New EU Rules for the Free-Flow of Non-Personal Data on the Horizon
For many organisations, GDPR compliance has demanded significant time and resources in recent years. Indeed, GDPR compliance continues to prove time-consuming for many organisations, but as this shifts towards a ‘business-as-usual’ activity, the new EU regulation on the free flow of non-personal data (the “Regulation”) will require the close attention of many organisations.
The Regulation’s primary aim is to help expand and integrate the EU data economy as part of the EU’s wider strategic goal of a digital single market. It was published in the Official Journal of the EU on 28 November 2018 and is scheduled to apply in all Member States from late May 2019. For those organisations that (understandably) focussed on GDPR preparation and compliance throughout 2018 it is now time to assess the impact of the Regulation on their business and to take appropriate action.
In this briefing, we explain the concept of non-personal data and the key rules of the Regulation. We also provide some insight into the primary challenge that it presents for many organisations and discuss next steps organisations can take to prepare for the Regulation.
What is non-personal data?
Somewhat unusually, the Regulation defines non-personal data by reference to what it is not. In effect, non-personal data is any data that is not personal data under Article 4 of the GDPR (i.e. information relating to an identified or identifiable living natural person).
The Recitals to the Regulation provide further colour on the nature of non-personal data by providing a number of examples, including:
- aggregated and anonymised datasets used for big data analytics;
- data on precision farming that can help to monitor and optimise the use of pesticides and water; and
- data on maintenance needs for industrial machines.
What are the key rules introduced by the Regulation?
Free movement of non-personal data within the EU
The Regulation prohibits Member States from introducing data-localisation restrictions with respect to the storage and/or processing of non-personal data. Data localisation restrictions come in many forms and include legislative requirements that data generated in a particular country, or relating to residents or corporates of that country, be processed and stored in that country. The effect of this prohibition is that organisations will be able to process and store non-personal data anywhere in the EU without interference or restriction by Member States.
There is an exemption to this prohibition where a Member State is able to demonstrate that data localisation restrictions are justified on grounds of public security. To try and avail of this exemption, the Member State must communicate any remaining or proposed data localisation restrictions to the European Commission, together with the justification for such restriction.
Data availability for regulatory authorities
The Regulation aims to mitigate a potential regulatory impediment to the free-flow of non-personal data within the EU by safeguarding access to such data for competent authorities regardless of the location of the relevant data in the EU. In order to do this, the Regulation:
- broadly defines the concept of competent authority so as to cover a wide-range of bodies that exercise official duties in the EU; and
- prohibits organisations from refusing to supply a competent authority with requested non-personal data on grounds that such data is stored in a Member State other than the competent authority’s home state.
By way of example, this means that in practice the Regulation should facilitate access (on request) by a local Member State regulator to non-personal data processed by an organisation under its jurisdiction but which is located in a Member State outside of that regulator’s jurisdiction.
Porting of data
The Regulation also encourages self-regulation by promoting the development of industry-specific codes of conduct that facilitate structured, transparent and seamless data sharing between service providers. In turn, it is hoped that this will make it simpler for customers to switch service providers and consequently drive efficiency and competition in the data economy.
Primary challenge presented by the Regulation
Many organisations will accept that the objective of the Regulation is laudable – expand and integrate the EU data economy for the benefit of customers and suppliers. However, the practical challenges that the Regulation presents may be less warmly greeted by organisations across the EU.
Data is becoming an increasingly important asset for many organisations and the manipulation of large datasets is an ever more important aspect of driving organisational efficiencies and performance. However, large datasets can be a complex mix of information – some of which may be personal data and some of which may not be personal data. The Regulation fails to adequately account for this practical reality. It is designed to apply to non-personal data only and does not substantively address the practical challenge of its application to mixed datasets nor how it interacts with the GDPR in such circumstances.
It is expected that EU regulatory guidance on how to handle mixed datasets (including the interaction between the Regulation and the GDPR) will be issued prior to May 2019. However, before such guidance is published (and possibly even after its publication), organisations may struggle to square the regulatory circle presented by the Regulation and determine next steps to take towards compliance.
Some organisations may choose to wait until there is regulatory guidance on the Regulation before undertaking any ‘heavy lifting’ on their compliance efforts. However, taking some steps now may alleviate the pain of working towards compliance with the Regulation when time is running particularly short.
At this point, organisations may wish to carry out an initial assessment to identify their main datasets that are likely to be subject to the Regulation (either in whole or in part). In doing this, organisations could decide to avoid engaging in detailed data analysis akin to data mapping exercises conducted by some organisations as part of their GDPR preparedness. Instead, identifying the relevant datasets and understanding – at least at a high level – the type of information within that dataset that may be subject to the Regulation may well prove to be a useful first step.
From this point, organisations will be able to act more swiftly in response to regulatory guidance on the Regulation. Prompt action may also assist organisations in beginning to understand the types of steps it may be able to take to delineate personal data and non-personal data in its datasets for the purpose of the Regulation and the feasibility of these steps, to the extent that they become necessary.