What is non-personal data and should I be worried about transfers of non-personal data?
A new regulation (2018/1807) on the free flow of non-personal data came into force on 28 May, 2019. Not as (in)famous as its big brother the GDPR, the passing of this regulation was largely unnoticed, but it can be equally important for businesses using data analytics in their business models (Internet of Things, artificial intelligence and machine learning, etc.).
What is the aim of the Regulation on non-personal data?
The digitization of our economy is accelerating. Electronic data are at the centre of all modern innovative economic systems and can generate great value when analyzed or combined with services and products (Internet of Things, artificial intelligence and machine learning, etc.).
The effective and efficient functioning of data processing is a fundamental building block in any data value chain. However, two types of obstacles to data mobility hamper the effective and efficient functioning of data processing and the development of the data economy in particular: (i) data localization requirements imposed by Member States; and (ii) contractual vendor lock-in practices in the private sector.
The aim of the new regulation (2018/1807) on the free flow of non-personal data (the "Regulation"), which entered into force on 28 May, 2019, is to lift these main obstacles and to boost the data economy through facilitating cross-border exchange of data by enabling companies to store non-personal information anywhere in the EU. However, this will not impede the competent authorities from accessing data on the basis that the data are processed in another Member State.
What is non-personal data?
Non-personal data in the framework of the Regulation on non-personal data is electronic information that cannot be traced back to an identified or identifiable natural person (or has been anonymized as such). Specific examples of non-personal data include aggregate and anonymised datasets used for big data analytics, data on precision farming that can help to monitor and optimise the use of pesticides and water or data on maintenance needs for industrial machines.
How does the Regulation interact with the GDPR?
In the case of a data set composed of both personal and non-personal data, the Regulation applies to the non-personal data part of the data set. Where personal and non-personal data in a data set are inextricably linked, the GDPR will have to be applied to the entire data set.
Any compliance issues?
Where the Regulation does not pose any immediate compliance risk for your company, it demonstrates the importance of delineating personal from non-personal data (even when the personal data might seem insignificant). A thorough analysis of the data flows remains necessary, especially for companies using data analytics in their business models (Internet of Things, artificial intelligence and machine learning, etc.).
If you are interested to learn more about the obligations under either the Regulation / GDPR or would have any questions, do not hesitate to contact the Brussels office of Dentons Europe LLP. Our professionals are available to provide any tailor-made advice at short notice.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.