The digitisation of the economy is accelerating. Information and Communications Technology is no longer a specific sector, but the foundation of all modern innovative economic systems and societies. Electronic data are at the centre of those systems and can generate great value when analysed or combined with services and products. At the same time, the rapid development of the data economy and emerging technologies such as Artificial Intelligence, Internet of Things products and services, autonomous systems, and 5G are raising novel legal issues surrounding questions of access to and reuse of data, liability, ethics and solidarity. Work should be considered on the issue of liability, in particular through the implementation of self-regulatory codes and other best practices, taking into account recommendations, decisions and actions taken without human interaction along the entire value chain of data processing. Such work might also include appropriate mechanisms for determining liability, for transferring responsibility among cooperating services, for insurance and for auditing.
(2)
Data value chains are built on different data activities: data creation and collection; data aggregation and organisation; data processing; data analysis, marketing and distribution; use and re-use of data. The effective and efficient functioning of data processing is a fundamental building block in any data value chain. However, the effective and efficient functioning of data processing, and the development of the data economy in the Union, are hampered, in particular, by two types of obstacles to data mobility and to the internal market: data localisation requirements put in place by Member States' authorities and vendor lock-in practices in the private sector.
(3)
The freedom of establishment and the freedom to provide services under the Treaty on the Functioning of the European Union (‘TFEU’) apply to data processing services. However, the provision of those services is hampered or sometimes prevented by certain national, regional or local requirements to locate data in a specific territory.
(4)
Such obstacles to the free movement of data processing services and to the right of establishment of service providers originate from requirements in the laws of Member States to locate data in a specific geographical area or territory for the purpose of data processing. Other rules or administrative practices have an equivalent effect by imposing specific requirements which make it more difficult to process data outside a specific geographical area or territory within the Union, such as requirements to use technological facilities that are certified or approved within a specific Member State. Legal uncertainty as to the extent of legitimate and illegitimate data localisation requirements further limits the choices available to market players and to the public sector regarding the location of data processing. This Regulation in no way limits the freedom of businesses to conclude contracts specifying where data are to be located. This Regulation is merely intended to safeguard that freedom by ensuring that an agreed location can be situated anywhere within the Union.
(5)
At the same time, data mobility in the Union is also inhibited by private restrictions: legal, contractual and technical issues hindering or preventing users of data processing services from porting their data from one service provider to another or back to their own information technology (IT) systems, not least upon termination of their contract with a service provider.
(6)
The combination of those obstacles has led to a lack of competition between cloud service providers in the Union, to various vendor lock-in issues, and to a serious lack of data mobility. Likewise, data-localisation policies have undermined the ability of research and development companies to facilitate collaboration between firms, universities, and other research organisations with the aim of driving innovation.
(7)
For reasons of legal certainty and because of the need for a level playing field within the Union, a single set of rules for all market participants is a key element for the functioning of the internal market. In order to remove obstacles to trade and distortions of competition resulting from divergences between national laws and to prevent the emergence of further likely obstacles to trade and significant distortions of competition, it is necessary to adopt uniform rules applicable in all Member States.
(8)
The legal framework on the protection of natural persons with regard to the processing of personal data, and on respect for private life and the protection of personal data in electronic communications and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (3) and Directives (EU) 2016/680 (4) and 2002/58/EC (5) of the European Parliament and of the Council are not affected by this Regulation.
(9)
The expanding Internet of Things, artificial intelligence and machine learning, represent major sources of non-personal data, for example as a result of their deployment in automated industrial production processes. Specific examples of non-personal data include aggregate and anonymised datasets used for big data analytics, data on precision farming that can help to monitor and optimise the use of pesticides and water, or data on maintenance needs for industrial machines. If technological developments make it possible to turn anonymised data into personal data, such data are to be treated as personal data, and Regulation (EU) 2016/679 is to apply accordingly.
(10)
Under Regulation (EU) 2016/679, Member States may neither restrict nor prohibit the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data. This Regulation establishes the same principle of free movement within the Union for non-personal data except when a restriction or a prohibition is justified by public security reasons. Regulation (EU) 2016/679 and this Regulation provide a coherent set of rules that cater for free movement of different types of data. Furthermore, this Regulation does not impose an obligation to store the different types of data separately.
