Legal provisions of COM(2017)495 - Framework for the free flow of non-personal data in the EU

dossier COM(2017)495 - Framework for the free flow of non-personal data in the EU.
document COM(2017)495 EN
date November 14, 2018

Article 1 - Subject matter

This Regulation aims to ensure the free flow of data other than personal data within the Union by laying down rules relating to data localisation requirements, the availability of data to competent authorities and the porting of data for professional users.

Article 2 - Scope

1. This Regulation applies to the processing of electronic data other than personal data in the Union, which is:

(a) provided as a service to users residing or having an establishment in the Union, regardless of whether the service provider is established or not in the Union; or

(b) carried out by a natural or legal person residing or having an establishment in the Union for its own needs.

2. In the case of a data set composed of both personal and non-personal data, this Regulation applies to the non-personal data part of the data set. Where personal and non-personal data in a data set are inextricably linked, this Regulation shall not prejudice the application of Regulation (EU) 2016/679.

3. This Regulation does not apply to an activity which falls outside the scope of Union law.

This Regulation is without prejudice to laws, regulations, and administrative provisions that relate to the internal organisation of Member States and that allocate, among public authorities and bodies governed by public law defined in point (4) of Article 2(1) of Directive 2014/24/EU, powers and responsibilities for the processing of data without contractual remuneration of private parties, as well as the laws, regulations, and administrative provisions of Member States that provide for the implementation of those powers and responsibilities.

Article 3 - Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘data’ means data other than personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679;

(2) ‘processing’ means any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3) ‘draft act’ means a text drafted for the purpose of being enacted as a law, regulation or administrative provision of a general nature, the text being at the stage of preparation at which substantive amendments can still be made;

(4) ‘service provider’ means a natural or legal person who provides data processing services;

(5) ‘data localisation requirement’ means any obligation, prohibition, condition, limit or other requirement provided for in the laws, regulations or administrative provisions of a Member State or resulting from general and consistent administrative practices in a Member State and in bodies governed by public law, including in the field of public procurement, without prejudice to Directive 2014/24/EU, which imposes the processing of data in the territory of a specific Member State or hinders the processing of data in any other Member State;

(6) ‘competent authority’ means an authority of a Member State or any other entity authorised by national law to perform a public function or to exercise official authority, that has the power to obtain access to data processed by a natural or legal person for the performance of its official duties, as provided for by Union or national law;

(7) ‘user’ means a natural or legal person, including a public authority or a body governed by public law, using or requesting a data processing service;

(8) ‘professional user’ means a natural or legal person, including a public authority or a body governed by public law, using or requesting a data processing service for purposes related to its trade, business, craft, profession or task.

Article 4 - Free movement of data within the Union

1. Data localisation requirements shall be prohibited, unless they are justified on grounds of public security in compliance with the principle of proportionality.

The first subparagraph of this paragraph is without prejudice to paragraph 3 and to data localisation requirements laid down on the basis of existing Union law.

2. Member States shall immediately communicate to the Commission any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement in accordance with the procedures set out in Articles 5, 6 and 7 of Directive (EU) 2015/1535.

3. By 30 May 2021, Member States shall ensure that any existing data localisation requirement that is laid down in a law, regulation or administrative provision of a general nature and that is not in compliance with paragraph 1 of this Article is repealed.

By 30 May 2021, if a Member State considers that an existing measure containing a data localisation requirement is in compliance with paragraph 1 of this Article and can therefore remain in force, it shall communicate that measure to the Commission, together with a justification for maintaining it in force. Without prejudice to Article 258 TFEU, the Commission shall, within a period of six months from the date of receipt of such communication, examine the compliance of that measure with paragraph 1 of this Article and shall, where appropriate, make comments to the Member State in question, including, where necessary, recommending the amendment or the repeal of the measure.

4. Member States shall make the details of any data localisation requirements laid down in a law, regulation or administrative provision of a general nature and applicable in their territory publicly available via a national online single information point which they shall keep up-to-date, or provide up-to-date details of any such localisation requirements to a central information point established under another Union act.

5. Member States shall inform the Commission of the address of their single information point referred to in paragraph 4. The Commission shall publish the link(s) to such point(s) on its website, along with a regularly updated consolidated list of all data localisation requirements referred to in paragraph 4, including summarised information on those requirements.

Article 5 - Data availability for competent authorities

1. This Regulation shall not affect the powers of competent authorities to request, or obtain, access to data for the performance of their official duties in accordance with Union or national law. Access to data by competent authorities may not be refused on the basis that the data are processed in another Member State.

