Not cleared from scrutiny; further information requested; drawn to the attention of the Committee on Exiting the European Union Committee and the Culture, Media and Sport Committee
Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions
Culture, Media and Sport
(38456), 5349/17 + ADD 1, COM(17) 9
4.1Data, often described as the “currency of the internet”, is a valuable resource that is of growing economic importance in the digital economy. Although an EU-level regulatory framework exists for personal data, no such framework exists for non-personal data. This creates legal uncertainty which may cause a number of problems. If these concerns are addressed at Member State level, this may fragment the Single Market and inhibit the growth of the EU’s data economy.
4.2As part of its Digital Single Market Strategy, the European Commission adopted on 10 January 2017 a Communication called “Building a European Data Economy”. The Communication concludes that a policy framework is needed that enables data to be used throughout the value chain for scientific, societal and industrial purposes, and outlines a number of distinct issues and possible solutions to them. Its adoption coincides with the launch of a wide-ranging stakeholder dialogue including a public consultation that will run until 26 April 2017.
4.3Four thematic areas of concern are identified. Some Member States have introduced ‘data localisation’ measures which require data to be stored on servers physically located in that Member State. The Communication explains that such measures are ineffective, clarifies that a “principle of free movement of data within the EU” (derived from the treaties and secondary law) applies to non-personal data in the Single Market, and urges Member States to take this into account when considering introducing restrictions. No regulatory action is proposed at this time, but the Commission states that it will launch infringement proceedings to address unjustified data location requirements and may bring forward further initiatives in this area in due course.
4.4The Communication also elaborates various less precisely defined concerns that relate to the competitive dynamics of the data economy. There are concerns that, in the absence of legal frameworks that clarify non-personal data ownership rights and data sharing requirements, dominant manufacturers and service providers may become ‘de facto’ owners of machine-generated data within supply chains, which could inhibit growth and competition and create lock-in effects. The Commission proposes to consult on a wide range of possible solutions to these concerns.
4.5Further competition-related concerns are raised in relation to the lack of data portability in the data economy. Data portability, underpinned by interoperability and common standards, can facilitate switching between online platforms, promote the concurrent use of multiple platforms (“multi-homing”) and encourage data exchange across platforms, which has the potential to enhance innovation. A lack of data portability can lead to lock-in effects and inhibit competition. Feedback is sought in relation to a range of possible interventions.
4.6The Commission also intends to consult on the adequacy of current rules on liability in the context of emerging digital technologies such as the internet of things (IoT) and autonomous connected systems (such as self-driving cars), which could lead to difficulty establishing liability when faults occur. It seeks views on possible solutions.
4.7The Minister of State for Digital and Culture (Matt Hancock) states that the Government will support action to restrict data localisation measures because doing so will reduce barriers to trade and the growth of businesses—particularly SMEs—and also endorses the proposed exception for national security and law enforcement, which may require data localisation in some cases. In relation to the many other possible regulatory interventions that are discussed, the Minister suggests that the Commission should only intervene where there is clear evidence that data markets are not functioning, and outlines a list of principles that should guide any further action.
4.8On Brexit, the Minister provides no specific analysis of the implications of leaving the EU for this area of rapidly developing policy, which, post-exit, has the potential to cause problems for sectors of the economy that rely on intra-EU transfers of non-personal data. techUK has publicly expressed concerns that the Free Flow of Data initiative could introduce data localisation requirements for service providers from third countries, effectively requiring digital businesses to relocate part of their operations to the EU.
4.9The Commission’s Communication does not make for reassuring reading in this regard: the focus throughout is very clearly on the free flow of data “within the EU”, not between the EU and third countries. These concerns may be amplified by the Commission’s continued delays in bringing forward concrete regulatory proposals, as a result of which the Government’s opportunity to shape any legislation in this area, pre-exit, is decreasing.
4.10We thank the Minister for his Explanatory Memorandum which provides an overview of the Commission’s Communication, “Building a European data economy”. Although the Communication is not a legislative proposal, we consider it politically important because it provides a strong indication of the Commission’s wide-ranging thinking in relation to future regulation of the data economy.
4.11The Communication explains that the Commission:
4.12Given the rapid digitisation of all sectors of the economy, the growing importance of data to many sectors, and the EU’s stated intention to use trade agreements to promote EU standards of data protection and digital regulation, we consider that the development of the EU acquis in relation to the data economy is likely to have significant implications for UK businesses post-exit.
4.13We ask the Minister to inform the Committee:
4.14We also ask the Minister to respond to the following questions about the implications of the Communication in light of the UK’s imminent exit from the EU:
4.15The Committee retains the document under scrutiny. We request responses to the above questions by 6 April 2017.
4.16We draw the Minister’s Explanatory Memorandum and our conclusions to the attention of the Committee on Exiting the European Union and the Culture, Media and Sport Committee.
Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (38456), 5349/17 + ADD 1, COM(17) 9.
4.17The Commission’s Communication describes a variety of challenges and possible solutions that relate to the data economy. These are:
4.18The Commission’s concerns and possible solution to each of these issues is summarised below.
4.19One of the main barriers to the movement of data is “data localisation”. This is the practice whereby a public authority requires that data must be stored on servers physically located in that member state. These restrictions range from requirements by supervisory authorities that financial service providers store their data locally, the implementation of professional secrecy rules and sweeping regulations requiring the local storage of archived information generated by the public sector.
4.20Data localisation measures can undermine obligations under the free movement of services and the free establishment provisions of the EU Treaties and secondary legislation. For example, businesses operating in more than one Member State may be required to store and process data in more than one location. Data localisation also hampers the adoption of cloud computing which is a more energy efficient use of IT resources. It is estimated that the removal of data localisation restrictions would result in combined annual GDP gains for Member States of up to €8 billion (£6.82 billion).
4.21The trend, both globally and in Europe, is towards more data localisation, and the Communication notes that these measures are typically justified on the grounds of security or privacy. Where personal data is concerned, such concerns are not justifiable, as the General Data Protection Regulation (GDPR) provides a fully harmonised EU level framework for personal data protection and prohibits restrictions on the free movement of personal data within the Union for reasons connected with the protection of personal data. However, the GDPR does not apply to non-personal data, meaning that Member States currently have more scope to introduce restrictions on the flow of non-personal data.
4.22The Communication explains that data localisation measures are often introduced due to a misconception that localised services are automatically safer than cross-border services. In fact, geographic restrictions are ineffective in this regard as state-of-the-art security systems and effective ICT management are the means by which data is effectively protected. In fact, the Communication concludes that locating data storage facilities in multiple Member States is likely to improve security by permitting these facilities to act as back-ups for one another.
4.23To address concerns about data localisation, the Communication states that any Member State action affecting data storage or processing should be guided by a “principle of free movement of data within the EU”. This principle, it asserts, is effectively “a corollary of their obligations under the free movement of services and the free establishment provisions of the Treaty and relevant secondary legislation”, and as a consequence “any current or new data location restrictions would need to be carefully justified under the Treaty and relevant secondary law to verify that they are necessary and proportionate to achieve an overriding objective of general interest, such as public security”.
4.24However, the Communication notes that data localisation requirements may be justified and proportionate in some contexts, especially before effective cross-border cooperation arrangements are put in place, such as ensuring the secure treatment of certain data pertaining to critical energy infrastructure, the availability of electronic evidence (e.g. as localised copies of datasets) for law enforcement authorities, or local storage of data held in certain public registers.
4.25The Communication concludes that, following the results of its dialogue with stakeholders and its evidence gathering, it will, where needed, launch infringement proceedings to address unjustified data location requirements (under free movement of services and the free establishment principles in the Treaty and secondary legislation) and will if necessary take forward further initiatives in this area.
4.26The issue of data localisation is of particular relevance to UK-EU trade post-exit, because non-personal data flows underpin service provision in a wide range of sectors, and many UK service sectors are deeply integrated with the Single Market. In this regard, it may be cause for concern that the Communication places the emphasis on facilitating the flow of data within the EU specifically, not globally (the principle is the “free movement of data within the EU”). The Communication also emphasises that the EU will seek to use future trade agreements to set rules for digital trade:
“The EU data protection rules cannot be subject of negotiations in a free trade agreement. As explained in the Communication on exchanging and protecting personal data in a globalised world dialogues on data protection and trade negotiations with third countries have to follow separate tracks. Beyond this, as indicated in the Trade for All Communication, the Commission will seek to use EU trade agreements to set rules for e-commerce and cross-border data flows and tackle new forms of digital protectionism in full compliance with and without prejudice to the EU’s data protection rules.”
4.27Ever-increasing amounts of data, both personal and non-personal, are being generated by machines or processes based on emerging technologies, such as the internet of things (IoT).
4.28The Communication argues that, in order for the data economy to flourish, market players must have ready access to large and diverse data sets. However, evidence suggests that data generators tend not to share their data with other players, including those in supply chains, thus keeping valuable data in organisational silos. The exchange of data remains limited.
4.29The Communication also highlights that frameworks do not exist at the national or EU level for access to and use of non-personal, machine generated data. Some data may satisfy specific conditions within individual Member States to qualify as an intellectual property right, database right or a trade secret, but raw machine-generated data would not generally meet the conditions at EU level.
4.30The Commission suggests that some manufacturers or service providers may become the de facto “owners” of the data that their machines or processes generate, even if those machines are owned by the user. This can lead to lock-in effects, because “the user is effectively prevented by the manufacturer from authorising usage of the data by another party”. The Commission suggests that, where such lock-in effects arise, the de facto owner of the data may use its position to impose unfair standard contract terms on the users or through technical means, such as proprietary formats or encryption.
