The EU’s General Data Protection Regulation (GDPR) ostensibly outlaws barriers to the flow of personal data between EU countries, and in September 2017, the European Commission published a draft regulation for a similar rule on non-personal data transfers. Yet a plethora of questions remain. How effective will the two regulations be at ending data localization in practice? Just how easy is it to separate personal from non-personal data, and treat them according to separate laws? And how should policymakers address the remaining obstacles to data flows outside the union?
On December 7, 2017, ITIF's Center for Data Innovation hosted a conversation with a panel of experts. The discussion was moderated by Nick Wallace, Senior Policy Analyst at the Center for Data Innovation.
Pearse O’Donohue, acting director for the Future Networks Team at the European Commission’s DG CONNECT, shared his perspective on the free flow of data. In his view, a principle on data flow should be established in European law, and EU member states should not create barriers to data movement. In addition, he suggested that the European Commission be allowed to work with industry to create such standards.
After O’Donohue spoke, Wallace asked Jean-Marc Leclerc, a government and regulatory affairs executive at IBM, why some member states may want to deter the free flow of data. Leclerc implied that it may be a form of protectionism; in other words, some states use data localization rules to create market access barriers.
Leclerc said that the European Commission’s willingness to discuss the General Data Protection Regulation (GDPR) rules before they are implemented will likely increase its speed of adoption once it goes into effect. However, he expressed concern over small adjustments to regulations which could render them useless—for example, overreaching national security provisions could actually increase data localization.
Lenard Koschwitz, director of European affairs at Allied for Startups, shared his view from the start-up perspective. According to him, start-up leaders and entrepreneurs have expressed a desire for the free flow of data for a while; in fact, he claimed that sharing data comes naturally to young entrepreneurs and companies. He also emphasized that the cost of establishing and running a business has dropped because it’s easier to outsource tasks, such as setting up a website or bookkeeping, in the digital age. Since cloud service and data-run companies are an integral source of that, he worries that any regulation that negatively impacts data collection or storage may hurt companies. On the other hand, O’Donohue believes that regulation like the GDPR will help start-ups and other small businesses, since it will help them compete against big businesses with more data.
Overall, the panelists discussed the costs of data localization and the implications of the GDPR and the proposed Free Flow of Data Regulation for data transfers within and beyond Europe.