(11)
In order to create a framework for the free flow of non-personal data in the Union and the foundation for developing the data economy and enhancing the competitiveness of Union industry, it is necessary to lay down a clear, comprehensive and predictable legal framework for the processing of data other than personal data in the internal market. A principle-based approach that provides for cooperation among Member States, as well as self-regulation, should ensure that the framework is flexible enough to take into account the evolving needs of users, service providers and national authorities in the Union. In order to avoid the risk of overlaps with existing mechanisms, thereby avoiding higher burdens both for Member States and businesses, detailed technical rules should not be established.
(12)
This Regulation should not affect data processing in so far as it is carried out as part of an activity which falls outside the scope of Union law. In particular, it should be recalled that, in accordance with Article 4 of the Treaty on European Union (‘TEU’), national security is the sole responsibility of each Member State.
(13)
The free flow of data within the Union will play an important role in achieving data-driven growth and innovation. Like businesses and consumers, Member States' public authorities and bodies governed by public law stand to benefit from increased freedom of choice regarding data-driven service providers, from more competitive prices and from a more efficient provision of services to citizens. Given the large amounts of data that public authorities and bodies governed by public law handle, it is of the utmost importance that they lead by example by taking up data processing services and that they refrain from making data localisation restrictions when they make use of data processing services. Therefore, public authorities and bodies governed by public law should be covered by this Regulation. In this regard, the principle of the free flow of non-personal data for which this Regulation provides should apply also to general and consistent administrative practices and to other data localisation requirements in the field of public procurement, without prejudice to Directive 2014/24/EU of the European Parliament and of the Council (6).
(14)
As in the case of Directive 2014/24/EU, this Regulation is without prejudice to laws, regulations, and administrative provisions which relate to the internal organisation of Member States and that allocate, among public authorities and bodies governed by public law, powers and responsibilities for the processing of data without contractual remuneration of private parties, as well as the laws, regulations and administrative provisions of Member States that provide for the implementation of those powers and responsibilities. While public authorities and bodies governed by public law are encouraged to consider the economic and other benefits of outsourcing to external service providers, they might have legitimate reasons to choose self-provisioning of services or insourcing. Consequently, nothing in this Regulation obliges Member States to contract out or externalise the provision of services that they wish to provide themselves or to organise by means other than public contracts.
(15)
This Regulation should apply to natural or legal persons who provide data processing services to users residing or having an establishment in the Union, including those who provide data processing services in the Union without an establishment in the Union. This Regulation should therefore not apply to data processing services taking place outside the Union and to data localisation requirements relating to such data.
(16)
This Regulation does not lay down rules relating to the determination of applicable law in commercial matters and is therefore without prejudice to Regulation (EC) No 593/2008 of the European Parliament and of the Council (7). In particular, to the extent that the law applicable to a contract has not been chosen in accordance with that Regulation, a contract for the provision of services is, in principle, governed by the law of the country of the service provider's habitual residence.
(17)
This Regulation should apply to data processing in the broadest sense, encompassing the usage of all types of IT systems, whether located on the premises of the user or outsourced to a service provider. It should cover data processing of different levels of intensity, from data storage (Infrastructure-as-a-Service (IaaS)) to the processing of data on platforms (Platform-as-a-Service (PaaS)) or in applications (Software-as-a-Service (SaaS)).
(18)
Data localisation requirements represent a clear barrier to the free provision of data processing services across the Union and to the internal market. As such, they should be banned unless they are justified on grounds of public security, as defined by Union law, in particular within the meaning of Article 52 TFEU, and satisfy the principle of proportionality enshrined in Article 5 TEU. In order to give effect to the principle of free flow of non-personal data across borders, to ensure the swift removal of existing data localisation requirements and to enable, for operational reasons, the processing of data in multiple locations across the Union, and since this Regulation provides for measures to ensure data availability for regulatory control purposes, Member States should only be able to invoke public security as a justification for data localisation requirements.
(19)
The concept of ‘public security’, within the meaning of Article 52 TFEU and as interpreted by the Court of Justice, covers both the internal and external security of a Member State, as well as issues of public safety, in order, in particular, to facilitate the investigation, detection and prosecution of criminal offences. It presupposes the existence of a genuine and sufficiently serious threat affecting one of the fundamental interests of society, such as a threat to the functioning of institutions and essential public services and the survival of the population, as well as the risk of a serious disturbance to foreign relations or the peaceful coexistence of nations, or a risk to military interests. In compliance with the principle of proportionality, data localisation requirements that are justified on grounds of public security should be suitable for attaining the objective pursued, and should not go beyond what is necessary to attain that objective.
