While the EU GDPR regulates the international transfer of personal data, several recently enacted EU laws regulate the international transfer of non-personal data, which is any data that is not “personal data” under the GDPR. In other words, these new laws apply to data that does not relate to an identified or identifiable natural person, including anonymized data and data about industrial equipment, significantly expanding the types of data subject to international transfer restrictions. Some of this legislation has been enacted recently, and other legislation on this topic is making its way through the legislative process but has yet to be adopted. In this blog post, we outline the current and forthcoming EU legislation on the international transfer of non-personal data.
Regulation 2018/1807 on the flow of non-personal data prohibits Member States from adopting data localization requirements (e.g., requiring the processing of data in the territory of a particular Member State or preventing the processing of data in another Member State) unless they are justified on grounds of “public security in compliance with the principle of proportionality” and are notified to the Commission. This regulation has been directly applicable in all EU Member States since May 28, 2019. The data localization prohibition applies to non-personal data processed by:
- entities established inside or (extraterritorially) outside the EU who provide electronic data processing services (e.g., cloud computing services) which are carried out in the EU (e.g., via servers located in the EU) to users in the EU;
- entities established in the EU who process electronic data in the EU for their own needs.
Note that the data localization prohibition in this Regulation applies to individual EU Member States’ laws; it does not preclude the EU from implementing data localization requirements.
Transfers of Non-Personal Data Outside of the EU
The Data Governance Act (which applies as of September 24, 2023), the Data Act (which will apply as of September 12, 2025), and the forthcoming European Health Data Space (which is still in draft form) contain restrictions on the transfer of non-personal data outside the EU.
The restrictions on transfers of non-personal data appear to serve two main purposes. First, they are intended to protect EU intellectual property, confidential information and trade secrets. For example, Recital 20 of the Data Governance Act provides that “[i]n order to preserve fair competition and the open market economy it is of the utmost importance to safeguard protected data of non-personal nature, in particular trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to intellectual property theft or industrial espionage.”
While, at first sight, this may appear to be the primary objective, it is clear that the restrictions serve a secondary objective, which is to prevent non-personal data from becoming personal data through re-identification. In this respect, Recital 24 of the Data Governance Act provides that “[i]n order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non-personal data that may be identified as highly sensitive in future specific [EU] legislative acts, with regard to the transfer to third countries (…). The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re-identification of individuals.” This is borne out by the provisions in the proposed EHDS, as discussed below.
Below, we have summarized the restrictions on international transfers in the laws in which they appear.

| | Data Governance Act | Data Act | Draft European Health Data Space* |
|---|---|---|---|
| What non-personal data is covered? | Data held by public sector bodies in the EU that is protected on grounds of: (i) commercial confidentiality, including business, professional and company secrets; (ii) statistical confidentiality; and (iii) the protection of intellectual property rights of third parties. | Data held by providers of data processing services in the EU. | Electronic health data, defined as “data concerning health and genetic data in electronic format”. |
| Who is covered? | Public sector bodies, natural or legal persons who have been granted the right to re-use non-personal data held by public sector bodies, intermediary service providers, and recognized “data altruism” organizations. | Providers of data processing services (e.g., cloud computing providers) offered in the EU. | Digital health authorities, health data access bodies, authorized participants in cross-border infrastructures, and health data users. |

Which of the following transfer restrictions apply?

1. If transfers of non-personal data would create a conflict with EU or Member State law, then the law requires the implementation of reasonable technical, legal and organizational measures to prevent the international transfer of, or governmental access to, non-personal data held in the EU. For example, transfers could create a conflict with EU or Member State law regarding the protection of the fundamental rights and freedoms of individuals, national security or defense, the protection of commercially sensitive data, or the protection of intellectual property rights.

2. If non-personal data is requested by non-EU courts, tribunals, and administrative authorities, then such a decision is only enforceable under the following conditions:
   - the data request is based on an international agreement (such as a mutual legal assistance treaty); or
   - if complying with the decision would risk putting the addressees in conflict with EU or Member State law, the transfer can take place provided the non-EU country’s system meets certain conditions. These conditions are that: (i) the decision should be reasoned and indicate why it is proportionate; (ii) the request for data disclosure should be specific in nature (e.g., establishing a sufficient link to specific suspected persons or infringements); (iii) the addressee’s reasoned objections should be subject to review by a non-EU court or tribunal; and (iv) the non-EU court or tribunal that has jurisdiction to review the data disclosure request should be able to take into account the legal interests of the “data provider” that are protected under EU and Member State law.
   When complying with the non-EU order, the relevant entities should: (i) only provide the “minimum amount of data permissible” to the requesting non-EU entities; and (ii) inform the data holder about the existence of a request of a third-country authority to access its data before complying with the request, except in cases where the request serves law enforcement purposes and only for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
   Data Act: unlike under the Data Governance Act and the EHDS, the addressee of the request may seek the opinion of the relevant regulator as to whether these conditions are met, in particular where the addressee considers that the decision may relate to business secrets and other commercially sensitive data, as well as to content protected by intellectual property rights, or where the transfer may lead to re-identification of individuals.
   Draft EHDS: recent Council versions remove this obligation.

3. If the transfer concerns non-personal confidential data or data protected by intellectual property rights, then:
   - the data recipient should contractually commit to respect intellectual property rights and any confidentiality obligations, as well as accept the jurisdiction of the courts or tribunals of the Member State of the transmitting entity with regard to any dispute related to compliance with the data disclosure; or
   - the non-EU country must have been recognized by the European Commission as having legal, supervisory and enforcement arrangements that ensure the protection of intellectual property and trade secrets in a manner substantially equivalent to the protection afforded by EU law. These arrangements must be effectively applied and enforced and must provide for effective legal remedies.
   Data Governance Act: this transfer restriction only applies to data transfers from public sector bodies to re-users.

4. If the EU adopts a “specific” law that classifies certain non-personal data held by public sector bodies as “highly sensitive,” then this data can only be transferred internationally subject to the “special conditions” laid down in the European Commission’s delegated acts.
   Data Governance Act: the Data Governance Act does not itself classify any data as “highly sensitive,” but it provides that other EU laws may do so.
   Draft EHDS: the draft EHDS proposes to classify as “highly sensitive” certain anonymized (and thus non-personal) health data falling within the scope of the Regulation and made available by health data access bodies, but only in those circumstances where the transfer outside the EU would create a risk that the non-personal data could be re-identified by means “beyond those reasonably likely to be used” and thus become personal data.

* The information on the draft EHDS in this summary takes into account the January 16, 2024 working document. The EU institutions are negotiating a final draft. The final draft’s provisions on international transfers of non-personal data may differ from what is shown here.
The Covington team regularly advises on legal issues related to the international transfer of data, and will continue to monitor and report on developments related to the international transfer of non-personal data under EU laws, including the Data Act, the Data Governance Act, and the European Health Data Space, on our Inside Privacy blog. We are happy to answer any questions you may have on this topic.
(This blog post was drafted with the contribution of Diane Valat.)