Implementation of the Regulation (EU) 2018/1807 on a Framework for the Free Flow of Non-Personal Data in the European Union

In December 2018, Regulation (EU) 2018/1807 on a Framework for the Free Flow of Non-Personal Data in the European Union was published in the Official Journal of the European Union. An integral part of the European Union's Digital Single Market initiative, this Regulation aims to remove unjustified barriers to the movement of non-personal data in the EU and thus to assist in unlocking the potential of Europe’s Data Economy.

A primary principle of the Free Flow of Non-Personal Data Regulation is the removal of all unjustified legal and administrative data localisation requirements for non-personal data throughout the Union (Article 4). A data localisation requirement would most commonly be a law or administrative provision that would require data, in this case non-personal data, to be held within the Irish jurisdiction.

The Regulation ensures:

• Free movement of non-personal data across borders: every organisation should be able to store and process data anywhere in the European Union
• The availability of data for regulatory control: public authorities will retain access to data whether it is located in another Member State or when it is stored or processed in the cloud

The General Data Protection Regulation (GDPR) already provides for the free movement of personal data within the Union, alongside its goal of protecting personal data. Together with the GDPR, this Regulation will ensure a comprehensive and coherent approach to the free movement of all data in the EU.

Every individual, business or organisation has the right to use, collect, store, transfer or manage non-personal data, and to use data centres or cloud services anywhere within the EU.

This can help avoid any potential duplication of costs; for example, IT infrastructure can be centralised in one EU country, even if they operate in multiple countries.

Non-personal data is information that cannot be linked to an identified or identifiable person, such as data which is:

• generated as part of business processes (for example, business to business invoices)
• generated by connected industrial devices (sensors communicating recorded data, such as for weather apps)
• recorded for maintenance requirements (for example, industrial robots, streets, bridges and so on)

Personal data and mixed data sets

The rules for dealing with personal data differ from those for non-personal data. Personal and non-personal data are often collected and stored together; this is known as mixed data. If you handle mixed datasets, the same level of protection as personal data applies. The European Commission has published guidance for dealing with mixed data sets, which we have made available below.

Restrictions on free movement of data in the EU

In exceptional cases, EU countries may be able to restrict the location of certain data, but only if justified on the grounds of public security, for example, when data relates to ongoing counter-terrorism investigations, or when loss of data could risk a major traffic accident (such as for air traffic control data).

In the short term, a conclusive list of all justified data localisation requirements applying to non-personal data in Irish legislative and administrative provisions will be developed and published on a national online single information point (to be confirmed). This will provide legal certainty to businesses operating throughout the Union, which will be able to easily find information about all data localisation requirements applying to non-personal data operative in any Member State.

In the longer term, all data localisation requirements applying to non-personal data that cannot be justified under this Regulation will be required to be repealed by 30 May 2021. In addition to this, Member States will also be precluded from introducing any new data localisation requirements applying to non-personal data that cannot be justified under this Regulation.

If you have any questions in relation to the Regulation, and/or their obligations, please do not hesitate to contact Karen Tighe at karen.tighe@decc.gov.ie or 0874441207 or John Uhlemann at john.uhlemann@decc.gov.ie

For more information visit the European Union website.

Restrictions Identified

Following a thorough review of national legislation and administrative provisions by government departments and agencies under their remit, one data restriction has been identified.

As the primary provider of legal services to the government, the Office of the Attorney General (AGO) has access to significant amounts of non-personal data that would come within the scope of 'public security' and which should be retained in the Irish jurisdiction. Furthermore, as that data is not separable from other legal content that might not fall within the meaning of public security (given that it is all stored within single systems), the entire legal content datasets of the Office should fall within the public security exemption provided for by the Regulation.

This restriction was notified to the European Commission on the 31 May 2021 as being within the ambit of national security, which is beyond the scope of EU law in accordance with Article 4 TFEU and is permissible under this Regulation.