(20)
In order to ensure the effective application of the principle of free flow of non-personal data across borders, and to prevent the emergence of new barriers to the smooth functioning of the internal market, Member States should immediately communicate to the Commission any draft act that introduces a new data localisation requirement or modifies an existing data localisation requirement. Those draft acts should be submitted and assessed in accordance with Directive (EU) 2015/1535 of the European Parliament and of the Council (8).
(21)
Moreover, in order to eliminate potential existing barriers, during a transitional period of 24 months from the date of application of this Regulation, Member States should carry out a review of existing laws, regulations or administrative provisions of a general nature laying down data localisation requirements and communicate to the Commission any such data localisation requirement that they consider being in compliance with this Regulation, together with a justification for it. This should enable the Commission to examine the compliance of any remaining data localisation requirements. The Commission should be able, where appropriate, to make comments to the Member State in question. Such comments could include a recommendation to amend or repeal the data localisation requirement.
(22)
The obligations to communicate existing data localisation requirements and draft acts to the Commission established by this Regulation should apply to regulatory data localisation requirements and draft acts of a general nature, but not to decisions addressed to a specific natural or legal person.
(23)
In order to ensure the transparency of data localisation requirements in the Member States laid down in a law, regulation or administrative provision of a general nature for natural and legal persons, such as service providers and users of data processing services, Member States should publish information on such requirements on a national online single information point, and regularly update that information. Alternatively, Member States should provide up-to-date information on such requirements to a central information point established under another Union act. In order to appropriately inform natural and legal persons of data localisation requirements across the Union, Member States should notify to the Commission the addresses of such single information points. The Commission should publish this information on its own website, along with a regularly updated consolidated list of all data localisation requirements in force in Member States, including summarised information on those requirements.
(24)
Data localisation requirements frequently stem from a lack of trust in cross-border data processing, deriving from the presumed unavailability of data for the purposes of the competent authorities of the Member States, such as for inspection and audit for regulatory or supervisory control. Such lack of trust cannot be overcome solely by the nullity of contractual terms prohibiting lawful access to data by competent authorities for the performance of their official duties. Therefore, this Regulation should clearly stipulate that it does not affect the powers of competent authorities to request or obtain access to data in accordance with Union or national law, and that competent authorities cannot be refused access to data on the basis that the data are processed in another Member State. Competent authorities could impose functional requirements to support access to data, such as requiring that system descriptions are to be kept in the Member State concerned.
(25)
Natural or legal persons who are subject to obligations to provide data to competent authorities can comply with such obligations by providing and guaranteeing effective and timely electronic access to the data to competent authorities, regardless of the Member State in the territory of which the data are processed. Such access can be ensured through concrete terms and conditions in contracts between the natural or legal person subject to the obligation to provide access and the service provider.
(26)
Where a natural or legal person is subject to an obligation to provide data and fails to comply with that obligation, the competent authority should be able to seek assistance from competent authorities in other Member States. In such cases, competent authorities should use specific cooperation instruments in Union law or under international agreements, depending on the subject matter in a given case, such as, in the area of police cooperation, criminal or civil justice or in administrative matters respectively, Council Framework Decision 2006/960/JHA (9), Directive 2014/41/EU of the European Parliament and of the Council (10), the Convention on Cybercrime of the Council of Europe (11), Council Regulation (EC) No 1206/2001 (12), Council Directive 2006/112/EC (13) and Council Regulation (EU) No 904/2010 (14). In the absence of such specific cooperation mechanisms, competent authorities should cooperate with each other with a view to providing access to the data sought, through designated single points of contact.
(27)
Where a request for assistance entails obtaining access to any premises of a natural or legal person including to any data processing equipment and means, by the requested authority, such access must be in accordance with Union law or national procedural law, including any requirement to obtain prior judicial authorisation.
(28)
This Regulation should not allow users to attempt to evade the application of national law. It should therefore provide for the imposition, by Member States, of effective, proportionate and dissuasive penalties on users which prevent competent authorities from receiving access to their data necessary for the performance of the competent authorities' official duties under Union and national law. In urgent cases, where a user abuses its right, Member States should be able to impose strictly proportionate interim measures. Any interim measures requiring the re-localisation of data for longer than 180 days following the re-localisation would deviate from the free movement of data principle for a significant period and should, therefore, be communicated to the Commission for the examination of their compatibility with Union law.
