In addition to the existing freedoms -free movement of people, services, goods and capital- the European Union will acquire a ‘fifth freedom’: the free flow of data. The General Data Protection Regulation (GDPR), which came into force on May 25 2018, harmonizes the European legislation with respect to personal data. In adopting the new Regulation for the free flow of non-personal data, the European Union also regulates the free flow of such data. Examples of non-personal data are data streams between devices, depersonalized statistics and data on maintenance needs for machines. Ovidius briefly explains the most important changes.

Why is this regulation necessary?

The modern society is highly digital oriented. The digital internal market is experiencing a significant growth and data are a significant part of that. Data, or distributing data, are no longer a byproduct, but a core service or product. However, under the current legal framework, Member States can set restrictions to the processing and storage of data at certain locations, for example, allowing such processing and storage only within their own territory. These national regulations undermine the functioning of the internal market. The new regulation, which has been adopted by the European Parliament early October 2018, aims to level the playing field between the Member States by removing national obstacles to the free flow of data.

What will change?

The most important change in the regulation are the restrictions on the location of data. Under the regulation, Member States can no longer limit the non-personal data flow by means of their national legislation, except if such requirements are necessary on grounds of public safety. Furthermore, Member States must report their national data location requirements to the European Commission, who will publish these online. In addition, the regulation allows the local authorities of Member States to access data processed and stored in different Member States, such for the purpose of audit, enforcement or inspection. Furthermore, the regulation provides for the possibility to create codes of conduct for market players in order for consumers to easier switch cloud-service providers.

New regulation and GDPR

Both regulations are a part of the Digital Single Market-strategy of the European Commission. However, each regulation serves a different purpose. The GDPR deals with personal data and the new regulation with non-personal data. To determine which regime is applicable, it should be assessed whether the relevant data falls under the broad definition of personal data of the GDPR. If you are not sure whether it concerns personal or non-personal data, be ‘better safe, than sorry’ and abide by the stricter regulations of the GDPR.