Connect with us


#DigitalSingleMarket - Commission publishes guidance on free flow of non-personal data




We use your sign-up to provide content in ways you've consented to and to improve our understanding of you. You can unsubscribe at any time.

The European Commission has published a new guidance on the interaction of free flow of non-personal data with the EU data protection rules.

As part of the Digital Single Market strategy, the new Regulation on the free flow of non-personal data, which has started to apply in the member states, will allow data to be stored and processed everywhere in the EU without unjustified restrictions. The guidance aims to help users – in particular small and medium-sized enterprises – understand the interaction between these new rules and the General Data Protection Regulation (GDPR) - especially when datasets are composed of both personal and non-personal data.

Digital Single Market Vice President Andrus Ansip said: “By 2025 the data economy of the EU-27 is likely to provide 5.4% of its GDP, equivalent to €544 billion. However, that huge potential is limited if data cannot move freely. By removing forced data localization restrictions, we give more people and businesses the chance to make the most out of data and its opportunities. This guidance will now give full clarity on how free-flow of non-personal data interacts with our strong personal data protection rules.”


Digital Economy and Society Commissioner Mariya Gabriel said: “Our economy is increasingly driven by data. With the regulation on the free flow of non-personal data and the General Data Protection Regulation, we have a comprehensive framework for a common European data space and the free movement of all data within the European Union. The guidance that we are publishing today will help businesses, especially small and medium-sized enterprises, to understand the interaction between the two regulations.”

Together with the General Data Protection Regulation (GDPR), which started to apply one year ago, the new Regulation on the free flow of non-personal data provides for a stable legal and business environment on data processing. The new Regulation prevents EU countries from putting laws in place that unjustifiably force data to be held solely inside national territory. It is the first of its kind in the world. The new rules increase legal certainty and trust for businesses and make it easier for SMEs and start-ups to develop new innovative services, to make use of the best offers of data processing services in the internal market, and to expand business across borders.

Today's guidance gives practical examples on how the rules should be applied when a business is processing datasets composed of both personal and non-personal data. It also explains the concepts of personal and non-personal data, including mixed datasets; lists the principles of free movement of data and the prevention of data localisation requirements under both, the GDPR and the free flow of non-personal data Regulation; and covers the notion of data portability under the Regulation on the free flow of non-personal data. The guidance also includes the self-regulatory requirements set out in the two Regulations.



The Commission presented the framework for the free flow of non-personal data in September 2017 as part of President Jean-Claude Juncker's State of the Union address to unlock the full potential of the European Data Economy and the Digital Single Market strategy. The new Regulation applies since yesterday 28 May. As part of the new rules, the Commission was required to publish guidance on the interaction between this Regulation and the General Data Protection Regulation (GDPR), especially as regards datasets composed of both personal and non-personal data.

The free flow of non-personal data rules are in line with existing rules for the free movement and portability of personal data in the EU. They:

  • Ensure the free flow of data across borders: The new rules set a framework for data storing and processing across the EU, preventing data localisation restrictions. Member States will have to communicate any remaining or planned data localisation restrictions to the Commission, which in turn will assess if they are justifiable. The two Regulations will function together to enable the free flow of any data – personal and non-personal – thus creating a common European space for data. In the case of a mixed dataset, the GDPR provision guaranteeing free flow of personal data will apply to the personal data part of the set, and the free flow of non-personal data principle will apply to the non-personal part.
  • Ensure data availability for regulatory control: Public authorities will be able to access data for scrutiny and supervisory control wherever it is stored or processed in the EU. Member States may sanction users that do not provide upon request by a competent authority access to data stored in another Member State.
  • Encourage the development of codes of conduct for cloud services to facilitate switching between cloud service providers by the end of November 2019. This will make the market for cloud services more flexible and the data services in the EU more affordable.

More information

Commission publishes guidance on free flow of non-personal data - Questions and Answers

Guidance on the Regulation on the free flow of non-personal data

Free flow of non-personal data - Factsheet

A framework for the free flow of non-personal data in the EU – Questions and Answers

Regulation on the free flow of non-personal data

General Data Protection Regulation: one year on

Cloud stakeholder working groups on cloud switching and cloud security certification

Practical information about free flow of data on Your Europe portal


Greater protection, innovation and growth in the UK’s data sector as announced by the UK's Digital Secretary



The Information Commissioner’s Office (ICO) is set for an overhaul to drive greater innovation and growth in the UK’s data sector and better protect the public from major data threats, under planned reforms announced by the Digital Secretary Oliver Dowden

Bridget Treacy, partner (UK privacy and cybersecurity practice), Hunton Andrews Kurth, said: “The UK government has signalled an ambitious vision for reforming the UK’s data protection laws, simplifying the current regime, reducing red tape for business and encouraging data-led innovation. After careful analysis, the government believes it can significantly improve the UK’s data privacy regime and how it works in practice, while retaining high standards of protection for individuals. Far from attempting to replace the current regime, this looks like an attempt to fine tune it, making it better able to serve the needs of all stakeholders and a better fit for the digital age. 

