The European Commission is gearing up for its presentation in the next few weeks of its legislative proposal on the free flow of data. The draft regulation leaked by the Politico website prohibits unfair data localisation and promotes self-regulation on the question of access.
The free flow of data is one of the favourite subjects of Vice President Andrus Ansip: he has so far presented two impact studies both of which were revised by the regulatory control committee on impact assessment (28 September 2016 and 25 August 2017).
We should not be discouraged, however, because Mr Ansip has been bolstered by a hard core of 14 member states (see EUROPE 11681) and strong support from his country (which currently occupies the rotating Presidency of the Council) and he is preparing to present a draft regulation on the matter this autumn. He is arguing that the general regulation on data protection (2016/679), which already contains a raft of rules on processing personal data in the EU, does not apply to impersonal data when it involves industrial or automatically generating data nor to barriers to the free flow of personal data outside of the area of data protection, such as taxation and accounting legislation. Last July, he obtained the agreement in principle from the Ministers for Telecommunications (see EUROPE 11832).
Content analysis
The draft text unveiled by the press prohibits any restrictions on data localisation for storage and/or subsequent processing of this data within the Union, except for reasons linked to national security. It is particularly focused on four different areas: data localisation conditions, their availability to the appropriate authorities, contractual transparency relating to storage access and security and data processing. It makes it incumbent on member states to provide notification of the national rules they introduce on localisation requirements and any unfair restrictions that exist a year after application of the said regulation. It also explains that member states that wish to maintain contrary provisions would be obliged to provide notification and justification to the Commission. These provisions would be included in a “single online point of information” that is freely accessible.
Portability excluded
In an effort to overcome the misgivings expressed by France, the draft text does not provide rules on the portability of cloud computing services. The draft text indicates, “The proposal is less stringent and more proportionate as it does not create a new right of cloud services portability and relies on self- regulation facilitated by the Commission”. The text also indicates that the initial idea consisted of introducing an obligation incumbent on providers to facilitate switches or access to users’ data. The leaked text mentions the adoption of codes of conduct two years after its entry into force, which outline the data access conditions by market actors through the free flow of data. Nonetheless, it stipulates that if self-regulation measures are not implemented “in a reasonable time”, it will still be possible for the Commission to determine the conditions for this access by way of act of implementation.
It should also be pointed out that the Commission is seeking to reassess the rules five years after they have been implemented. (Original version in French by Sophie Petitjean)