Free flow of data

Global Publication February 2021

Prohibition on localization of data

Data location laws (in relation to industrial and non-personal data) can be restrictive (as in banking secrecy laws, which may require some types of data to remain onshore or to be “localized”) or liberalizing (as in laws that ban the prohibition of export of data from a locality). The laws governing this area vary widely according to jurisdiction.


Within the EU the Regulation on Free Flow of Non-personal Data (2018/1807) was implemented in a bid to break down digital barriers within the EU,1 prohibiting data localization within a single EU member state unless localization is justified on grounds of public security.

The Regulation may:

  • Operate to the advantage of digital service providers, such as cloud computing, which can no longer be prohibited by a member state from storing and processing industrial and non-personal data anywhere in the EU.
  • Enable different user groups and stakeholders originating in different member states to join a single digital platform more easily.
  • Give businesses more choice over the digital service provider they can use.

United Kingdom

The United Kingdom is in the process of negotiating various free trade agreements to replace the arrangements it benefitted from by virtue of EU membership. Some of these deal with the free flow of data. For example, over the course of negotiating a free trade agreement with Japan, the United Kingdom and Japan agreed not to require businesses to set up local servers, with the objective of encouraging the free flow of data.

United States

Although the US does not have any data localization requirements, healthcare data under the federal healthcare program, known as Medicare/SCHIP, is subject to an attestation requirement if it is being subcontracted to an offshore provider.

In addition, there may of course be private contractual arrangements in place that include data localization requirements or prohibitions on exporting data to certain countries to which a business may be subject.


The PRC Cybersecurity Law sets out data localization requirements requiring that any personal data and “critical data” collected during business operations of critical information infrastructure operators (CIIO) within China must be stored in China and must not be transferred abroad, unless: (1) such cross-border data transfer is made to the business-necessary extent; (2) the CIIO has completed a security assessment and used a third party agent to do so; and (3) the CIIO has reported the result of such assessment to the competent industrial regulator.

Such requirements only apply to CIIOs. CIIOs are entities engaged in telecommunications, media, energy, finance, transportation, postal services, water conservancy, emergency management and healthcare business, as well as operators of important information systems in social security, national defense, science, technology and other fields.

“Critical data” to which the requirements are subject normally refers to industrial data which, if leaked, would cause damage to China’s national security, economic development and public interest.


In Australia there is no general legislation prohibiting or requiring data localization.


Portability of data

The portability of data has historically concerned the ability of consumers to obtain copies of their own personal data from an existing service provider and use it to move that data (and therefore service provision) to another service provider. The focus of such measures was to avoid vendor lock-in.


In the EU the concept of data portability is derived from the GDPR and its antecedents. Article 20 of the GDPR entitles individuals to obtain copies of personal data they have provided to a service provider (data controller) and to move that data to another service provider (a new data controller) – for example, personal data on a social media – and thereby avoid vendor lock-in.

The EU has since extended the idea to non-personal data. To prevent lock-in of customers by digital services providers, the EU Commission implemented the Regulation on free flow of non-personal data (2018/1807), calling for the development of self-regulatory codes of conduct to promote the portability of non-personal data in the hope that it would attract industry buy-in. Mandatory rules have not been provided for.

Portability of data would allow, for example, a business to switch cloud service provider without losing the data which it had supplied to the incumbent cloud service provider in order to receive their service.2


EU codes of conduct

Various switching codes of conduct are being developed under the Regulation. The SWIPO (Switching and Porting) Codes of Conduct Working Group has presented switching codes of conduct to the European Council and the EU Commission. The codes are intended to be evaluated by the European Commission before November 2022.

The codes of conduct are stated to be based on the principles of transparency and interoperability, taking due account of open standards. They are intended to reflect the following matters:

  • Best practices for facilitating the porting of data in a structured, commonly used and machine-readable format, including open standard formats.
  • Minimum information requirements to ensure that professional users are provided with sufficiently detailed, clear and transparent information regarding the processes, technical requirements, timeframes and charges that apply in case a professional user who wishes to switch to another service provider or to port data back to its own IT systems.
  • Approaches to certification schemes that facilitate the comparison of data processing products and services for professional users.
  • Communication roadmaps taking a multi-disciplinary approach to raise awareness of the codes of conduct among relevant stakeholders.


In addition, the EU’s Self-Regulatory Working Group has issued recommendations for a European cloud certification scheme. The scheme:

  • Addresses security requirements, conformity assessment methodologies and assurance levels, substantially in line with the EU’s Cybersecurity Act.
  • Is designed to demonstrate equivalence of security requirements and to facilitate the cross-border storing and processing of data, and to provide comparison of cloud service providers with respect to security, in each case in order to assist decision-making when switching providers.

Where a consumer wishes to switch, there are also consumer protection laws that apply to prevent lock-in in Europe.3


As at the date of publication, Singapore has released a draft Amendment Bill to amend Singapore’s Personal Data Protection Act 2012. One of the proposed changes is the introduction of the data portability right for individuals, giving them the ability to request the transmission of their data to another service provider, enabling consumers to switch service providers more easily.

There is no similar data portability for businesses.


1   Article 4.

2   The EU’s Article 29 Working Party has issued guidelines on this specific point and applies a broad definition in relation to personal data. Not only data "actively and knowingly" provided by the data subject are to be covered by the scope of the right to data portability, but also data provided "by virtue of the use of a service or a device." Examples for the latter would be "raw data generated by a smart meter" or heartbeats recorded by a fitness tracker. On the other hand, data created by the data controller on the basis of data provided by the data subject (the Article 29 Working Party refers to them as "inferred data" or "derived data") would fall outside the scope of the right to data portability in respect of personal data.

3   Commission Staff Working Document on the Free Flow of Data and Emerging Issues of the European Data Economy SWD(2017) 2 final.