Although the EU GDPR regulates international transfers of personal data, several recently enacted EU laws regulate international transfers of non-personal data, i.e. data that is not “personal data” under the GDPR. In other words, these new laws apply to data that does not relate to an identified or identifiable natural person, such as anonymized data or data on industrial equipment, and they significantly expand the types of data subject to international transfer restrictions. Some of this legislation has recently been adopted, while other legislation on this topic is still going through the legislative process and has not yet been adopted. This blog post provides an overview of current and emerging EU law on international transfers of non-personal data.
Data localization
Regulation (EU) 2018/1807 on the free flow of non-personal data prohibits Member States from adopting data localization requirements (for example, requiring that data be processed within the territory of a particular Member State, or preventing data from being processed in another Member State) unless the requirement is justified on grounds of public security in compliance with the principle of proportionality and has been notified to the European Commission. The Regulation has applied directly in all EU Member States since 28 May 2019. The prohibition on data localization applies to non-personal data processed by:
- Organizations established within or outside the EU that provide electronic data processing services (for example, cloud computing services) within the EU (for example, via servers located in the EU) to users in the EU.
- Organizations established within the EU that process electronic data within the EU for their own needs.
Note that the prohibition on data localization in this Regulation applies to the laws of individual EU Member States. It does not prevent the EU itself from imposing data localization requirements.
Transfer of non-personal data outside the EU
The Data Governance Act (applicable from 24 September 2023), the Data Act (applicable from 12 September 2025) and the upcoming European Health Data Space (EHDS) Regulation (still in draft) contain restrictions on transfers of non-personal data outside the EU.
Restrictions on the transfer of non-personal data appear to have two main purposes. First, they aim to protect EU intellectual property, confidential information and trade secrets. For example, Recital 20 of the Data Governance Act states: “[I]n order to preserve fair competition and an open market economy it is of the utmost importance to protect protected data of a non-personal nature, in particular trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to intellectual property theft or industrial espionage.”
Although at first glance this appears to be the primary purpose, the restrictions clearly also have a secondary purpose: to prevent non-personal data from becoming personal data through re-identification. In this regard, Recital 24 of the Data Governance Act provides: “[B]uilding trust in re-use mechanisms may require stricter conditions for certain types of non-personal data that have been identified as highly sensitive in future specific [EU] legislative acts, as regards the transfer to third countries (…). Those conditions should address the identified risks related to the sensitivity of such data, including in terms of the risk of re-identification of individuals.” This is supported by the provisions of the proposed EHDS, as explained below.
Below is a summary of the legal restrictions on international transfers of non-personal data under each of the three instruments.
| | Data Governance Act | Data Act | Draft European Health Data Space* |
|---|---|---|---|
| Which non-personal data is covered? | Data held by EU public sector bodies that is protected on grounds of (i) commercial confidentiality, including business, professional and company secrets; (ii) statistical confidentiality; or (iii) protection of the intellectual property rights of third parties. | Non-personal data held in the EU by providers of data processing services. | Electronic health data, defined as data concerning health and genetic data in electronic form. |
| Who is subject to the restrictions? | Natural or legal persons granted the right to re-use non-personal data held by public sector bodies; public sector bodies; data intermediation service providers; and recognized “data altruism” organizations. | Providers of data processing services (for example, cloud computing providers) in the EU. | Digital health authorities, health data access bodies, authorized participants in cross-border infrastructures, and health data users. |
| Which transfer restrictions apply? | | | |
| Where a transfer of non-personal data would conflict with EU or Member State law: the law requires all reasonable technical, legal and organizational measures to be taken to prevent international transfer of, or third-country governmental access to, non-personal data held within the EU where such transfer or access would create a conflict with EU or Member State law. Such a conflict could arise, for example, in relation to the protection of fundamental rights and freedoms of individuals, national security or defence, the protection of commercially sensitive data, or the protection of intellectual property rights. | X | X | X |
| Where non-personal data is requested by a court, tribunal or administrative authority outside the EU: such a decision is recognized or enforceable only if it is based on an international agreement (such as a mutual legal assistance treaty). Absent such an agreement, if complying with the decision would risk putting the addressee in conflict with EU or Member State law, the transfer may take place only if the third country’s legal system meets the following conditions: (i) the decision is reasoned and explains why it is proportionate; (ii) the request is specific in nature (for example, by establishing a sufficient link to certain suspected persons or infringements); (iii) the addressee’s reasoned objection is subject to review by a competent court or tribunal in the third country; and (iv) that court or tribunal has the power to take into account the legal interests of the data provider that are protected by EU or Member State law. When complying with such a decision, the entity concerned must (i) provide only the minimum amount of data permissible to the requesting third-country body; and (ii) inform the data holder of the existence of the third-country request before complying with it, except where the request serves law enforcement purposes and for as long as is necessary to preserve the effectiveness of the law enforcement activity. | X | X (Unlike the Data Governance Act and the EHDS, the Data Act allows the addressee of the request to ask the opinion of the competent national body in order to determine whether these conditions are met, in particular where it considers that the decision may relate to trade secrets or other commercially sensitive data, or that the transfer may lead to the re-identification of an individual.) | X (Recent Council versions have removed this obligation.) |
| Where the transfer concerns non-personal sensitive data or data protected by intellectual property rights: the data recipient must contractually undertake to respect intellectual property rights and confidentiality obligations and accept the jurisdiction of the courts or tribunals of the transferring entity’s Member State for any dispute relating to compliance with those obligations; or the third country must be recognized by the European Commission as having legal, supervisory and enforcement arrangements that protect intellectual property and trade secrets in a manner substantially equivalent to the protection afforded by EU law, that are effectively applied and enforced, and that provide effective legal remedies. | X (This restriction applies only to transfers of data from public sector bodies to re-users.) | Not applicable | Not applicable |
| Where the EU adopts “specific” legislation classifying certain non-personal data held by public sector bodies as “highly sensitive”: such data may be transferred internationally only in accordance with “special conditions” set out in delegated acts adopted by the European Commission. | X (The Data Governance Act does not itself classify any data as “highly sensitive”, but provides that other EU legislation may do so.) | Not applicable | X (The draft EHDS proposes to classify certain anonymized (and therefore non-personal) health data within the scope of the regulation that is made available by health data access bodies as “highly sensitive”, but only where, following a transfer outside the EU, there is a risk that the data could be re-identified by means going beyond those reasonably likely to be used.) |
*The information on the draft EHDS in this table reflects the working document of 16 January 2024. The EU institutions are still negotiating the final text, and the final provisions on international transfers of non-personal data may differ from those shown in the table.
***
The Covington team regularly advises on legal issues related to international transfers of data, and will continue to monitor and report on developments related to international transfers of non-personal data under EU law, including the Data Act, the Data Governance Act and the European Health Data Space. Read more about the European Health Data Space on the Inside Privacy blog. We would be happy to answer any questions you may have on this topic.
(This blog post was drafted with contributions from Diane Valat.)