|
The proposed rules would prevent any EU member state from imposing territorial restrictions or prohibitions on the storage or any other processing of non-personal data anywhere within the EU.
Data localisation restrictions that hamper data mobility, either directly or indirectly, take different forms in various sectors. They include, for example, supervisory authorities advising financial service providers to store their data locally, professional secrecy rules that entail local data storage or processing (e.g. on anonymised health research data), or broad regulations that require local storage of information generated by the public sector, including public procurement.
Public security exception
This draft EU law would prohibit national rules requiring that data be stored or processed in a specific member state. MEPs kept exceptions to a minimum by clarifying that any restrictions on the location of data would only be allowed “on an exceptional basis”, where justified on “imperative grounds of public security”.
Any remaining or future data localisation requirements would have to be communicated to the EU Commission and published online, in order to ensure transparency.
Access to and porting of data
The draft law ensures that competent authorities will have access to data stored or processed in another member state for regulatory control purposes, such as for inspection and audit, in order to be able to perform their tasks.
It also encourages the creation of codes of conduct to make it easier for professional users to switch cloud-service providers and transfer data back to their own IT systems. These codes of conduct should make clear that “vendor lock-in” (obstacles to the movement of data across IT systems) “is not an acceptable business practice”, say MEPs. [...]