The proposal of the EU Regulation on Free Flow of Data – a short commentary on the leaked draft

Without doubt, the free flow of data is at the heart of the European Commission (EC)'s digital single market mission. The EC's Communication on free flow of data in January 2017 forecasted a new regulatory framework[1] and the first package has just arrived. The draft Regulation on free flow of data was leaked earlier this month.[2] Based on past experience, the official version should be out in a couple of weeks.[3]

The proposal for the Regulation on free flow of data tackles the »easiest« part of the EC project, as the issues of liabilities and accessibility of data will be addressed in a separate document (page 3 of the leaked proposal).
In this proposal, the EC steps back from the data protection/privacy issues, making it clear that the focus is on non-personal data. Although it may be debatable when data is non-personal, the point is that this regulation seeks to address different problems than privacy-related regulations.
The text of the leaked regulation focuses on four areas with a common goal to “unlock the potential of data”:
  •        Mobility of data across borders in the single market;
  •        Portability of data;
  •        Responsibility of private parties to provide data for regulatory control;
  •        Security of data and cloud services.

Two points deserve a detailed analysis: provisions related to localization measures and those related to the new information duty. The first point will be of special interest for the EU member states (MSs). The second one will be relevant for an even larger audience, notably for the global data (storage) service providers.
I. Localization measures
In relation to data mobility, the EC imposes a new duty on member states to identify localization measures and to notify the Commission of any new ones. Localization does not necessarily come as a legal rule but can emerge in lots of different forms. For instance, data localization may result from a requirement forcing local hiring or local purchasing of the information and communication technology (ICT) equipment.[4] Obviously, not all localization measures are easy to spot, so the MSs should carefully consider how to embark upon this challenge. Another novelty in the regulation is the EU Free Flow of Data Policy Group, which will consist of single contact points in the MSs. Again, the MSs will have to consider which state body should be entrusted with the new task (or potentially form a new body). Long story short, the proposal’s mission is to get all MSs on the same page. When it comes to national digital agendas, differences are obvious. For Slovenia and the Netherlands, the countries I am more familiar with, I can definitely say that this is the case. While the Netherlands has a long history of cyber security policy and has allocated substantial resources to tackle the issues,[5] Slovenia has been lagging behind.[6] The proposed changes in the EU law are a good starting point for those MSs that are stuck with their cyber strategies.
II. Informing users – a new duty for data service providers

The proposal for the regulation becomes more interesting when it sets the rules for providers of data services. Certainly, data mobility is inhibited not only due to state-imposed measures but also because of the measures imposed by the private sector. Such restrictions can be legal, contractual or technical – basically anything that prevents users of data storage and processing services from porting the data. However, the regulation does not impose any portability duty. The recitals express the expectation that portability will emerge as some sort of self-regulation. If the plan fails, the guidance will be provided by the European Commission. The soft measure is in line with the outcomes of the public consultation on the free flow of data, where many respondents expressed hesitation in relation to the right to data portability.[7]
Nevertheless, the regulation should be taken up in a serious manner. Article 6 imposes a new duty on data (storage) service providers, namely to inform users about their terms of service. Prior to the conclusion of a contract, the following five elements will have to be put forward:
  •        process and location of data back-ups;
  •        available data formats and supports;
  •        required IT configuration and minimum network bandwidth;
  •        time required prior to initiating the porting process and the time during which the data will remain available for porting;
  •        guarantees for accessing data in the case of a bankruptcy of the provider.
The proposal introduces the notion of a user and a professional user but only explains the former. This is obviously a flaw (compare page 8 and Article 3) which will hopefully be corrected in the official version. Based on the text it is safe to assume that the latter is a legal or natural person that uses or requests a data storage and/or processing service as part of professional activities (e.g. a sole proprietor or an SME).
The providers that fall under the umbrella of the new regulation are numerous – anyone who provides data storage and/or data processing services in the EU or to a user from the EU could potentially fall under the scope of the Regulation, including those who provide services in the Union from a third country without an establishment in the Union (Recital 7). As an illustration, a US company that has no establishment in the EU but provides services to a user from the EU has to comply with the EU law as well.
All in all, the European Commission firmly sticks to its DSM ambition – a high level of privacy, security and an open market for digital services all across the EU. It is true that the new rules probably put pressure on the traditional approach to legal jurisdiction, but this approach is nothing new. Rather, it has become a modus operandi of the EU legislator.
Considering the fast-paced development of the European policy and law in the area of data economy, the question arises how MSs and companies should prepare for the upcoming regulation. Below I list some recommendations.

Tips for the member states:
  •        Identify a body that has adequate expertise to analyze and monitor data localization requirements;
  •        Start reviewing possible localization measures;
  •       Consider which state body should take part in the ongoing EU discussion on the free flow of data.

Tips for data service and storage providers:
  •        Review terms and make sure all the topics from Article 6 are adequately addressed;
  •        Consider the most appropriate standards to facilitate portability of data.








[3] It took a couple of weeks to publish the proposal for e-Privacy regulation in January 2017, after the leak in December 2016.
[4] Hill, The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business Leaders, 2014
[6] Only under the pressure of the upcoming NIS directive, the Slovenian government has taken steps toward establishing a national cyber security authority.
Reviewed by Helena Uršič on 11:06 AM
