
Cross-border data flow in the digital single market: study on data location restrictions

FINAL REPORT A study prepared for the European Commission DG Communications Networks, Content & Technology by:

Digital Single Market


This study was carried out for the European Commission by Time.lex, Spark Legal Network and Tech4i2.

Time.lex: Hans Graux
Spark Legal Network: Patricia Ypma; Network of legal experts
Tech4i2: Paul Foley

Internal identification Contract number: 30-CE-0738539/00-91 SMART number 2015/0054

DISCLAIMER By the European Commission, Directorate-General of Communications Networks, Content & Technology. The information and views set out in this publication are those of the author(s) and do not necessarily reflect the official opinion of the Commission. The Commission does not guarantee the accuracy of the data included in this study. Neither the Commission nor any person acting on the Commission’s behalf may be held responsible for the use which may be made of the information contained therein. ISBN 978-92-79-68705-1 doi: 10.2759/92602 © European Union, (insert current year). All rights reserved. Certain parts are licensed under conditions to the EU.


Cross-border data flow in the digital single market: study on data location restrictions (SMART 2015/0054)

Contents

Abstract
Executive summary
1. Introduction
2. Analytical framework defining concepts of barriers in Member States
2.1. Introduction
2.2. Methodology for the identification and classification of regulatory barriers
2.3. Analysis of identified compliance obligations in 20 Member States
2.3.1 Health data, particularly patient records held by doctors or hospitals
2.3.2 Financial data, particularly data which is subject to supervision by national regulators
2.3.3 Citizen data and company records
2.3.4 Judicial data and privileged data
2.3.5 Tax and accounting records
2.3.6 Other data types and barriers
2.4. Establishing an analytical framework for identified barriers – defining a common understanding of data requirements in the EU Member States
3. Complementing the analytical framework with examples
3.1 Introduction
3.2 The Online Survey
3.2.1 Survey methodology
3.2.2 Analysis of survey outcomes
3.3 Interviews
3.3.2 Interview methodology
3.3.3 Preliminary interview results and analysis
4. Quantitative estimate of barriers
4.1 Introduction
4.2 Cross-border data transfer methods
4.3 Costs of cloud data transfer
4.5 Cloud data centre costs
4.3.1 Cloud data centres in EU28 Member States
4.3.2 Costs of building and operating a cloud data centre
4.7 Labour costs and data centre construction and operating costs
4.4.1 Electricity costs and data centre location
4.4.2 Land prices and data centre locations
4.4.3 Climate considerations for data centre location
4.5 Cloud data centre model
4.5.1 Construction costs for cloud data centres
4.5.2 Operational costs for cloud data centres
4.5.3 Cloud data centre costs
4.6 Optimal and sub-optimal cloud data centre location costs
4.7 Conclusion
5. Recommendations for functional requirements and future policy concepts in order to facilitate cross border data flow within the EU
5.1 Introduction
5.2 From form to function – recommendations for recasting
5.3 Promoting the free flow of data – crucial policy concepts
5.3.1. Where should the free flow of data exist?
5.3.2. Recasting regulations to support the free flow of data
5.4 Summary – key requirements and recommendations
6. Annexes
6.1 Annex I: Table of Regulatory data location restrictions
6.3 Annex III: Workshop Report


Abstract

This Final Report is the result of: ‘Cross-border data flow in the digital single market: study on data location restrictions’ (SMART 2015/0054), undertaken by time.lex, Spark Legal Network and Tech4i2. The objectives of the study were to a) identify and analyse legal and non-legal barriers that hinder the free flow of data within the EU, and b) quantify the impact of these barriers for private and public sector users, and suppliers of cloud computing services. These objectives were achieved through a step-by-step approach, undertaken across seven tasks. Consequently, this report contains: the identification of compliance obligations across the EU (tasks 1 and 2); examples of barriers which complement the analytical framework, results of a survey and in-depth interviews with stakeholders (tasks 2 and 3); an analytical framework that allows for the definition of concepts of barriers to the free flow of data, defining a common understanding of data requirements in the EU (task 4); the results of an economic analysis of the costs and benefits of data location restrictions (task 5) and recommendations for functional requirements and future policy concepts, to facilitate cross border data flow within the EU (tasks 6 and 7).

Executive summary

Introduction

This document comprises the Final Report, produced under the contract between the European Commission and a consortium consisting of time.lex, Spark Legal Network and Tech4i2, for the project ‘Cross-border data flow in the digital single market: study on data location restrictions’ (SMART 2015/0054). This study was organised against the backdrop of the Digital Single Market Strategy, adopted by the Commission in May 2015. Subsequently, the Commission announced plans for a European ‘Free flow of data’ initiative that would “tackle restrictions on the free movement of data for reasons other than the protection of personal data within the EU and unjustified restrictions on the location of data for storage or processing purposes.” Thus, this study aims to address the identification of examples of barriers that hinder the free flow of data across the European Union, including a quantification of their impacts, and the definition of methodologies and frameworks that allow their accurate description, with a view to assessing their necessity, and thus their justification, in a Digital Single Market. The Study Team has achieved these objectives through a step-by-step approach, undertaking seven distinct tasks.

This Final Report brings together results from each of these tasks, and includes: an introduction (Section 1), the full results of the identification of compliance obligations in the selected 20 Member States (tasks 1 and 2) and an analytical framework that allows for the definition of various concepts of barriers to the free flow of data, defining a common understanding of data requirements in the EU Member States (task 4, presented in Section 2); a list of examples of the barriers which complement the analytical framework and the results of the survey and in-depth interviews with stakeholders (tasks 2 and 3, Section 3); the results of the economic analysis of the costs and benefits of data location restrictions (task 5, Section 4) and recommendations for a list of functional requirements and future policy concepts in order to facilitate cross border data flow within the EU (tasks 6 and 7, Section 5). Annexes contain the full list of legal compliance obligations and a Workshop Report.

Analytical framework defining concepts of barriers in Member States

As a first step, the study team identified and collected information in relation to regulatory barriers in twenty Member States; the results can be found in Section 2. This data collection was done via a network of local legal and policy experts, who were invited to report on at least three observed barriers that applied to at least three different types of data, specifically to laws and norms that affect directly or indirectly where electronic data may be stored or where it may be transported to. A total of 40 barriers were identified, 30 of which were indirect, and 10 direct.

These have been categorised into the following data types for the purpose of this study: a) Health data (7 indirect barriers); b) Financial data (7 indirect barriers); c) Citizen data and company records (4 indirect barriers); d) Judicial data and privileged information (1 direct, 3 indirect barriers); e) Tax & accounting records (2 direct, 5 indirect barriers); f) Other types of data (including national archives, public registries and gaming / gambling, 3 direct and 8 indirect barriers).


One of the principal objectives of this study is to provide an analytical framework that allows for a definition, mapping and understanding of various concepts of barriers to the free flow of data, both from a regulatory and non-regulatory perspective. As a first step to identifying these barriers, the study team has investigated regulatory compliance barriers across 20 Member States via a network of local legal and policy experts and identified such barriers in 18 Member States. Secondly, the study team has conducted a survey and a series of interviews with selected stakeholders in order to identify non-regulatory compliance barriers. With respect to the concept of ‘barriers’, correspondents were asked specifically to identify laws and norms that affect directly or indirectly where electronic data may be stored or where it may be transported to. The following definitions were applied:

A barrier is considered direct when a law (or other regulatory text) explicitly states where data may or may not be stored or transferred (e.g. data must stay in a specific country, in a specific building, in a specific data centre), or when the law contains an obligation that can only reasonably be met by keeping the data in a specific location.

