As of May 29, 2019, the European Commission has published guidelines largely devoted to the interaction between the Free Flow of Data regulation and the GDPR, particularly with respect to "mixed" data sets, i.e., composed of personal and non-personal data.

This text should increase the flow of data between member states, promote the development of emerging technologies such as artificial intelligence, increase competition, and create jobs. It constitutes the fifth pillar of the European Union (EU), after the free movement of goods, persons, services and capital.

As mentioned in my January 18, 2018 article, the European Commission was required to publish guidelines** by May 29, 2019, which it did on the last day of the deadline. These guidelines largely address the interaction between this Regulation and the GDPR***, particularly with respect to data sets consisting of both personal and non-personal data, so-called "mixed data." The principle of free movement of both types of data is affirmed in both regulations.

 

Mixed data

With respect to such mixed data, the Free Flow of Data Regulation provides that it applies to the non-personal data set. The guidelines state that where personal and non-personal data are inextricably linked, this regulation is without prejudice to the application of the GDPR. In other words, the data protection rights and obligations of the GDPR apply to the entire mixed data set, even when personal data is only a small part of the data set. This principle, which is in line with the Charter of Fundamental Rights of the European Union, aims to avoid a decrease in the value of the data set, to provide legal certainty to individuals and businesses. This principle is essential for the data economy.

 

Prohibition of data localization requirements

One of the central points of the regulation is that it prohibits a state from imposing the storage and processing of data on its territory or another EU territory. The issue of free flow of data and the removal of data localization requirements is another point raised by the Commission's guidelines. The regulation states that "data localization requirements are prohibited unless they are justified on grounds of public security in accordance with the principle of proportionality.

Thus, a Member State wishing to maintain a data location on its territory will have to publish the details of the data location through a single national online information point, with up-to-date information. The Commission will soon publish the links to these information points on the Your Europe portal.

 

Other points discussed

The guidelines also encourage adherence to codes of conduct regarding the protection of personal data, data porting, which may be subject to certification, as well as the security of cross-border data processing, mainly operated by cloud services.

 

Evaluation of the implementation of the regulation.

The Commission will evaluate the implementation of the Regulation by 29 November 2019. This evaluation will cover the impact on the free flow of data in Europe, the application of the regulation, in particular to mixed datasets on the effective implementation of the repeal of existing restrictive measures on data localization and the effectiveness of the codes of conduct on data porting and switching cloud providers.

 

Conclusion

These guidelines underline the importance attached by the European Commission to legal certainty and trust in data processing, so that the EU can fully exploit the data, with subsequent value chain creation. The Free Flow of Data Regulation and the RGPD lay the foundations for the free flow of data within the EU, with the aim of fostering the competitiveness of data within the digital single market.

CNIL European Commission compliance compliance mixed data free flow of data data localization