Global flows of personal data have been a source of geopolitical concern for many years now. The Court of Justice of the European Union’s “Schrems II” judgement has revived the debate and organisations around the world now have to map personal data flows and conduct transfer impact assessments, while patiently awaiting the developments around the upcoming EU-US Data Privacy Framework.

To date, these compliance challenges have been essentially limited to personal data processing, so some organisations and sectors had to do more than others. However, several legislative initiatives deriving from the EU Data Strategy now contain transfer restrictions for non-personal data, which will complement the EU’s already complex personal data transfer framework under the General Data Protection Regulation (GDPR) and will expand the issue of global data transfers to more organisations.

The Data Governance Act (DGA), the proposed Data Act and the proposed Regulation on the European Health Data Space (EHDS) provide the first comprehensive set of rules aimed at protecting EU corporations and the public sector against intellectual property theft and industrial espionage, and at safeguarding public interest considerations. These new rules aim to ensure that “protected” non-personal data is not transferred to countries outside the European Economic Area (EEA) without sufficient protection of intellectual property rights, trade secrets, confidentiality, and other EU interests.

For further information on the upcoming data transfer restrictions for non-personal data that will apply to companies and public bodies that fall under the scope of these EU data initiatives, please see our article available here.