A barrier is considered indirect when a law contains requirements that in practice are likely to be interpreted to restrict data location or data flows (e.g. data must remain accessible to a supervisor, or it must be possible to irretrievably delete data, or it must be exclusively accessible to the owner).

By way of a general summary of the outcome, the overview below can be provided. The table indicates whether barriers were reported for any given Member State (vertical axis) for any given data type (horizontal axis). The table below also identifies the number of barriers per data type (bottom row), and indicates whether the reported barriers were direct (d) or indirect (i) as defined above. Where multiple barriers were reported, this is indicated by multiple letters (e.g. "ddi" indicates that two direct and one indirect barriers were reported). Barriers which are known to have been repealed since the conclusion of the data collection phase of this study are provided with a footnote.

Overview of reported regulatory data location obligations (direct and indirect) in 20 MS, per data type

[Table: rows are the Member States (Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hungary, Ireland, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Sweden); columns are the data types (Health; Financial; Citizen data and company records; Judicial and privileged data; Tax and accounting; Other). Per-Member-State d/i entries not reproduced.]

Total number of barriers (see footnote 2): Health 7; Financial 7; Citizen data and company records 4; Judicial and privileged data 4; Tax and accounting 7; Other 11
Total number direct barriers: Health 0; Financial 0; Citizen data and company records 0; Judicial and privileged data 1; Tax and accounting 2; Other 7
Total number indirect barriers: Health 7; Financial 7; Citizen data and company records 4; Judicial and privileged data 3; Tax and accounting 5; Other 4

Thus, a total of 40 barriers were identified, 30 of which were indirect, and 10 direct. The highest number of barriers (11 in total) was reported for the ‘other’ data types, which is a broad residual category encompassing various types of data from the private sector (mainly from the gaming/gambling sector) and the public sector (mainly in relation to e-government in general). Apart from that residual category, the highest number of barriers (7 each) was reported for health, financial data and tax/accounting cases, in all cases with a clear majority of reported barriers being indirect in nature. In the main report, each data type is examined separately in order to identify trends and patterns. With respect to the nature of the barriers, the following structure can be proposed:

Classification of identified regulatory barriers to the free flow of data

Regulatory barriers to the free flow of data

Direct barriers
- Geographic location storage requirements. E.g. servers must be located in country X or data can only be stored nationally
- Unique national technical requirements. E.g. data must use national formats

Indirect barriers
- Accessibility to supervisors. E.g. supervisors must be able to get access
- Prior authorisation schemes. E.g. storage systems must be approved by supervisor
- Prohibitions against third party access / disclosure. E.g. data may not be made accessible to third parties
- Subcontracting restrictions. E.g. subcontractors must obtain prior approval
- Generic technical requirements. E.g. interoperability
- Mandatory use of a specific infrastructure. E.g. data must be kept by administration X
- Segregation requirements. E.g. data must be kept on segregated systems
- Destruction requirements. E.g. data must be destroyable in situation X

1 This restriction has been repealed since the conclusion of the data collection phase of this study; further details are included in the report and Annex 6.1.
2 For the purposes of this total, a single barrier that was reported as being partially direct and partially indirect (identified in the table as d/i) was counted as two separate barriers in order to avoid skewing of percentages.


Most of the types of requirements can be grouped together and correspond to a specific public policy interest. However, even though the policy objective may be legitimate, the implementation of barriers to the free flow of data may be ineffective or disproportionate in light of the intended objective. By way of a specific example, it is clear that accounting documents must be accessible to tax authorities. This legitimate policy objective does not imply that data must be stored locally. The study therefore also assessed how legitimate policy objectives could be formulated in a functional and neutral way that avoids barriers to the free flow of data to the maximum extent.

Examples of the barriers, which complement the analytical framework (results of the survey and in-depth interviews with stakeholders)

Section 3 of the study describes the outcomes of the survey and in-depth interviews with stakeholders. A small online stakeholder survey was undertaken to provide an insight into the problems and opportunities facing enterprises in relation to cross border data flow. 41 responses were received from 15 countries, including 13 EU Member States. The majority of organisations were SMEs (with fewer than 200 employees); however, six respondents had more than 1,000 employees. Over three quarters of respondents reported that their organisation utilises cloud computing. Nearly all of those using cloud services, 25 enterprises, reported that the location of cloud servers was either ‘important’ or ‘very important’. Just under half of respondents were aware of regulations, or knew that their organisation has encountered regulations or other requirements that hinder their organisations in the cross-border flow of data within the EU. 15 of these 19 respondents believed that regulations are ‘justified’ or ‘very justified’ in order to maintain privacy and security.

Overall the majority of respondents reported that their organisations were complying with regulations. More generally it became evident that larger organisations are more aware of cloud regulations than smaller organisations. Interviews with a wide range of stakeholders, from the financial, health and public sector as well as from industry (including SMEs), have given the study team further insights into the identified restrictions, in terms of practical implications, drivers behind such restrictions and possible solutions. Additionally, data location restrictions identified by our study team during desk research were often confirmed. Generally, it can be said that stakeholders experience a lack of clarity or knowledge of current data location rules across Europe. The fragmentation of the legal framework was often mentioned as the principal reason. Smaller companies appeared to suffer the most, due to a lack of knowledge and resources to deal with data flow restrictions. It was generally proffered by interviewees from industry, health and financial sectors that such fragmentation hinders the development of cross border services within the EU and hence of the Digital Single Market. A common thread with regard to the justification or drivers behind data flow restrictions seemed to be that these are intended to safeguard the security of data, which counts slightly more strongly for the health and financial sectors. Notably in the financial sector, auditing obligations / the right to examine remains an imperative feature for regulators. It appeared from the interviews that the choice of location of data centres by providers seems to be driven by demand for high security and audit controls, mostly based on customer but also on legislative demands. Proffered solutions by interviewees included a) harmonisation amongst certain requirements throughout the EU, for example by aligning standards or promoting cooperation between regulators; b) the provision of good practice examples by the public sector and c) the creation of a new EC Regulation, opening up data location within the EU, in combination with a strong notification process where any national legal data location restriction would have to be approved by the EC.

Quantitative estimate of barriers

Section 4 of this report investigates the additional costs to businesses and other organisations that might arise as a result of restrictions to cross-border data flow. Research examined how data can be digitally transferred across borders. This was necessary to investigate the additional costs associated with different transfer methods affected by restrictions to cross-border data flow. It was established that cloud services offer the only commercially viable transfer method in terms of volume data transfers and access by multiple users. It was also notable that this is a method that requires remote storage (potentially in a third country, across a border from the holder and/or the user(s)). Our team examined cloud subscription prices, envisaging there would be differences in costs between Member States and that options for ‘local’ storage would be available. Interestingly, it was found that most of the large providers offer flat rate pan-EU pricing policies, usually quoted in US dollars. ‘Local’ storage options have only recently been offered by a small number of providers. Discussions with cloud providers also revealed that the price/subscription charged to users in the short-term can be independent of the cost of provision, as providers pursue goals such as maximising market share. Over the long term, cloud service providers will need to obtain a return on their investment, but in the short-term, costs to users (in subscriptions and/or fees) may not reflect costs incurred by cloud service providers.