“Taking a fresh look at international data flows is long overdue, and here it will be interesting to see how creative the UK government is prepared to be. Global data flows are an inevitable part of global commerce and the Covid-19 pandemic highlighted the need for global collaboration in research and innovation. The UK government wants to enable trusted and responsible data flows, without reducing protection for individuals, and without needless red tape. A more agile, flexible, risk-based and outcomes-driven approach for determining adequacy may improve data protection overall. But here the government will need to take particular care, assuming it wishes to retain the UK’s adequacy status in the EU.


“It appears that even the Information Commissioner’s Office will be the subject of reform, with proposals to modernize the governance structure of the data protection regulator, set clear objectives and to ensure greater transparency and accountability. The ICO is a highly respected data protection regulator, offering much admired global leadership on difficult issues. Care will be needed to ensure the ICO’s much vaunted and highly valued independence are not compromised by the proposed reforms.

“Overall, this looks like a thoughtful attempt to improve the UK’s existing data protection regime, not through radical change, but by building on and fine tuning the existing framework to make it a better fit for our digital age. Organizations should welcome the opportunity to contribute to this consultation.”

Bojana Bellamy, president of Hunton Andrews Kurth’s Centre for Information Policy Leadership (CIPL), a pre-eminent global information policy think tank located in Washington, DC, London and Brussels said: “The UK government vision is a positive development and is much needed to address the opportunities and challenges of our digital age. The plans should be welcomed in both the U.K. and in the EU. This is not about lowering the level of data protection or getting rid of GDPR, it is about making the law actually work in practice, more effectively and in a way that creates benefits for all – organisations using data, individuals, regulators and the UK society and economy. Laws and regulatory practices need to evolve and be agile just like the technologies they are trying to regulate. Countries that create the flexible and innovative regulatory regimes will be better placed to respond to the Fourth Industrial Revolution we are witnessing today.


“There is no doubt that some aspects of the GDPR do not work well, and some areas are unhelpfully obscure. For example, the rules for data use in scientific and industrial research and innovation are cumbersome to locate and analyse, hindering use and sharing of data for these beneficial purposes; it is difficult to use personal data for training AI algorithms to avoid bias; individuals’ consent to data processing has been rendered meaningless through over-use; and international data flows have become mired in red tape.

“The UK government’s bold vision to simplify the current data protection regime, reduce red tape, put more onus on organisations to manage and use data responsibly, and to reinforce the pivotal role of the UK privacy regulator is the right way forward. It achieves both effective protection for individuals and their data and enables data driven innovation, growth and societal benefits. Other governments and countries should follow the UK lead.

“It is high time to revamp the rules for international data flows and the UK Government is absolutely right to focus on enabling trusted and responsible data flows. Businesses in all sectors will welcome a more seamless regime for data transfers and adequacy decisions in respect of more countries. Corporate data privacy officers divert too much resource to addressing the legal technicalities of data flows from the EU, especially in the aftermath of the EU Schrems II judgement. Consumers and businesses would be better served by organisations focusing on privacy by design, risk impact assessments and building comprehensive privacy management programmes fit for the new digital economy. 

“It is encouraging that the government recognizes the UK Information Commissioner’s Office as a key digital regulator in the UK, with a critical remit of protecting both individuals’ information rights and enabling responsible data driven innovation and growth in the UK. The ICO has been a progressive regulator and influencer in the global regulatory community. The ICO must be given the resources and tools to be strategic, innovative, engaging early on with organisations using data and encouraging and rewarding best practices and accountability.”

Continue Reading


New rules on open data and reuse of public sector information start to apply



17 July marked the deadline for member states to transpose the revised Directive on open data and reuse of public sector information into national law. The updated rules will stimulate the development of innovative solutions such as mobility apps, increase transparency by opening the access to publicly funded research data, and support new technologies, including artificial intelligence. A Europe fit for the Digital Age Executive Vice President Margrethe Vestage said: “With our Data Strategy, we are defining a European approach to unlock the benefits of data. The new directive is key to make the vast and valuable pool of resources produced by public bodies available for reuse. Resources that have already been paid by the taxpayer. So the society and the economy can benefit from more transparency in the public sector and innovative products.”

Internal market Commissioner Thierry Breton said: “These rules on open data and reuse of public sector information will enable us to overcome the barriers that prevent the full re-use of public sector data, in particular for SMEs. The total direct economic value of these data is expected to quadruple from €52 billion in 2018 for the EU Member States and the UK to €194 billion in 2030. Increased business opportunities will benefit all EU citizens thanks to new services.”

