The Council of the European Union has just adopted the Regulation on the free flow of non-personal data. The European Parliament already agreed to the proposal on 4 October. Both institutions are now sending a clear message to Europe: you have the right to store and process your data wherever you want in the EU, as long as personal data protection rules are fully respected.

arrows placed in a circle

The free flow of non-personal data Regulation prohibits EU countries’ governments from putting in place unjustified data localisation restrictions, on the grounds that these represent a form of protectionism for which there is no place in a true single market. This will create legal certainty for businesses, with reassurance that they can process their data anywhere in the EU. This will increase trust in cloud computing and counter vendor lock-in, resulting in a more competitive cloud computing market and a boost of operational efficiency for European businesses that operate across borders.

The free flow of non-personal data Regulation does not change anything about the application of the General Data Protection Regulation, as it does not cover personal data. Data protection levels in the EU will therefore be completely unaffected.

With the adoption by both the Council and the European Parliament, the negotiation process is now finished. The Regulation will enter into force at the end of December 2018, and start to apply six months later.

How will the new regulation influence the free movement of non-personal data?

The Commission, Parliament and Council were able to reach strong common positions on the most important issues, such as:

  • Free flow of data across borders: the three institutions agreed on a strong principle of free flow of non-personal data, prohibiting data localisation restrictions in all cases, except if proportionate and duly justified by public security. On top of this, Member States will have to communicate any data localisation restrictions to the Commission.
  • Data availability for regulatory control: This principle will make sure that competent authorities will be able to access data for supervisory control wherever it is stored or processed in the EU. Member States may sanction users that do not provide access to data stored in another Member State, but as a rule they may not deviate from the free flow principle.
  • Switching cloud service providers: The Regulation requires cloud service providers and cloud users to jointly develop codes of conduct that will make it easier to switch clouds service providers. This will make the European cloud market more competitive and lead to lower prices. The codes must be developed and implemented by mid-2020.