EU Regulatory Data Protection: International data transfer rules for non-personal data
Global flows of personal data have been a source of geopolitical concern for many years now. The Court of Justice of the European Union's “Schrems II” judgement has revived the debate and organisations around the world now have to map personal data flows and conduct transfer impact assessments, while patiently awaiting the developments around the upcoming EU-US Data Privacy Framework.
Until now, these compliance challenges were essentially limited to personal data processing, so some organisations and sectors had more to do than others. Several legislative initiatives deriving from the EU Data Strategy, however, contain transfer restrictions for non-personal data that will complement the EU’s already complex personal data transfer framework under the General Data Protection Regulation (GDPR), and that will extend the topic of global data transfers to organisations that have been less affected so far.
The Data Governance Act (DGA), the proposed Data Act and the proposed Regulation on the European Health Data Space (EHDS) provide the first comprehensive set of rules aimed at protecting EU corporations and the public sector against intellectual property theft and industrial espionage, and at safeguarding public interest considerations.
These new rules aim at ensuring that “protected” non-personal data is not transferred to countries outside the European Economic Area (EEA) without sufficient protection of intellectual property rights, trade secrets, confidentiality, and other EU interests.
In this article, we look at the upcoming data transfer restrictions for non-personal data that will apply to companies and public bodies that fall under the scope of these EU data initiatives.
Transfers or governmental access stemming from third-country (conflicting) laws
Both the Data Act and the DGA contain transfer restrictions to protect non-personal data in the EU from direct transfers or governmental access stemming from third-country legal frameworks containing transfer or access obligations. The EHDS also contains similar provisions for non-personal electronic health data.
These restrictions include the following.
Firstly, there is a general obligation to take all reasonable technical, legal and organisational measures to prevent international “transfer” or “governmental access” to non-personal data held in the EU where the transfer or governmental access would create “a conflict” with EU law or the relevant national law providing protection for data. The DGA’s recitals clarify that an EU or national law obligation to protect the data may stem from:
- fundamental right protection (eg right to security and effective remedy)
- protection of fundamental national security or defence interests of a Member State
- protection of commercially sensitive data (eg trade secrets)
- intellectual property rights
- contractual confidentiality obligations in accordance with such laws
Secondly, there are specific obligations relating to third-country access requests. A transfer of or access to non-personal data within the scope of the DGA or the Data Act based on a third-country decision or judgement (of a tribunal, court or administrative authority) is only allowed in two scenarios, which the addressee of the request must verify before complying. The transfer of or access to non-personal data is in these cases only allowed:
- based on an international agreement (such as a mutual legal assistance treaty, MLAT) in force between the requesting third country and the EU or a Member State: only in such cases can the third-country decision or judgement be “recognised or enforceable” in any manner; or
- in the absence of such an agreement, if the third country’s legal system complies with certain requirements, in cases where the addressee would put itself in conflict with EU or national law by complying with the third-country decision or judgement. The third-country system must set specific “quality conditions” for the decision or judgement (it must be expressly reasoned and sufficiently specific). The system must also provide for judicial review of the addressee’s reasoned objection and empower the issuing (or reviewing) court or tribunal to duly take into account the legal interests of the data provider under EU and Member State law.
In both scenarios, a data minimisation obligation applies to the addressee when complying with the request: it may only provide the minimum amount of data permissible in response. Unless the request serves law enforcement purposes (and then only for as long as necessary to preserve the effectiveness of the law enforcement activity), the addressee must inform the data holder of the third-country access request before complying with it.
Under the DGA, this obligation is applicable to public sector bodies, re-users (under Chapter II), data intermediation services providers and recognised data altruism organisations. The Data Act proposal would impose these obligations on “providers of data processing services,” including cloud and edge services. Under the EHDS, digital health authorities, health data access bodies and data users (and for the general obligation, also the authorised participants) would be subject to these transfer obligations.
The transfer grounds set out above resemble those under the GDPR, particularly Article 48, which has raised interpretation issues since its adoption, notably regarding the relationship between Article 48 and the derogations set out in Article 49. More specifically, the GDPR seems to allow another transfer ground to be relied upon in the absence of a relevant international agreement (as Article 48 is “without prejudice to other grounds for transfer” pursuant to Chapter V). But it has been questioned, for example by the EDPB and EDPS in their Joint Response on the US Cloud Act, whether any of the GDPR’s transfer grounds can in practice be relied on for direct requests from third-country governments.
Under the DGA and the Data Act proposal, the EU legislator seems to have resolved this issue by providing an alternative transfer ground (the second scenario above) for cases where the third-country access request is not based on an international agreement. This alternative transfer ground, however, requires the addressee to assess the third country’s legal system, much like the transfer impact assessments required for personal data transfers under the GDPR.
