With this new legislative act, the European legislature aims to remove existing data localization requirements and enable storage of data in multiple locations across the EU.
On November 14, 2018, the European Parliament and the Council of the EU approved a legislative reform banning data localization restrictions. The new Regulation (EU) 2018/1807 ("regulation"), published in the Official Journal of the European Union on November 28, 2018 and therefore applicable in all EU Member States as of May 2019, creates a framework for the free flow of electronic non-personal data in the EU and promotes the idea of a data economy and enhanced competitiveness of the EU industry.
Prohibition of data localization: This new framework forms part of the EU's digital single market strategy and responds to the need for removing obstacles to data mobility and the internal single market which affect trade and distort competition. In particular, the new regulation prohibits data localization requirements put in place by EU Member States regarding the storing or processing of non-personal data. An exception to the general prohibition applies where data localization restrictions are justified on grounds of public security.
Enabling new technologies: From a business perspective, the regulation enables the rapid development of the data economy and emerging technologies, such as artificial intelligence, Internet of things products and services, autonomous systems, and 5G, as all these technologies are based on data and require the free flow of data within the European Union in order to achieve data-driven economic growth and innovation.
Practical implications: Specific examples of non-personal data include aggregate and anonymized data sets used for big data analytics, data on precision farming that can help to monitor and optimize the use of pesticides and water, or data on maintenance needs for industrial machines. Companies with business models involving non-personal data should assess to what extent they may benefit from the new regulation. Those companies currently using personal data may want to explore the possibility of applying anonymization techniques to their data sets.
Self-regulation: Focusing on vendor lock-in practices in the private sector, the new regulation promotes market player self-regulation through the development of codes of conduct which allow users to switch between service providers without hindrance.
The European Commission is expected to publish guidance on how to handle data sets composed of both personal and non-personal data to allow companies to better understand the interaction between the new regulation and the General Data Protection Regulation.
For further information on policy reviews to identify potential gaps and enhance coverage for cyber risks, please contact your principal Firm representative or the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Undine von Diemar
Cristina Bosch Rivero, an associate in the Brussels Office, assisted in the preparation of this Alert.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.