The European Commission has published on 13/09/2017 a proposal for a regulation “on a framework for the free flow of non-personal data in the EU”. The proposal aims to establish the principle of free movement of non-personal data through removing unjustified national localisation measures.

It will also create a notification procedure that would limit future unjustified localisation measures. Justified localisation measures would only be permitted in the interests of public security.  It also bans refusal of access to data by the request of authorities on grounds of it being stored elsewhere. It encourages codes of conduct for business-to-business data porting conditions.

Agoria’s position

Agoria welcomes the proposal for a Flee Flow of Data Regulation.

Unjustified national localisation measures should no longer restrict the free movement of data. 

Main comments :

Scope & definitions 

Article 2.1 : The regulation should also apply to datasets which include both personal and non-personal data that cannot be unbundled because it is too difficult or too costly to unbundle such data.

Article 2.2 : We recommend clarifying that all unjustified Member States activities are covered (not just federal/national level, but also regional and local rules).

Article 3 : A definition of what public security means in the context of localizing non-personal data is needed. We would propose to take inspiration from article 23(1)(d) of the GDPR (strictly limited to “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguard against and the prevention of threats to public security”).

Articles  3.3 & 3.5 : It should be clarified that public procurement rules are ‘administrative provisions’. Recital 4 could also elaborate and specifically refer to public procurement.

There is no need for new security requirements which would overlap with existing rules and provisions of the Directive on security of network and information systems (NIS directive). And only the security requirements of where the data is being processed and stored should apply (>< recital 25).

Free movement of data

Agoria welcomes the obligations to notify data localization requirements but Article 4.2 should be more explicit about the power of the Commission. While directive 2015/1535 had some success in lowering and restricting national legislation that creates single market barriers in the area of products, it is recognized that notifications of such barriers continues to grow…and that these barriers continue to legally exist.

In case Member states may set up data localization requirements, Agoria fully supports transparency obligations (Article 4.4).

It is also important to define in detail the minimum legal, economic and organizational requirements that should be met by the ‘single information points’ Article 7 should be strengthened by clarifying the Commission’s powers as to the possible failure of a single information point.

Data availability for regulatory control

Agoria agrees with the provision related to the access to data by competent authorities of data stored/processed in another Member State. The scope of this provision should not be broadened to be used beyond access for regulatory control and include unreasonable measures on government access to data (Article 5).

Data porting

Agoria welcomes the proposal to develop self-regulatory codes of conduct. However the one-year deadline for all data service providers to effectively implement these codes of conduct should be extended considering the time that is usually needed for drafting such self-regulation.