January 10, 2017
The EU Single Market, where people, goods, services and capital flow freely, has fuelled economic growth and made European businesses operate more effectively. It has attracted investment and allowed European companies to scale-up. Given the everincreasing digitisation of European business, a fully functioning Digital Single Market has the potential to further improve the overall efficiency of Europe’s economy, stimulate competition and trade, raise quality and reduce prices for producers as well as consumers.
How should concerns over data privacy and the free flow of data be addressed? The General Data Protection Regulation addressed primarily personal data. The European Commission now adopted a Communication “Building a European Data Economy” that addresses non-personal data flows. Initial industry reactions have noted their disappointment with the Communication. This snapshot looks into the potential of the EU’s data economy and provides an overview of the Communication.
Europe’s economy is undergoing a transformation from a traditional model to a datadriven economy where data analysis facilitates the optimisation of business processes and decisions, innovation as well as predicting future events. Today, an increasing number of companies across all sectors and of all sizes are producers of digital data and are affected by decisions made at EU level. For example, the new generation of connected and self-driving cars send around 25 gigabytes of data to the cloud every hour. The free movement of data has become an essential part of this transformation and a resource for economic growth, innovation, productivity, competitiveness and jobs as well as exchange of knowledge between universities.
According to the European Commission, the value of the EU data economy amounted to €272 billion in 2015 (almost 2% of EU GDP) and is growing annually by almost 6%. Its value could further increase to €643 billion by 2020, representing 3.17% of overall EU GDP. A real Single Market on data storage and processing has yet to be realised: two-thirds of all demand for “ICT-related” services are sourced locally within each Member State, while only 18% is sourced from the rest of the EU.
However, as the global policy environment inclines towards “data nationalism” and digital “border checks”, data localisation and other restrictions have become a non-tariff barrier to trade. The most common restrictions are company records, accounting and tax data, banking, telecommunications, gambling, healthcare as well as public procurement data. An ever-increasing number of such restrictions imposed by EU Member States on processing and the transfer of data to another State threaten to fragment Europe’s Single Market and its digital transformation towards global competitiveness.
Companies prefer to build centres for data storage and processing primarily in countries with a stable power grid as well as rich renewable energy sources and a cold-climate to reduce costs and carbon emissions while cooling the servers down. The cost difference of operating data centres can be substantial within the EU, with the most expensive country being twice as expensive as the cheapest one. Unjustified intraEU data location requirements force companies to invest in multiple data centres, which results in negative economic and environmental footprints.
This leads to a major misallocation of resources and impairs the freedom to establish and to provide services (especially in the case of smaller firms and start-ups with limited resources), which obviously runs counter to the objectives of EU’s Digital Single Market initiatives aiming to bring down cross-border market barriers and help SMEs and start-ups scale up in Europe.
Removing existing data localisation rules would save the EU economy €52 billion per year (0.37% of GDP) and even create an estimated €8 billion of additional economic activity annually (0.06% of GDP). These figures number will increase with further digitalisation of the European economy.
All in all, it is vital to ensure that data can move freely across borders, both within and outside the EU, by removing all unjustified barriers to the free flow of data. Europe can benefit significantly from new data-driven technologies if the right future-proof regulatory framework is established and so the EU institutions have an important enabling role to play.
How are non-personal data flows regulated in the EU?
The Digital Single Market strategy includes various initiatives such as a European Cloud as well as preventing unjustified geoblocking and cross-border content portability. The European Commission recognised the importance of the data economy in its Communication towards a thriving data-driven economy, supporting and accelerating the transition towards a Big Data model in Europe.
The European Parliament repeatedly called for a curb on forced data localisation and in 2016, ministers from 14 Member States (and later even 16, thus representing the majority within EU28) urged for the removal of unjustified barriers to data flows. Moreover, the Court of Justice of the European Union has reiterated in several rulings that Member States can apply data localisation restrictions only on a non-discriminatory basis and under the condition of national security concerns. States must prove that it is necessary to have recourse to this derogation.
In addition, the Court of Justice of the European Union (CJEU) has reiterated in several rulings related to the four freedoms of movement that Member State can apply data localisation restrictions only on non-discriminatory basis and under the strict condition of national security concerns. The Member States should also prove that it is necessary to have recourse to this derogation.
