In December 2018, Regulation (EU) 2018/1807 on a Framework for the Free Flow of Non-Personal Data in the European Union was published in the Official Journal of the European Union. An integral part of the European Union’s Digital Single Market initiative, this Regulation aims to remove unjustified barriers to the movement of non-personal data in the EU and thus to assist in unlocking the potential of Europe’s Data Economy.
A primary principle of the Free Flow of Non-Personal Data Regulation is the removal of all unjustified legal and administrative data localisation requirements for non-personal data throughout the Union (Article 4). A data localisation requirement would most commonly be a law or administrative provision that would require data, in this case non-personal data, to be held within the Irish jurisdiction.
The Regulation ensures:
Free movement of non-personal data across borders: every organisation should be able to store and process data anywhere in the European Union
The availability of data for regulatory control: public authorities will retain access to data whether it is located in another Member State or when it is stored or processed in the cloud
The General Data Protection Regulation (GDPR) already provides for the free movement of personal data within the Union, alongside its goal of protecting personal data. Together with the GDPR, this Regulation will ensure a comprehensive and coherent approach to the free movement of all data in the EU.
Every individual, business or organisation has the right to use, collect, store, transfer or manage non-personal data, and to use data centres or cloud services anywhere within the EU.
This can help avoid any potential duplication of costs; for example, IT infrastructure can be centralised in one EU country, even if they operate in multiple countries
Non-personal data is information that cannot be linked to an identified or identifiable person, such as data which is:
generated as part of business processes (for example, business to business invoices)
generated by connected industrial devices (sensors communicating recorded data, such as for weather apps)
recorded for maintenance requirements (for example, industrial robots, streets, bridges etc.)
Personal data and mixed data sets
The rules for dealing with personal data differ from those for non-personal data. Personal and non-personal data are often collected and stored together; this is known as mixed data. If you handle mixed datasets, the same level of protection as personal data applies. The European Commission has published guidance for dealing with mixed data sets, which we have made available below.
Restrictions on free movement of data in the EU
In exceptional cases, EU countries may be able to restrict the location of certain data, but only if justified on the grounds of public security, for example, when data relates to ongoing counter-terrorism investigations, or when loss of data could risk a major traffic accident (such as for air traffic control data).
In the short term, a conclusive list of all justified data localisation requirements applying to non-personal data in Irish legislative and administrative provisions will be developed and published on a national online single information point (to be confirmed). This will provide legal certainty to businesses operating throughout the Union, which will be able to easily find information about all data localisation requirements applying to non-personal data operative in any Member State.
In the longer term, all data localisation requirements applying to non-personal data that cannot be justified under this Regulation will be required to be repealed by 30 May 2021. In addition to this, Member States will also be precluded from introducing any new data localisation requirements applying to non-personal data that cannot be justified under this Regulation.
Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union