The Data Act, or the final piece of a comprehensive legal framework for international transfers of data
With the Data Act proposal, the European Commission introduces new rules to govern international transfers of, and access to, non-personal data protected by IP rights and trade secrets held by cloud services providers, upon request by non-EU/EEA governments (Article 27). Following the Data Governance Act (Articles 5 and 30)*, this constitutes the final piece of a comprehensive legal framework for international transfers of data, building on the GDPR rules (Chapter V). Against this background, this post presents the future EU regulatory landscape for international transfers of data. It sets out the rationale behind the new rules and points out potential legal interoperability issues.
The legal framework governing international transfers of data
The legal framework regulating the data economy is increasingly based on the premise that there exists a clear distinction between personal and non-personal data, the latter category covering data subject to intellectual property rights (‘IPRs’) or trade secrets protection as well as non-protected data (machine generated data).
When it comes to international transfers of data, the focus so far has mainly been on personal data, in order to preserve individuals’ right to personal data protection under the EU Charter (Article 8), primarily through the GDPR (Chapter V). Chapter V GDPR lays down strict rules whether international transfers are carried out for general purposes (e.g. commercial or research purposes) or in response to requests by non-EU/EEA governments for law enforcement and other legitimate purposes (Article 48 GDPR). In the latter case, the GDPR aims to prevent disproportionate access to or transfer of personal data, in a context where criminal investigations increasingly rely on digital evidence and certain non-EU/EEA governments have enacted laws compelling companies under their jurisdiction to grant them access to data regardless of where it is stored.
In contrast, there are currently no statutory provisions regulating international transfers of non-personal data. As a result, the rights and interests of holders of data covered by IPRs and trade secrets may be jeopardized by disproportionate transfer or access requests addressed by non-EU/EEA governments to cloud services providers processing that data in the EU. The absence of regulation of such transfers is problematic because, just like individuals’ right to personal data protection, the rights of holders of data covered by IPRs or trade secrets must be preserved in accordance with the fundamental right to property under the EU Charter (Article 17).
To complement the existing EU legal framework applicable to the data economy, the European Commission adopted the Data Governance Act proposal (November 2020) followed by the Data Act proposal (February 2022), two major legislative initiatives under the 2020 European strategy for data with a particular focus on non-personal data. These proposals introduce GDPR-like rules to govern international transfers of non-personal data protected by IP rights or trade secrets, in the context of (i) transfers or access requests by non-EU/EEA governments as well as (ii) transfers initiated by re-users of data covered by third parties’ rights that are held in public databases.
New GDPR-like rules to govern international transfers of non-personal data
First, the Data Governance Act proposal introduces GDPR-like rules to govern international transfers of non-personal data covered by third parties’ rights that are held in public databases. These rules are part of a mechanism under which a re-user (a natural or legal person) may be granted by the public sector the right to re-use non-personal data that are held in public databases and protected by third parties’ IPRs or trade secrets (and that fall outside the scope of the Open Data Directive). However, to respect the rights and interests of the data rights holders, the re-user may only transfer the data to non-EU/EEA countries under strict conditions, including a GDPR-like adequacy system. Under the proposed rules (Article 5), the re-user may transfer data to a non-EU/EEA country on the condition that the relevant country offers an essentially equivalent level of IPRs and trade secrets protection. Failing that, the transfer may only take place under an accountability system, in which the re-user contractually commits to protect the rights and interests of the data rights holder, even after the data has been transferred (for more details on this mechanism, see here).
Second, when it comes to international transfers, upon request by non-EU/EEA governments, of non-personal data held in the EU and covered by IP rights and trade secrets, both the Data Governance Act and the Data Act proposals introduce GDPR-like rules. The Data Act requires cloud services providers to prevent the transfer of, or deny access to, non-personal data held in the EU where such transfer or access would create a conflict with EU law. In practice, similarly to the mechanism under the GDPR (Article 48), transfers will have to be blocked and access denied unless the request is based on an international agreement such as a mutual legal assistance treaty. The GDPR leaves room for alternative legal bases in the absence of an international agreement, since Article 48 contains a “without prejudice” clause (“without prejudice to other grounds for transfer” pursuant to Chapter V), but it is still not clear what those other grounds for data transfers or disclosures to foreign governments are in practice (see, for instance, Christakis). The Data Act, by contrast, provides for an explicit alternative. In the absence of a relevant treaty, the transfer or access may only take place if the third country offers sufficient rule of law guarantees, namely that:
(a) the third-country system requires the reasons and proportionality of the decision to be set out, and it requires the court order or the decision, as the case may be, to be specific in character, for instance by establishing a sufficient link to certain suspected persons, or infringements;
(b) the reasoned objection of the addressee is subject to a review by a competent court; and
(c) the competent court issuing the order or reviewing the decision of an administrative authority is empowered under the law to take duly into account the relevant legal interests of the provider of the data protected by Union law or national law of the relevant Member State.
