Explanatory Memorandum to COM(2017)495 - Framework for the free flow of non-personal data in the EU

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

New digital technologies, such as cloud computing, big data, artificial intelligence and the Internet of Things (IoT) are designed to maximise efficiency, enable economies of scale and develop new services. They offer benefits to users, such as agility, productivity, speed of deployment and autonomy, e.g. through machine learning 1 .

As indicated in the 2017 Communication 'Building a European Data Economy' 2 , the value of the EU data market was estimated in 2016 at almost EUR 60 billion, showing a growth of 9.5% compared to 2015. According to a study, the EU data market could potentially amount to more than EUR 106 billion in 2020 3 .

1.

To unlock this potential, the proposal aims to address the following issues:


·Improving the mobility of non-personal data across borders in the single market, which is limited today in many Member States by localisation restrictions or legal uncertainty in the market;

·Ensuring that the powers of competent authorities to request and receive access to data for regulatory control purposes, such as for inspection and audit, remain unaffected; and

·Making it easier for professional users of data storage or other processing services to switch service providers and to port data, while not creating an excessive burden on service providers or distorting the market.

The Mid-Term Review on the implementation of the Digital Single Market Strategy (DSM Strategy) 4 announced a legislative proposal on a EU free flow of data cooperation framework.

The general policy objective of the initiative is to achieve a more competitive and integrated internal market for data storage and other processing services and activities by addressing the above areas. In this proposal, data storage and other processing is used in a broad sense, encompassing the usage of all types of IT systems, whether located on the premises of the user or outsourced to a data storage or other processing service provider 5 .

Consistency with existing policy provisions in the policy area

The proposal pursues the objectives set out in the DSM Strategy 6 , its recent mid-term review, as well as the Political Guidelines for the current European Commission 'A New Start for Europe: My Agenda for Jobs, Growth, Fairness and Democratic Change' 7 .

This proposal focuses on provision of data hosting (storage) and other processing services, and is coherent with existing legal instruments. The initiative pursues the creation of an effective EU single market for such services. It is thus consistent with the E-commerce Directive 8 which aims at a comprehensive and effective EU single market for the broader categories of information society services, and with the Services Directive 9 which furthers the deepening of the EU single market for services in a number of sectors.

A number of relevant sectors are expressly excluded from the ambit of application of such legislation (i.e. E-commerce and Services Directives), so that only the general provisions of the Treaty would be applicable to the totality of data hosting (storage) and other processing services. However, the existing barriers to these services cannot be effectively removed solely by relying on direct application of Articles 49 and 56 of the Treaty on the Functioning of the European Union (TFEU), since, on the one hand, addressing them on a case-by-case basis through infringement procedures against the Member States concerned would be extremely complicated for national and Union institutions, and, on the other hand, the lifting of many barriers requires specific rules tackling not only public but also private barriers and calls for the setting up of administrative cooperation. Moreover, the ensuing enhancement of legal certainty seems to be particularly important for users of new technologies 10 .

Since this proposal concerns electronic data other than personal data, it does not affect the Union data protection legal framework, in particular Regulation 2016/679 (GDPR) 11 , Directive 2016/680 (Police Directive) 12 and Directive 2002/58/EC (ePrivacy Directive) 13 , which ensure a high level of protection for personal data and the free movement of personal data within the Union. Together with that legal framework, the proposal aims to put in place a comprehensive and coherent EU framework enabling free movement of data in the single market.

The proposal will require the notification of draft measures on data localisation under the Transparency Directive 2015/1535 14 for enabling the assessment whether such localisation restrictions are justified.

Regarding cooperation and mutual assistance between competent authorities, the proposal foresees that all such mechanisms should apply. Where no cooperation mechanisms exist, the proposal introduces measures aimed at enabling competent authorities to exchange and access data stored or otherwise processed in other Member States.

Consistency with other Union policies

In light of the DSM, this initiative intends to reduce barriers to a competitive data-driven economy in Europe. In line with the DSM mid-term Review Communication, the Commission is exploring separately the issues of accessibility and re-use of public and publicly funded data and privately held data which are of public interest and liability in cases of damage caused by data-intensive products 15 .