The public sector produces, collects and disseminates data in many areas, for example geographical, legal, meteorological, political and educational data. The new rules, adopted in June 2019, ensure that more of this public sector information is easily available for re-use, thus generating value for the economy and society. They result from a review of the former Directive on the re-use of public sector information (PSI Directive). The new rules will bring the legislative framework up to date with recent advances in digital technologies and further stimulate digital innovation. More information is available online.  


Continue Reading


EU can be €2 trillion better off by 2030 if cross-border data transfers are secured



DigitalEurope, the leading trade association representing digitally transforming industries in Europe and which has long list of corporate members including Facebook are calling for an overhaul of the General Data Protection Regulation (GDPR). A new study commissioned by the lobby shows that policy decisions on international data transfers now will have significant effects on growth and jobs across the whole European economy by 2030, impacting Europe’s Digital Decade goals.

Overall, Europe could be €2 trillion better off by the end of the Digital Decade if we reverse current trends and harness the power of international data transfers. This is roughly the size of the entire Italian economy any given year. The majority of the pain in our negative scenario would be self-inflicted (around 60%). The effects of the EU’s own policy on data transfers, under the GDPR and as part of the data strategy, outweigh those of restrictive measures taken by our major trade partners. All sectors and sizes of the economy are impacted across all Member States. Data-reliant sectors make up around half of EU GDP. In terms of exports, manufacturing is likely to be hit the hardest by restrictions on data flows. This is a sector where SMEs make up a quarter of all exports. "Europe stands at a crossroads. It can either set the right framework for the Digital Decade now and facilitate the international data flows that are vital to its economic success, or it can slowly follow its current trend and move towards data protectionism. Our study shows that we could be missing out on around €2 trillion worth of growth by 2030, the same size as the Italian economy. The growth of the digital economy and the success of European companies is dependent on the ability to transfer data. This is especially so when we note that already in 2024, 85 per cent of the world’s GDP growth is expected to come from outside the EU. We urge policymakers to use the GDPR data transfer mechanisms as it was intended, namely to facilitate – not to hinder – international data flows, and to work towards a rule-based agreement on data flows at the WTO." Cecilia Bonefeld-Dahl
Director General of DIGITALEUROPE
Read the full report here Policy recommendations
The EU should: Uphold the viability of GDPR transfer mechanisms, for example: standard contractual clauses, adequacy decisions Safeguard international data transfers in the data strategy Prioritise securing a deal on data flows as part of the WTO eCommerce negotiations
Key findings
In our negative scenario, which reflects our current path, Europe could miss out on: €1.3 trillion extra growth by 2030, the equivalent to the size of the Spanish economy; € 116 billion exports annually, the equivalent to Sweden’s exports outside the EU, or those of the ten smallest countries of the EU combined; and 3 million jobs. In our optimistic scenario, the EU stands to gain: €720 billion extra growth by 2030 or 0.6 per cent GDP per year; €60 billion exports per year, over half coming from manufacturing; and 700,000 jobs, many of which are highly skilled. The difference between these two scenarios is €2 trillion in terms of GDP for the EU economy by the end of the Digital Decade. The sector that stands to lose the most is manufacturing, suffering a loss of €60 billion in exports. Proportionately, media, culture, finance, ICT and most business services, such as consulting, stand to lose the most – about 10 per cent of their exports. However, these same sectors are those that stand to gain the most should we manage to change our current direction. A majority (around 60 per cent) of the EU’s export losses in the negative scenario come from an increase in its own restrictions rather than from third countries’ actions. Data localisation requirements could also hurt sectors that do not participate heavily in international trade, such as healthcare. Up to a quarter of inputs into the provision of healthcare consist of data-reliant products and services. In the major sectors affected, SMEs account for around a third (manufacturing) and two-thirds (services such as finance or culture) of turnover. Exports by data-reliant manufacturing SMEs in the EU are worth around €280 billion. In the negative scenario, exports from EU SMEs would fall by €14 billion, while in the growth scenario they would increase by €8 Data transfers will be worth at least €3 trillion to the EU economy by 2030. This is a conservative estimate because the model’s focus is international trade. Restrictions on internal data flows, e.g. internationally within the same company, mean this figure is likely much higher.
More information on the study
The study looks at two realistic scenarios, closely aligned with current policy debates. The first, ‘negative’ scenario (referred to throughout the study as the ‘challenge scenario’) takes into account current restrictive interpretations of the Schrems II ruling from the Court of Justice of the EU, whereby data transfer mechanisms under the GDPR are made largely unusable. It also takes into account an EU data strategy that places restrictions on the transfers of non-personal data abroad. Further afield, it considers a situation where major trade partners tighten restrictions on the flow of data, including through data localisation. The study identifies sectors in the EU that rely heavily on data, and calculates the impact of restrictions to cross-border transfers on the EU economy up to 2030. These digitising sectors, across a variety of industries and business sizes, including a large proportion of SMEs, make up half of EU GDP.
Read the full report here

Continue Reading