The European Commission will propose legislation later this year to get rid of national restrictions that prevent data from moving between EU countries, following calls from more than a dozen member states to crack down.
Andrus Ansip, the EU’s technology policy chief, has been pushing for legislation guaranteeing the “free flow of data” for months. In January, he published a non-binding communication paper outlining some of the Commission’s concerns but legal advisers were not convinced there should be a new law outlining how companies can move data across the bloc.
Now Ansip has secured a victory and promised to propose legislation by autumn, he announced today (10 May) as part of a review of the Commission’s two-year-old digital single market initiative.
The decision to introduce legislation will go over well with many EU member states and a range of tech companies that want the Commission to intervene and strike down national restrictions on non-personal data—or data that cannot be traced to a specific person, which is protected by tougher EU privacy laws.
Germany and France have opposed new rules on data flows, but Germany recently warmed up to the plans for legislation.
One Commission official said that the EU executive did new research since its plans were softened in January. Data restrictions and requirements to store data in only one member state is a “growing problem, internationally and in the EU,” the source said.
A new EU law would “help member states” and give companies firm legal ground so they know where they can store data.
Some officials said that could encourage companies to open data storage centres in member states where they don’t have them already—if national laws requiring some data to be stored locally are struck down. One official said there are around 50 data localisation restrictions in national laws around the EU.
A Polish diplomat said “we have been waiting for this long enough. New barriers are on the rise. We should tackle them in a comprehensive way – the key is how, not where, we store our data in the EU.”
Poland was one of 15 EU countries that wrote a letter to Commission President Jean-Claude Juncker last week asking for legislation to get rid of so-called data localisation requirements.
The Commission wants its new legislation to get rid of those restrictions, except in cases when member states’ laws require data to be stored in one country for national security reasons.
Officials involved in planning the new legislation argue it is needed because companies increasingly rely on data analysis as a major source of their revenue. Data can make up 4% of the EU’s GDP by 2020, or €739 billion, according to Commission figures.
IBM said in a statement today that the Commission needs to come out with a “strong, unambiguous proposal that will outlaw unnecessary data localisation”.
Another industry source suggested that the new legislation would be more symbolic as a message to countries outside the EU like China that have legal restrictions on how non-personal data can cross borders. But rules applying only to data flows within the EU would likely not create big commercial gains for companies, the source said.
The Commission closed a public consultation on the free flow of data two weeks ago but has not yet published a summary of the results.
Commission officials suggested that the legislation could force some member states to change their national laws.
“The Commission could also initiate infringement procedures if it finds evidence that current rules on the free movement of services are not properly implemented,” a new document from the EU executive on the digital single market review reads.
Some officials suggested that could have an effect on Germany’s controversial draft law, which would force social media platforms to remove posts including hate speech or face steep fines of up to €50 million. The bill also includes two restrictions requiring data to be stored in Germany.
The Commission is required to either wave through or ask Germany to respond to its concerns about the draft bill by next month. But Commission sources said they could still take Germany to court after the law is passed, potentially on the basis of a new EU data flow law or if legal analysts determine it violates EU platform liability rules or laws protecting fundamental rights.
Ansip told reporters today that he would not yet comment on the German bill. But he said that other EU countries are considering new legislation affecting hate speech on online platforms.
“We have to take this common EU-wide approach when we are talking about the notice and action principle, about hate speech,” he said, referring to EU rules affecting how internet companies respond to notifications about hate speech and remove the content.
Separately from the data flow legislation, the Commission also announced today that it will introduce an initiative in spring 2018 to encourage public authorities to share data, including from public transport systems.
The Commission is also analysing whether it will create new rules on liability for products using a lot of data and on companies’ abilities to access commercial data. That has sparked concerns in the car industry over how it will affect vehicles that produce an increasing amount of data and use internet functions. The Commission is expected to announce next year whether it will take further action.