After the final vote of the Council of the European Union earlier in November, the legislative process for the adoption of an EU Regulation on the free flow of non-personal data has finally come to an end.
Regulation (EU) no. 1807/2018 (Non-Personal Data Regulation or NPDR) will enter into force at the end of December 2018 and become directly applicable in the EU within six months after its publication in the Official Journal of the European Union.
This new piece of legislation aims to strengthen the principle of free circulation of non-personal data in the EU for the benefit of businesses and the public alike, with a view to fostering the European data economy and the future Digital Single Market.
In other words, EU institutions are saying that everyone has the right to store and process data wherever they want in the EU, as long as such data is of a non-personal nature and data protection rules are fully respected.
The new NPDR does not affect the current legal framework already established under the General Data Protection Regulation (GDPR) and the ePrivacy Directive. In fact, data protection levels are expected to remain completely unaffected by this new regulation coming into effect, so there will likely be no new regulatory obligations to comply with after the NPDR becomes fully applicable.
Why should non-personal data be regulated? Do we really need a new regulation?
The goal of the NPDR is to advance the EU market for non-personal data and bring down all existing barriers to the free movement of such data across the EU. To do so, legislators deemed it necessary to adopt a specific piece of legislation that could harmonize a generally unregulated sector into a consistent set of rules applicable at an EU level.
In fact, the NPDR was originally designed to set the basis for the promotion of the free flow of non-personal data as a fifth fundamental freedom of the EU, alongside the existing ones concerning the free movement of persons, goods, services and capital.
In particular, the NPDR has two main targets: data localization restrictions put in place by Member States’ authorities and vendor lock-in practices in the private sector. Such targets are expected to be eliminated (or at least largely reduced) thanks to the provisions of the NPDR, with an overall beneficial effect on the public sector and the European economic ecosystem.
For instance, the new rules will ban data localization restrictions imposed at a national level on the storing or processing of non-personal data, unless such restrictions are justified on grounds of public security.
In addition to that, the new regulation will also encourage the development of codes of conduct to make it easier for users of data processing services to switch cloud providers and port their non-personal data to other IT systems.
Which sectors will benefit the most from the NPDR and why?
In the Commission’s view, the NPDR is also designed to boost the data economy and, most importantly, facilitate the spread of new technologies, such as machine automation, the Internet-of-Things (IoT), robotics or Artificial Intelligence (AI), in various sectors and industries.
However, from a general point of view many sectors may benefit from the NPDR: from retail to financial services, from telemetrics to software development, from life sciences to customer care. In this regard, many EU countries are launching their own open data projects in order to facilitate access to non-personal datasets on a wider basis and allow the birth of innovative services and products.
All businesses and institutions need ‘quality data’ for training, research and development. In fact, it is believed that establishing a consistent framework for the free circulation of non-personal data can help the European technology ecosystem to thrive and, possibly, close some gaps with the US one.
In practice, this means that the NPDR may benefit all sectors and industries, irrespective of their actual use of non-personal data. Big data analytics is becoming fundamental for almost all economic activities, so it is essential to take into account the indications of the NPDR before starting a business project.
Will NPDR boost EU’s AI market in the coming years?
As AI slowly enters every corner of our everyday lives, it is difficult to predict whether the NPDR will support the EU’s AI market in the coming years.
However, EU institutions already made clear in their joint communication presenting the European initiative on AI that they will boost the EU’s technological and industrial capacity and AI uptake across the economy, both by the private and public sectors.
This includes investments in research and innovation and, of course, better access to data, both of a personal and non-personal nature. The NPDR is aimed at facilitating such access to data, including for small and medium-size enterprises established in different countries, with a view to both the EU’s initiative and the development of the Digital Single Market.
The objective of the regulation is to create legal certainty for businesses allowing them to process their data anywhere in the EU, while boosting operational efficiency for European businesses with cross-border operations.
In effect, as non-personal data becomes more and more important for the development of AI, so do the related legal issues. Consider, in particular, antitrust issues related to the collection, usage and processing of non-personal data by dominant firms, or the protection of IP rights connected to trade secrets, confidential information or non-personal datasets essential to the performance of a certain service, the manufacturing of a product or other activities.
In addition, privacy concerns may still arise although the scope of the NPDR is different from that of the GDPR. For instance, where non-personal data goes through machine learning or deep learning processing, there is still a slight chance it can be linked to a specific subject thanks to the computational capabilities of AI itself.
All these matters are not addressed in the NPDR and are therefore left to lawyers and businesses to deal with. What is clear though is that AI can benefit from a thriving market of non-personal data, as long as it is balanced with data ethics and compliance with data protection principles.
What are the rules concerning the use of non-personal data in Italy?
The Italian Data Protection Code does not address the collection, usage and processing of non-personal data. In fact, non-personal data is most likely unregulated under Italian law.
Company information is also considered out of the scope of both the Italian Data Protection Code and the GDPR, and therefore falls under the category of non-personal data. However, to a certain extent, it is still subject to ePrivacy rules. In fact, it is not yet clear whether the overlap between GDPR and ePrivacy provisions will influence the notion of non-personal data for the purpose of the NPDR and its application in Italy.
With the exclusion of confidential information and business data, which are subject to a certain degree of protection from both a civil and contract law point of view, the applicable data protection legal framework does not apply to non-personal data, just as the GDPR does not influence the scope of the NPDR.
In conclusion, it could be said that non-personal data in Italy is regulated on an ‘exceptional basis’ and, more generally, is not subject to any particular legal requirement concerning free circulation and localization. Only time will tell us how the new NPDR will affect this scenario.
Originally published by JD Supra