This study from London Economics points to restrictions of the free flow of data within the European Union. In the EU there are numerous legal and administrative requirements to localise data, especially in the form of compliance obligations aimed at ensuring regulatory oversight and access. Many believe, wrongly, that data storage and processing within national boundaries is mandatory or advised. (study reference: SMART 2015/0016)

The EU supported study "Facilitating cross border data flow in the Digital Single Market" investigated restrictions on the free flow of data within the EU by looking at 8 Member States (Czech Republic, France, Germany, Italy, Lithuania, Luxembourg, Spain and the United Kingdom).

Unnecessary requirements to maintain control over the location where data and documents physically reside are an obstacle to the free flow of data within the Single Market.

The study found thet legal restrictions of intra-EU data transfers exist mainly in the form of access regulation and notification requirements (e.g. by regulators, tax authorities) for specific types of information.  Evidence was found of internal company policies that are at least as restrictive as the legislation in place. Some businesses have strict ‘data residency’ requirements that are not based on any formal legal restrictions. Evidence of such restrictions has been found in Germany and France.

Location is seen by many market participants as a proxy for substantial assurances in terms of data access, privacy, audit, data integrity and law enforcement, despite the fact that technical security is not enhanced by local data storage.

However, functional requirements for data storage and processing within national boundaries arise from legitimate concerns about illegal access; accessibility of services and support (including language barriers); and latency and bandwidth. These cannot be dismissed and may justify location preferences.

An important finding is the widespread misinterpretation of the existing legal framework. Many market participants assume data storage and processing within national boundaries is mandatory or advised where it in fact is not.

The emphasis in public discourse on the loss of control over (personal) data appears to over-sensitize market participants when it comes to data processing in general. Part of the reluctance to take advantage of existing cross-border data services in the EU is likely to reflect this ‘cross-contamination’.

The study was conducted by London Economics from September 2015 to June 2016.

Findings of this study, together with analyses of the study "Measuring the economic impact of cloud computing in Europe" and the findings of the ongoing study "Cross-border data flow in the Digital Single Market: data location restrictions "  served towards the European Commission's activities in the policy area of data localisation restrictions, mainly in the Communication on Building a European Data Economy .

Related documents: