EU Governments to Negotiate With Parliament Over Digital Economy Data Transfer Law

Council of EUThe Council of the European Union (EU Council), which represents the governments of the 28 EU member countries, has decided to open negotiations with the European Parliament on a new law to ease the flow of non-personal data. The draft regulation, which was issued by the European Commission—the EU’s executive branch--in September, is designed to strengthen the EU digital economy and single digital market.

The regulation would exclusively cover non-personal data so as not to overlap with new EU privacy laws, including the General Data Protection Regulation (GDPR), which already allows for the free flow of personal data within the EU. The GDPR takes effect May 25, 2018. 

Types of data considered to be “non-personal” are rather limited due to the GDPR’s expansive definition of “personal data,” which includes any information that could identify a person directly or indirectly, including online identifier data. The draft regulation doesn’t define “non-personal data,” but explains it as any data that isn’t considered personal.

The draft regulation includes a provision that would limit an EU member country’s ability to demand that data be stored on servers within its borders. It would allow such data localization only if the country set out a public security basis for the requirement. 

“The primary objective of the initiative seems to be to address data localization/residency requirements that are popping up under national laws,” Lothar Determann, privacy partner at Baker McKenzie LLP in Palo Alto, told Bloomberg Law. Determann said that aggregate, statistical data, for example, could fall under the category of non-personal data, “but there are currently no meaningful legal restrictions on the free flow of aggregate, statistical data.”

However, given the public security exception, it is also possible that the proposed regulation could ultimately be a way for the EU to impose its own bloc-wide localization law under the guise of “free flow of data,” Determann said.

The European Parliament hasn’t adopted its position on the regulation. The EU Council and the Parliament would need to agree on the legislation to enact it.

The EU Council opinion is balanced and recognized “the importance of ensuring that non-personal data can flow freely within Europe’s single market,” Guido Lobrano, the senior director of global policy for Europe at the Information Technology Industry Council, a tech trade group whose membership includes Alphabet Inc.’s Google, Intel Inc., Microsoft Corp., McAfee Inc., and Twitter Inc., among many other industry leaders, said in a statement.

The free flow of non-personal has been a top priority for Estonia during its term as EU president.

“Data is at the heart of all modern economies and societies and can generate immense value. Seamless data mobility saves costs for businesses, especially for start-ups and small and medium-sized businesses, and is essential for many next-generation digital services,” Urve Palo, Estonian minister for entrepreneurship and information technology said in a statement.



To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.

By George R. Lynch