Ten blog korzysta z plików cookies na zasadach określonych here

The „personal data protection craze” is behind us. Is a „non-personal data protection craze” in store?

The General Data Protection Regulation, popularly referred to as the „GDPR”, created a great deal of legal, business as well as social and cultural agitation. As a reminder, this was the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

In view of the approval on 9 November 2018 by the EU Council of the „twin” draft regulation concerning non personal data (as proposed by the European Parliament), a question may be asked if another revolution lies ahead.

The legislative process

The draft Regulation of the European Parliament and of the Council concerning the framework of free flow of non-personal data in the European Union (the “NPDR”) was accepted by the European Parliament on 4 October 2018. Pursuant to the press release of the EU Council the draft was approved by this institution on 9 November. It is due to be signed during the plenary session of the Parliament in mid-November and subsequently published in the EU Official Journal.

At present the Member States are free to formulate their own non-personal data protection regulations, which creates certain problems in the free flow of such data between countries due to regulatory differences between them. For this reason, the proposed regulation will apply directly and replace such national regulations.

Adoption of this legislation has been preceded by nearly two years of consultations and social research, mainly among entrepreneurs. What was confirmed, was the strong belief among European institutions that it is necessary to regulate this sphere on the pan-European plane. According to study results 61.9% of the parties concerned believed that restrictions concerning data localisation ought to be eliminated because they considered them to be an obstacle in running their business and reduced the ability of companies to enter new markets.

What the non-personal data regulation refers to?

The proposed regulation, as the title indicates, concerns non-personal data and defines them as any data which are not personal – within the meaning of the GDPR.

This laconic definition appears mysterious and incomprehensible to the layman. By way of explanation, it refers to all numerical data which do not enable identification of a natural person. As such it embraces chunks of information such as viewed websites, number of visits on websites, the time spent viewing them, the operating system or internet browser possessed by the user, provided they do not refer to a specific, identified or identifiable natural person. Most importantly, such data must not be connected with the person to whom they refer, otherwise they will constitute personal data.

As regards the regulation itself, it contains provisions concerning the free flow of such data, rules for storing them on servers and rules concerning the location of such servers. A regulation has also been provided concerning the methods of obtaining information about processed data by government authorities, which is meant to improve supervisory procedures in the Member States.

Who the non-personal data protection regulation applies to?

All these circumstances are meant to have a positive impact on the market of enterprises specialising in the processing of data on cloud servers and in so called big data. Elimination of barriers will liberalise access to the market and consequently provide opportunities for Polish entrepreneurs. They will be in a position to acquire new clients from all over Europe by offering them lower prices than their local counterparts.

An important issue from the point of view of the parties concerned is that the regulation enables the data processors to draw up their own codes of conduct. The purpose of this is to improve the application of the regulation by creating a closer relationship between the data processor and the person whose data are processed, and by outlining the provisions of the regulation in more detail. This corresponds to the situation already seen in case of the GDPR.

The NPDP Regulation also imposes duties on the Member States. First of all, it formulates the principle that no bans or restrictions may be introduced for storage or other processing of data, unless they are necessary for public security reasons. In addition, under the Regulation the countries are obliged to repeal all regulations concerning data localisation within 12 months of the effective date of the Regulation, unless retaining such restrictions is necessary for the above security reasons. In this case they are required to notify the European Commission about it.

As regards the effective date, it is to be noted that the legislator envisaged a shorter period of vacatio legis for this regulation than for the GDPR. This is the time between publication of the Regulation and its actual entry into force. In this case the recipients have only six months to adjust to the new regulations. As such we can expect that the new rules will come into effect in mid-2019.

Final conclusions

Thus, answering the question raised by me in the title of the article, it seems that we are not going to see an „NPDR craze”, at least not in the social and cultural sense. This is not only due to the fact that the wording is not the easiest to pronounce. The main reason is that from the point of view of ‘Everyman’ the Regulation will have very limited application. However, it will have an impact on companies specialising in cloud solutions and processing of so called big data on their servers. These companies must be ready for the legislative changes which are approaching.


Would you like to be informed about the latest blog posts?

  • - Just provide your e-mail address and receive notifications about the latest posts on the SKP/IPblog blog directly to your inbox
  • - We will not send you spam messages

The administrator of your personal data is a SKP Ślusarek Kubiak Pieczyk sp.k. with its registered office in Warsaw, at ul. Ks. Skorupki 5, 00-546 Warszawa.

We respect your privacy, therefore the data provided to us will not be processed and made available outside the SKP for purposes other than those included in the Terms of Service. Detailed provisions regarding our IP Blog, including a catalog of your rights related to the processing of personal data, can be found in the Privacy Policy.