Recently, much attention has been paid to the new EU General Data Protection Regulation (GDPR) that provides for the protection and free movement of personal data. The European Commission has now passed a proposal for a directly applicable regulation on the free movement of non-personal data. Together with the EU regulation on personal data protection, it will allow for the free movement of all types of data in the EU internal market.
Entities operating in the EU encounter various territorial restrictions on the storing of data files. For instance, confidentiality and professional secrecy regulations in healthcare, e.g., provide that data be stored and processed exclusively in the medical professional’s home state. Also, legal regulations of some EU member states stipulate that public sector entities store their data exclusively in the territory of the state. Finally yet importantly, there are recommendations of supervisory authorities in the financial sector regarding the storage of data at the place of financial companies’ registered offices.
Vendor lock-ins constitute yet another obstacle companies may come across, as providers of cloud services try to make transfers of uploaded data to a competitor impossible. All of the above, together with the legal uncertainty, explains why companies cannot, or feel they cannot, use cloud services of various providers across the European Union and transfer data back to their servers or between competing data storage providers. They hence believe they cannot freely chose the most cost-effective location for their files.
The proposed solution should finally eliminate these problems. EU member states should not in any manner be able to force companies to store or process non-personal data in the territory of a concrete state, except for reasons of national security. It should also be easier for companies to transfer uploaded files between various data storage providers. The European Union will encourage the creation of codes of conduct providing detailed conditions for the transfer of data files.
The proposal also deals with the issue of regulatory supervision by various national authorities: by placing the data in another state companies will not avoid regulatory supervision; in cooperation with authorities of other member states, national supervisory authorities will still have access to the needed data, even if it is stored in the territory of another member state.
The draft regulation now has to go through the EU legislative process. It is hard to estimate how long this may take, but, considering the political consensus, we do not expect major obstructions.