ARTICLE14 November 2017

A framework for free flow of non-personal data in the European Union

The Confederation of Swedish Enterprise welcomes this regulation with its aim to ensure the free data flow within the European Union. Europe can no longer afford to keep the Digital Single Market held back by protectionism and fragmentation, says Göran Norén, Head of Department, Industrial Affairs and Carolina Brånby, Digital Policy expert.

Göran Norén, Head of Department, Industrial Affairs.

Data flows are a fundamental component of global value chains and a key ingredient in building European competitiveness through a data-driven economy. It is therefore essential that data can flow freely between member states and is not restricted by forced localisation measures. Data transfers are highly important for both small and large companies and across sectors. Trade across borders is not possible without the accompanying movement of data. Any exception to a ban on forced data localisation needs to be well-justified and proportionate. Potential restrictions on the movement of data should be governed by technical requirements for maintaining security levels and accessibility for national authorities. Improving the cross-border flow of non-personal data, while making sure that the power of competent authorities to inspect and audit is maintained, is crucial for guaranteeing competition on equal terms.

Better regulation

The Confederation of Swedish Enterprise emphasizes the importance of ongoing efforts in the area of better regulation, including fitness check evaluations. The proposed regulation on the free flow of non-personal data, combined with the General Data Protection Regulation provides a comprehensive European framework for data flows. Considering this, it is unfortunate if the European Union and/or individual Member States increase the accumulated regulatory burden by introducing overlapping legislation. The current deliberations on the ePrivacy Regulation risk going in this direction, adding new and contradictory provisions to sectors already regulated under the GDPR.

We are critical of Recital 25, providing that IT-providers comply with any and all security requirements that are applied in the member state of residence or establishment of the natural or legal persons whose data is concerned. Such security requirements are already regulated in the NIS Directive. The Confederation opposes a proposal which stipulates both the principle of residence and establishment for regulatory application because of the inhibitory burden it creates, particularly for SMEs.

Security

The regulation proposes a ban on forced data localisation unless such measures are justified on grounds of public security. For such an approach to be effective, a clear definition of ‘public security’ is necessary, and should be introduced in Article 3. Such a definition should be aligned with Article 23.1 of the General Data Protection Regulation, which refers to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Regulatory certainty is a prerequisite for business investments, and without a clear understanding of what measures would be permissible, the effect of this regulation becomes insignificant.

We support the proposal in Article 4.4 which establishes that Member States shall make the details of any data localisation requirements applicable in their territory publicly available online via a single information point which they shall keep up-to-date.

Data porting

The Commission self-regulatory approach to data porting and the switching of service providers is constructive and positive. However, the singular focus on Codes of Conduct is too narrow, considering there are many other ways to incentivize self-regulation. The contractual freedom is a crucial principle for businesses, and it is therefore preferable to promote the exchange of best-practices, standards and industry agreements. The Commission should interfere in commercial and contractual contexts such as proposed in Recital 21 and Article 6.

The deadlines for the introductions of abovementioned Codes of Conduct, as proposed in Article 6.2 and 6.3, are too narrow and their purpose questionable. The impact assessment does not show evidence of market failure or any other sign that mandatory codes of conduct would strengthen the market.

In conclusion

The movement of data deserves to be a fifth freedom in a European Digital Single Market. The proposed regulation has the potential of guaranteeing the free flow of data, key in the process towards European leadership of the global digital economy. Europe can no longer afford to keep the Digital Single Market held back by protectionism and fragmentation.

Written byCarolina BrånbyGöran Norén
Contact our EU Office

Address

Rue du Luxembourg 3
BE-1000 Bruxelles
Subscribe to our Swedish newsletter
Contact our EU Office

Address

Rue du Luxembourg 3
BE-1000 Bruxelles
Subscribe to our Swedish newsletter
Contact our EU Office

Address

Rue du Luxembourg 3
BE-1000 Bruxelles
Subscribe to our Swedish newsletter
Contact our EU Office

Address

Rue du Luxembourg 3
BE-1000 Bruxelles
Subscribe to our Swedish newsletter
Publisher and editor-in-chief Anna Dalqvist