Activities of Daniel DALTON related to 2017/0228(COD)
Plenary speeches (1)
Free flow of non-personal data in the European Union (debate)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union PDF (871 KB) DOC (128 KB)
Amendments (45)
Amendment 44 #
Proposal for a regulation
Recital 2
Recital 2
(2) Data value chains are built on different data activities: data creation and collection; data aggregation and organisation; data storage and processing; data analysis, marketing and distribution; use and re-use of data. The effective and efficient functioning of data storage and other processing is a fundamental building block in any data value chain. However, such effective and efficient functioning and the development of the data economy in the Union are hampered, in particular, by two types of obstacles to data mobility and to the internal market.
Amendment 47 #
Proposal for a regulation
Recital 3
Recital 3
(3) The freedom of establishment and the freedom to provide services under the Treaty on the Functioning of the European Union apply to data storage or other processing services, including porting of data. However, the provision of those services is hampered or sometimes prevented by certain national requirements to locate data in a specific territory.
Amendment 50 #
Proposal for a regulation
Recital 3 a (new)
Recital 3 a (new)
(3a) Free flow of data within the European Union will play a leading role in realising data-driven growth and innovation. Like businesses and consumers, public administrations will also benefit from an increased freedom of choice regarding data-driven service providers. In order to stimulate the free flow of data, and given the large amount of data they handle, public administrations should lead by example by refraining from making data localisation restrictions and using data services all over Europe.
Amendment 52 #
Proposal for a regulation
Recital 4
Recital 4
(4) Such obstacles to the free movement of data storage or other processing services and to the right of establishment of data storage or other processing providers originate from requirements in the national laws of Member States to locate data in a specific geographical area or territory for the purpose of storage or other processing. Other rules or administrative practices have an equivalent effect by imposing specific requirements which make it more difficult to store or otherwise process data outside a specific geographical area or territory within the Union, such as requirements to use technological facilities that are certified or approved within a specific Member State. Legal uncertainty as to the extent of legitimate and illegitimate data localisation requirements further limits the choices available to market players and to the public sector regarding the location of data storage or other processing.
Amendment 56 #
Proposal for a regulation
Recital 5
Recital 5
(5) At the same time, data mobility in the Union is also inhibited by private restrictions: legal, contractual and technical issues hindering or preventing users of data storage or other processing services from porting their data from one service provider to another or back to their own IT systems, not least upon termination of their contract with a service provider.
Amendment 60 #
Proposal for a regulation
Recital 7
Recital 7
(7) In order to create a framework for the free movement of non-personal data in the Union and the foundation for developing the data economy and enhancing the competitiveness of European industry, it is necessary to lay down a clear, comprehensive and predictable legal framework for storage or other processing of data other than personal data in the internal market. A principle-based approach providing for cooperation among Member States as well as self-regulation should ensure that the framework is flexible so that it can take into account the evolving needs of users, providers and national authorities in the Union. In order to avoid the risk of overlaps with existing mechanisms and hence to avoid higher burdens both for Member States and businesses, detailed technical rules should not be established.
Amendment 62 #
Proposal for a regulation
Recital 8
Recital 8
(8) This Regulation should apply to legal or natural persons who provide data storage or other processing services to users residing or having an establishment in the Union, including those who provide services in the Union without an establishment in the Union.
Amendment 73 #
Proposal for a regulation
Recital 10
Recital 10
(10) Under Article 16 of the Services Directive the prohibition of the free flow of services including data processing prevent data being localised for reasons other than public security. Under Regulation (EU) 2016/679, Member States may neither restrict nor prohibit the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data. This Regulation establishes the same principle of free movement within the Union for non-personal data except when a restriction or a prohibition would be justified for security reasons. Regulation (EU) 2016/679 and this Regulation provide a coherent set of rules that cater for the free movement of different types of data. In the case of mixed data sets, this Regulation should apply to the non- personal data part of the set. Where non- personal and personal data in a mixed data set are inextricably linked, this Regulation should, without prejudice to Regulation (EU) 2016/679, apply to the whole set, in regard to localisation practices. Furthermore, this Regulation imposes neither an obligation to store the different types of data separately nor an obligation to unbundle mixed data sets.
Amendment 84 #
Proposal for a regulation
Recital 11
Recital 11
(11) This Regulation should apply to data storage or other processing in the broadest sense, encompassing the usage of all types of IT systems, whether located on the premises of the user or outsourced to a data storage or other processing service provider. It should cover data processing of different levels of intensity, from data storage (Infrastructure- as-a-Service (IaaS)) to the processing of data on platforms (Platform-as-a-Service (PaaS)) or in applications (Software-as-a- Service (SaaS)). These different services should be within the scope of this Regulation, unless data storage or other processing is merely ancillary to a service of a different type, such as providing an online marketplace intermediating between service providers and consumers or business users.
