Non-personal data constitute, together with personal data, an important tool for the development of the digital economy within the Digital Single Market.
Even though the definition of “non-personal data” is derived by way of contrariwise reasoning to that of “personal data”, it is nevertheless an important means by which to foster the free flow of data within an economy increasingly characterised by digitalisation.
In order to identify non-personal data, they can be qualified according to their origin:
- anonymous ex-ante data: data that do not originally relate to an identified or identifiable natural person;
- ex-post anonymised data: data that were initially personal and were subsequently rendered non-personal through a process of anonymisation.
Artificial intelligence, mega data analysis, data generated within the framework of business processes, and precision agriculture data are just a few examples of non-personal data sources.
In recent years, thanks to technological development, companies, and public administrations have no longer only been in contact with the world of personal data but have also begun to interface with the collection and use of non-personal data, thus necessitating regulation of the matter.
The European Union has responded to this need by drafting Regulation (EU) 2018/1807 “on the framework applicable to the free movement of non-personal data in the European Union”.
This Regulation, the application of which will already start on 28 May 2019, is essential and has two main objectives: on the one hand, to ensure that non-personal data can be freely processed throughout the EU, and on the other hand, to prohibit restrictions on the movement of non-personal data on where data can be stored or elaborate.
Within the Regulation on non-personal data, three cornerstones can also be easily identified:
1. The principle of free movement of data within the European Union
Article 4 of the Regulation states that data localisation obligations are prohibited unless justified on grounds of public security and in full compliance with the principle of proportionality.
The article then set a “deadline” of 30 May 2021 for the following activities:
- On the one hand, Member States were to repeal any existing data localisation obligations established by national laws, regulations, or administrative provisions that do not comply with the general principle of free movement of data;
- On the other hand, the Member States that believed that measures containing data localisation obligations existed, were requested to communicate them to the European Commission in order to justify any requests to maintain them, provided that this is done under the principle of proportionality or for reasons of public security.
2. The principle of data availability for the competent authorities
Article 5 of the Regulation provides for the generic principle of “making data available to the competent authorities”, which will be able to exercise the right of access to data regardless of where they are stored or processed within the European Union.
Member states may also impose sanctions where there is a breach of an obligation to provide data under national and European law.
3. The implementation of codes of conduct
The European Commission, through Article 6, encourages and facilitates the drafting of self-regulatory codes:
- facilitation of change of service provider and portability of data in a structured format;
- minimum information requirements, which are necessary before the conclusion of a data processing contract;
- approaches to certification systems, quality management, information security, business continuity, and environmental management;
- communication roadmaps aimed at raising stakeholder awareness of Codes of conduct.
What are the prospects for non-personal data?
It is the Non-Personal Data Regulation itself that Article 8 sets the deadline of 29 November 2022 by which the European Commission must submit a report to the Parliament, the Council, and the European Economic and Social Committee on the proper implementation of the Regulation, and on the following issues:
- the application of the Regulation to mixed data sets, composed of personal and non-personal data;
- the implementation by the Member States of the principle of free flow of data;
- the development and effective implementation of self-regulatory codes by the Member States.
All that remains for us to do, therefore, is to wait and see whether market developments, the data economy, and increasing data processing requirements on a contractual level will prompt the European Commission to make changes to Regulation (EU) 2018/1807.