To address this possibly spurious line of investigation the study therefore moved away from examining costs incurred by cloud customers purchasing cloud services. Instead it examined costs incurred by cloud service providers when building and operating cloud data centres in different locations and investigated how these costs might be influenced by restrictions to cross-border data flow. The underlying logic was that at some point in the future any additional costs (currently invested in building cloud data centres by cloud service providers) would be borne by cloud users in the form of higher subscription fees and/or costs. An examination of the Member States in which cloud data centres of leading providers are located found no relationship between the location of centres and the number of data flow restrictions that existed in a Member State. Interviews with providers also suggested that restrictions were not a major issue in deciding where to locate centres in the past. The study developed a model of the costs of cloud data centre provision in all 28 EU Member States to examine the potential additional costs of locating cloud data centres in Member States with the most onerous restrictions on cross-border data flow. This analysis found that there would not be any additional cost (in cloud data centre construction and ten year running costs) if centres were located in the eight Member States with the most restrictions to cross-border data flow. In these Member States the average cost of a cloud data centre would be €251.7 million. This was less than the average cost in all EU Member States (€276.9 million) and considerably less than the average cost of €353.8 million for data centres in seven EU Member States where cloud data centres have been located by the six leading cloud service providers.

At the start of the study the geographical coverage of cloud data services was unknown and it was not known where local data restrictions existed. As a result the study did not analyse different scenarios for location restrictions resulting in negative economic impacts (costs). For example, it was not possible to examine how organisations (public and private) in Member States, which were not served by large services providers that had a cloud data centre in their country, were affected.

Conclusions and recommendations

This report has identified a range of direct and indirect barriers. However, these barriers as such cannot be directly translated into functional requirements. This is because the correct translation of formal requirements into functional requirements depends strongly on the underlying policy objective. As a practical example, if data should be stored on a server in a specific Member State in order to ensure its accessibility to a national supervisor, then the formal data location requirement can be recast into a functional accessibility requirement. However, if the exact same requirement is driven by the need to ensure that data cannot be seized by a third party, then accessibility to a national supervisor is not a sufficient or appropriate translation. Data location as such is not a requirement that can be translated in isolation; the policy objective must be the focus of the translation effort. In other words, translation from formal to functional requirement cannot be done on the basis of the phrasing of the formal requirement, but must be done on the basis of the underlying policy objective. The study therefore has provided a mapping from identified policy objectives into functional requirements:

Policy objectives and functional requirements table

Policy objective: Accessibility to a regulator or supervisor
Functional requirement: The data must be stored in a manner that allows it to be accessed by the regulator or supervisor upon its request, including via electronic channels, in a format which is usable by and understandable to the regulator or supervisor without requiring any modification and formatting. The person subject to the storage requirement must be able to demonstrate to the regulator or supervisor upon request that accessibility is ensured.

Policy objective: Protection against third party modification
Functional requirement: The data must be stored in a manner that ensures that it cannot be altered without the prior approval of the person subject to the storage requirement. The person subject to the storage requirement must be able to demonstrate upon request that protection is ensured.

Policy objective: Protection against modification by the person subject to the storage requirement
Functional requirement: The data must be kept in a manner that ensures that it cannot be altered without the prior approval of the competent regulator or supervisor. The person subject to the storage requirement must be able to demonstrate upon request that protection is ensured.

Policy objective: Protection against third party accessibility
Functional requirement: The data must be stored in a manner that ensures that it cannot be accessed without the prior approval of the person subject to the storage requirement. The person subject to the storage requirement must be able to demonstrate upon request that protection is ensured.

Policy objective: Destruction of data after the expiration of a certain time period or under certain conditions
Functional requirement: The data must be stored in a manner that ensures that it can be permanently and irrevocably destroyed by the person subject to the storage requirement. The person subject to the destruction requirement and the entity providing the storage services must be able to demonstrate upon request that such destruction is ensured.

Policy objective: Interoperability
Functional requirement: The data must be stored in a way that allows it to be extracted in a structured, commonly used and machine-readable format that allows it to be used by the person subject to the storage requirement, and by any persons to whom the data will foreseeably be made available or accessible on the basis of its nature and purpose.

Policy objective: Security of the infrastructure
Functional requirement: The data must be stored using technical infrastructure that is subject to technical and operational security measures that ensure that the data cannot be accessed without the prior approval of the person subject to the storage requirement.

Policy objective: Trustworthiness of the service provider
Functional requirement: The data must be stored by a provider that is subject to technical and operational security measures that ensure that the data cannot be accessed without the prior approval of the person subject to the storage requirement.

Policy objective: Trustworthiness of the service provider’s personnel
Functional requirement: The data must be stored in a way that allows access to the data only by personnel with appropriate qualifications and/or which is subject to a legal or contractual duty of confidentiality and secrecy.

The table above builds on the assumption that removing barriers to data location choices is a desired objective. There are however also cases where a Member State may legitimately not wish to open certain data to EU-level storage options. National security and police databases are arguably reasonable examples where a Member State may feel that there is no need or benefit in the current state of technology to allow data storage outside the exclusive control of its own administrations, thus also forbidding storage outside its own borders. This exclusive and sovereign control is a policy objective which has no reasonable functional translation that would permit the removal or softening of data location requirements: when the principal concern of a Member State is that certain data is so critical that it may not be subjected to any sovereignty than one’s own, no foreign data storage option will likely be satisfactory. Even strong encryption is not perpetually trustworthy, and no legal or political construct can ensure that data remains forever in trusted hands. The facilitation of the free flow of data by mitigating data location barriers therefore hinges on two complex issues: firstly, the identification of cases where the principle of the free flow of data apply; and secondly, implementing the necessary changes to transition from formal requirements to functional requirements. The first question is arguably the most complicated: In which cases should Member States be able to introduce barriers to the free flow of data? 
Based on the available data and on existing legal principles of EU law, the conclusion would appear to be that data location restrictions – or more broadly: legal requirements that affect the free flow of data – in relation to specific services (understood as services usually required against remuneration) can be legitimate only to the extent that these requirements are objectively justified and proportionate in the light of this public interest objective. In such cases and to that extent, a data location restriction could be justified and the free flow of data could be legitimately impeded. When such a justification cannot be provided, the requirement must be recast into a functional requirement, in accordance with the functional requirements translation table provided above. This is not a trivial exercise. It implies the screening and simplification of national laws, but can also require the establishment of coordination and harmonisation mechanisms between the Member States in order to establish any technical or organisational requirements that may be relevant for specific data types. These will likely vary from sector to sector. In practice therefore, the process requires a three-step approach; when data falls within the scope of the free movement of data, a Member State would have to:


- Screen its legislation to determine whether it has introduced any requirements that impact the free flow of data;
- If so, simplify the requirements by translating them into functional requirements based on the principles set out above;
- And if the resulting functional requirements result in specific technical or operational requirements, coordinate with other Member States in order to harmonise and mutually recognise these technical or operational requirements.

This process could be organised in several ways: 

- Policy option 1 is to establish the free movement of data purely through the strict application of the Treaties, Services Directive and e-Commerce Directive. This implies no new legal instrument, but requires that Member States are reminded of the impact of the present legal framework on their data location requirements. The effectiveness of this measure is however dependent on the infringement process, which is relatively time consuming and resource intensive.
- Policy option 2 is the creation of a new horizontal legal instrument, such as a Directive or a Regulation, establishing the free movement of data as a principle, and outlining the requirements and process for Member States to implement exceptions. This allows a more tailored and homogeneous approach, since the scoping and principles set out above can be integrated directly, rather than depending on an interpretation of the existing rules; for this reason, it is the favoured option of the study team, which also seemed to be favoured by a majority of the participants in the project workshop.
- Policy option 3 is the non-regulatory scoping of the free movement of data through policy recommendations and best-practices based coordination between the Member States. While this option is conducive to encouraging communication, it may be seen as too weak to make quick progress, and may not have the same impact on the market as a regulatory statement of the principle of free movement of data.

