What about Non-Personal Data? The new EU Regulation at a glance
March 19, 2019
Since companies began preparing for the GDPR, the importance placed on the proper processing of personal data has been immense, and rightly so, given (1) the potential gold mine of information personal data can provide, (2) the increasing volumes of personal data being used, and (3) the human and property rights associated with personal data. Yet, the focus on the GDPR begs the question - what about data that isn't personal data?
On 28 November 2018, the European Parliament (EP) and European Council (EC) published a framework for the free flow of non-personal data in the European Union (the "Non-Personal Data Regulation") in the EU Official Journal.
What is Non-Personal Data?
The published Regulation does not define or make any explicit reference to the term ‘non-personal data’. Instead, it applies to ‘data other than personal data’ (e.g., anonymous data), where personal data is defined with reference to the GDPR, i.e., “any information relating to an identified or identifiable natural person” (Art. 4(1)). Additionally, the definition of processing is exactly the same as defined under the GDPR, which is extremely broad.
Resulting Framework of Data Regulation
The choice to define non-personal data in binary opposition with personal data under the GDPR is clearly intentional, so as to make it impossible for any data processing to escape the scope of the resulting framework created by both regulations (GDPR & Non-Personal Data Regulation).
Simply put, if you process personal data, you refer to the GDPR; if you process any other data, you consult the Non-Personal Data Regulation.
This general rule applies only subject to two exceptions:
1. When you process personal data that falls outside the material scope of the GDPR, as set out in GDPR Art. 2(2).
Processing of personal data relating to activities falling outside the scope of EU law, processing by Member States for national security purposes, and processing in the course of purely personal or household activities are not regulated by the GDPR. Data processing for law enforcement purposes is regulated by the Law Enforcement Directive.
These exemptions do not apply fully to the processing of non-personal data. In this respect, the Non-Personal Data Regulation has a wider scope - it does not exempt personal or household activities, nor activities by competent authorities for law enforcement purposes.
2. When you process non-personal data in the EU 'for another's needs', in the provision of goods or in relation to services.
The GDPR applies to personal data processing:
1. In the context of the activities of an establishment in the EU;
2. Of data subjects in the EU where the processing is related to the offering of goods or services or the monitoring of their behaviour within the EU.
When processing non-personal data, the Regulation has a narrower territorial scope. In the first scenario, the Regulation adds the caveat that the processing has to be ‘carried out by a natural or legal person residing or having an establishment in the Union for its own needs’. It remains unclear how this will impact the scope of the Regulation as compared to the GDPR.
In the second scenario, the Regulation only relates to processing of (non-personal) data provided as a service. This is narrower as it does not include goods, and does not cover processing ‘related to’ services which are not provisions of services.
What Does this Mean for Companies?
A quick read of the Non-Personal Data Regulation will reveal that its main obligations relate to Member States rather than corporations, and these obligations are considerably more lenient than those imposed by the GDPR. Easily overlooked, this presents vital knock-on effects that are relevant for companies to consider.
Most crucially, businesses that have not considered data other than personal data are unlikely to have established systems that keep the two stored in separate areas of the business. A mixed data set falls within the remit of both regulations, and each regulation applies to its relevant part of the data set (i.e., the GDPR to the personal data part and the Non-Personal Data Regulation to the non-personal data part). If both types of data are inextricably linked, the GDPR (and its correspondingly stricter obligations) prevails.
It is therefore prudent for businesses to carefully review their information management systems and processes so that inextricable linkage is avoided where possible. Non-personal data they handle then need not be GDPR-compliant, but only compliant with the relatively much more lenient rules of the Non-Personal Data Regulation, which lacks the financial penalties of the GDPR (of up to 4% of global annual turnover).
More generally, the Non-Personal Data Regulation reminds us of an oft-overlooked principle - that companies would do well not to develop tunnel vision in relation to data, focusing only on personal data or only on the GDPR. A number of related issues, such as non-personal data, direct marketing, privacy and even human rights, can impact and complicate GDPR compliance itself.