Is data really that important to a business?
A quick survey of the top companies by market capitalisation readily reveals that data is key.
Global | Publication | February 2021
Data location laws (in relation to industrial and non-personal data) can be restrictive (as in banking secrecy laws, which may require some types of data to remain onshore or to be “localized”) or liberalizing (as in laws that ban the prohibition of export of data from a locality). The laws governing this area vary widely according to jurisdiction.
EU
Within the EU the Regulation on Free Flow of Non-personal Data (2018/1807) was implemented in a bid to break down digital barriers within the EU,1 prohibiting data localization within a single EU member state unless localization is justified on grounds of public security.
The Regulation may:
United Kingdom
The United Kingdom is in the process of negotiating various free trade agreements to replace the arrangements it benefitted from by virtue of EU membership. Some of these deal with the free flow of data. For example, over the course of negotiating a free trade agreement with Japan, the United Kingdom and Japan agreed not to require businesses to set up local servers, with the objective of encouraging the free flow of data.
United States
Although the US does not have any data localization requirements, healthcare data under the federal healthcare program, known as Medicare/SCHIP, is subject to an attestation requirement if it is being subcontracted to an offshore provider.
In addition, there may of course be private contractual arrangements in place that include data localization requirements or prohibitions on exporting data to certain countries to which a business may be subject.
China
The PRC Cybersecurity Law sets out data localization requirements under which any personal data and “critical data” collected during the business operations of critical information infrastructure operators (CIIOs) within China must be stored in China and must not be transferred abroad, unless: (1) the cross-border data transfer is made only to the extent necessary for business; (2) the CIIO has completed a security assessment and used a third party agent to do so; and (3) the CIIO has reported the result of that assessment to the competent industrial regulator.
Such requirements only apply to CIIOs. CIIOs are entities engaged in telecommunications, media, energy, finance, transportation, postal services, water conservancy, emergency management and healthcare business, as well as operators of important information systems in social security, national defense, science, technology and other fields.
“Critical data” subject to these requirements normally refers to industrial data which, if leaked, would cause damage to China’s national security, economic development and public interest.
Australia
In Australia there is no general legislation prohibiting or requiring data localization.
The portability of data has historically concerned the ability of consumers to obtain copies of their own personal data from an existing service provider and use it to move that data (and therefore service provision) to another service provider. The focus of such measures was to avoid vendor lock-in.
EU
In the EU the concept of data portability is derived from the GDPR and its antecedents. Article 20 of the GDPR entitles individuals to obtain copies of personal data they have provided to a service provider (data controller) and to move that data to another service provider (a new data controller) – for example, personal data held on a social media platform – and thereby avoid vendor lock-in.
The EU has since extended the idea to non-personal data. To prevent lock-in of customers by digital services providers, the EU Commission implemented the Regulation on free flow of non-personal data (2018/1807), calling for the development of self-regulatory codes of conduct to promote the portability of non-personal data in the hope that it would attract industry buy-in. Mandatory rules have not been provided for.
Portability of data would allow, for example, a business to switch cloud service provider without losing the data which it had supplied to the incumbent cloud service provider in order to receive their service.2
Various switching codes of conduct are being developed under the Regulation. The SWIPO (Switching and Porting) Codes of Conduct Working Group has presented switching codes of conduct to the European Council and the EU Commission. The codes are intended to be evaluated by the European Commission before November 2022.
The codes of conduct are stated to be based on the principles of transparency and interoperability, taking due account of open standards. They are intended to reflect the following matters:
In addition, the EU’s Self-Regulatory Working Group has issued recommendations for a European cloud certification scheme. The scheme:
Where a consumer wishes to switch, there are also consumer protection laws that apply to prevent lock-in in Europe.3
As at the date of publication, Singapore has released a draft Amendment Bill to amend Singapore’s Personal Data Protection Act 2012. One of the proposed changes is the introduction of the data portability right for individuals, giving them the ability to request the transmission of their data to another service provider, enabling consumers to switch service providers more easily.
There is no similar data portability for businesses.
The value that can be gained from data by businesses will inevitably lead to an increase in the use of data to improve daily operations and to develop new products, services and processes.
In many jurisdictions pure information, or data, is not considered to be property. This is because a claim to property in intangible information presents obvious definitional difficulties.
There is a patchwork of different rights, intellectual property rights and contract rights that may apply to data. Understanding the way in which these rights come into play enables a business to understand how its data assets can be protected.
Disruptive technologies, such as AI, IoT, AVs, distributed ledger technology (DLT), cryptocurrencies and smart contracts, generate many different forms of data. What are the particular characteristics of such data, and to what extent can intellectual property rights or other rights protect them?
In this section, we review the EU’s position with regard to industrial and non-personal data and look at whether other jurisdictions have similar initiatives.
In furtherance of the objective of leveraging existing datasets paid for by public funds, a number of jurisdictions have sought to make public sector information (PSI) available to industry.
The exclusive possession or control of data can have antitrust / competition law considerations, giving rise to access disputes.
The uncertain nature of intellectual property rights in data means that “contract is king” in data transactions.
Data is an incredibly valuable resource for businesses, enabling organisations to effectively operate and to make business improvements. In order to exploit this value most effectively, businesses must invest in good data management.
Errors, incompleteness or biases within data may flow through, and be amplified by, data analytics process outputs upon which a business's strategic and investment decisions may depend, potentially causing business losses. In this section we deal with liability arising out of use of data / datasets that are in some respect sub-optimal.