Following the choice of a policy option, the process outlined above – identification of barriers, simplifying requirements, and coordinating in order to harmonise and mutually recognise technical or operational requirements – must be followed. In this manner, the importance of the free movement of data as a core principle of the digital single market could be more clearly highlighted and supported at the policy level, in line with the Commission’s objectives on this point.



1. Introduction

The current document comprises the fifth and final deliverable (Final Report – D5) to be produced under the contract between the European Commission and the Study Team, consisting of time.lex, Spark and T4i2, under the project ‘Cross-border data flow in the digital single market: study on data location restrictions’ (SMART 2015/0054). This study is organised against the backdrop of the Digital Single Market Strategy (DSM Strategy), which was adopted by the Commission in May 2015. The Commission’s Communication on A Digital Single Market Strategy for Europe explicitly noted that: “[t]o benefit fully from the potential of digital and data technologies, we will need to remove a series of technical and legislative barriers. Restrictions, such as those related to data location (i.e. Member States requirements to keep data inside their territory) force service providers to build expensive local infrastructures (data centres) in each region or country. […] Any unnecessary restrictions regarding the location of data within the EU should both be removed and prevented.” In order to achieve this objective, the Communication announced the Commission’s plans to propose a European ‘Free flow of data’ initiative that would “tackle restrictions on the free movement of data for reasons other than the protection of personal data within the EU and unjustified restrictions on the location of data for storage or processing purposes.” Both the Commission’s earlier cloud policies and the current Digital Single Market strategy are therefore aligned on the need to identify and address unjustified data location restrictions. A much more delicate question is the identification of these restrictions, and above all the assessment of whether or not they are justified.
It is precisely these questions that the present study aims to address: the identification of examples of barriers that hinder the free flow of data across the European Union, including the quantification of their impacts, and the definition of methodologies and frameworks that allow their accurate description, with a view to assessing their necessity, and thus their justification, in a Digital Single Market. Thus the main objectives of this study are to:

a) Identify and analyse legal and non-legal barriers in Member States’ practices that hinder the free flow of data within the European Union, in order to contribute to the sustainable development of a Digital Single Market, and
b) Quantify the impact of these barriers for private and public sector uses, as well as suppliers of cloud computing services by conducting a cost benefit analysis [3].

The Study Team has aimed to achieve these objectives through a step-by-step approach, undertaking the following tasks:

Task 1: Elaborate a methodology to review and map compliance obligations in the 28 EU Member States

Task 2: Provide an analytical framework allowing for the definition of various concepts of barriers to the free flow of data within the EU

Task 3: Complement the analytical framework with examples from EU MS

Task 4: Examine a common understanding of data requirements in EU MS

Task 5: Quantitative estimate of barriers (providing list of economic indicators and a Cost Benefit Analysis)

Task 6 and 7: Recommendations (concerning a) functional requirements, which could replace formal requirements, and b) future policy concepts to facilitate cross border data flow).

[3] During the execution of this study, the Commission continued its work in the area, publishing amongst others its Communication on "Building a European data economy", Brussels, 10.1.2017, COM(2017) 9 final, accompanied by Commission staff working document on the free flow of data and emerging issues of the European data economy, Brussels, 10.1.2017, SWD(2017) 2 final.

In addition, the study had an Inception Phase resulting in an Inception Report, which upon approval by the Commission served as a guiding document throughout our study. At the end of the project, we had a Consultation and Finalisation Phase, which included a Workshop with stakeholders and which will end with a final meeting with the Commission and the finalisation of this final report. This Final Report brings together our results from each of the above-mentioned tasks. It also captures and takes into account the results of our stakeholder Workshop called “How to facilitate cross border dataflow in the digital single market?”, which took place in Brussels on 20th March 2017. The purpose of the workshop was to present the provisional results of this study and to facilitate a discussion on these results, providing an opportunity for stakeholders to contribute to the legal and policy discussion in the field. In particular, stakeholder feedback was sought on the formulation of recommendations on how to scope the free flow of data, and how to implement those. Over 65 stakeholders participated in the Workshop, many of whom shared their experiences and views on the above-mentioned issues. This report will consequently include the following sections:


- Section 2 includes the full results of the investigation on mapping compliance obligations set out in various levels in the selected 20 Member States (tasks 1 and 2) and an analytical framework that allows for the definition of various concepts of barriers to the free flow of data in Member States, defining a common understanding of data requirements in the EU Member States (task 4).
- Section 3 provides a list of examples of the barriers which complement the analytical framework and the results of the survey and in-depth interviews with stakeholders (tasks 2 and 3);
- Section 4 provides the results on the economic analysis for the costs of formal requirements and on the cost and benefits due to the transition from formal to functional requirements (task 5);
- Section 5 includes our draft recommendations for a list of functional requirements and future policy concepts in order to facilitate cross border data flow within the EU (tasks 6 and 7).
- Section 6 includes the following Annexes:
  - Annex I: Table of legal compliance obligations [4]
  - Annex II: Workshop Report

[4] Which includes a list of external legal experts who contributed to collecting the national legal compliance obligations.


2. Analytical framework defining concepts of barriers in Member States

2.1. Introduction

One of the principal objectives of this study is to provide an analytical framework that allows for a definition, mapping and understanding of various concepts of barriers to the free flow of data, both from a regulatory and non-regulatory perspective. The goal is to understand the drivers behind these various barriers, and to explore where commonalities and differences lie. This can permit the identification of solutions to mitigate or eliminate needless barriers, i.e. barriers that are unjustified in view of public and private interests, irrational, or simply ineffective. These barriers can of course take many forms. In some cases, there is a clear and objective compliance requirement behind them, such as a legal obligation to store data locally in order to maintain national control over essential systems and services. In other cases, a barrier can result from business requirements (e.g. customer demand to store data locally), policy preferences (e.g. a desire to keep data within one’s own jurisdiction), operational needs (e.g. a requirement to be able to destroy data), or even personal preferences (e.g. favouring local companies) and personal concerns (e.g. concern that foreign entities may seize data stored abroad). All of these barriers can restrict the available choices for storing data in a given locality. This can be acceptable when the reasons are not only objective but also justified, and do not constitute a needless distortion of the single market. However, it is not clear or certain to which extent all of these potential barriers are in fact objective and justifiable. In order to answer that question, a better understanding is needed of the barriers that exist within the European market. This study follows a dual track towards answering these questions.
Firstly, the study team has identified regulatory compliance barriers in 18 out of 20 Member States, where a barrier – whether it is justified or not – can be directly or indirectly attributed to a legislative initiative. These are described directly below. Secondly, the study team has conducted a survey and a series of interviews with selected stakeholders in order to identify non-regulatory compliance barriers, and to determine how all of these barriers (regulatory and non-regulatory alike) impact the market in practice. This will permit a better understanding of barriers in the market, and therefore also provide an indication of potential solutions for addressing unjustified barriers.

2.2. Methodology for the identification and classification of regulatory barriers

As noted above, as a first step we have identified and collected information in relation to regulatory barriers in twenty Member States, specifically searching also for similarities and differences among the Member States. This was done via a network of local legal and policy experts. These experts across twenty Member States were invited to report a minimum of three observed barriers to the free flow of data, or more accurately to report on at least three observed barriers that applied to at least three different types of data. The correspondents were given free choice of which types of data they chose to report, but they were informed that the following types of data (if available and applicable to the correspondent’s country) were of particular interest to the study:

- Health data, particularly patient records held by doctors or hospitals
- Financial data, particularly data which is subject to supervision by national regulators
- Basic identity registers, particularly any official records in relation to a country’s citizens or residents (such as their names, addresses, date of birth) or to legal entities established in a country
- Company records, notably information stored in company registers or business registers
- Tax records, such as personal or corporate tax declarations
- Accounting documents, such as balance sheets, income statements or annual accounts submitted by companies and invoices
- Privileged information, such as information held by lawyers in relation to their clients and information which is covered by national security obligations
- National archives
- Judicial data, including court data and police records.

