While the EU GDPR controls the global transfer of individual information, numerous just recently enacted EU laws control the global transfer of non-personal information, which is any information that is not “individual information” under the GDPR. Simply put, these brand-new laws use to information that does not connect to a recognized or recognizable natural individual, consisting of anonymized information and information about commercial devices, considerably broadening the kinds of information topic to global transfer constraints. A few of this legislation has actually been enacted just recently, and other legislation on this subject is making its method through the legal procedure however has yet to be embraced. In this post, we describe the present and upcoming EU legislation on the global transfer of non-personal information.
Guideline 2018/1807 on the circulation of non-personal information restricts Member States from embracing information localization requirements â e.g., needing the processing of information in the area of a specific Member State or avoiding the processing of information in another Member State â unless they are warranted on premises of “public security in compliance with the concept of proportionality” and they are alerted to the Commission. This policy is straight suitable in all EU Member States considering that Might 28, 2019. The information localization restriction uses to non-personal information processed by:
- entities developed inside or (extraterritorially) outside the EU who supply electronic information processing services ( e.g., cloud computing services) which are performed in the EU ( e.g., by means of servers found in the EU) to users in the EU;
- entities developed in the EU who process electronic information in the EU for their own requirements.
Keep in mind that the information localization restriction in this Guideline uses to specific EU Member States’ laws; it does not prevent the EU from carrying out information localization requirements.
Transfers of Non-Personal Data Beyond the EU
The Information Governance Act (which uses since September 24, 2023), the Data Act (which will use since September 12, 2025), and the upcoming European Health Data Area (which is still in draft type) include constraints on the transfer of non-personal information outside the EU.
The constraints on transfers of non-personal information appear to serve 2 primary functions. Initially, they are meant to secure EU copyright, secret information and trade tricks. For instance, Recital 20 of the Information Governance Act supplies that “[i] n order to maintain reasonable competitors and the free market economy it is of the utmost significance to secure secured information of non-personal nature, in specific trade tricks, however likewise non-personal information representing content safeguarded by copyright rights from illegal gain access to that might result in copyright theft or commercial espionage.”
While, at very first sight, this might seem the main goal, it is clear that the constraints serve a secondary goal, which is to avoid non-personal information from ending up being individual information through re-identification. In this regard, Recital 24 of the Information Governance Act supplies that “[i] n order to construct rely on re-use systems, it might be required to connect more stringent conditions for particular kinds of non-personal information that might be determined as extremely delicate in future particular [EU] legal acts, with regard to the transfer to 3rd nations (…). The conditions ought to represent the dangers determined in relation to the level of sensitivity of such information, consisting of in regards to the danger of the re-identification of people.” This is substantiated by the arrangements in the proposed EHDS, as talked about listed below.
Listed Below, we have actually summed up the constraints on global transfers in the laws in which they appear.
|Information Governance Act
|Draft European Health Data Area *
|What Non-Personal Data is Covered?
|Information held by public sector bodies in the EU that is safeguarded on premises of: (i) business privacy, consisting of service, expert and business tricks; (ii) analytical privacy; and (iii) the defense of copyright rights of 3rd parties.
|Information held by suppliers of information processing services in the EU.
|Electronic health information, specified as “information worrying health and hereditary information in electronic format”.
|Who Is Covered?
|Public sector bodies, natural or legal individuals who have actually been given the right to re-use non-personal information held by public sector bodies, intermediary company, and acknowledged “information selflessness” companies.
|Service providers of information processing services ( e.g, cloud computing suppliers) provided in the EU.
|Digital health authorities, health information gain access to bodies, licensed individuals in cross-border facilities, and health information users.
|Which of the Following Transfer Limitations Use?
|If transfers of non-personal information would produce a dispute with EU or Member State law, then the law needs the application of sensible technical, legal and organizational steps to avoid the global transfer of or governmental access to non-personal information kept in the EU. For instance, transfers might produce a dispute with EU or Member State law concerning the defense of the basic rights and flexibilities of people, nationwide security or defense, the defense of commercially delicate information, or the defense of copyright rights.
|If non-personal information is asked for by non-EU courts, tribunals, and administrative authorities, then such a choice is just enforceable under the list below conditions: the information demand is based upon a worldwide arrangement (such as a shared legal support treaty); orif adhering to the choice would run the risk of putting the addressees in dispute with EU or Member State law, the transfer can happen offered the non-EU nation’s system fulfills particular conditions. These conditions are that: (i) the choice must be reasoned and suggest why it is proportional; (ii) the ask for information disclosure ought to specify in nature ( e.g, developing an enough link to particular thought individuals or violations); (iii) the addressee’s reasoned objections ought to undergo evaluate by a non-EU court or tribunal; and (iv) the non-EU court or tribunal that has jurisdiction to evaluate the information disclosure demand ought to have the ability to consider the legal interests of the “information service provider” that are safeguarded under EU and Member State law. When adhering to the non-EU order, the pertinent entities ought to: (i) just supply the “minimum quantity of information allowable” to the asking for non-EU entities; and (ii) notify the information holder about the presence of a demand of a third-country authority to access its information before adhering to its demand, other than in cases where the demand serves police functions and just for as long as this is required to maintain the efficiency of the police activity.
|X (Unlike the Information Governance Act and the EHDS, the addressee of the demand might look for the viewpoint of the pertinent regulator regarding whether these conditions are fulfilled, in specific where the addressee thinks about that the choice might connect to service tricks and other commercially delicate information, in addition to to content safeguarded by copyright rights, or where the transfer might result in re-identification of people.)
|X (Current Council variations eliminate this responsibility.)
|If the transfer issues non-personal personal information or information safeguarded by copyright rights, then: the information recipient ought to contractually devote to regard copyright rights and any privacy responsibilities, in addition to accept the jurisdiction of the courts or tribunals of the Member State of the sending entity with regard to any conflict associated to compliance with the information disclosure; orthe non-EU nation need to have been acknowledged by the European Commission as having legal, supervisory and enforcement plans that guarantee the defense of copyright and trade tricks in a way considerably comparable to the defense paid for by EU law. These plans need to be successfully used and imposed and need to attend to efficient legal treatments.
|X (This transfer limitation just uses to information transfers from public sector bodies to re-users.)
|If the EU embraces a “particular” law that categorizes particular non-personal information held by public sector bodies as “extremely delicate,” then this information can just be moved worldwide based on the “unique conditions” put down in European Commission’s delegated acts.
|X (The Information Governance Act does not categorize any information as “extremely delicate”; however it supplies that other EU laws might do so.)
|X (The draft EHDS proposes to categorize as “extremely delicate” particular anonymized (and therefore non-personal) health information falling within the scope of the Guideline provided by health information gain access to bodies, however just in those scenarios where the transfer outside the EU would produce a danger that the non-personal information might be re-identified by methods “beyond those fairly most likely to be utilized” and therefore ended up being individual information.)
* The info on the draft EHDS in this table takes into consideration the January 16, 2024 working file. The EU organizations are working out a last draft. The last draft’s arrangements on global transfers of non-personal information might vary from what is displayed in the table.
The Covington group frequently encourages on legal problems associated with the global transfer of information, and will continue to keep an eye on and report on advancements associated with the global transfer of non-personal information under EU laws, consisting of the Data Act, the Data Governance Act, and the European Health Data Area, on our Within Personal privacy blog site. We more than happy to address any concerns you might have on this subject.
( This post was prepared with the contribution of Diane Valat.)