4.31The Communication states that these situations are currently dealt with under contract law, and notes that this approach, in combination with targeted competition enforcement, might be a sufficient response. However, it also notes that “where the negotiation power of the different market participants is unequal, market-based solutions alone might not be sufficient to ensure fair and innovation-friendly results, facilitate easy access for new market entrants and avoid lock-in situations”.
4.32The Commission concludes that it wishes to explore ways in which the trading of machine generated data can be facilitated in a way that addresses the unequal bargaining power of companies, whilst simultaneously ensuring that participants’ legitimate interests and investments are protected.
4.33It believes that the dialogue should focus on how to achieve the following high-level objectives, a number of which are potentially in tension with one another:
4.34Furthermore, the Commission intends to discuss the following possible solutions through stakeholder dialogues and public consultation:
4.35The Commission places a strong emphasis on the sectoral dimension of these issues. It states that it intends to gather more information “on the functioning of the data markets by sector” and states that “sector-specific discussions will be held with relevant stakeholders in the data value chain”.
4.36The Communication argues that current rules on liability do not take into account the complexity of emerging data-driven technologies such as the internet of things (IoT) or autonomous connected systems (such as self-driving cars). When an error in an automated system results in some form of damage, there could be difficulties in establishing fault. The Commission states that “the issue of how to provide certainty to both users and manufacturers of such devices in relation to their potential liability is therefore of central importance to the emergence of a data economy”.
4.37The Commission plans to consult on the adequacy of current rules on liability and evaluate the effectiveness of the EU Product Liability Directive. Potential solutions outlined in the Communication are either risk-based approaches to establishing liability, or voluntary or mandatory insurance schemes.
4.38Data portability is the ability to transfer data between different systems. In principle, this increases choice and reduces costs for consumers who wish to switch service providers or use multiple providers. However, there are at present no obligations to guarantee even a minimum level of data portability in relation to non-personal data, even for widely used online services such as cloud hosting providers.
4.39Questions of data portability are closely related to questions of data interoperability (i.e. the principle by which multiple digital services can seamlessly exchange data) which requires the establishment of technical standards for different platforms. The Commission concludes that in the case of online platforms, data interoperability can facilitate not only switching, but also the concurrent use of several platforms (known as “multi-homing”) and widespread cross-platform data exchange, which has the potential to enhance innovation.
4.40The Commission proposes to consult stakeholders on these issues and possible solutions including, but not limited to, developing recommended contract terms to facilitate switching of service providers developing further data portability rights and introducing sector-specific experiments in standards.
4.41Before deciding on possible solutions to data access and liability issues, the Commission proposes using EU research and innovation funding to test them in a real-life environment. The Communication points to projects already underway in several Member States to develop connected and automated vehicles and its intention to work with a group of Member States to create a legal testing framework to conduct experiments on the basis of harmonised rules on data access and liability.
4.42The Minister of State for Digital and Culture (Matt Hancock) provides a short summary of the Government’s view of the policy implications of the document. He states that the Government is supportive of the free flow of data initiative insofar as it is aimed at reducing barriers:
“The Government supports the Commission’s efforts to reduce barriers to the free flow of data. In particular, we endorse its efforts to limit the ability of Member States to use data localisation measures, which go against the principles of the Single Market; for example, businesses operating in more than one Member State may be required to store and process data in more than one location. This could be prohibitively expensive—especially for startups or small and medium sized enterprises wishing to enter new markets—and so reduce competition.”
4.43The Minister states that the Government supports the proposed exception to this rule, which would permit restrictions to the free flow of data on national security and law enforcement grounds:
“The Government also endorses the exception that a Member State can still require data related to national security and law enforcement to be retained solely within its borders. Furthermore, the Government considers that EU legislation prohibiting data localisation should protect the ability of Member State law enforcement authorities to access data for legitimate needs, as permitted by their particular domestic legislation. It should ensure that when companies exercise that right of the free flow of data they do not hinder the important principle that law enforcement agencies may have the right and ability to access data lawfully, no matter where it is stored.”
4.44In relation to the range of other issues covered in the Communication, the Government expresses the view that “the Commission must have clear evidence that data markets are not functioning before acting”, and provides a list of principles that the Commission should take into account when considering potential market failures and how to respond. These points are:
4.45The Minister states that “the Government will engage constructively with the Commission and other relevant stakeholders to push these points”.
10 European Commission, Public consultation on Building the European data economy (10 January 2017)
11 Antony Walker, deputy CEO, techUK, Oral evidence to the House of Lords EU Internal Market Sub-Committee (20 October 2016) .
12 Antony Walker, deputy CEO, techUK, Oral evidence to the House of Lords EU Internal Market Sub-Committee (20 October 2016)
13 €1 = £0.85305 as at 3 March 2017
10 March 2017