All in all, a coherent EU-wide regulatory framework for intra-EU data flows is missing and so the Commission has had a strong mandate to present an ambitious proposal. To that end, the European Commission published a Communication entitled “Building a European Data Economy” that aims to remove barriers to data flows and to increase the availability and use of data as well as to foster new data analytics models
The Commission starts from the premise that while the General Data Protection Regulation (GDPR) allows for the free movement of personal data within the EU, there are currently no common rules among Members States for sharing, accessing and transferring “non-personal data”. Particular emphasis on the definition of non-personal data indicates that anonymization and de-identification techniques will gain even more importance. The Communication states that GDPR takes precedence over any new rules that would impact personal data protection. Overall, five key objectives are set out:
The Commission underlines that the number of national measures for data localisation impeding the EU Single Market is growing and needs to be addressed. It calls for the principle of the free movement of data within the EU, and refers to existing services rules and enforcement instruments, implying that no further binding rules are needed. The Commission has launched a public consultation until 26 April 2017 to define next steps.
The Commission highlights current difficulties in this area, such as limited access to data, “de-facto ownership” and lock-in effects as well as a weak legal framework. It thus launches a public consultation (combined with FFoD) and a dialogue on incentivizing businesses to share data and to better use Application Programming Interfaces. The Communication also refers to the revision of the Database Copyright Directive and how data control rights should address contract rules by default. The Commission also touches upon data producers’ and users’ rights to exploit their data as well as access to data in public interest and access against remuneration.
EU rules on liability seem to be difficult to apply to emerging technologies. The Communication thus looks into reforming liability rules, likely to accommodate future algorithms, Artificial Intelligence, the Internet of Things and autonomous machines. Since this area has never been regulated at EU level, a public consultation concerning liability for defective products will run until 26 April 2017 and its results should clarify whether there is a need to revise the Product Liability Directive.
Given a lack of guidelines, the Commission intends to explore ways to develop recommended contract terms to facilitate switching of service providers; develop further data portability rights; and organize sector-specific experiments on standards in order to test the proposed recommendations, following a wide stakeholder consultation to be announced at a future date.
Finally, the Commission plans to organize dedicated 5G-based trials for testing data access and liability in a real-life environment through research projects (e.g. Horizon 2020). Trials in the area of cooperative, connected and automated mobility – of which a strategy is being prepared together with the High Level Group GEAR 2030 – are under consideration.
Overall, businesses expressed their disappointment as this long-awaited (and repeatedly postponed) Communication is purely a non-binding declaration that loosely defines the target principles that the Commission wants to achieve. The Communication therefore does not bring more legal certainty to the fast moving environment of industries dealing with data in Europe. While a stakeholder dialogue has been launched, starting with the two public consultations that will feed into the Commission’s future initiative on the European Data Economy later in 2017, the industry will continue to urge the Commission to promptly present binding instruments to eliminate barriers to the free flow of data.
In contrast, emerging issues surrounding access and transfer of data (including data ownership), liability as well as portability, interoperability and standards are predominantly prescriptive and consumer-focused in the Communication and might thus lead to costly implementation in case of future binding legislation. Future consultation should however provide more evidence as to whether any legislative intervention is needed.
For now, the Commission has postponed any decision until after the wide stakeholder and public consultations, and is buying more time, due in part to political pressure from Germany and France; but also due to existing political clashes among EU Member States regarding national security as well as the failure to implement relevant parts of the 2006 Services Directive.
Despite the call of industry and majority of Member States, the issue of data flows will not be regulated in a binding way any time soon, or at least not before the upcoming elections in key Member States this year. The value of the current Communication will therefore primarily rely on the consequent results of the ongoing public consultations as well as on whether Member States will take into consideration recommendations in the mid- and long-term.
Europe cannot miss the boat and will need to provide business with the right tools to drive competitiveness in the coming decades. A favourable enabling legislative environment will be critical to drive the widespread uptake of a cross-border digital and, in particular, a data-focused economy. Ultimately, if EU legislation manages to address the underlying uncertainties, companies, governments and consumers stand to benefit.
 IDC: European Data Market Study, SMART 2013/0063 (2016)
 WTO-OECD: Trade in Value Added (TiVA) Database (2015)
 Strict data localisation (local storage, processing and access) and conditional flow regimes
 ECIPE: Unleashing Internal Data Flows in the EU – An Economic Assessment of Data Localisation Measures in the EU Member States (November 2016)
 European Commission: A Digital Single Market Strategy for Europe (May 2015)
 Court of Justice of the European Union: European Commission versus Italy (C-239/06; 2009); ZZ v UK Secretary of State of the Home Department (C-300/11; 2013)
 Some rules will also be affected by the e-Privacy regulation proposed in January 2017