Discussions on the free flow of data are continuing. During a second structured dialogue meeting on 30 March, the Commission said that the main challenges that needed to be met included the lack of mutual trust, legal insecurity and a misconception of the current rules.
The flow of data is a sensitive subject in the EU. The directive on e-Commerce (2000/31/EC) focuses on the free movement of the information society and services between member states. Nonetheless, it allows the EU 28 to impose restrictions in certain conditions (public order, public health, public security, consumer protection, etc.).
At a time when cloud computing is in full expansion, the Commission would like to tackle unjustified restrictions regarding data location for storage or processing purposes.
According to our information, it has already submitted a draft regulation to the regulation examining committee (former impact assessment committee) but has not yet received the go-ahead because no justification for this approach has been received. Its approach is currently benefiting from the support of around 15 member states (Belgium, Bulgaria, Czech Republic, Denmark, Estonia, Ireland, Lithuania, Luxembourg, Netherlands, Poland, Slovenia, Sweden, United Kingdom, Slovakia and Finland) that are co-signatories to an unofficial document at the end of 2015 supporting the free circulation of data (see EUROPE 11681). One group of countries, however, including France, would like to introduce prior requirements on data access, reliability and portability.
Gathering the evidence
In this context, the Commission launched a consultation on 10 January for public authorities in an effort to identify possible justifications for restrictions, the means the EU has for tackling unjustified restrictions, in addition to the perceived impact of removing these unjustified restrictions. It is also carrying out a structured dialogue with member states and has requested the Time.lex, Spark Legal Network et T4i2 contractors to carry out a study into data localisation restrictions.
The preliminary results unveiled on 20 March as part of a workshop indicate 41 localisation obligations for storage or processing purposes in 20 member states: 11 direct barriers, such as geographic storage criteria and national technical requirements; 30 indirect barriers, including accessibility required by controllers, prior authorisation systems, access denied to third parties, restrictions for subcontractors, generic technical criteria, compulsory use of specific infrastructure, as well as segregation and destruction criteria in certain situations.
The obstacles involving different areas are: Seven to do with financial data, seven related to health, Four involving registration of citizens and businesses, Four involving legal and classified data, Seven to do with taxation and accounts and 12 involving a variety of different areas.
The preliminary study identifies these kinds of practices to varying degrees in Germany, Austria, Belgium, Bulgaria, Croatia, Denmark, Estonia, Finland, Ireland, Luxembourg, Netherlands, Poland, Portugal, Czech Republic, Romania, Slovenia and Sweden.
The contractors also questioned 20 stakeholders (11 from industry, 3 from the financial sector, 2 from the health sector and 4 from the public sector) and assert that the respondents indicated that, “The Commission could propose a regulation opening data localisation in the EU, in combination with a notification process, when national legal restrictions have to be approved by the EU”.
A new structured dialogue with member states is planned for 5 May but could be subject to change. (Original version in French by Sophie Petitjean)