The European regulation on the "Free Flow of Data

On November 28, 2018, Regulation 2018/1807 of November 14, 2018, establishing a framework applicable to the free flow of non-personal data in the European Union, commonly known as the Free Flow of Data Regulation, was published in the Official Journal of the European Union.

Purpose and scope of application

The purpose of this regulation is to ensure the free flow of data other than personal data within the Union, by establishing rules regarding data location requirements, data availability for competent authorities and data porting for business users.

This Regulation will apply to natural or legal persons who provide data processing services to users residing or having an establishment in the Union, including those who provide services in the Union without having an establishment there. It will therefore not apply to data processing services that take place outside the Union or to the location requirements for such data.

Key points

This text lays down an essential principle, which is that data localization requirements are prohibited, unless they are justified on grounds of public security in accordance with the principle of proportionality. A data localization requirement is any obligation, prohibition, condition, limitation or other requirement laid down by law, regulation or administrative provision of a Member State or resulting from general and consistent administrative practice in a Member State and bodies governed by public law, in particular in the field of public procurement.

The free flow of data in the Union will play an important role in data-driven growth and innovation.
In the case of a data set consisting of both personal and non-personal data, this Regulation applies to the non-personal data in the set. Where personal data and non-personal data in a set are inextricably linked, this Regulation is without prejudice to the application of the GDPR.

Member States will have an obligation of transparency. They will be obliged to publish details of all data location requirements, established in a general legislative, regulatory or administrative provision and applicable in their territory, through a single national online information point which they will maintain, or provide updated details of such location requirements to a central information point established under another Union act.

Member States will provide the European Commission with the address of their single point of contact. The Commission will publish on its website the links to these information points, as well as a regularly updated consolidated list of all data localization requirements, with a summary of information on these requirements.

Upcoming deadlines

The regulation will apply six months after the date of publication, which is May 27, 2019.

And no later than May 29, 2019, the European Commission will publish guidelines on the interaction between this Regulation and the GDPR, particularly with respect to data sets consisting of both personal and non-personal data.