Six months after the General Data Protection Regulation ('GDPR') entered into application, the European Parliament and the Council adopted Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union ('FFDR'). The FFDR entered into application on 28 May 2019.
Framework for the free flow of all data in the EU
Together, the two regulations establish a legal framework for the free flow of all data in the EU and aim to create a basis for developing the data economy and enhancing the competitiveness of the data industry in the EU. Where the GDPR ensures the free flow of personal data, the FFDR aims to ensure the free flow of data other than personal data.
FFDR: non-personal data and mixed datasets
The FFDR applies to the processing of electronic data other than personal data in the EU, where (1) the data originally does not relate to an identified or identifiable natural person or (2) the data which was initially personal data was later anonymised.
The FFDR also regulates the status of mixed datasets, composed of both personal and non-personal data, which represent the majority of datasets used in the data economy today. In a dataset composed of both personal and non-personal data, the FFDR applies to the non-personal data part of the dataset and the GDPR applies to the personal data part of the dataset.
However, where personal and non-personal data in a dataset are inextricably linked, the data protection rights and obligations stemming from the GDPR fully apply to the whole mixed dataset, also when personal data represents only a small part of the dataset.
Principles: Free flow of data and removal of direct or indirect data localisation requirements
One of the purposes of the FFDR is to avoid vendor lock-in practices. These practices occur when users cannot switch between service providers because their data is 'locked' in the provider's system, for instance due to a specific data format or contractual arrangements, and cannot be transferred outside of the vendor's IT system. Porting data without hindrance is important since it allows users to freely choose between providers of data processing services and thus ensures effective competition in the market.
To this end, the FFDR:
- prohibits, as a rule, EU Member States from imposing requirements on where data should be localised. Exceptions to this rule may only be justified on grounds of public security in compliance with the proportionality principle
- establishes a cooperation mechanism to ensure that competent authorities continue to be able to exercise any rights they have to access data that is being processed in another EU Member State
- provides incentives for industries, with the support of the Commission, to develop self-regulatory codes of conduct on switching service providers and porting data.
Six months after the General Data Protection Regulation ('GDPR') entered into application, the European Parliament and the Council adopted Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union ('FFDR'). The FFDR entered into application on 28 May 2019.
Framework for the free flow of all data in the EU
Together, the two regulations establish a legal framework for the free flow of all data in the EU and aim to create a basis for developing the data economy and enhancing the competitiveness of the data industry in the EU. Where the GDPR ensures the free flow of personal data, the FFDR aims to ensure the free flow of data other than personal data.
FFDR: non-personal data and mixed datasets
The FFDR applies to the processing of electronic data other than personal data in the EU, where (1) the data originally does not relate to an identified or identifiable natural person or (2) the data which was initially personal data was later anonymised.
The FFDR also regulates the status of mixed datasets, composed of both personal and non-personal data, which represent the majority of datasets used in the data economy today. In a dataset composed of both personal and non-personal data, the FFDR applies to the non-personal data part of the dataset and the GDPR applies to the personal data part of the dataset.
However, where personal and non-personal data in a dataset are inextricably linked, the data protection rights and obligations stemming from the GDPR fully apply to the whole mixed dataset, also when personal data represents only a small part of the dataset.
Principles: Free flow of data and removal of direct or indirect data localisation requirements
One of the purposes of the FFDR is to avoid vendor lock-in practices. These practices occur when users cannot switch between service providers because their data is 'locked' in the provider's system, for instance due to a specific data format or contractual arrangements, and cannot be transferred outside of the vendor's IT system. Porting data without hindrance is important since it allows users to freely choose between providers of data processing services and thus ensures effective competition in the market.
To this end, the FFDR:
- prohibits, as a rule, EU Member States from imposing requirements on where data should be localised. Exceptions to this rule may only be justified on grounds of public security in compliance with the proportionality principle
- establishes a cooperation mechanism to ensure that competent authorities continue to be able to exercise any rights they have to access data that is being processed in another EU Member State
- provides incentives for industries, with the support of the Commission, to develop self-regulatory codes of conduct on switching service providers and porting data.