Amendment 92 #
Proposal for a regulation
Recital 12
Recital 12
(12) Data localisation requirements represent a clear barrier to the free provision of data storage or other processing services across the Union and to the internal market. As such, they should be banned unless they are justified based on the grounds of public security, as defined by Union law, in particular Article 52 of the Treaty on the Functioning of the European Union, and satisfy the principle of proportionality enshrined in Article 5 of the Treaty on European Union. In order to give effect to the principle of free flow of non-personal data across borders, to ensure the swift removal of existing data localisation requirements and to enable for operational reasons storage or other processing of data in multiple locations across the EU, and since this Regulation provides for measures to ensure data availability for regulatory control purposes, Member States should not be able to invoke justifications other than public security.
Amendment 97 #
Proposal for a regulation
Recital 13
Recital 13
(13) In order to ensure the effective application of the principle of free flow of non-personal data across borders, and to prevent the emergence of new barriers to the smooth functioning of the internal market, Member States should immediately notify to the Commission any draft act that contains a new data localisation requirement or modifies an existing data localisation requirement. Those notifications should be submitted and assessed in accordance with the procedure laid down in Directive (EU) 2015/153533. _________________ 33 Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).
Amendment 100 #
Proposal for a regulation
Recital 14
Recital 14
(14) Moreover, in order to eliminate potential existing barriers, during a transitional period of 12 months, Member States should carry out a review of existing national laws, regulations or administrative provisions of a general nature laying down data localisation requirements and notify to the Commission, together with a justification, any data localisation requirement that they consider being in compliance with this Regulation. These notifications should enable the Commission to assess the compliance of any remaining data localisation requirements.
Amendment 103 #
Proposal for a regulation
Recital 15
Recital 15
(15) In order to ensure the transparency of data localisation requirements in the Member States for natural and legal persons, such as providers and users of data storage or other processing services, Member States should publishdetails of such requirements on a single online information point and regularly update the information on such measuresor should provide such details to a Union-level information point established under another Union act. Member States should regularly update this information. In order to appropriately inform legal and natural persons of data localisation requirements across the Union, Member States should notify to the Commission the addresses of such online points. The Commission should publish this information on its own website, along with a consolidated list of data localisation requirements in force in Member States.
Amendment 107 #
Proposal for a regulation
Recital 16
Recital 16
(16) Data localisation requirements are frequently underpinned by a lack of trust in cross-border data storage or other processing, deriving from the presumed unavailability of data for the purposes of the competent authorities of the Member States, such as for inspection and audit for regulatory or supervisory control. Therefore, this Regulation should clearly establish that it does not affect the powers of competent authorities to request and receive access to data in accordance with Union or national law, and that access to data by competent authorities may not be refused on the basis that the data is stored or otherwise processed in another Member State. Furthermore, this regulation should not affect the powers of competent authorities to adopt regulation that ensures authorities online access to data held abroad.
Amendment 108 #
Proposal for a regulation
Recital 17
Recital 17
(17) Natural or legal persons who are subject to obligations to provide data to competent authorities can comply with such obligations by providing and guaranteeing effective and timely electronic access to the data to competent authorities, regardless of the Member State in the territory of which the data is stored or otherwise processed. Such access may be ensured through concrete terms and conditions in contracts between the natural or legal person subject to the obligation to provide access and the data storage or other processing service provider.
Amendment 109 #
Proposal for a regulation
Recital 18
Recital 18
(18) Where a natural or legal person subject to obligations to provide data fails to comply with them and provided that a competent authority has exhausted all applicable means to obtain access to data, the competent authority should be able to seek assistance from competent authorities in other Member States. In such cases, competent authorities should use specific cooperation instruments in Union law or international agreements, depending on the subject matter in a given case, such as, in the area of police cooperation, criminal or civil justice or in administrative matters respectively, Framework Decision 2006/96034, Directive 2014/41/EU of the European Parliament and of the Council35, the Convention on Cybercrime of the Council of Europe36, Council Regulation (EC) No 1206/200137, Council Directive 2006/112/EC38 and Council Regulation (EU) No 904/201039. In the absence of such specific cooperation mechanisms, competent authorities should cooperate with each other with a view to provide access to the data sought, through designated single points of contact, unless it would be contrary to the public order of the requested Member State. _________________ 34 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union (OJ L 386, 29.12.2006, p. 89). 35 Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters (OJ L 130, 1.5.2014, p. 1). 36 Convention on Cybercrime of the Council of Europe, CETS No 185. 37 Council Regulation (EC) No 1206/2001 of 28 May 2001 on cooperation between the courts of the Member States in the taking of evidence in civil or commercial matters (OJ L 174, 27.6.2001, p. 1). 38 Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax (OJ L 347, 11.12.2006, p. 1). 39 Council Regulation (EU) No 904/2010 of 7 October 2010 on administrative cooperation and combating fraud in the field of value added tax (OJ L268, 12.10.2010, p.1).
