European industry does not really appreciate the tone the discussions have taken on the free flow of non-personal data. This is because on Monday 18 December, member states were supposed to discuss a new compromise put on the table by the Estonian Presidency of the Council of the European Union expanding the number of exceptions to public policy.
The draft regulation presented in September 2017 stipulated that the localisation of data for storage of processing could not be limited to the territory of a single member state, except for public security reasons. Any draft act from a state introducing another localisation requirement should be notified to the European Commission with an appropriate explanation. Similarly, any existing limit on free movement should be the subject of an appropriate justification in order to be maintained.
On 5 December, however, the French Senate adopted its recent recommendation denouncing the legislative proposal’s lack of compliance with the subsidiarity principle. The resolution highlights weaknesses in the impact study carried out by the European Commission, which it considers “does not justify the proposed initiative”. It emphasises that the benefits from the lifting of national localisation obligations that had been hoped for the European economy are poor, “0.06% of GDP”. It concludes that “the EMs can only be justified when invoking public safety, public order and public health to impose a data localisation obligation on their territory”.
A few days later, the Estonian Presidency published a draft compromise expanding the derogations to the regulation: therefore, it has stipulated that derogations are allowed when they are justified for the following imperative public security or public policy reasons… or involve activities relating to the “obligations" of an official authority. The following is also mentioned within the clause, “it should be noted that Union law does not impose a standard scale of values with regard to assessing conduct that could be considered contrary to public security or public policy".
Response from industry
As soon as this compromise was published in the French press (contexte.com), European industry responded by calling on the member states to “resist the temptation to water down the proposal”. The press release co-signed by Allied for Startups, BusinessEurope, The Software Alliance (BSA) and CCIA Europe, calls on the Council not to expand the derogation linked to public security included in the legislative proposal. “Efforts to broaden the scope of the exception to include all “public sector data,” and permit exceptions for any ‘public policy’ would pave the way for data localisation requirements to proliferate across the EU and therefore rendering the Regulation effectively irrelevant”. They call for the definition of a threat to public security as “a genuine and sufficiently serious threat to a fundamental interest of society”. (Original version in French by Sophie Petitjean)