The fifth EU freedom–the free flow of non-personal data

Author: Tim Wright

Tim Wright, Partner, Fladgate LLP (


Many countries around the world have data localisation laws and regulations which restrict how and where data can be stored and transferred. Russia and China are well known examples but other such countries include Brazil, India, Australia, Korea, and Nigeria. Sometimes these laws and regulations are in the form of blanket bans; other times they apply only in specific sectors such as health and finance.

Towards the end of last year, the European Parliament and the Council formally signed Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union[1] in order to outlaw such practices. The Regulation will come into effect in May 2019. Alongside the General Data Protection Regulation (GDPR)[2], the new Regulation is intended to ensure a “comprehensive and coherent” approach to data movement across the EU.

As with the GDPR, the Regulation does not require implementation into local law by Member States.  Unlike GDPR however, and assuming Britain leaves the EU on 29 March 2019, the Regulation will not on that day form part of the Community acquis (i.e. the body of EU law) and so it will not be brought into domestic UK law by the European Union (Withdrawal) Act 2018[3].

Why is the new freedom needed?

The Commission says that the “free flow of non-personal data is a pre-requisite for a competitive data economy within the Digital Single Market” and will boost the data economy by enhancing the development of emerging technologies such as autonomous systems and artificial intelligence. Citing a Deloitte study[4], the Commission said that removing obstacles to data mobility could generate additional growth of up to 4% GDP by 2020. Deloitte found that data localisation requirements have a high impact on cloud adoption because they limit choice – companies may decide not to adopt cloud computing since the most economically efficient offer may not be available in their market, and cloud providers may face higher costs if they are forced to establish in locations with higher production costs.

When does it apply?

The Regulation applies to the processing of electronic data (apart from personal data) in the EU where it is (a) provided as a service to users resident or established in the EU, or (b) carried out by a person or entity resident or established in the EU for its own needs. It does not matter that the service provider processing the data is not established in the EU. All types of data processing are covered regardless of IT systems and infrastructure used and whether the processing is outsourced or handled inside the organisation.

The Regulation does not override the GDPR. For example, the GDPR will apply to the personal data within a database, which also contains non-personal data.

Prohibition against data localisation requirements

The Regulation defines data localisation requirements as those where the laws, regulations or administrative provisions of a Member State, or the general and consistent administrative practices of a Member State, including in the field of public procurement (but without prejudice to the requirements of the public procurement Directive[5]), require the processing of data in the territory of a specific Member State or hinder the processing of data in any other Member State. The only exception is where the requirements are “proportionate” and can be justified on “grounds of public security”. The Regulation will not stop a customer or vendor from specifying in a contract where the data is located – it simply means that the location can be anywhere in the EU.

Avoiding vendor lock-in

The Regulation also aims to tackle vendor lock-in practices in the private sector: “legal, contractual and technical issues hindering or preventing users of data processing services from porting their data from one service provider to another or back to their own information technology (IT) systems, not least upon termination of their contract with a service provider” (Recital 5). Accordingly, the Regulation requires the Commission to encourage and facilitate self-regulatory codes of conduct “based on the principles of transparency and interoperability and taking due account of open standards”, setting out best practices to enable switching between service providers.

The codes of conduct will set out minimum information requirements to be provided to professional users (i.e. anyone using or seeking data processing services in a business context), before a contract for data processing is concluded. This information, which must cover processes, technical requirements, timeframes and charges for switching to another service provider or porting data back in-house, will have to be “sufficiently detailed, clear and transparent.” The codes of conduct will no doubt set out in more detail what this means in practice.

Final Remarks

Anna Maria Corazza Bildt, the MEP who steered the Regulation through the European Parliament, referred to it as a “game changer” which will level the playing field to enable European companies to compete globally and provide “enormous efficiency gains for both companies and public authorities…[paving] the way for artificial intelligence, cloud computing and big data analysis“. Only time will tell whether the fifth freedom has quite the impact hoped for; it is however an important part of the Commission’s Digital Single Market Strategy which aims to build a competitive data economy across the EU.







For GDPR-related legal updates, please visit Fladgate Privacy Updates

View by date:

View by author:

Would you like to hear more?