they have trust in data services like cloud computing. Top-notch data protection and security standards are essential for building this trust. For this reason, the GDPR puts adequate data protection rules for personal data in place for Europe.
One important fact is that the datasets used by businesses and consumers are mostly composed of both personal data and non-personal data. That is why today the Commission is also publishing Guidance on Mixed Datasets. With this guidance, we make it clear that the new Regulation on the Free Flow of Non-personal Data does not affect at all the solid personal data protection regime offered by the GDPR. It also does not require businesses to separate datasets, which could be a difficult and costly exercise. With the guidance on mixed datasets published, businesses can now comfortably start putting the data economy in Europe to their advantage.

Allowing data in the cloud to flow freely

Another key concern addressed by the Free flow of non-personal data Regulation is ‘vendor lock-in’ by cloud service providers. The use of cloud computing should remain as efficient as possible, also in the future. This means that users of cloud services should be able to switch to another provider whenever they want and port their data in the easiest possible way. To achieve this, cloud service providers and users are currently working together to develop Codes of Conduct on the porting of data to switch providers. The Commission is closely monitoring the progress on these Codes. It is only logical that we should put pressure on cloud providers to open their gates. Imagine if banks would made it difficult for clients to get their money out; imagine if they handed back a customer’s funds in a safe locked with a code that only the bank had, and if the safe contained a disorganised mixture of many different currencies. This would mean a complete loss of trust in the financial sector! We do not want that to happen in the digital economy.

This is why our actions are meant to boost trust in cloud computing. Another example of this is the self-regulatory work facilitated by the Commission on preparing for a future European cloud security certification scheme. Such a scheme could be adopted under the European cybersecurity certification framework established by the EU Cybersecurity Act, in which the EU agency for cybersecurity – ENISA - will play a key role. Currently there are so many certification schemes available on the market that their role in providing trust and legal certainty is seriously undermined. A European cloud security certification scheme will add clarity to users and reduce costs, notably for small and medium size cloud service providers, by creating a single certification process that will provide them with EU-wide visibility. So today, as we witness the start of application of the Free flow of non-personal data Regulation, it is a key step towards our goal of accomplishing free flows and secure data flows in Europe.