Documents considered by the Committee on 29 November 2017

4 Free flow of non-personal data

Committee’s assessment

Legally and politically important

Committee’s decision

Not cleared from scrutiny; further information requested; drawn to the attention of the Committee for Digital, Culture, Media and Sport and the Committee for Exiting the European Union

Document details

Proposal for a Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union

Legal base

Article 114 TFEU, ordinary legislative procedure, QMV

Department

Digital, Culture, Media and Sport

Document Number

(39028), 12244/17 + ADDs 1–3, COM(17) 495

Summary and Committee’s conclusions

4.1 Data storage and data processing are integral elements of the data value chain that underpins the operation of digital technologies such as cloud-computing and the Internet of Things (IoT). Ensuring the smooth functioning of these markets is therefore important to the creation of a Digital Single Market.

4.2 In its May 2015 Digital Single Market Strategy[85] and a subsequent communication published in January 2017 (Building a European Data Economy),[86] the European Commission identified that the provision of these services was being impeded within the European Union by a variety of regulatory issues and business practices. On 13 September 2017, after repeated delays, the Commission finally adopted its proposal for a Regulation governing the free flow of non-personal data (hereafter ‘the Regulation’).[87]

4.3 The most significant barrier the Commission identifies to the flow of non-personal data within the Union is the imposition by public authorities of so-called “data localisation requirements” – requirements for data storage and data processing services to locate data within their territory. Other rules and practices, such as mandating the use of technological facilities approved in a particular country, may have an equivalent effect. These requirements fragment the single market and increase the cost of doing business in Europe, thereby making it more difficult for businesses to compete within and scale their operations across the European market.

4.4 Restrictive measures of this kind can currently be applied to non-personal data flows because the EU’s data protection regime – which guarantees the free flow of personal data inside the EU, subject to harmonised data protection standards – relates exclusively to personal data. Furthermore, the principle-based provisions of the Services Directive 2006/123,[88] which require restrictions on the treaty-based freedom to provide services to be proportionate, necessary and justified, in practice allow Member States sufficient scope to continue to apply these restrictions.

4.5 The Commission has also determined that data mobility within the EU is inhibited by certain private restrictions: legal, contractual and technical issues hindering or preventing users of data storage or other processing services from porting their data from one service provider to another, including upon termination of their contract with a service provider.

4.6 To address these concerns, the proposed Regulation aims to:

4.7 The proposed Regulation also requires Member States to designate a ‘single point of contact’ to deal with issues concerning the application of the Regulation when adopted, and establishes a free flow of data comitology committee.

4.8 On 12 October 2017, the Minister of State of the Department for Digital, Culture, Media and Sport (Matt Hancock) provided the Committee with an explanatory memorandum in relation to the Commission’s proposal.[90] The Minister states that the Government welcomes the Commission’s proposal, and that it has consistently called for it to tackle unjustified data localisation, which can be anti-competitive, recognising the need for limited exemptions. The Minister indicates that the Government will seek further clarification in relation to numerous aspects of the proposal.

4.9 The Government does not provide any substantive analysis of how the proposal will be affected by the UK’s withdrawal from the European Union, instead employing the usual boilerplate about continuing to negotiate, implement and apply EU legislation for as long as the UK remains a member.

4.10 We thank the Government for its explanatory memorandum. We welcome the fact that our previously expressed concerns – that a regulation which liberalised intra-EU non-personal data flows could simultaneously erect barriers for businesses established in third countries, such as the UK once it has left the European Union – appear to have been unfounded.

4.11 We ask the Government to provide the Committee with updates in relation to each of the points in its explanatory memorandum on which it states that it will be seeking further clarification from the Commission, which include various aspects of Article 4 (Free movement of data within the Union), Article 5 (Data availability for competent authorities), and Article 6 (Data porting).

4.12 Given the imprecise drafting of Article 4(3), which does not specify the mechanism for assessing notified exemptions, we particularly wish to know whether the Government is confident that the proposed Regulation’s provisions are sufficient to require Member States to repeal existing data localisation requirements other than where genuine public security grounds exist, or whether, as drafted, countries will in practice be free to obstruct proper implementation of the Regulation once adopted on the basis of tenuous and weakly justified public security grounds.

4.13 In relation to Brexit, we regret the lack of substantive analysis from the Government of the implications of the UK’s impending withdrawal from the European Union in relation to the proposed Regulation, and urge it to provide a thorough analysis of these implications in future explanatory memoranda.

4.14 To help us evaluate these implications in relation to the current proposal, we ask for responses to the following Brexit-related questions:

4.15 We ask for a response to the above questions, and any further updates on progress in Council, by 17 January 2018, or sooner if progress in Council requires it. In the meantime we retain the proposal under scrutiny and draw this chapter to the attention of the Committee for Digital, Culture, Media and Sport and the Committee for Exiting the European Union.

Full details of the documents

Proposal for a Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union: (39028), 12244/17 + ADDs 1–3, COM(17) 495.

The proposal

Non-personal data

4.16 The European Commission’s Free Flow of Data initiative forms part of the Digital Single Market agenda and seeks to remove barriers to the free flow of non-personal data in the Single Market.

4.17 Non-personal data refers to electronic data that is not of a personal nature.[93] Data storage and other processing of non-personal data is used in a broad sense, encompassing the usage of all types of IT systems, whether located on the premises of the user or outsourced to a data storage or other processing service provider.