(29)
The ability to port data without hindrance is a key factor in facilitating user choice and effective competition on markets for data processing services. The real or perceived difficulties in porting data cross-border also undermine the confidence of professional users when taking up cross-border offers, and thereby their confidence in the internal market. Whereas individual consumers benefit from existing Union law, the ability to switch between service providers is not facilitated for those users who act in the course of their business or professional activities. Consistent technical requirements across the Union, whether concerning technical harmonisation, mutual recognition or voluntary harmonisation, also contribute to developing a competitive internal market for data processing services.
(30)
In order to take full advantage of the competitive environment, professional users should be able to make informed choices and to easily compare the individual components of various data processing services offered in the internal market, including in respect of the contractual terms and conditions of porting data upon the termination of a contract. In order to align with the innovation potential of the market and to take into account the experience and expertise of the service providers and professional users of data processing services, the detailed information and operational requirements for data porting should be defined by market players through self-regulation, encouraged, facilitated and monitored by the Commission, in the form of Union codes of conduct which might include model contractual terms and conditions.
(31)
In order to be effective and to make switching between service providers and data porting easier, such codes of conduct should be comprehensive and should cover at least the key aspects that are important during the process of porting data, such as the processes used for, and the location of, data back-ups; the available data formats and supports; the required IT configuration and minimum network bandwidth; the time required prior to initiating the porting process and the time during which the data will remain available for porting; and the guarantees for accessing data in the case of the bankruptcy of the service provider. The codes of conduct should also make clear that vendor lock-in is not an acceptable business practice, should provide for trust-increasing technologies, and should be regularly updated in order to keep pace with technological developments. The Commission should ensure that all relevant stakeholders, including associations of small and medium-sized enterprises (SMEs) and start-ups, users and cloud service providers are consulted throughout the process. The Commission should evaluate the development, and the effectiveness of the implementation, of such codes of conduct.
(32)
Where a competent authority in one Member State requests assistance from another Member State in order to obtain access to data pursuant to this Regulation, it should submit, through a designated single point of contact, a duly justified request to the latter's designated single point of contact, which should include a written explanation of the reasons and the legal bases for seeking access to the data. The single point of contact designated by the Member State whose assistance is requested should facilitate the transmission of the request to the relevant competent authority in the requested Member State. In order to ensure effective cooperation, the authority to which a request is transmitted should without undue delay provide assistance in response to a given request or provide information on difficulties experienced in fulfilling such request, or on its grounds for refusing it.
(33)
Enhancing trust in the security of cross-border data processing should reduce the propensity of market players and the public sector to use data localisation as a proxy for data security. It should also improve the legal certainty for companies as regards compliance with the applicable security requirements when they outsource their data processing activities to service providers, including to those in other Member States.
(34)
Any security requirements related to data processing that are applied in a justified and proportionate manner on the basis of Union or national law in compliance with Union law in the Member State of residence or establishment of the natural or legal persons whose data are concerned should continue to apply to processing of that data in another Member State. Those natural or legal persons should be able to fulfil such requirements either themselves or through contractual clauses in contracts with service providers.
(35)
Security requirements set at national level should be necessary and proportionate to the risks posed to the security of data processing in scope of the national law in which these requirements are set.
(36)
Directive (EU) 2016/1148 of the European Parliament and of the Council (15) provides for legal measures to boost the overall level of cybersecurity in the Union. Data processing services constitute one of the digital services covered by that Directive. According to that Directive, Member States are to ensure that digital service providers identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use. Such measures should ensure a level of security appropriate to the risk presented, and should take into account the security of systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards. These elements are to be further specified by the Commission in implementing acts under that Directive.
(37)
The Commission should submit a report on the implementation of this Regulation, in particular with a view to determining the need for modifications in the light of technological or market developments. That report should in particular evaluate this Regulation, especially its application to data sets composed of both personal and non-personal data, as well as the implementation of the public security exception. Before this Regulation starts to apply, the Commission should also publish informative guidance on how to handle data sets composed of both personal and non-personal data, in order that companies, including SMEs, better understand the interaction between this Regulation and Regulation (EU) 2016/679, and to ensure that both Regulations are complied with.
(38)
This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, and should be interpreted and applied in accordance with those rights and principles, including the rights to the protection of personal data, the freedom of expression and information and the freedom to conduct a business.
(39)
Since the objective of this Regulation, namely to ensure the free flow of data other than personal data in the Union, cannot be sufficiently achieved by the Member States, but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective,
