Is data really that important to a business?
A quick survey of the top companies by market capitalisation readily reveals that data is key.
Free flow of data
Global | Publication | February 2021
Prohibition on localization of data
Data location laws (in relation to industrial and non-personal data) can be restrictive (as in banking secrecy laws, which may require some types of data to remain onshore or to be “localized”) or liberalizing (as in laws that ban the prohibition of export of data from a locality). The laws governing this area vary widely according to jurisdiction.
EU
Within the EU the Regulation on Free Flow of Non-personal Data (2018/1807) was implemented in a bid to break down digital barriers within the EU,1 prohibiting data localization within a single EU member state unless localization is justified on grounds of public security.
The Regulation may:
- Operate to the advantage of digital service providers, such as cloud computing, which can no longer be prohibited by a member state from storing and processing industrial and non-personal data anywhere in the EU.
- Enable different user groups and stakeholders originating in different member states to join a single digital platform more easily.
- Give businesses more choice over the digital service provider they can use.
United Kingdom
The United Kingdom is in the process of negotiating various free trade agreements to replace the arrangements it benefitted from by virtue of EU membership. Some of these deal with the free flow of data. For example, over the course of negotiating a free trade agreement with Japan, the United Kingdom and Japan agreed not to require businesses to set up local servers, with the objective of encouraging the free flow of data.
United States
Although the US does not have any data localization requirements, healthcare data under the federal healthcare program, known as Medicare/SCHIP, is subject to an attestation requirement if it is being subcontracted to an offshore provider.
In addition, there may of course be private contractual arrangements in place that include data localization requirements or prohibitions on exporting data to certain countries to which a business may be subject.
China
The PRC Cybersecurity Law sets out data localization requirements requiring that any personal data and “critical data” collected during business operations of critical information infrastructure operators (CIIO) within China must be stored in China and must not be transferred abroad, unless: (1) such cross-border data transfer is made to the business-necessary extent; (2) the CIIO has completed a security assessment and used a third party agent to do so; and (3) the CIIO has reported the result of such assessment to the competent industrial regulator.
Such requirements only apply to CIIOs. CIIOs are entities engaged in telecommunications, media, energy, finance, transportation, postal services, water conservancy, emergency management and healthcare business, as well as operators of important information systems in social security, national defense, science, technology and other fields.
“Critical data” to which the requirements are subject normally refers to industrial data which, if leaked, would cause damage to China’s national security, economic development and public interest.
Australia
In Australia there is no general legislation prohibiting or requiring data localization.
Portability of data
The portability of data has historically concerned the ability of consumers to obtain copies of their own personal data from an existing service provider and use it to move that data (and therefore service provision) to another service provider. The focus of such measures was to avoid vendor lock-in.
EU
In the EU the concept of data portability is derived from the GDPR and its antecedents. Article 20 of the GDPR entitles individuals to obtain copies of personal data they have provided to a service provider (data controller) and to move that data to another service provider (a new data controller) – for example, personal data on a social media – and thereby avoid vendor lock-in.
The EU has since extended the idea to non-personal data. To prevent lock-in of customers by digital services providers, the EU Commission implemented the Regulation on free flow of non-personal data (2018/1807), calling for the development of self-regulatory codes of conduct to promote the portability of non-personal data in the hope that it would attract industry buy-in. Mandatory rules have not been provided for.
Portability of data would allow, for example, a business to switch cloud service provider without losing the data which it had supplied to the incumbent cloud service provider in order to receive their service.2
EU codes of conduct
Various switching codes of conduct are being developed under the Regulation. The SWIPO (Switching and Porting) Codes of Conduct Working Group has presented switching codes of conduct to the European Council and the EU Commission. The codes are intended to be evaluated by the European Commission before November 2022.
The codes of conduct are stated to be based on the principles of transparency and interoperability, taking due account of open standards. They are intended to reflect the following matters:
- Best practices for facilitating the porting of data in a structured, commonly used and machine-readable format, including open standard formats.