While the European Commission initially proposed a system of “rulings” allowing companies, upon receiving a government request, to ask the competent authorities for an opinion on the third country’s legal framework, the negotiations on the DGA ultimately resulted in an “accountability-driven” self-assessment approach.
In the Data Act proposal, both the Council’s and the European Parliament’s March 2023 positions still contained the option to ask for an opinion (and the Council even made this an obligation where the request may impinge on national security and defence interests), though views differed on which authority should be competent to issue the opinion.
With the adoption of the Data Act approaching, it remains to be seen to what extent the European Commission’s attempt to shift the compliance burden in relation to non-personal data transfers to the authorities rather than to EU companies will survive the negotiations between the EU institutions.
Specific safeguards for transfers of non-personal Protected Data held by public sector bodies
The DGA sets out the conditions under which public sector bodies may make available, for commercial and non-commercial re-use upon request of third parties, data protected by intellectual property rights, trade secrets or confidentiality as well as certain personal data falling outside the scope of the Open Data Directive (“Protected Data”).
Where a re-user intends to transfer non-personal Protected Data to a third country, the DGA also obliges it to notify the public sector body of that intention at the time it requests re-use.
In such case, public sector bodies may only make the non-personal data available for re-use if either:
- the destination country has been declared “adequate” by the European Commission: If justified by a substantial number of requests for a destination country, the Commission may adopt GDPR-like adequacy decisions if the “legal, supervisory and enforcement arrangements” of that third country ensure “essentially equivalent protection” for intellectual property and trade secrets compared to the EU. As under the GDPR, the Commission must also assess enforcement practice and the effectiveness of judicial redress options.
- contractual commitments have been obtained from the re-user: The re-user must agree to comply with intellectual property rights, not to disclose confidential data without the consent of the data subject (or the “permission” of the data holder, for legal persons), and to accept the jurisdiction of the courts and tribunals of the Member State of the public sector body for related disputes.
Re-users may only onward-transfer the data received to third countries for which these transfer requirements are met. The Commission has also been granted the power to adopt, in addition to the model clauses under the GDPR, a separate set of model contractual clauses for the transfer of non-personal data by re-users to a third country.
Specific data transfer regimes for ‘highly sensitive’ non-personal Protected Data held by public sector bodies
Aside from the requirements set out above, the DGA also puts in place a framework to establish specific data transfer regimes for “highly sensitive” non-personal data held by public sector bodies.
Where a transfer of certain categories of non-personal data would “put at risk public policy objectives” or “may lead to the risk of re-identification of anonymised data,” specific EU legislation may qualify those data categories as “highly sensitive,” in which case the Commission has been granted the powers to adopt delegated acts establishing a specific data transfer regime for transfers of such categories of data.
The Commission could decide to impose, for example, certain technical measures (eg the use of specific anonymisation or aggregation techniques), limitations on access to the data in third countries or, “in exceptional circumstances,” even data localisation obligations to protect the public interest.
An example of such designation as “highly sensitive” can be found in the proposed EHDS for some categories of non-personal electronic health data.
Transparency
Finally, the Council’s March 2023 position on the Data Act also includes contractual transparency obligations on international access and transfer for providers of data processing services.
The Council in essence requires providers to publish certain information on their website (eg jurisdiction to which IT infrastructure is subject, description of relevant technical and organisational measures) and reference the website in the contractual agreements.
Conclusion
The EU’s increased focus on how non-personal data is protected in foreign countries might increase pressure on certain countries to improve that protection, and might also incentivise the development of new services in the EEA, ultimately benefitting European companies. It is also worth noting that these obligations have a different foundation than the GDPR’s data transfer framework: they mainly protect the interests of the corporations and public bodies that share non-personal data under these new EU regulations, in order to enhance trust in such sharing.
It remains to be seen whether these data transfer restrictions will succeed in facilitating non-personal data sharing. Especially in a context where certain transatlantic personal data transfers have been challenged under the GDPR, it is striking that the EU legislator has introduced similar obligations that partly build on the GDPR and are still surrounded by a substantial amount of legal uncertainty.
At this point, many criteria set out by these new provisions are still unclear, and the assessments organisations must make, at least under the DGA and the EHDS, are far from straightforward: for example, whether a transfer creates “a conflict” with EU law, or whether the third country’s legal system complies with the transfer conditions.
Other practical concerns may arise where a dataset contains both personal and non-personal data, or where the distinction is difficult to draw from a legal or technical perspective.
One might also wonder why the protection of trade secrets and intellectual property rights in a foreign country is determinative for whether a transfer may proceed only in relation to non-personal data, when personal data can benefit from the same protection.
The Data Act is still under intensive negotiation, in particular, regarding the protection of non-personal data when transferred outside the EEA.