2. Where, after requesting access to a user's data, a competent authority does not obtain access and if no specific cooperation mechanism exists under Union law or international agreements to exchange data between competent authorities of different Member States, that competent authority may request assistance from a competent authority in another Member State in accordance with the procedure set out in Article 7.

3. Where a request for assistance entails obtaining access to any premises of a natural or legal person, including to any data processing equipment and means, by the requested authority, such access must be in accordance with Union law or national procedural law.

4. Member States may impose effective, proportionate and dissuasive penalties for failure to comply with an obligation to provide data, in accordance with Union and national law.

In the case of abuse of rights by a user, a Member State may, where justified by the urgency of accessing the data and taking into account the interests of the parties concerned, impose strictly proportionate interim measures on that user. If an interim measure imposes re-localisation of data for a duration that is longer than 180 days following re-localisation, it shall be communicated within that 180-day period to the Commission. The Commission shall, in the shortest possible time, examine the measure and its compatibility with Union law, and, where appropriate, take the necessary measures. The Commission shall exchange information with the single points of contact of Member States referred to in Article 7 on experience gained in this regard.

Article 6 - Porting of data

1. The Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level (‘codes of conduct’), in order to contribute to a competitive data economy, based on the principles of transparency and interoperability and taking due account of open standards, covering, inter alia, the following aspects:

(a) best practices for facilitating the switching of service providers and the porting of data in a structured, commonly used and machine-readable format including open standard formats where required or requested by the service provider receiving the data;

(b) minimum information requirements to ensure that professional users are provided, before a contract for data processing is concluded, with sufficiently detailed, clear and transparent information regarding the processes, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another service provider or port data back to its own IT systems;

(c) approaches to certification schemes that facilitate the comparison of data processing products and services for professional users, taking into account established national or international norms, to facilitate the comparability of those products and services. Such approaches may include, inter alia, quality management, information security management, business continuity management and environmental management;

(d) communication roadmaps taking a multi-disciplinary approach to raise awareness of the codes of conduct among relevant stakeholders.

2. The Commission shall ensure that the codes of conduct are developed in close cooperation with all relevant stakeholders, including associations of SMEs and start-ups, users and cloud service providers.

3. The Commission shall encourage service providers to complete the development of the codes of conduct by 29 November 2019 and to effectively implement them by 29 May 2020.

Article 7 - Procedure for cooperation between authorities

1. Each Member State shall designate a single point of contact which shall liaise with the single points of contact of other Member States and the Commission regarding the application of this Regulation. Member States shall notify to the Commission the designated single points of contact and any subsequent change thereto.

2. Where a competent authority in one Member State requests assistance from another Member State, pursuant to Article 5(2), in order to obtain access to data, it shall submit a duly justified request to the latter's designated single point of contact. The request shall include a written explanation of the reasons and the legal bases for seeking access to the data.

3. The single point of contact shall identify the relevant competent authority of its Member State and transmit the request received pursuant to paragraph 2 to that competent authority.

4. The relevant competent authority so requested shall, without undue delay and within a timeframe proportionate to the urgency of the request, provide a response communicating the data requested, or informing the requesting competent authority that it does not consider that the conditions for requesting assistance under this Regulation have been met.

5. Any information exchanged in the context of assistance requested and provided under Article 5(2) shall be used only in respect of the matter for which it was requested.

6. The single points of contact shall provide users with general information on this Regulation, including on the codes of conduct.

Article 8 - Evaluation and guidelines

1. No later than 29 November 2022, the Commission shall submit a report to the European Parliament, to the Council and to the European Economic and Social Committee evaluating the implementation of this Regulation, in particular in respect of:

(a) the application of this Regulation, especially to data sets composed of both personal and non-personal data in the light of market developments and technological developments which might expand the possibilities for deanonymising data;

(b) the implementation by Member States of Article 4(1), and in particular the public security exception; and

(c) the development and effective implementation of the codes of conduct and the effective provision of information by service providers.

2. Member States shall provide the Commission with the necessary information for the preparation of the report referred to in paragraph 1.

3. By 29 May 2019, the Commission shall publish informative guidance on the interaction of this Regulation and Regulation (EU) 2016/679, especially as regards data sets composed of both personal and non-personal data.

Article 9 - Final provisions

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall apply six months after its publication.

This Regulation shall be binding in its entirety and directly applicable in all Member States.