With respect to the concept of ‘barriers’, correspondents were asked specifically to identify laws and norms that affect directly or indirectly where electronic data may be stored or where it may be transported to. For the purposes of the distinction between direct and indirect regulatory barriers, the following definitions were applied: 

- A barrier is considered direct when a law (or other regulatory text) explicitly states where data may or may not be stored or transferred (e.g. data must stay in a specific country, in a specific building, in a specific data centre), or when the law contains an obligation that can only reasonably be met by keeping the data in a specific location.
- A barrier is considered indirect when a law contains requirements that in practice are likely to be interpreted to restrict data location or data flows (e.g. data must remain accessible to a supervisor, or it must be possible to irretrievably delete data, or it must be exclusively accessible to the owner). Whether this interpretation is indeed ‘likely’ or not is of course a factual assessment, for which this study principally relied on the assessments of the national experts, who are best placed to assess the implications of a law in their home markets.

In order to obtain usable results, the following clarifications were furthermore provided to the correspondents: 


- They were asked not to describe general data protection law which has been adopted at the national level to transpose Data Protection Directive 95/46/EC, since the role and impact of data protection law is already sufficiently known and understood;
- They were asked to report on any type of electronic data, regardless of its scope or meaning. This includes personal data, statistical data, company data, policy data, etc. Data stored on paper was however explicitly noted to be out of scope for this study.
- All possible types of data from all possible sectors could be included. The list above indicated data which was noted to be of particular interest to the study, but any other relevant examples were welcomed as well.
- The study has no focus on any kind of business model or usage context: it is irrelevant whether the data is stored by the government, a private company, a traditional IT company, a public/private cloud, etc.
- The study examines both direct and indirect barriers to data location or data flows as defined above. Non-regulatory barriers (such as policy preferences, operational requirements etc.) were however out of scope; a specific regulatory source had to be identified for each barrier.
- Finally, the correspondents were asked to consider restrictions related to any kind of regulatory intervention. This includes legislation (whether international, national, regional or local), but also the interpretation and application of this legislation by courts, regulators, supervisors etc.


A full overview table of the identified regulatory barriers, including source information and a description, is included in Annex I. Each of these will be discussed further in the sections below. By way of a general summary and before examining each of the reported data types and barriers in detail, the following overview can be provided of reported regulatory barriers. The table indicates whether barriers were reported for any given Member State (vertical axis) for any given data type (horizontal axis). The table below also identifies the number of barriers per data type (bottom row), and indicates whether the reported barriers were direct (d) or indirect (i) as defined above. Where multiple barriers were reported, this is indicated by multiple letters (e.g. "ddi" indicates that two direct and one indirect barriers were reported). Barriers which are known to have been repealed since the conclusion of the data collection phase of this study are provided with a footnote.


Figure 1 – Overview of reported regulatory data location obligations (direct and indirect) in 20 MS, per data type

[Table with one row per Member State (Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hungary, Ireland, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Sweden) and one column per data type, each cell marked d (direct) and/or i (indirect); the individual cell entries are omitted here. The totals rows of the table are given below.]

Data type | Total number of barriers [6] | Total number direct barriers | Total number indirect barriers
Health | 7 | 0 | 7
Financial | 7 | 0 | 7
Citizen data and company records | 4 | 0 | 4
Judicial and privileged data | 4 | 1 | 3
Tax and accounting | 7 | 2 | 5
Other | 11 | 7 | 4

[5] This restriction has been repealed since the conclusion of the data collection phase of this study; further details are included in the report and Annex 6.1.

[6] For the purposes of this total, a single barrier that was reported as being partially direct and partially indirect (identified in the table as d/i) was counted as two separate barriers in order to avoid skewing of percentages.


Thus, a total of 40 barriers were identified, 30 of which were indirect, and 10 direct. As can be seen in the table above, for the purpose of this study we have categorised the identified regulatory barriers into the following data types:

a. Health data
b. Financial data, particularly data which is subject to supervision by national regulators
c. Citizen data and company records (identity records and company records in official registers; this does not include accounting records that must be kept by the companies themselves)
d. Judicial data (including court data and police records) and privileged information (e.g. information held by lawyers in relation to their clients)
e. Tax & accounting records
f. Other types of data.

The highest number of barriers (11 in total) was therefore reported for the ‘other’ data types, which is a broad residual category encompassing various types of data from the private sector (mainly from the gaming/gambling sector) and the public sector (mainly in relation to e-government in general). More specifically, this category contains the following types of restrictions:

- National archives: 2 barriers, identified in Portugal and Slovenia
- Public registries – eGovernment: 6 barriers, identified in Austria, Croatia, Germany, Hungary, the Netherlands and Romania
- Gaming/gambling infrastructure: 3 barriers, identified in Bulgaria, Poland and Romania

These will be further assessed below. Apart from that residual category, the highest number of barriers (7 each) was reported for health, financial data and tax/accounting cases, in all cases with a clear majority of reported barriers being indirect in nature. For the other types of data, the number of reported barriers is lower and with a less clear pattern of distribution across direct and indirect barriers, although the indirect barriers globally tend to dominate, except for the residual ‘others’ category. Looking at the sum totals across all barrier types, the distribution is slightly uneven, with 10 reported direct barriers, and 30 reported indirect barriers. As a provisional conclusion, the interpretation and application of the rules thus appear to be more of a barrier to the free flow of data than the actual rules themselves. Of course, this high-level overview does not provide much insight into the nature and drivers behind the barriers. In the sections below, each data type will be examined separately in order to identify trends and patterns, and to assess the justification and necessity of each barrier.

2.3. Analysis of identified compliance obligations in 20 Member States

2.3.1 Health data, particularly patient records held by doctors or hospitals

Overview and subtypes of data

The first type of data described in figure 1 was also one of the most frequently reported, with a total of 7 reported barriers out of 40 reported barriers, all 7 of them indirect. The prevalence of barriers is not unexpected: health information is highly sensitive, both from a privacy perspective (resulting in stricter data protection rules which are however not discussed further in this report and are not taken into account in these numbers) and from a broader sociological perspective. Given that many categories of health information fall within the scope of professional privilege and should only be available to health care practitioners for well-defined purposes, a higher number of barriers could be expected. Perhaps more surprising is the observation that virtually all reported barriers are indirect in nature, and therefore are inferred by the health care practitioners, as opposed to being explicitly stated. Looking at the various types of health data (or rather, the context to which the identified barrier refers), the following types of barriers are given:

Figure 2 – Types of barrier observed (Health)

Country

Source

Restriction imposed on providers / users / data

Direct or indirect

Summary of obligation / restriction

Austria

Gesundheitstelematikgesetz (GTelG 2012), BGBl. I Nr. 111/2012 (Federal Act on Data Security Measures when using personal electronic Health Data or Health Telematics Act 2012), § 6, 14 and 20

Health sector

Indirect

The law defines certain requirements for the storage of patient data. It specifically refers to storage of information in the cloud. According to §6, state-of-the-art encryption has to be applied when storing patient data in the cloud. The provider of the ELGA (electronic health record) has to be authorised to use health records according to § 14. Furthermore, storage has to be in line with data storage specifications, as specified by the Austrian Ministry for Health in regulation (see §28). The storage facilities have to be in the territory of the European Union.

