Global Data and Cyber Handbook

EU

Select a Topic
Start Comparison
Data localization and regulation of non-personal data
Jump to
Data localization and regulation of non-personal data Start Comparison
Are there data localization/data residency or other types of laws that may require the retention and storage of data in the local jurisdiction, or prohibit the transfer of data out of the jurisdiction?

Last review date: January 2025

No

Regulation (EU) 2018/1807 on the framework for the free flow of non-personal data in the European Union prohibits data localization requirements unless they are justified on grounds of public security in compliance with the principle of proportionality (Art. 4). As a consequence, data localization requirements should have been repealed in the EU by 30 May 2021, unless justified under Regulation (EU) 2018/1807.

Does law or regulation impose mandatory requirements to share or make accessible non-personal data?

Last review date: January 2025

☒   Obligation for public sector organizations to share or make accessible non-personal data

☒   Obligation for private organizations to share or make accessible data generated by connected or "IoT" devices

Regulation (EC) No 1049/2001 grants public access to European Parliament, Council and Commission documents, on request (if not already proactively published) and subject to a broad list of public and private interest exceptions.

In September 2023, the Data Governance Act took effect, and key substantive provisions apply from 24 December 2024. The Data Governance Act provides a framework to enhance trust in voluntary data sharing, and limits the ability of public sector bodies to enter into exclusive agreements for the re-use of in-scope data.

In December 2023, the Data Act was published in the Official Journal of the EU. It shall apply from 12 September 2025. The Data Act contains provisions regarding the access, use, making available and sharing of data (both personal and non-personal data) generated by the use of connected products and related services. Users can also ask data holders to make this data available to third parties.

In spring 2024, the European Parliament and the Council reached a political agreement on the Commission proposal for the European Health Data Space. The proposal includes mandatory data-sharing obligations for data holders, such as private entities in the health care sector.

In June 2023, the European Commission put forward a proposed framework for Financial Data Access (“FIDA”) that aims to open the access of financial institutions to each other’s customer data. The Council of the EU reached agreement on its position in December 2024 and the final shape of the legislation will now be negotiated with the European Parliament.

What specific obligations do these data-sharing rules impose on private organizations?

Last review date: January 2025

☒   Obligation to share data on request

☒   Obligation to (re)design products or services to facilitate data accessibility

☒       Obligation to standardize products or services to facilitate data portability or interoperability

{{ $store.state.loadingScreen.message }} ...