4.18 Personal data flows are separately regulated by the EU’s Data Protection Directive (DPD) which will be replaced by the General Data Protection Regulation (GDPR) when its provisions become directly applicable on 4 May 2018. Since the present proposal applies only to data of a non-personal nature, it does not affect the Union data protection legal framework, of which the GDPR is the most important element.

Aims

4.19 According to the Commission, the general policy objective of the initiative is to achieve a more competitive and integrated internal market for data storage and other processing services and activities, by tackling impediments to the free flow of non-personal data.

4.20 To reduce barriers to the functioning of the digital economy, which is heavily dependent on data and cross-border data flows, the proposal aims to:

4.21 The Commission concludes that the proposal will have a positive effect on competition as it will stimulate innovation in data storage or other processing services, attract more users to them and make it considerably easier, particularly for new and small service providers, to enter new markets. The proposal will also promote cross-border and cross-sector use of data storage or other processing services and the development of the data market.

Provisions

4.22 The main provisions of the proposed Regulation are summarised below:

Subsidiarity, proportionality, cost

4.23 The Commission’s subsidiarity assessment, which is developed in the Impact Assessment and summarised in the Communication, concludes that the proposal is justified because the free movement of non-personal data within the Union cannot be achieved by the Member States at national level, as the core problem is cross-border data mobility.

4.24 In relation to the subsidiarity implications of the data porting requirements, the communication states that the proposed approach would not require any disclosure of IPR-protected information and – importantly for the UK, in the context of its impending departure from the EU – would not preclude foreign operators from accessing the EU market, and would not treat foreign providers differently from EU providers or other foreign providers.

4.25 On proportionality, the Commission states that the proposed Regulation seeks to strike a balance between EU regulation and public security interests of Member States, through the exemption on data localisation requirements for reasons of public security. The Commission states that it also seeks to strike a balance between EU regulation and self-regulation by the market in relation to the proposals for data porting, with self-regulation through industry codes of conduct being the preferred approach.

4.26 The communication states that the burden on Member States’ public authorities will be approximately €33,000 annually to sustain the single points of contact and between €385 and €1,925 for the preparation of notifications.

Explanatory Memorandum

4.27 On 12 October 2017, the Minister of State of the Department for Digital, Culture, Media and Sport (Matt Hancock) provided the Committee with an explanatory memorandum in relation to the Commission’s proposal.[94]

4.28 The Minister states that the Government welcomes the Commission’s proposal, and observes that it has consistently encouraged the Commission to legislate to address the practice of unjustified data localisation, recognising the need for limited exemptions. He adds that the Government has argued that data localisation can be anti-competitive, operating as de facto trade barriers which limit growth and stifle innovation.

4.29 The Minister does not raise any issues with the Commission’s subsidiarity assessment, which states that the free movement of non-personal data within the EU is essentially a problem of cross-border data mobility and, as such, cannot be effectively achieved by Member States at national level. Member States could address domestic data localisation practices, but this would lead to a divergence of approach, resulting in varying regulatory requirements. This would result in additional costs for businesses.

4.30 The Minister indicates that the Government will seek clarification about the following aspects of Article 4 (Free movement of data within the Union):

4.31 The Minister also indicates that he will seek further clarification regarding Article 5 (Data availability for competent authorities):

4.32 The Minister also indicates that he will seek further clarification regarding Article 6 (Data porting). He specifically seeks:

4.33 The Minister says that the Government will underline the importance of aligning any code of conduct for the porting of non-personal data with the data portability requirements for personal data as set out in the General Data Protection Regulation, and will seek clarification from the Commission on the potential impact on businesses, including SMEs.

4.34 The Minister observes that the Commission Regulatory Scrutiny Board twice issued a negative opinion on the impact assessment associated with the proposal, and on the second occasion noted a lack of evidence to support a new right to cloud services portability. The Commission stresses that the proposed measures in relation to data porting are, in acknowledgment of the Board’s second opinion, less burdensome – specifically, self-regulatory measures have substituted the previously envisaged new right of data porting.

4.35 Instead of an analysis of the policy implications of Brexit in relation to the proposed Regulation, the Government provides a paragraph of boilerplate:

“On 23 June 2016, the EU referendum took place and the people of the United Kingdom voted to leave the European Union. The government respected the result and triggered Article 50 of the Treaty on European Union on 29 March 2017 to begin the process of exit. Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period the government will continue to negotiate, implement and apply EU legislation.”

Previous Committee Reports

None. The previous Committee scrutinised the European Commission’s earlier communication on the same subject (Building a European Data Economy 5349/17). Fortieth Report HC 71–xxxvii (2016–17), chapter 12 (25 April 2017); Thirty-fourth Report HC 71–xxxii (2016–17), chapter 4 (8 March 2017).


[91] According to Politico Pro Morning Tech Europe (Paywall), the European Parliament’s Internal Market Committee (IMCO) was allocated the free flow of data file but the Industry, Research and Energy (ITRE) Committee is eager to get co-ownership. IMCO is expecting a challenge from ITRE, according to IMCO Chairwoman Anneleen Van Bossuyt.

[92] Politico.eu, Internal discord dashes EU hopes of digital leadership in trade (Paywall), 10 September 2017.

[93] Article 3 of the proposal defines non-personal data as data other than personal data as referred to in Article 4(1) of Legislation (EU) 2016/679, i.e. the General Data Protection Regulation (GDPR). Article 4(1) of the GDPR states that personal data means “any information relating to an identified and identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identity, such as a name, description, number, location data, an online identifier or to one or more factors, specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.




1 December 2017