The policy intervention also builds upon the Digitising European Industry (DEI) policy package that included the European Cloud initiative 16 aiming to deploy a high capacity cloud solution for storing, sharing and re-using scientific data. Furthermore, the initiative builds upon the revision of the European Interoperability Framework 17 , which aims to improve digital collaboration between public administrations in Europe and will benefit directly from the free flow of data. It contributes to the EU's commitment to an open Internet 18 .

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

This proposal falls within the area of shared competence in accordance with Article 4(2)(a) TFEU. It aims to achieve a more competitive and integrated internal market for data storage and other processing services by ensuring the free movement of data within the Union. It lays down rules relating to data localisation requirements, the availability of data to competent authorities and data porting for professional users. The proposal is based on Article 114 TFEU which is the general legal basis for the adoption of such rules.

Subsidiarity

The proposal complies with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). The objective of this proposal to ensure the smooth functioning of the internal market for the abovementioned services which is not limited to the territory of one Member State and the free movement of non-personal data within the Union cannot be achieved by the Member States at national level, as the core problem is cross-border data mobility.

Member States are able to reduce the number and range of their own data location restrictions, but are likely to do so to different extents, and under different conditions, or not at all.

However, divergent approaches would lead to multiplication of regulatory requirements across the EU single market, and tangible additional costs for enterprises, especially small and medium-sized enterprises (SMEs).

Proportionality

The proposal complies with the principle of proportionality as set out in Article 5 TEU, as it consists of an effective framework that does not go beyond what is necessary to solve the identified problems and is proportionate to achieve its objectives.

In order to remove obstacles to the free flow of non-personal data within the Union limited by localisation requirements and enhance trust in cross-border data flows as well as data storage and other processing services, the proposal will rely to a high degree on existing EU instruments and frameworks: the Transparency Directive for notifications of draft measures on data localisation requirements, different frameworks ensuring data availability for regulatory control by Member States. It is only in the absence of other cooperation mechanisms, and when other means of access have been exhausted, that the cooperation mechanism of the proposal will be used to address issues of data availability for national competent authorities.

The proposed approach to movement of data across Member States' borders and across service providers / in-house IT systems seeks a balance between EU regulation and public security interests of Member States as well as a balance between EU regulation and self-regulation by the market.

Specifically, in order to alleviate the difficulties of professional users to switch service providers and port data, the initiative encourages self-regulation by codes of conduct on information to be provided to users of data storage or other processing services. Also, the modalities of switching and porting should be addressed through self-regulation to define best practices.

The proposal recalls that security requirements imposed by national and Union law should also be ensured when natural or legal persons outsource their data storage or other processing services, including in another Member State. It also recalls the implementing powers conferred upon the Commission by the Network and Information Security Directive in order to address security requirements which also contribute to the functioning of this Regulation. Finally, even though the proposal would necessitate action on the part of the public authorities of the Member States due to the notification / review requirements, the transparency requirements and the administrative cooperation, the proposal is designed to minimise such action to the most important cooperation needs and hence avoid unnecessary administrative burden.

By establishing a clear framework accompanied by cooperation between and with Member States, as well as by self-regulation, this proposal aims to enhance legal certainty and increase trust levels, while staying relevant and effective in the long term because of the flexibility of the cooperation framework, based on the single points of contact in Member States.

The Commission intends to set up an expert group to advise it on matters covered by this Regulation.

Choice of the instrument

The Commission puts forward a proposal for a Regulation which can ensure that uniform rules for the free flow of non-personal data are applicable throughout the Union at the same time. This is particularly important to remove existing restrictions and prevent new ones to be enacted by Member States, to guarantee the legal certainty to the concerned service providers and users and thereby increase trust in cross-border data flows as well as data storage and other processing services.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Stakeholder consultations

During a first round of evidence gathering, a public consultation on the regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy was carried out in 2015. Two thirds of respondents – with an even distribution across all stakeholder groups, including SMEs – found that restrictions on the localisation of data have affected their business strategy. 19 Other information gathering activities consisted of meetings and events, targeted workshops with key stakeholders (e.g. the Cloud Select Industry Group) and dedicated workshops in the context of studies.