Bulgaria

1. Закон за здравето (Health Act; promulgated on 10 August 2004, last amendments in force as of 01 January 2016), Art. 27, 28.

All health establishments, any medical personnel (incl. doctors, dentists and health care medical specialists, as well as other medical specialists), pharmacists, any person working within the national healthcare system, the National Health Insurance Fund (NHIF) and its regional health insurance funds.

Indirect

The provision of health information to any third person by any of the authorised parties is prohibited, except in explicitly provided cases. These parties are obliged to secure the information from unauthorised access. It is further provided that doctors can store patient records electronically, as well as on paper. Each practice is obliged to store patient records on paper in specialized filling cases in special files within the practice (binding medical standards). The access to these files should be restricted. Further, the National Framework Agreement with the NHIF (which concerns the provision of medical services funded by the NHIF) explicitly requires the medical specialist to keep a hard copy of the medical documents in his/her consulting room. Since there are no specific rules on the electronic records, a risk exists the above requirement for keeping the records within the practice (physically) to be considered literally applicable to the electronic records as well. Health establishments and doctors are also obliged to file electronic reports containing health information with the NHIF on a monthly basis. Finally, with regard to doctorpatient privilege, doctors are obliged not to disclose any health information, as well as other information they have obtained from their patients.

2. Кодекс за професионална етика на лекарите в България обн. - ДВ, бр. 79 от 29.09.2000 (Professional Ethics Code of Doctors in Bulgaria, issued by the Ministry of Healthcare; promulgated on 29 September 2000, last amendments as of 28 September 2013), Art. 51, 52 3. Наредба № 41 от 21.12.2005 г. за утвърждаване на „Медицински стандарти по обща медицинска практика“ (Medical Standards on General Medical Practice, issued by the Ministry of Healthcare; promulgated on 03 January 2006, last amendments in force as of 28 June 2011), Art. 4.1, 4.2


Cross-border data flow in the digital single market: study on data location restrictions

(SMART 2015/0054)

4. Национален рамков договор за медицинските дейности между Министерство на здравеопазването, Националната здравноосигурителна каса и Българския лекарски съюз за 2015 г. (National Framework Agreement on Medical Activities, concluded by the National Health Insurance Fund and the Bulgarian Medical Association; promulgated on 23 January 2015, last amendments in force as of 01 January 2016), § 158, 2, I, 6. Czech Republic

1. Act No. 372/2011 Sb. (Medical Services Act) 2. Ministerial Decree No. 98/2012 Sb. (Medical Records Filing) 3. Recommendation No. ZD03/94 (on security of information systems in healthcare)

Patients, Healthcare services providers (employers and employees)

indirect

Patient records are required to be stored in the National Health Registry, a public sector information system, the law does not provide for a possibility of data transfers outside of this system (the only exception is statistical data). The storage of data is not regulated by the Medical Services Act and thus it a matter of particular contractual requirements laid down in the process of public procurement of respective services. General restrictions on processing of sensitive personal data can be applied.

Finland

9.2.2007/159, Laki sosiaalija terveydenhuollon asiakastietojen sähköisestä käsittelystä (Law on electronic processing of client data within social and health care Issued by the decision of the Finnish Parliament on 1 July 2007), § 10

Patients, providers of health care services, and services organizing and providing health care for the patients.

Indirect

Disclosure of patient information electronically through nationwide information services - Patient data may be used in intended nationwide information services provided only to other providers of health care services for organizing and providing health care for the patient. These services must obtain attestations of conformity at the national level, and must adhere to nationally defined interoperability requirements.

Germany

(Muster-) Berufsordnung für die in Deutschland tätigen Ärztinnen und Ärzte (“MBO-Ä“) ((Model) Professional Code for doctors working in Germany. (Federal regulation in conjunction with recommendation)

All physicians in Germany, unless particular rules apply (e.g. for dentists, veterinarians,

Indirect

Physicians can comply with documentation obligations by using electronic storage devices, but are obliged to implement specific data security measures. In that regard, recommendations of the Associations of Physicians need to be taken into account.

24


Cross-border data flow in the digital single market: study on data location restrictions

(SMART 2015/0054)

psychiatrists, pharmacists). Greece

Νόμος 3892/2010 (ΦΕΚ 189 Α’) Ηλεκτρονική Καταχώρηση και Εκτέλεση ιατρικών συνταγών και παραπεμπτικών ιατρικών εξετάσεων. (Law N0 3892/2010 (FEK 189 Α’) Electronic Registration and Run prescriptions and referrals for medical examinations), Art. Article 6§ 1;2;5

Pharmacists and social security institutions

Indirect

The General Secretariat for Social Security shall establish and operate the electronic prescription database. The database operates under the supervision of two special departments of the General Secretariat of Social Security. Vector "eGovernment Social Security" IDIKA SA maintains and preserves the databases of electronic prescription on behalf of the General Secretariat for Social Security. The General Secretariat of Social Security and IDIKA SA take all appropriate and proportionate measures for the security of infrastructures and information systems and data protection.

Netherlands

Royal Dutch Society for the promotion of Health Care – Guidelines on the handling of medical records, issued by the KNMS in January 2010 (Koninklijke Nederlandsche Maatschappij tot bevordering der Geneeskunst (KNMG) - Richtlijnen inzake het omgaan met medische gegevens)

All healthcare providers

Indirect

The barrier emerges from a set of specific guidelines explaining the scope and impact of the Medical Treatment Contracts Act. These guidelines were issued in the framework of the much discussed electronic patient records plans in the Netherlands. Those plans envisage local storage only of patient records, and permit exchanges between these local systems with the patient’s consent. The guidelines above were issues in the context of the older planned exchange system, the nationwide EPD (landelijk EPD), which have since been replaced by the National Switchpoint (Landelijk Schakelpunt – LSP), which is under the control of the Association of Care providers for Care communication (Vereniging van Zorgaanbieders voor Zorgcommunicatie - VZVZ). The guidelines however remain applicable, since they emphasize the split between storage in local care information systems under the control of a doctor or hospital, and the exchange mechanism; neither of these points has changed, and the guidelines have not been withdrawn, amended, clarified or replaced. The guidelines refer to the Medical Treatment Contracts Act (Wet op de geneeskundige behandelingsovereenkomst), which requires health care providers to maintain medical records and to ensure their security and confidentiality. However, while health care providers have to safeguard the privacy of the data, the legislation actually contains no binding restrictions with respect to storage or transfer of data, in the sense that it does not permit or forbid external storage. It does however require health care providers to ensure that no third parties (other than assisting health care providers) can get access to the records without the patient’s consent (Article 457) except in the case of statistical or scientific research under certain conditions (Article 458).

