Free flow of non-personal data

In force Data & Privacy Regulation Adopted: 14 November 2018 · Applies from: 29 May 2019

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

Regulation (EU) 2018/1807 establishes the principle of the free movement of non-personal data within the EU by prohibiting unjustified data localisation requirements imposed by Member States. It also introduces rules to ensure data availability for competent authorities and encourages industry-led codes of conduct to facilitate switching and porting of data between service providers. The Regulation complements the GDPR for datasets that are non-personal or mixed (personal and non-personal).

Who is affected?

Member States (which must remove or avoid unjustified data localisation requirements) and businesses that store or process non-personal data in the EU, including providers of data processing services such as cloud and other digital infrastructure services. It also affects competent authorities that may request access to data for regulatory control purposes.

Scope

Applies to the processing of electronic data other than personal data in the EU, including mixed datasets, and addresses data localisation, regulatory access to data, and data portability/switching practices for data processing services.

Key Points

  • Prohibits Member States from imposing data localisation requirements for non-personal data unless they are justified on grounds of public security and are proportionate.
  • Requires Member States to notify the Commission of any existing or new data localisation requirements and to make them publicly available.
  • Ensures that competent authorities retain access to data for regulatory control purposes even when data is stored or processed in another Member State.
  • Encourages the development of self-regulatory codes of conduct to facilitate switching and porting of data between data processing service providers (data portability).
  • Clarifies interaction with the GDPR for mixed datasets: GDPR applies to the personal-data part, while this Regulation applies to the non-personal part.

Key Deadlines

  • — Date of application

Frequently Asked Questions

Who must comply with Regulation (EU) 2018/1807 on the free flow of non-personal data?

Member States, businesses that store or process non-personal data in the EU, and providers of data processing services such as cloud and digital infrastructure providers must comply. Competent authorities are also affected regarding their access to data for regulatory purposes.

What types of data are covered by this Regulation?

The Regulation covers electronic data other than personal data, including non-personal data and mixed datasets (datasets containing both personal and non-personal data). It does not apply to data that is exclusively personal data, which remains under the GDPR.

What are data localisation requirements and how does the Regulation address them?

Data localisation requirements are national rules that mandate data to be stored or processed within a specific country's borders. The Regulation prohibits such requirements for non-personal data unless they are justified on grounds of public security and are proportionate.

What obligations do Member States have under this Regulation?

Member States must remove or avoid introducing unjustified data localisation requirements and notify the European Commission of any such existing or new requirements, making them publicly available. They must also ensure that competent authorities can access data for regulatory control, regardless of where it is stored in the EU.

How does the Regulation facilitate data portability and switching between service providers?

The Regulation encourages the development of industry-led codes of conduct to make it easier for users to switch between data processing service providers and to port their data, enhancing competition and user choice.

What are the penalties for non-compliance with this Regulation?

The Regulation itself does not specify penalties but requires Member States to lay down rules on penalties applicable to infringements. These penalties must be effective, proportionate, and dissuasive.

How does this Regulation interact with the GDPR?

For mixed datasets containing both personal and non-personal data, the GDPR applies to the personal data portion, while Regulation (EU) 2018/1807 applies to the non-personal data portion. The two regulations are designed to complement each other.

What practical steps should businesses take to comply with this Regulation?

Businesses should review their data storage and processing arrangements to ensure they do not impose or adhere to unjustified data localisation requirements. They should also monitor developments in industry codes of conduct for data portability and be prepared to facilitate data switching and porting if requested.

Are there any exceptions to the prohibition on data localisation requirements?

Yes, Member States may impose data localisation requirements if they are justified on grounds of public security and are proportionate to the objective pursued. Any such requirements must be notified to the European Commission.

What is the timeline for compliance with this Regulation?

The Regulation has been in force since December 18, 2018. Member States and businesses have been required to comply since that date.

Key Terms

Non-personal data
Data that does not relate to an identified or identifiable natural person, such as aggregated statistics, anonymised datasets, or machine-generated data.
Data localisation requirement
A legal or administrative mandate requiring data to be stored or processed within a specific geographic territory, typically a Member State.
Mixed dataset
A dataset that contains both personal data (subject to GDPR) and non-personal data (subject to this Regulation).
Data portability
The ability for users to move or transfer their data from one service provider to another in a structured, commonly used, and machine-readable format.
Competent authority
A public authority or body empowered by law to access data for regulatory control or oversight purposes.
Codes of conduct
Industry-led, self-regulatory frameworks that establish best practices for facilitating data portability and switching between service providers.
Public security exception
A justification allowing Member States to impose data localisation requirements if necessary for public security and proportionate to the aim pursued.
Data processing service provider
Any entity offering services for the storage or processing of data, such as cloud computing or digital infrastructure providers.
Regulatory control
The ability of competent authorities to access and oversee data for the purposes of enforcing laws and regulations.
Notification obligation
The requirement for Member States to inform the European Commission of any existing or new data localisation requirements and to make these publicly accessible.