After just two working meetings, the European Parliament and Council managed to reach an informal agreement on 19 June on the free flow of non-personal data. The new text prohibits unjustified data localisation except for public security reasons.
The Vice President responsible for the Single Digital Market, Andrus Ansip, stated, “Data localisation restrictions are signs of protectionism for which there is no place in a single market. After free movement of people, goods, services and capital, we have made the next step with this agreement for a free flow of non-personal data to drive technological innovations and new business models and create a European data space for all types of data”.
Compromise closely scrutinised
The future regulation still needs to be formally approved by co-legislators and strongly resembles what had been presented by the European Commission in September 2017. It prohibits localisation requirements except in exceptional circumstances that respect the proportionality principle and only if they are justified by imperative public security reasons. The Member States will have to inform the Commission of any data localisation restrictions they intend to maintain or introduce in specific situations limited to processing data from the public sector. The compromise also explains that the future regulation will not have any impact on the application of the General Data Protection Regulation (GDPR) because it does not cover personal data.
Contrary to what the Council was calling for, the text applies to the public sector. According to one source at the Commission, "During the meeting on 19 June, the co-legislators discussed what happens when a public authority has its own storage centre and private cloud. A regulation in a member state involving the private management of an authority for example, if the government has built a data processing centre and has decided to store in its data at this body - is not affected. If a public body outsources its storage services, however, it is covered and localisation requirements are not permitted”.
Data portage
The text does not strictly speaking regulate data portage but it does call on the cloud industry to adopt codes of conduct that cover good practices for changing provider and minimum information requirements, 18 months after the date of publication of the new regulation. Our Commission source explained that the drafting of these codes is currently being undertaken. (Original version in French by Sophie Petitjean)