Amendment 110 #
Proposal for a regulation
Recital 19
Recital 19
(19) Where a request for assistance entails obtaining access to any premises of a natural or legal person including to any data storage or other processing equipment and means, by the requested authority, such access must be in accordance with Union or Member State procedural law, including any requirement to obtain prior judicial authorisation. Obtaining data from a private entity from another Member State through the central contact point cannot be used to circumvent the EU and international legal aid regulations.
Amendment 113 #
Proposal for a regulation
Recital 20
Recital 20
(20) The ability to port data without hindrance is a key facilitator of user choice and effective competition on markets for data storage or other processing services. The real or perceived difficulties to port data cross- border also undermine the confidence of professional users in taking up cross-border offers and hence their confidence in the internal market. Whereas natural persons and consumers benefit from existing Union legislation, the ability to switch between service providers is not facilitated for users in the course of their business or professional activities.
Amendment 117 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to take full advantage of the competitive environment, professional users should be able to make informed choices and easily compare the individual components of various data storage or other processing services offered in the internal market, including as to the contractual conditions of porting data upon the termination of a contract. In order to align with the innovation potential of the market and to take into account the experience and expertise of the providers and professional users of data storage or other processing services, the detailed information and operational requirements for data porting should be defined by market players through self- regulation, encouraged and, facilitated and monitored by the Commission, in the form of Union codes of conduct which may entail model contract terms. Nonetheless, if such codes of conduct are not put in placeThe Commission should evaluate the development and effectively implemented within a reasonable period of time, the Commission should review the situationation of these codes of conduct.
Amendment 121 #
Proposal for a regulation
Recital 24
Recital 24
(24) Enhancing trust in the security of cross-border data storage or other processing should reduce the propensity of market players and the public sector to use data localisation as a proxy for data security. It should also improve the legal certainty for companies on applicable security requirements when outsourcing their data storage or other processing activities, including to service providers in other Member States.
Amendment 122 #
Proposal for a regulation
Recital 25
Recital 25
(25) Any security requirements related to data storage or other processing that are applied in a justified and proportionate manner on the basis of Union law or national law in compliance with Union law in the Member State of residence or establishment of the natural or legal persons whose data is concerned should continue to apply to storage or other processing of that data in another Member State. These natural or legal persons should be able to fulfil such requirements either themselves or through contractual clauses in contracts with providers.
Amendment 125 #
Proposal for a regulation
Recital 26
Recital 26
(26) Security requirements set at national level should be necessary and proportionate to the risks posed to the security of data storage or other processing in the area in scope of the national law in which these requirements are set.
Amendment 126 #
Proposal for a regulation
Recital 27
Recital 27
(27) Directive 2016/114841 provides for legal measures to boost the overall level of cybersecurity in the Union. Data storage or other processing services constitute one of the digital services covered by that Directive. According to its Article 16, Member States have to ensure that digital service providers identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use. Such measures should ensure a level of security appropriate to the risk presented, and should take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards. These elements are to be further specified by the Commission in implementing acts under that Directive. _________________ 41 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
Amendment 129 #
Proposal for a regulation
Recital 28
Recital 28
(28) The Commission should periodically reviewsubmit a report on the implementation of this Regulation, in particular with a view to determining the need for modifications in the light of technological or market developments.
Amendment 138 #
Proposal for a regulation
Article 2 – paragraph 1 – introductory part
Article 2 – paragraph 1 – introductory part
1. This Regulation shall apply to the storage or other processing of electronic data other than personal data in the Union, which is
Amendment 152 #
Proposal for a regulation
Article 3 – paragraph 1 – point 2
Article 3 – paragraph 1 – point 2
Amendment 153 #
Proposal for a regulation
Article 3 – paragraph 1 – point 2 a (new)
Article 3 – paragraph 1 – point 2 a (new)
2a. ‘processing’ means any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Amendment 154 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4
Article 3 – paragraph 1 – point 4
4. ‘provider’ means a natural or legal person who provides data storage or other processing services;
Amendment 155 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5
Article 3 – paragraph 1 – point 5
5. ‘data localisation requirement’ means any obligation, prohibition, condition, limit or other requirement provided for in the laws, regulations or administrative provisions of the Member States, which imposes the location of data storage or or practices of Member States and its emanations, including those related to public procurement, which imposes ther processing of data in the territory of a specific Member State or hinders storage or other processing of data in any other Member State;.
