Digital Single Market: Commission Proposes Free Flow of Non-Personal Data as Fifth Freedom of EU

The EU single market has dismantled borders between its Members by establishing the free movement of people, goods and services. Yet in the digital world, presumably one of the most open areas, location requirements concerning data still remain burdensome.

The location requirements constitute a form of legal obligation that enforces the location of data storage or other processing within the territory of a specific Member State. The Commission estimates that there are currently over 50 different regimes concerning data localisation in the EU. Vice-President for the Digital Single Market Andrus Ansip recently highlighted that, despite its importance and borderless feel, Europe’s digital economy is still strongly split along closed national lines.  

Being aware of these malfunctions, the Commission stated in the mid-term review of the 2015 Digital Single Market (DSM) strategy that moving from 28 national data markets to a single European market could contribute €415 billion per year to the EU economy, and the data economy’s share in the EU-wide GDP could go up to 4% by 2020. Therefore, in this Communication, presented on 10 May 2017, the Commission confirmed its plans to establish a principle of free data flow within the EU market.

As stated in the mid-term review, the DSM strategy aims to “make the EU's single market fit for the digital age” and the free flow of data should be considered as its “key part”. This document also declared that the establishment of the cross-border free flow of non-personal data should be based on the principle of porting data or availability of certain data for regulatory control purposes.

Not surprisingly, the DSM issues were presented among the key EU priorities in President Juncker’s 2017 State of the Union address, delivered on 13 September 2017. On the same day, the Commission presented its “Second Data Package” with the proposal for a Regulation on a framework for the free flow of non-personal data in the EU.

Choosing the form of a Regulation, the Commission clearly aims to ensure that free flow of non-personal data would be equally protected in all Member States, since, once adopted, the new data rules will not need to be transposed to the national legal orders of Member States and will become immediately enforceable.

Lastly, the Commission foresees that, the proposal together with the EU rules on personal data protection established by the General Data Protection Regulation (GDPR), would create a coherent legal framework for the secure EU dataspace.

Basis of the new Single Market freedom

This proposal, only 10 articles in length, covers both the substantive and institutional dimensions of the EU framework on the free flow of data.

Concerning its scope, according to Articles 1 and 2, the future Regulation would apply to storage or other processing of electronic data in the EU, excluding personal data. It would cover data provided as a service to users residing or having an establishment in the EU, regardless of whether the provider is established in the EU or not. The cases of data processing carried out by a natural or legal person residing or having an establishment in the EU for their own needs would also fall within the scope of the future act.

Article 4 should be treated as the key provision of the proposal. It aims to establish the new “freedom of the EU”. Article 4 foresees that Member States would only be allowed to invoke justifiable public security concerns to retain a barrier concerning the free location of data for storage or other processing. These would have to be justified as defined by EU law, most notably by Article 52 of the Treaty on the Functioning of the European Union (TFEU) and the principle of proportionality, laid down in article 5 of the Treaty on European Union (TEU). The significant character of Article 4 also highlights the fact that its construction mirrors key provisions of the TFEU, establishing freedoms of the single market.

More competences but fewer obligations

The proposal envisages new competences concerning data availability for the purpose of regulatory control conducted by competent authorities of the Member States. As a result, users would not be able to refuse to provide access to data to competent authorities on the basis that data is stored or otherwise processed in another Member State. In addition, it would also be possible for national authorities to request the assistance of an authority in another Member State, should all other applicable means to obtain access to the data be used.  

From the providers’ perspective, the proposal supports the development of self-regulatory schemes in relation to data porting.

It states that the Commission should facilitate the development of self-regulatory codes of conduct at Union level, in order to define guidelines on best practices in facilitating the switching of providers and to ensure that they provide professional users with sufficiently detailed, clear and transparent information before a contract for data storage or processing is concluded.

In this perspective, the Commission would be required to review the development and effective implementation of such codes of conduct two years after the application date.

Institutional support of the free flow of data

The institutional part of the proposal establishes bodies that would support the functioning of the free flow of data.

Article 7 envisages that Member States would be obliged to set up single points of contact which, by cooperating with each other and with the Commission, would support proper application of the future Regulation.

Single points of contact would also be responsible for the requests for assistance to gain access to data in other Member States (they would have to be submitted through the single point of contact in that Member State, with a justification and legal basis explaining the reason for this application).  

In addition, the Regulation would also establish a specific Free Flow of Data Committee, providing assistance to the Commission. However, the proposal remains vague when it comes to the specific tasks or assignments of this new Committee.

UK and free flow of data

The possible introduction of the new freedom also poses a question concerning the post-Brexit status of the UK in relation to data flows.

The United Kingdom has the largest internet economy as a percentage of its GDP of all G20 countries. Moreover, as estimated by Innovate UK, the UK innovation agency, around 43% of all large EU digital companies are started in the UK, the digital sector is good for 24% of all UK exports and 75% of the UK’s cross-border data flows are with EU countries. All these factors underline why the UK is interested in retaining the status quo when it comes to data flows, independently of the other freedoms of the EU single market.

Concerning the topic of data flows, the UK government presented a position paper on 24 August 2017, focusing on personal data and omitting the flow of non-personal data. The UK stresses that its laws are fully aligned with the legal framework of the EU at the time of Brexit, guaranteeing that there is no need to stop or lose the current framework.

The UK already hopes to find an agreement with the EU during the negotiations so that any legal uncertainty during the process can be avoided. The best option for the UK would be an ‘adequacy decision’, which, as defined in Article 25(6) of Directive 95/46/EC is an act accepting “that a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into”. An adequacy decision would mean that data can flow freely from the EU to the UK and basically nothing would change in this regard after Brexit.

Lastly, the UK position paper concludes that without the adequacy decision between the EU and UK, data could still flow on the basis of the GDPR and the Data Protection Directive (DPD) framework. However, this alternative option would not be as wide ranging as an adequacy decision would be.

Next Steps

The European Parliament and the Council will now express their positions on the Commission’s Proposal before starting inter-institutional negotiations, with a view to reaching a first reading agreement.  

Additional Facts:

Official title:

Commission proposal for a Regulation on a framework for the free flow of non-personal data in the European Union COM(2017)495