GBZ-requirements for software providers from the Association of Care providers for Care communication (Goed Beheerd Zorgsysteem-eisen voor softwareleveranciers van de Vereniging van Zorgaanbieders voor Zorgcommunicatie – VZVZ)



Scope of the barrier

While all reported barriers intend to safeguard the security and confidentiality of the health data, the exact scope of the barrier can differ. Looking at the breakdown, the following barriers can be distinguished:

Figure 3 – Nature and scope of barrier observed (Health)

| Nature of the barrier | Observed in which countries? | Why is this (potentially) a restriction to the free flow of data within the European Union? |
| --- | --- | --- |
| National technical storage / exchange requirements among health care providers, or between health care providers and a central health care system | AT, DE, NL | Foreign providers may find it hard to obtain the necessary information on nationally defined requirements, or to understand or observe them, because the requirements may only be available in the local language or may necessitate access to approaches for encryption management that are only available locally, not internationally. |
| Requirement to use encryption | AT | Requirements defined at the national level may be hard to know / observe by foreign providers. |
| Storage service providers must be authorised by the government | AT | Foreign providers may not know this requirement and may meet difficulties in observing it. |
| Requirement for local entity to maintain records | BE, EL, NL | Can be interpreted as requiring local storage. |
| Prohibition against third party access and/or disclosure | BG, CZ, NL | Can be interpreted as prohibiting passive offsite storage (i.e. storage outside the facilities of a health care provider that requires no further processing by the storage service provider). |
| Requirement to maintain a local hard copy with specific access restrictions | BG | Can be interpreted as also requiring a local electronic copy. |
| Requirement to communicate electronic data to a local authority | BG | Local communication standards to be adhered to may include Codes of Connection or similarly restrictive requirements that can only be met locally that would impair cross-border interoperability. |
| Use of a national system to support storage and/or transfer of data among health care practitioners and/or between health care practitioners and a central health care system | AT, CZ, FI, EL ((e)prescriptions), NL | Can be interpreted as forbidding the use of any other system to transfer / store data. Electronic exchange requires interoperability with the national system (including any requirements for consents / authorisations). |

The main other reported barriers relate to the mandatory use of certain specific health care systems, such as the e-prescription systems deployed nationally in Finland and Greece, and national health record storage and exchange systems. These do not forbid cross-border data flows as such, although the allocation of responsibilities to a specific local entity or infrastructure indirectly suggests that data must be kept locally. These requirements however relate to Member States’ desires to implement specific national health care systems to organise health record exchanges among health care practitioners or between health care practitioners and a central health care system, while promoting patient rights, scientific research, social funding of health care, or other legitimate public interest goals that would be difficult to qualify as objectionable barriers.


Most other reported indirect barriers are described as serving to support medical confidentiality, security, accuracy, accountability (including auditability and supervision of the activities of health care practitioners), privacy and patient rights. Many of the requirements are interpreted as incentivising local data storage, even when there is no explicit requirement to do so. The section below will examine the drivers and potential solutions for each of the barriers described above.

Drivers behind the barriers and potential solutions

All of the barriers described above are indirect, meaning that they contain requirements that in practice can be interpreted to restrict data location or data flows, even if this is not explicitly stated or (presumably) intended. It is therefore worth verifying what drivers are behind each of the barriers as identified above, and how the driver could be supported without needlessly impairing the free flow of data.

Figure 4 – Drivers behind the barrier observed and potential solution (Health)

| Nature of the barrier | Objective / driver behind the barrier | Potential solution? |
| --- | --- | --- |
| National technical storage / exchange requirements | Ensuring sufficient security/confidentiality and interoperability | Policy proposals that encourage alignment of national-level requirements and achieve broader harmonisation across Europe |
| Requirement to use encryption | Ensuring sufficient security/confidentiality of the stored data | Policy proposals that encourage alignment of national-level requirements and achieve broader harmonisation across Europe |
| Storage service providers must be authorised by the government | Ensuring security/confidentiality, interoperability between government organisations using those authorised providers, and supporting accountability and supervision | If authorisation is deemed a requirement, at the EU level there should be mutual recognition of such authorisation by individual Member States so that country-to-country authorisations with possibly contradictory requirements are avoided. |
| Storage facilities must be within national borders | Maintaining national control over healthcare and social security systems and services. | Replaced by EU-level systems or improved cross-border interoperability of national systems through the European Interoperability Framework or Connecting Europe Facility. |
| Requirement for local entity to maintain records | Ensuring availability and access of health records to patients | Clarification from national regulators, supervisors and lawmakers that offsite electronic storage is not contradictory to this requirement if appropriate security measures are adhered to. Records should be locally accessible and available, not necessarily locally stored. |
| Prohibition against third party access and/or disclosure | Ensuring sufficient security/confidentiality of the stored data | Clarification from national regulators, supervisors and lawmakers that the requirement can be met if substantive access to the contents of medical records is made impossible. Offsite storage should not necessarily be considered as constituting third party access and disclosure. |
| Requirement to maintain a local hard copy with specific access restrictions | Ensuring availability and access of health records, and avoiding breaches | Clarification from national regulators, supervisors and lawmakers that offsite electronic storage is not contradictory to this requirement if appropriate security measures are adhered to. Records should be locally accessible and available, not necessarily locally stored. |
| Requirement to communicate electronic data to a local authority | Maintaining national control over healthcare and social security systems and services. | Replaced by EU-level systems or improved cross-border interoperability of national systems through the European Interoperability Framework or Connecting Europe Facility. |
| Use of a national system to support storage and/or transfers | Maintaining national control over healthcare and social security systems and services. | National lawmakers and policy bodies should clarify that their national systems do not exclude the use of cross-border systems for the storage or transfer of health data. EU level support for interoperability of national healthcare systems to manage consents and authorisations, building on findings from prior large scale pilots such as epSOS and through the European Interoperability Framework or Connecting Europe Facility. |

As the overview above shows, the three major categories of drivers behind the indirect restrictions are (in descending order of commonality):

- The need for security/confidentiality;
- Maintaining national control over healthcare and social security systems; and
- Ensuring availability and access to patient records.

In principle there are potential solutions to all of these barriers in relation to healthcare because their objectives still can be respected at the cross-border level. The practical implementation of these barriers in a manner that avoids needless limitations to the free flow of data hinges mainly on alignment with the stakeholders that establish rules and policies in relation to security, encryption, interoperability and so forth; the reports from correspondents show that these stakeholders are a mix of ministries of health, associations of health care professionals, and non-profit bodies establishing joint e-health rules and practices at the national level. Systematic organisation of these discussions at the EU level might serve to implement some of the solutions identified above.

Despite such potential solutions, some data location barriers have also been identified in relation to the implementation of national systems to exchange patient records between health care professionals, or to the centralised storage of substantive health related data (e.g. in relation to e-prescriptions). The data collected by our national experts also show that Member States' preference for a centralised or a distributed storage of data varies and that their policies are continually evolving. Member States' policies for distributed storage tend to encourage the public sector to facilitate exchanges between the various stakeholders (e.g. building a network that allows doctors to easily exchange patient records). By contrast, centralised storage policies lead to a public administration where health data is accessible to authorised health care professionals.

Both approaches have their merits and appropriate policies should ensure that maintaining national control over healthcare and social security systems and services does not preclude cross-border storage, exchange or accessibility of health data, i.e. through the European Interoperability Framework (EIF) or the digital projects of common EU interest funded under the Connecting Europe Facility (CEF) programme. Removing barriers to the cross-border flow of health data should not affect Member States' possibility to opt for a centralised or a distributed data storage solution in order to meet their public policy objectives.



2.3.2 Financial data, particularly data which is subject to supervision by national regulators

Overview and subtypes of data

While financial data is of course a relatively broad concept, several smaller subcategories of financial data (notably tax records and accounting data) were split off for the purposes of this study into separate data types and therefore addressed by separate reports, which are discussed in the sections below. Therefore, this section of the report relates mainly to a residual category of financial records being kept or otherwise processed by banks, insurance companies and other supervised service providers from the financial industry (e.g. mainly rules on (cross-border) outsourcing of financial data and services by financial institutions, the access to financial data which falls under the banking secrecy act). The barriers were also highly uniform in nature: in all 7 reported cases, the reported barriers were indirect.