A second round of evidence gathering, from end 2016 until the second half of 2017, included a public consultation launched in the context of the Communication Building a European Data Economy on 10 January 2017. According to responses to the public consultation, 61.9% of stakeholders believed that data localisation restrictions should be removed. A majority of participating stakeholders (55.3% of respondents) believe that legislative action is the most appropriate instrument to tackle unjustified localisation restrictions, with a number of them calling explicitly for a Regulation 20 . IT service providers of all sizes, established both within and outside the EU, show the highest support for regulatory action. Stakeholders also identified negative impacts of data localisation restrictions. Next to increased costs for business, these are on the provision of a service to private or public entities (69.6% of all participating stakeholders responding identified this impact as high) or the ability to enter a new market (73.9% of responding stakeholders identified this impact as high). Stakeholders from all different backgrounds respond to these questions in similar percentages. The public online consultation also showed that the problem with switching providers is widespread, as 56.8% of SME respondents indicated that they experienced difficulties when intending to switch.

The structured dialogue meetings with Member States facilitated a common understanding of the challenges. 16 Member States have explicitly called for a legislative proposal in a letter addressed to President Tusk.

The proposal takes on board a number of concerns signalled by Member States and industry, in particular, the need for a cross-cutting free movement of data principle providing for legal certainty; making progress on data availability for regulatory purposes; making it easier for professional users to switch data storage or other processing service providers and port data by encouraging more transparency on the applicable procedures and conditions in contracts, but not imposing specific standards or obligations on service providers at this stage.

Collection and use of expertise

Legal and economic studies have been relied on for various aspects of data mobility, including data localisation requirements 21 , switching providers / data porting 22 and data security 23 . Further studies have been commissioned on the impacts of cloud computing 24 and cloud uptake 25 , as well as on the European data market 26 . Studies have also been carried out examining co- or self-regulatory actions in the cloud computing sector 27 . The Commission also relied on additional external sources, including market reviews and statistics (e.g. Eurostat).

Impact assessment

An impact assessment was carried out for this proposal. The following set of options was considered in the impact assessment: a baseline scenario (no policy intervention) and three policy options. Option 1 consisted of guidelines and/or self-regulation to address the different identified problems and entailed strengthening of enforcement vis-à-vis different categories of unjustified or disproportionate data localisation restrictions imposed by Member States. Option 2 would lay down legal principles concerning the different identified problems and would envisage the designation by Member States of single points of contact and creation of an expert group, to discuss common approaches and practices, and provide guidance on, the principles introduced under the option. A Sub-option 2a was also considered to allow for the assessment of a combination of legislation establishing the free flow of data framework and the single points of contact and an expert group as well as self-regulatory measures addressing data porting. Option 3 consisted of a detailed legislative initiative, to establish, inter alia, pre-defined (harmonised) assessments of what constitutes (un)justified and (dis)proportionate data localisation restrictions and a new data porting right.

On 28 September 2016, the Regulatory Scrutiny Board delivered its first opinion on the Impact Assessment and asked for its resubmission. This was subsequently revised and resubmitted to the Regulatory Scrutiny Board on 11 August 2017. In its second opinion, the Regulatory Scrutiny Board noted the widening of the scope, following the Commission Communication (2017)9 on Building a European Data Economy, as well as the additional material on stakeholder views and on the shortcomings of the current framework. The Board, however, issued a second negative opinion on 25 August 2017, noting in particular lacking evidence in support of a new right to cloud services portability. In line with its operational practices, the Board considered its opinion as final.

The Commission considered it opportune to table a proposal while further improving its impact assessment analysis to take due account of the comments expressed by the Regulatory Scrutiny Board in its second opinion. The scope of the proposal is limited to the free flow of non-personal data in the European Union. In line with the Board's finding that the evidence seems to point towards a less stringent option as regards data porting, the preferred option initially put forward in the Impact Assessment to have an obligation for providers to facilitate the switching or porting of users' data has been abandoned. Instead, the Commission retained a less burdensome option, consisting in self-regulatory measures facilitated by the Commission. The proposal is proportionate and less stringent as it does not create a new right of porting between data storage or other processing service providers but relies on self-regulation for transparency on the technical and operational conditions relating to portability.

The proposal has also taken account of the Board's opinion in order to ensure that there is no overlap or duplication with the review of the mandate of the European Union Agency for Network and Information Security (ENISA) and the creation of a European ICT cybersecurity framework.

