Removing obstacles to the free movement of non-personal data within the EU for companies and public authorities is the key aim of a draft law approved by the Internal Market Committee. 

The proposed rules would prevent any EU member state from imposing territorial restrictions or prohibitions on the storage or any other processing of non-personal data anywhere within the EU. 

Data localisation restrictions that hamper data mobility, either directly or indirectly, take different forms in various sectors. They include, for example, supervisory authorities advising financial service providers to store their data locally, professional secrecy rules that entail local data storage or processing (e.g. on anonymised health research data), or broad regulations that require local storage of information generated by the public sector, including public procurement. 

Public security exception 

This draft EU law would prohibit national rules requiring that data be stored or processed in a specific member state. MEPs kept exceptions to a minimum by clarifying that any restrictions on the location of data would only be allowed “on an exceptional basis”, where  justified on “imperative grounds of public security”. 

Any remaining or future data localisation requirements would have to be communicated to the EU Commission and published online, in order to ensure transparency. 

Access to and porting of data 

The draft law ensures that competent authorities will have access to data stored or processed in another member state for regulatory control purposes, such as for inspection and audit, in order to be able to perform their tasks. 

It also encourages the creation of codes of conduct to make it easier for professional users to switch cloud-service providers and transfer data back to their own IT systems. These codes of conduct should make clear that “vendor lock-in” (obstacles to the movement of data across IT systems) “is not an acceptable business practice”, say MEPs.   

Mixed data sets 

In the case of mixed (non-personal and personal) data sets, this regulation would apply to the non-personal data part of the set, MEPs clarify. The personal data would be subject to the new EU data protection rules (General Data Protection Regulation), applicable since 25 May 2018.  Where personal and non-personal data in a mixed data set are inextricably linked, this regulation would apply “without prejudice to Regulation (EU) 2016/679” (GDPR), stipulate MEPs. The two regulations would thus complement each other.