The same mechanism is introduced under the Data Governance Act for data sharing intermediaries and for re-users of data held in public databases. The two proposals differ, however, on how the rule of law guarantees are to be assessed. While the Data Act, as adopted by the Commission, provides for the possibility of seeking the opinion of relevant competent bodies or authorities on the third country’s rule of law, the political negotiations on the Data Governance Act resulted in a self-assessment approach, with the reference to any institution’s opinion on the matter deleted. It is very likely that the same self-assessment approach will also be agreed during the political negotiations on the Data Act. This would mean that cloud service providers would be left with the responsibility of deciding, in the absence of a relevant international agreement, whether foreign governments requesting access to or transfer of their clients’ data provide sufficient rule of law guarantees (see the figure below for a comparison between the two regimes in the current state of affairs).
With the introduction of these new rules governing international transfers of non-personal data, the EU will complement the GDPR by creating a comprehensive legal framework for international transfers of data while ensuring a high level of IP protection. Although IP and trade secrets laws are subject to a minimum standard of protection at international level under the World Trade Organization TRIPS Agreement, the implementation of that protection varies considerably from one country to another, in particular with regard to enforcement and effective legal remedies. With that in mind, the proposed rules conditioning international transfers of protected non-personal data seek to ensure that:
- protected non-personal data will not be transferred to a country that does not provide IPRs and trade secrets protection equivalent to the EU standard, in particular in the case of international transfers of non-personal data covered by third parties’ rights that are held in public databases; and
- foreign governments with insufficient rule of law guarantees will not obtain access to valuable non-personal data held in the EU in the context of criminal or foreign intelligence investigations, so as to protect European businesses from IP theft and industrial espionage.
As mentioned in a previous blogpost, these new rules may affect the legal systems of certain third countries. In particular, they might push third countries to align their IP and trade secrets protection regimes with the EU standard in order to access the (potential) future market of data processing services relating to protected non-personal data held in EU public databases. They might also incentivize third countries to offer better rule of law guarantees in order to speed up cross-border data access or transfers in the context of criminal proceedings (although this is less likely).
Legal interoperability – can the different rules on international transfers of data be efficiently implemented?
By adopting a GDPR-like regime to increase the level of protection of intellectual property – another fundamental right that, together with the right to data protection, is increasingly affected by data sharing – the EU would increase the overall level of protection of data.
However, it remains to be seen how the different rules will be implemented in practice, in a context where personal and non-personal data are increasingly hard to distinguish (see for instance Graef, Gellert and Husovec). In addition, personal and non-personal data can be mixed in datasets where IP/trade secrets protection and data protection overlap, since IP and trade secrets protection apply irrespective of whether the data are personal or non-personal. Thus, not only can it be hard to establish whether the data to be transferred qualify as personal or non-personal data (and hence which rules apply), but personal data may themselves be subject to IP rights or trade secrets protection. In such a case, if only the GDPR rules applied, a general transfer (e.g. for commercial or research purposes) would be conditioned solely on the level of data protection provided in the third country, and no guarantees in terms of IP/trade secrets protection would be required.
Finally, as regards transfers upon request by non-EU/EEA governments, compliance with the new rules may be difficult to achieve for entities such as cloud services providers holding data in the EU. While Article 27 of the Data Act certainly builds on Article 48 GDPR, the two provisions contain different rules, and the GDPR provision itself raises serious interpretation issues. The introduction of Article 27 Data Act may thus add to the existing confusion among cloud service providers as to how they are expected to handle such foreign government requests. An alternative approach would be to apply a single regime to international transfers of protected data, irrespective of whether the data at stake qualify as personal or non-personal.
* The Data Governance Act was adopted on 30 May 2022 and published in the EU Official Journal on 3 June 2022. It applies from 24 September 2023. The numbering of the provision governing international data transfers has changed from Article 30 in the proposal to Article 31 in the adopted text.