Free flow of data

Prohibition on localization of data

Data location laws (in relation to industrial and non-personal data) can be restrictive (as in banking secrecy laws, which may require some types of data to remain onshore or to be “localized”) or liberalizing (as in laws that ban the prohibition of export of data from a locality). The laws governing this area vary widely according to jurisdiction.

EU

Within the EU the Regulation on Free Flow of Non-personal Data (2018/1807) was implemented in a bid to break down digital barriers within the EU,¹ prohibiting data localization within a single EU member state unless localization is justified on grounds of public security.

The Regulation may:

• Operate to the advantage of digital service providers, such as cloud computing, which can no longer be prohibited by a member state from storing and processing industrial and non-personal data anywhere in the EU.
• Enable different user groups and stakeholders originating in different member states to join a single digital platform more easily.
• Give businesses more choice over the digital service provider they can use.

United Kingdom

The United Kingdom is in the process of negotiating various free trade agreements to replace the arrangements it benefitted from by virtue of EU membership. Some of these deal with the free flow of data. For example, over the course of negotiating a free trade agreement with Japan, the United Kingdom and Japan agreed not to require businesses to set up local servers, with the objective of encouraging the free flow of data.

United States

Although the US does not have any data localization requirements, healthcare data under the federal healthcare program, known as Medicare/SCHIP, is subject to an attestation requirement if it is being subcontracted to an offshore provider.

In addition, there may of course be private contractual arrangements in place that include data localization requirements or prohibitions on exporting data to certain countries to which a business may be subject.

China

The PRC Cybersecurity Law sets out data localization requirements requiring that any personal data and “critical data” collected during business operations of critical information infrastructure operators (CIIO) within China must be stored in China and must not be transferred abroad, unless: (1) such cross-border data transfer is made to the business-necessary extent; (2) the CIIO has completed a security assessment and used a third party agent to do so; and (3) the CIIO has reported the result of such assessment to the competent industrial regulator.

Such requirements only apply to CIIOs. CIIOs are entities engaged in telecommunications, media, energy, finance, transportation, postal services, water conservancy, emergency management and healthcare business, as well as operators of important information systems in social security, national defense, science, technology and other fields.

“Critical data” to which the requirements are subject normally refers to industrial data which, if leaked, would cause damage to China’s national security, economic development and public interest.

Australia

In Australia there is no general legislation prohibiting or requiring data localization.

Portability of data

The portability of data has historically concerned the ability of consumers to obtain copies of their own personal data from an existing service provider and use it to move that data (and therefore service provision) to another service provider. The focus of such measures was to avoid vendor lock-in.

EU

In the EU the concept of data portability is derived from the GDPR and its antecedents. Article 20 of the GDPR entitles individuals to obtain copies of personal data they have provided to a service provider (data controller) and to move that data to another service provider (a new data controller) – for example, personal data on a social media – and thereby avoid vendor lock-in.

The EU has since extended the idea to non-personal data. To prevent lock-in of customers by digital services providers, the EU Commission implemented the Regulation on free flow of non-personal data (2018/1807), calling for the development of self-regulatory codes of conduct to promote the portability of non-personal data in the hope that it would attract industry buy-in. Mandatory rules have not been provided for.

Portability of data would allow, for example, a business to switch cloud service provider without losing the data which it had supplied to the incumbent cloud service provider in order to receive their service.²

In addition, the EU’s Self-Regulatory Working Group has issued recommendations for a European cloud certification scheme. The scheme:

• Addresses security requirements, conformity assessment methodologies and assurance levels, substantially in line with the EU’s Cybersecurity Act.
• Is designed to demonstrate equivalence of security requirements and to facilitate the cross-border storing and processing of data, and to provide comparison of cloud service providers with respect to security, in each case in order to assist decision-making when switching providers.

Where a consumer wishes to switch, there are also consumer protection laws that apply to prevent lock-in in Europe.³

Singapore

As at the date of publication, Singapore has released a draft Amendment Bill to amend Singapore’s Personal Data Protection Act 2012. One of the proposed changes is the introduction of the data portability right for individuals, giving them the ability to request the transmission of their data to another service provider, enabling consumers to switch service providers more easily.

There is no similar data portability for businesses.