GDPR, Part II? EU Organisations to Face New Rules on Non-Personal Data

21 May 2019

The near supersonic growth and expansion of digital technologies – particularly artificial intelligence, machine learning, the Internet-of-Things (IoT) and 5G-enabled services – has resulted in considerable quantities of non-personal data being amassed throughout the EU. In order to retain a strong competitive edge in the expanding international digital ecosystem, the European Commission has introduced a new Regulation governing the free-flow of non-personal data within the EU. It is hoped that this framework, by blocking data localisation techniques implemented by EU Member States, will help secure competition and ensure the growth of technological innovation within the EU, marking another major step in the Commission’s European Digital Single Market strategy.

What is non-personal data?

The Regulation itself avoids a definition for non-personal data. It instead piggybacks on the GDPR by defining non-personal data as any data not falling within the definition of personal data under the GDPR. Given this definition’s considerable breadth, the Regulation gives examples of non-personal data as including:

  • Anonymised or aggregate datasets for big data analytics; or
  • Industry-specific data.

Industry-specific data, for example, can be data on precision farming used to monitor and optimise agricultural practices. It could also describe machine-generated data which is non-personal in nature. This would include data on equipment maintenance needs for industrial machinery.

By blocking EU Member State localisation restrictions on the storage and processing of non-personal data, the Regulation will have a major impact on a number of industries that operate in the AI and machine learning sector, including businesses in construction, financial services, healthcare, agriculture and technology industries.

Main changes

The Regulation prohibits Member States from running mandatory data localisation requirements in relation to non-personal data throughout the EU. For example, a legislative measure requiring that health data generated in Ireland or relating to Irish citizens be processed and stored in Ireland would be prohibited under the Regulation.

The new Regulation is set to have a wide-ranging impact on a number of EU organisations. Data localisation restrictions are often viewed in parallel with data security issues. For instance, customers of an IT service provider might indicate a preference towards locally stored data and show mistrust in its cross-border storage. However, the Commission’s view was that the legal uncertainty in this area would only stifle both the modernisation of EU data services and the competitive strength of European businesses.

In creating an enhanced mobility framework for non-personal data, the Regulation will:

  1. Safeguard the free movement of non-personal data throughout the EU
  2. Secure data availability for regulatory purposes
  3. Encourage self-regulation for the porting of data

How will the Regulation impact my organisation?

The Regulation comes hot on the heels of the GDPR and introduces a new layer of regulatory compliance of which organisations must be aware.  

For both organisations and customers, the Regulation is set to better facilitate the competitive operation of the EU Digital Single Market and ensure the availability of secure, reliable and affordable cloud services for users. It will improve cross-border commercial activities for organisations that process non-personal data and increase business stability, particularly for start-ups and SMEs, who already face existing challenges in establishing themselves within the digital market.

Interestingly, unlike the GDPR, which is enforcement-centric, the Regulation affords Member States manoeuvrability in terms of imposing penalties on organisations for failure to comply with access requests from competent authorities.

Challenges ahead

There are a number of interpretative and practical challenges ahead of the Regulation’s implementation. For example, the Regulation does not make it clear how it is set to interact with the GDPR, and many organisations may find that certain datasets in their control often contain a complex mix of personal and non-personal data. For those organisations, compliance with both the new Regulation and the GDPR may be a challenge. It is expected that the Commission will shortly publish guidance for organisations which will address this issue as well as other areas of concern.


The new Regulation, in bringing down existing barriers to the mobility of non-personal data, has re-iterated the Commission’s strong drive towards Digital Single Market reform which will continue over the coming years. While the legislation is welcomed as it looks to ensure legal certainty, greater market integration and a level playing-field around the processing of non-personal data, its implementation over the coming months will not be without its practical challenges.

To find out more about how the Regulation will impact EU organisations that use AI and machine learning technologies, contact a member of our Technology team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.  

Discuss your artificial intelligence queries now with John Farrell.

