Free-Flow of Non-Personal Data in the European Union

Esya Blog
Dec 12, 2019

This post is part of a series on personal and non-personal data written by our intern Adithya Ramani. In light of the developments in the Indian internet regulatory space, with the introduction of the Personal Data Protection Bill, 2019 in Parliament, and the formation of the Gopalakrishnan ‘Committee for Non-Personal Data’ earlier this year, this piece attempts to examine a few of the key issues in the EU Regulation on the free flow of non-personal data. The subsequent posts will explore more such fundamental concepts, and also delve into contemporary judicial decisions in the internet governance space.

Introduction

Electronic data is at the centre of all modern economic systems and can generate great value when analysed or combined with services and products. ‘Free flow of data’ represents a scenario in which there are no barriers to cross-border data flows. While that is yet to materialize, positive efforts have been taken in the European Union with the adoption on 14 November 2018 of the Regulation on the free flow of non-personal data (“Regulation”)¹. This adds to the General Data Protection Regulation (“GDPR”) which stipulates free movement of personal data within the European Union (“EU”). In general, data protection laws achieve two objectives — one, to facilitate the free flow of data, and the other to provide minimum protections for personal data². This post aims to explain how the Regulation deals with data localisation, cross border data flows, and mixed datasets.

Non-Personal Data

The Regulation does not define non-personal data on its own terms; it defines it only as all data that is not ‘personal data’ as defined under Article 4(1) of the GDPR. Thus, it becomes important to identify what comes under non-personal data. Non-personal data in the framework of the Regulation is electronic information that cannot be traced back to an identified or identifiable natural person (or has been anonymized as such).³

Data Localisation

‘Data Localisation Requirements’ have historically been a fetter on the free flow of data⁴. These requirements hinder the flow of both personal and non-personal data. In essence, data localisation refers to restrictions on the flow of data across national borders.

The Regulation provides for a general prohibition of data localisation requirements in the EU⁵. It sets the framework for data processing and storing across the EU. EU Member States (“Member States”) will have to inform the Commission of any remaining or planned data localisation restrictions in specific situations of public sector data processing. The only exception to this prohibition in the Regulation is on the ground of ‘public security’ as defined in Article 52 of the Treaty on the Functioning of the European Union (TFEU)⁶.

Cross-Border Access of Non-Personal Data

The Regulation provides for cross-border access of non-personal data to competent authorities, for specified purposes. Competent authority is defined as “any other entity authorised by national law to perform a public function or exercise public authority” that has the power to access data for the performance of its official duties under national or EU law⁷. The Regulation also states that it shall not affect the powers of competent authorities to directly access data, and that direct access to data may not be refused on the basis that such data is located in another Member State⁸. Article 5 of the Regulation, together with Article 7, establishes a framework under which a competent authority from one Member State can request the assistance of a competent authority from another Member State to procure access to non-personal data⁹.

The pre-conditions for requesting data by the competent authority are:

1. After requesting access to a user’s data, a competent authority does not obtain access.

2. No specific cooperation mechanism exists under Union law or international agreements to exchange data between competent authorities of different Member States¹⁰.

Mixed Datasets

Another challenge in the Regulation involves mixed data sets that contain both personal and non-personal data. Examples of mixed datasets include a company’s knowledge of IT problems and solutions based on individual incident reports, or a research institution’s anonymised statistical data and the raw data initially collected, such as the replies of individual respondents to statistical survey questions.

In theory, the GDPR will apply to the part of the data that contains personal data and the Regulation will apply to the parts of the data containing non-personal data. The Regulation also clarifies that where personal and non-personal data in a dataset are ‘inextricably linked’, it should not prejudice the application of the GDPR and that it does not “impose an obligation to store the different types of data separately”¹². However, in practice it would be very difficult to separately identify the part of the dataset containing non-personal data and apply the Regulation only to that part. This also creates a loophole for Member States to apply data localisation requirements on grounds other than public security, since if the data sets are inextricably linked, the Regulation cannot prejudice the GDPR, thus allowing Member States to apply data localisation to the mixed datasets¹³.

Conclusion

Since a lot of countries have not come out with their own regulations on non-personal data, the Regulation offers the only legislative guidance in this area. Further, despite some of the challenges mentioned above, the Regulation remains an important step in the elimination of restrictions to cross-border data flows and their negative impact on business. Companies expect cost reductions to be the main benefit of eliminating data localisation requirements¹⁴. Particularly for small and medium enterprises and start-ups, prohibition of data localisation will reduce the cost of establishing their business. Mixed datasets are the point of interaction between the GDPR and the Regulation, and the broad definition of ‘personal data’ makes it difficult to apply the Regulation to mixed datasets. Hence, it is imperative to further clarify the scope of ‘personal data’ in the GDPR, and clarify how it would interact with the Regulation on non-personal data, particularly in cases of mixed datasets. This could eliminate a lot of uncertainty associated with the applicability of the Regulation and will assist in a better analysis of the impact of having free flow of non-personal data.

Adithya Ramani is a final year law student at Symbiosis Law School, NOIDA. He is currently interning with the Esya Centre and can be reached at adithyaramani18[at]gmail.com.

The views, thoughts, and opinions expressed in the text belong solely to the author, and are not attributable to the Esya Centre.

[1] Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union, OJ L 303.

[2] P De Hert and S Gutwirth, ‘Data Protection in the Case Law of Strasbourg and Luxemburg.

[3] Communication from the Commission to the European Parliament and the Council, Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union, COM(2019) 250 final on 29–5–2019, Page 6.

[4] Julien Debussche and Jasmien César, ‘Big Data & Issues & Opportunities: Free Flow of Data’.

[5] Regulation on a framework for the free-flow of non-personal data, Article 4 ‘Free Movement of data within the union’.

[6] Regulation on a framework for the free-flow of non-personal data, Recital 12.

[7] Regulation on a framework for the free-flow of non-personal data, Article 3 ‘Definitions’.

[8] Regulation on a framework for the free-flow of non-personal data, Article 5 ‘Data availability for competent authorities’.

[9] Ibid, read with Article 7 ‘Procedure for cooperation between authorities’.

[10] Ibid.

[11] Commission’s guidance on Free Flow of Non-Personal Data, Q&A, available at https://ec.europa.eu/commission/presscorner/detail/en/MEMO_19_2750

[12] Regulation on a framework for the free-flow of non-personal data, Recital 10 and Article 2 ‘Scope’.

[13] European Digital Rights, ‘Feedback on the Free Flow of Non-personal Data’ (EDRi 2017) 1 https://edri.org/files/freeflowdata_consultation_EDRi_20180122.pdf

[14] Inge Graef, Thomas Tombal, ‘Limits and Enablers of Data Sharing An Analytical Framework for EU Competition, Data Protection and Consumer Law’.


The Esya Centre is a technology policy think tank based in New Delhi, India