Amendment 156 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
Article 3 – paragraph 1 – point 6
6. ‘competent authority’ means an authority of a Member State that has the power to obtain access to data stored or processed by a natural or legal person for the performance of its official duties, as provided for by national or Union law;
Amendment 159 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7
Article 3 – paragraph 1 – point 7
7. ‘user’ means a natural or legal person, including a public authority or body, using or requesting a data storage or other processing service;
Amendment 162 #
8. ‘professional user’ means a natural or legal person, including a public sector entity, using or requesting a data storage or other processing service for purposes related to its trade, business, craft, profession or task.
Amendment 163 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Location of data for storage or other processing within the Union shall not be restricted to the territory of a specific Member State, and storage or other processing in any other Member StateData localisation requirements shall not be prohibited or restricted, unless it isunless they are justified on grounds of public security, in compliance with the principle of proportionality.
Amendment 170 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. Member States shall immediately notify to the Commission any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement in accordance with the procedures set out in the national law implementingArticles 5, and 7 of Directive (EU) 2015/1535.
Amendment 171 #
3. Within By ... [12 months after the start of applicationdate of entry into force of this Regulation], Member States shall ensure that any data localisation requirement that is not in compliance with paragraph 1 ishas been repealed. IBy ... [12 months after the date of entry into force of this Regulation] if a Member State considers that a data localisation requirement is in compliance with paragraph 1 and may therefore remain in force, it shall notify that measure to the Commission, together with a justification for maintaining it in force.
Amendment 172 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. Member States shall make the details of any data localisation requirements applicable in their territory publicly available online via a single information point which they shall keep up-to-date, or via a Union-level information point established under another Union act if and when available.
Amendment 174 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
5. Member States shall inform the Commission of the address of their single information point referred to in paragraph 4. The Commission shall publish the links to such points on its website, along with a consolidated list of all data localisation requirements referred to in paragraph 4, which it shall regularly update.
Amendment 181 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
2. Where a competent authority has exhausted all applicable means to obtain access to the data, it may request the assistance of a competent authority in another Member State in accordance with the procedure laid down in Article 7, and the requested competent authority shall provide assistancFor the purposes of paragraph 1 of this Article, where a competent authority does not receive access to data from a natural or legal persons, and if no specific cooperation mechanism exists under Union law or international agreements to exchange data between competent authorities of different Member States, that competent authority may request the assistance from a competent authority of another Member State in accordance with the procedure laid downset out in Article 7, unless it would be contrary to the public order of the requested Member State.
Amendment 184 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. Where a request for assistance entails obtaining access to any premises of a natural or legal person including to any data storage or other processing equipment and means, by the requested authority, such access must be in accordance with Union or Member State procedural law.
Amendment 191 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
Article 6 – paragraph 1 – introductory part
1. The Commission shall encourage and facilitate the development of self- regulatory codes of conduct at Union level, in ordwhich enables professional users to define guidelines on best practices in facilitating the switchengage with contractual information in a clear and informed manner, ing of providers and to ensure that they provide professional users with sufficiently detailed, clear andrder to contribute to a competitive data economy. The Code of Conduct should be based on principles of transparentcy of information before a contract for data storage and processing is concluded, as regards, interoperability, that take due account of open standards and that define guidelines covering inter alia the following issues:
Amendment 196 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) the processes, technical requirements, timeframes and charges that apply in case abest practices in facilitating the switching of providers, and minimum information requirements to ensure that professional user wants to ss are provided witch to another provider or port data back to its own IT systems, including the processes and location of any data back- up, the available data formats and supports, the required IT configuration and minimum network bandwidth; the time required prior to initiating the porting processsufficiently detailed, clear and transparent information before a contract for data processing is concluded, regarding the processes, technical requirements, timeframes and charges that apply in the event that a professional user wants to switch to and othe time during which the data will remain available for portingr provider or port data back to its own IT systems; and theclear guarantees for accessing data in the caseevent of the bankruptcy of the provider; and
Amendment 199 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
Article 6 – paragraph 1 – point b
Amendment 206 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
2. The Commission shall encourage providers to effectively implement the codes of conduct referred to in paragraph 1 within one[two years after the startdate of apppublication of this Regulation].
Amendment 214 #
Proposal for a regulation
Article 6 – paragraph 3
Article 6 – paragraph 3
3. The Commission shall review the development and effective implementation of such codes of conduct and the effective provision of information by providers no later than two[four years after the startdate of apppublication of this Regulation].
Amendment 220 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. No later than [5four years after the date mentioned in Article 10(2)], the Commission shall carry out a review of this Regulation and present a reportof publication of this Regulation] the Commission shall submit a report evaluating the implementation onf the main findingsis Regulation to the European Parliament, the Council and the European Economic and Social Committee.