The provisions are contained in a wide-ranging draft new EU Data Act that is otherwise focused on liberating non-personal data held by product manufacturers and service providers and on enabling that data to be used by consumers, rival companies and public bodies, under certain conditions.
The transfer of personal data outside of the EU, including in the context of foreign authorities’ request to access such data, is already subject to strict conditions under EU data protection law. These latest Commission plans would apply similar restrictions to the transfer of, and foreign access to, EU-held non-personal data for the first time.
As well as seeking to govern cloud providers’ response to foreign requests for EU-held data, the European Commission has proposed to require cloud providers to “take all reasonable technical, legal and organisational measures, including contractual arrangements” to prevent the transfer of non-personal data outside of the EU where the transfer “would create a conflict with Union law or the national law of the relevant member state”.
Information law expert Rosie Nance of Pinsent Masons said there are parallels to be drawn between the proposals and the existing requirements cloud providers face under the General Data Protection Regulation (GDPR) in respect of the international transfer of personal data.
“The proposals to restrict non-personal data transfers are similar to the GDPR obligation, clarified in the Schrems II ruling, for cloud providers subject to the GDPR to ensure personal data transferred outside the EU receives protection essentially equivalent to the protection it would receive under EU law. These obligations under the personal data protection regime, however, extend to both cloud providers and their customers to the extent they are subject to the GDPR; in contrast, the proposed obligations in relation to non-personal data would apply only to cloud providers.”
Article 27 of the draft Act also seeks to govern how cloud providers respond when foreign authorities or courts order them to facilitate access to EU-held non-personal data.
According to the proposal, decisions of that nature would not be recognisable or enforceable in the EU unless based on an international agreement, such as a mutual legal assistance treaty, that the EU as a whole or an individual EU member state has in place with the third country requesting access to the data.
The Commission has, however, also anticipated cases arising where no such international agreement exists and compliance with the foreign decision by the cloud provider would risk it breaching EU law or national law of member states.
In those cases, it has proposed three strict conditions under which cloud providers would be able to comply with foreign decisions relating to access to EU-held non-personal data.
Cloud providers would first have to ensure that “the third-country system requires the reasons and proportionality of the decision or judgement to be set out, and it requires such decision or judgement, as the case may be, to be specific in character, for instance by establishing a sufficient link to certain suspected persons, or infringements”.
The cloud provider would also have to check that the third country provides it with the right to raise reasoned objections to the access request by a foreign authority before a court or tribunal in that country, and the foreign court or tribunal is “empowered under the law of that country to take duly into account the relevant legal interests” it has under EU or member state law.
According to the draft Act, cloud providers would be able to ask EU authorities for their views on whether the conditions for complying with a foreign data access request are met. It said this might extend to enquiring whether the EU authority “considers that the decision may relate to commercially sensitive data, or may impinge on national security or defence interests of the Union or its member states”.
Even if a lawful basis for transferring or enabling foreign access to the data under the draft Act is met, the proposal is to limit the cloud providers to providing “the minimum amount of data permissible in response to a request, based on a reasonable interpretation thereof”.
Cloud providers would also be bound to notify the data holder about the request before complying with it, other than in exceptional cases “where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity”, according to the draft.
The EU Data Act was trailed in the European Commission’s ‘shaping Europe’s digital future’ strategy. It is one piece of a wider puzzle of EU law governing data, which includes existing legislation such as the GDPR, which applies to personal data, and the proposed new EU Data Governance Act, which is designed to encourage the creation of new infrastructure for sharing data, and in turn help build a digital single market for data across EU member states.