One to Watch in 2021: Free Flow of Non-Personal Data within the EUFriday, 23 October 2020
By the deadline of 30 May 2021, all EU Member States are expected to have repealed any existing measures that inhibit the free flow of non-personal data within the EU.1 Although much of the focus in recent years surrounded the storage and processing of personal data under the General Data Protection Regulation (GDPR), it is important that the obligations relating to non-personal data within the EU are not forgotten.
What is non-personal data and how is it regulated?
Non-personal data, as the term suggests, is any data that does not constitute personal data under the GDPR. This covers a broad range of data and includes data which did not originally relate to an identified or identifiable natural person, such as data on maintenance needs for industrial machines, as well as data which was originally personal data, but was later made anonymous such as aggregated and anonymised data sets and more specific data sets for certain industry sectors.
Regulation (EU) 2018/1807 (the “Regulation”) introduced a framework on the free flow of non-personal electronic data in the EU. It aims to promote competition and support the EU’s objective of a digital single market. Part of this strategy aims to enhance access to online activities for businesses and individuals, with a view to placing the EU at the forefront of the digital marketplace.
Why will non-personal data matter in 2021?
The Regulation envisages the free movement of non-personal data across the EU without any interference from Member States. After the deadline of 30 May 2021, any existing measure in a Member State that contains a “data localisation” requirement is prohibited as it may hinder the free flow of non-personal data.
Data localisation is broadly defined under the Regulation and it extends to public authorities and bodies governed by public law (including the area of public procurement). At its simplest, data localisation means any law or measure that requires the collection, processing, and/or storage of non-personal data inside a particular country.
The only exception to the data localisation prohibition is where the restriction is justified in the interests of public security. Any such justification needs to adhere to the principle of proportionality and should be communicated to the European Commission by the Member State in advance of the May 2021 deadline.
How to prepare
If you are part of a public authority or body that is required to assist in the implementation of the Regulation, then the May 2021 deadline applies to your organisation. You may be required to review all legislative and administrative provisions under your organisation’s aegis and identify any measures that hinder the free flow of non-personal data in the EU.
Should your organisation be undertaking such a review, you may be liaising with a specific State Agency who will make an overall determination as to whether or not there is any justification on public security grounds to keep the data localisation requirements after the deadline. If you are involved in such a process or are making plans to review the requirements in the coming months, it is important to bear in mind that the overall determination will need to be made well in advance of the May 2021 deadline.
ByrneWallace will continue to monitor the position as the preparations for the Regulation continue. For further information, please contact Seán O’Donnell, Mary Jane Fegan or Orla Donovan from the ByrneWallace Litigation & Dispute Resolution Team or your usual ByrneWallace contact.
1 Regulation (EU) 2018/1807 of the European Parliament and of the Council dated 14 November 2018 which came into force in May 2019.