The impact assessment showed that the preferred option, sub-option 2a, would ensure the effective removal of existing unjustified localisation restrictions and would effectively prevent the future ones, as a result of a clear legal principle combined with the review, notification and transparency, while at the same time enhancing legal certainty and trust in the market. The burden on Member States' public authorities would be modest, leading to approximately EUR 33.000 annually in terms of human resources cost to sustain the single points of contact as well as a yearly cost of between EUR 385 and EUR 1925 for the preparation of notifications.

The proposal will have a positive effect on competition as it will stimulate innovation in data storage or other processing services, attract more users to them and make it considerably easier, particularly for new and small service providers, to enter new markets. The proposal will also promote cross-border and cross-sector use of data storage or other processing services and the development of the data market. Therefore, the proposal will help transform the society and economy and open up new opportunities for European citizens, businesses and public administrations.

Regulatory fitness and simplification

The proposal applies to citizens, national administrations and to all enterprises, including micro-enterprises and SMEs. All enterprises can benefit from the provisions addressing obstacles to data mobility. In particular, SMEs will benefit from the proposal, as free movement of non-personal data will directly reduce their costs and favour a more competitive market position. Exempting SMEs from the rules would undermine their effectiveness, as SMEs represent an important part of the providers of data storage or other processing and drivers of innovation in those markets. Since, in addition, costs resulting from the rules are not likely to be substantial, micro-enterprises or SMEs should not be excluded from their scope of application.

Fundamental rights

The proposed Regulation respects fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union. The proposed Regulation should positively impact on the freedom to conduct a business (Article 16) as it would contribute to eliminating and preventing unjustified or disproportionate barriers to the use and provision of data services, such as cloud services, as well as configuration of in-house IT systems.

4. BUDGETARY IMPLICATIONS

A moderate administrative burden for Member States' public authorities will emerge, caused by the allocation of human resources for the cooperation between Member States through the single points of contact, and for complying with the notification, review and transparency provisions.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

A comprehensive evaluation will take place five years after the start of application of the rules with a view to assessing their effectiveness and proportionality. This evaluation will be conducted in line with the Better Regulation Guidelines.

It will notably need to examine whether the Regulation contributed to reducing the number and range of data localisation restrictions and to enhancing legal certainty and transparency of remaining (justified and proportionate) requirements. The evaluation will also have to assess whether the policy initiative has contributed to improving the trust in free flow of non-personal data, whether the Member States can reasonably have access to data stored abroad for regulatory control purposes and whether the Regulation has led to the improvement of transparency on conditions for data porting.

It is planned that the single points of contact of the Member States should serve as a valuable source of information during the ex-post evaluation phase of the legislation.

Specific indicators (as proposed in the impact assessment) would serve to measure progress in those areas. It is also planned to use Eurostat data and the Digital Economy and Society Index. A special edition of Eurobarometer may also be considered for this purpose.

Detailed explanation of the specific provisions of the proposal

Articles 1 to 3 specify the objective of the proposal, the scope of application of the Regulation and the definitions applicable for the purposes of the Regulation.

Article 4 establishes the principle of free movement of non-personal data in the Union. This principle prohibits any data localisation requirement, unless it is justified on grounds of public security. Furthermore, it provides for the review of existing requirements, notification of remaining or new requirements to the Commission and transparency measures.

Article 5 aims to ensure data availability for regulatory control by competent authorities. To this effect, users may not refuse to provide access to data to competent authorities on the basis that data is stored or otherwise processed in another Member State. Where a competent authority has exhausted all applicable means to obtain access to the data, that competent authority may request the assistance of an authority in another Member State, if no specific cooperation mechanism exists.

Article 6 states that the Commission shall encourage service providers and professional users to develop and implement codes of conduct detailing the information on data porting conditions (including technical and operational requirements) that providers should make available to their professional users in a sufficiently detailed, clear and transparent manner before a contract is concluded. The Commission will review the development and effective implementation of such codes within two years after the start of application of this Regulation.

Pursuant to Article 7, each Member State shall designate a single point of contact who shall liaise with the points of contact of other Member States and the Commission regarding the application of this Regulation. Article 7 also provides for procedural conditions applicable to the assistance between competent authorities envisaged under Article 5.

According to Article 8 the Commission shall be assisted by the Free Flow of Data Committee within the meaning of Regulation (EU) No 182/2011.

Article 9 stipulates a review within five years after the start of application of the Regulation.

Article 10 provides that the Regulation will start to apply six months after the day of its publication.