- Minimum information requirements to ensure that professional users are provided with sufficiently detailed, clear and transparent information regarding the processes, technical requirements, timeframes and charges that apply in case a professional user who wishes to switch to another service provider or to port data back to its own IT systems.
- Approaches to certification schemes that facilitate the comparison of data processing products and services for professional users.
- Communication roadmaps taking a multi-disciplinary approach to raise awareness of the codes of conduct among relevant stakeholders.
In addition, the EU’s Self-Regulatory Working Group has issued recommendations for a European cloud certification scheme. The scheme:
- Addresses security requirements, conformity assessment methodologies and assurance levels, substantially in line with the EU’s Cybersecurity Act.
- Is designed to demonstrate equivalence of security requirements and to facilitate the cross-border storing and processing of data, and to provide comparison of cloud service providers with respect to security, in each case in order to assist decision-making when switching providers.
Where a consumer wishes to switch, there are also consumer protection laws that apply to prevent lock-in in Europe.3
As at the date of publication, Singapore has released a draft Amendment Bill to amend Singapore’s Personal Data Protection Act 2012. One of the proposed changes is the introduction of the data portability right for individuals, giving them the ability to request the transmission of their data to another service provider, enabling consumers to switch service providers more easily.
There is no similar data portability for businesses.
Footnotes
1
Article 4.
2
The EU’s Article 29 Working Party has issued guidelines on this specific point and applies a broad definition in relation to personal data. Not only data "actively and knowingly" provided by the data subject are to be covered by the scope of the right to data portability, but also data provided "by virtue of the use of a service or a device." Examples for the latter would be "raw data generated by a smart meter" or heartbeats recorded by a fitness tracker. On the other hand, data created by the data controller on the basis of data provided by the data subject (the Article 29 Working Party refers to them as "inferred data" or "derived data") would fall outside the scope of the right to data portability in respect of personal data.
3
Commission Staff Working Document on the Free Flow of Data and Emerging Issues of the European Data Economy SWD(2017) 2 final.
The myriad ways in which data may be used
The value that can be gained from data by businesses will inevitably lead to an increase in the use of data to improve daily operations and to develop new products, services and processes.
Nature of data, ownership, and control
In many jurisdictions pure information, or data, is not considered to be property. This is because a claim to property in intangible information presents obvious definitional difficulties.
Ways of protecting data
There is a patchwork of different rights, intellectual property rights and contract rights that may apply to data. Understanding the way in which these rights come into play enables a business to understand how its data assets can be protected.
Disruptive technology data: case studies
Disruptive technologies, such as AI, IoT, AVs, distributed ledger technology (DLT), cryptocurrencies and smart contracts, generate many different forms of data. What are the particular characteristics of such data, and to what extent can intellectual property rights or other rights protect them?
The regulatory environment for data
In this section, we review the EU’s position with regards to industrial and non-personal data and look at whether other jurisdictions have similar initiatives.
Free flow of data
Data location laws (in relation to industrial and non-personal data) can be restrictive (as in banking secrecy laws, which may require some types of data to remain onshore or to be “localised”) or liberalising (as in laws that ban the prohibition of export of data from a locality).
Data for re-use
In furtherance of the objective of leveraging existing datasets paid for by public funds, a number of jurisdictions have sought to make public sector information (PSI) available to industry.
Antitrust / competition law data issues
The exclusive possession or control of data can have antitrust / competition law considerations, giving rise to access disputes.
Contractual considerations in sharing data
The uncertain nature of intellectual property rights in data means that “contract is king” in data transactions.
Managing Data
Data is an incredibly valuable resource for businesses, enabling organisations to effectively operate and to make business improvements. In order to exploit this value most effectively, businesses must invest in good data management.
Liability
Errors, incompleteness or biases within data may flow through, and be amplified by, data analytics process outputs upon which a business's strategic and investment decisions may depend, potentially causing business losses. In this section we deal with liability arising out of use of data / datasets that are in some respect sub-optimal.