Scope of the barrier

There was more diversity in the way the barriers were phrased and approached. Looking at the breakdown, the following barriers can be distinguished:



Figure 5 – Types of barrier observed (Financial)

| Country | Source | Restriction imposed on providers / users / data | Direct or indirect | Summary of obligation / restriction |
| --- | --- | --- | --- | --- |
| Austria | Bundesgesetz über die Beaufsichtigung von Wertpapierdienstleistungen, BGBl. I Nr. 60/2007, latest amendment: BGBl. I Nr. 117/2015 (Federal Act on the Supervision of Securities), Art. 25, 26. Specified by the Austrian national regulation Auslagerungsverordnung, BGBl. II Nr. 215/2007, latest amendment: BGBl. II Nr. 272/2011 | Companies in Austria that are authorized to provide financial services (securities/bonds/instruments/stocks/etc) | Indirect | Article 25 of the Federal act on supervision of securities stipulates that special attention has to be paid when using third-party subcontractors for providing financial services in order to minimize business risks. When outsourcing tasks, it has to be ensured that the control mechanisms by the Austrian financial market supervision authority (Finanzmarktaufsicht, FMA) are not hindered. Due diligence has to be applied when outsourcing. Written contracts with the subcontractor have to be in place. Article 26 specifically deals with outsourcing to a foreign country (‘Drittland’) [7]. In addition to Article 25, the subcontractor has to be officially registered for the financial activities in the foreign country (1), and there has to be a cooperation agreement between the FMA and the foreign country. |
| Belgium | Circulaire PPB 2004/5 over gezonde beheerspraktijken bij uitbesteding door kredietinstellingen en beleggingsondernemingen / Circulaire PPB 2004/5 sur les saines pratiques de gestion en matière de sous-traitance par des établissements de crédit et des entreprises d’investissement (Circular PPB 2004/5 on healthy management practices in outsourcing by credit institutions and investment companies). Issued by the Belgian Banking, Finance and Insurance Commission on 22 June 2004 | Credit institutions, banks and insurance companies | Indirect | The Circular permits cross border outsourcing of financial data and services, but requires that it remains subject to effective supervision. It notes that this is not problematic in the EEA as the regulator will be able to work with other regulators in other countries. Outside the EEA, the same applies in principle, but only if comparable supervision exists, and if there are no restrictions for the regulator to engage in information exchange and cooperation with competent authorities. The regulator will assess these conditions on a case by case basis, implying that cross-border outsourcing requires a direct dialogue with the regulator. Finally, for outsourcing to a service provider who is not subject to any supervision, the outsourcing institution must first consult and confer with the regulator. |
| Czech Republic | 1. Act No. 21/1992 Sb. (Banking Act), § 37 para 2, 38; 2. Decree No. 163/2014 (due diligence in banking and other financial services), especially its Annex No. 7 (specific requirements for risk management in case of outsourcing), §37(k), 47-52 | All banks | Indirect | The Banking Act lays down basic rules of bank secrecy. It is not specifically focused on data storage, but it gives an exhaustive list of cases when banking data falling within the scope of banking secrecy (i.e. client data) can be made available to third parties. A contrario it implies that any other form of use of such data is prohibited. Decree No. 163/2014 Sb. contains a set of particular compliance provisions for banks and other financial institutions. Its Annex 7 is focused on risk management in case of outsourcing. It contains general risk management requirements for all kinds of outsourcing, so it is not specifically targeted at ICT or data processing. There are particular limitations and duties as to the content of outsourcing agreements for data processing, but they only contain a requirement for the inclusion of stipulations regarding data security. Paragraphs 47-52 include only general security requirements without mentioning any particular rules. |
| Ireland | Chapter 2 of the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1))(Investment Firms) Regulations 2017 [‘the Central Bank Investment Firms Regulations’] | Collective Investment Undertakings | Indirect | The restriction permits outsourcing of certain activities only under strict conditions. For example, the Central Bank needs to be able to conduct inspections at the outsourcing service provider’s premises. There is no specification on the need for inspections to be “on-site”. The Central Bank Investment Firms Regulations are issued by the Central Bank under the powers granted by the Central Bank (Supervision and Enforcement) Act 2013. |
| Luxembourg | Circular CSSF 12/552 on central administration, internal governance and risk management, as amended by Circulars CSSF 13/563 and CSSF 14/59, issued by the Luxembourg Supervisory Commission of the Financial Sector (Commission de Surveillance du Secteur Financier - CSSF), Section 5.2.3, Sub-section 7.4.2.1, Sub-section 7.4.2.3 | Credit institutions, banks and insurance companies | Indirect | The Circular does not require all infrastructure and all data to be stored in Luxembourg, but rather emphasizes that the IT functions of institutions must be effectively protected, which can best be done “in premises at its disposal in Luxembourg”. This is however not a requirement that impedes delocalized storage; storage outside Luxembourg is permitted under strict safeguards and preconditions that protect the confidentiality of banking data. Broadly summarizing the provisions above, outsourcing of IT infrastructure is permitted, but should either be to a party (a PFS) licensed in Luxembourg, or to an internal entity of the outsourcing party’s group after prior informed consent is obtained. |
| Netherlands | Circulaire cloud computing 2011/643815 van de Nederlandsche Bank (Circular cloud computing 2011/643815 from the Nederlandsche Bank). Issued by the Dutch financial supervisor (Nederlandsche Bank) on 6 December 2011. See http://www.toezicht.dnb.nl/binaries/50224828.pdf | Credit institutions, investment companies, banks and insurance companies | Indirect | The Circular permits cross border use of cloud computing for banking data which is subject to prudential supervision, but requires that it remains subject to effective supervision. This requires a risk based assessment from the outsourcing party, and the conclusion of a contract that allows the supervisor to conduct local audits (or to have these conducted by a third party), an obligation for the cloud provider to provide information to the supervisor upon request, and the right of the outsourcing bank to implement changes in the execution of the services agreement with the cloud provider, including appropriate termination clauses [8]. A subsequent circular has been issued on the right to examine, indicating a series of cloud providers with whom the supervisor has been able to determine that it will have appropriate examination rights. The list is accessible online. |
| Portugal | Aviso do Banco de Portugal n. 5/2013 (Regulation of the Bank of Portugal implementing Article 39(1) of Law No 25/2008 of 5 June concerning the required conditions, mechanisms and procedures of compliance with obligations preventing money laundering and terrorism funding related to the provision of financial services submitted to the supervision of the Bank of Portugal), Art. 5; Law No 25/2008 of 5 June as last amended by Law No 118/2015 of 31 August (this Act also applies to companies which deal with hedge funds, pension funds, securitization, investment consulting, investment in tangible property, certain insurance companies) | Credit institutions (banks), investment and other financial companies, payment institutions and institutions of electronic money with headquarters in Portugal; branches located in Portuguese territory of said institutions headquartered in foreign countries, including external financial branches; post services providers in as much as they provide to the public financial services related with matters under the supervision of the Bank of Portugal. | Indirect | The Bank of Portugal has competence to do inspections in any premises of financial institutions or of third parties being used for the exercise of the activity of financial institutions, with the power to demand the presentation of any information or clarifications which it may deem relevant, including the local examination of information elements, the extracting of copies of all pertinent documentation, and the call of any person to hear her and gather that information. |

[7] It is difficult to trace whether the definition of ‘foreign country’ or ‘third country’ is meant to be ‘each country, which is not part of the European Economic Area’, as a trail of steps needs to be followed, via the Wertpapieraufsichtgesetz (WAG 2007), which refers to the BörseGesetz, which in turn refers to § 2 Bankwesengesetz (BWG; Banking Act). This may contribute to legal uncertainty.

[8] The Circular addresses the risk that financial enterprises are unaware of where the data has been stored and how it is processed in relation to oversight and enforcement. The Dutch Central bank has reported that in terms of effective oversight and enforcement the DNB does not differentiate between data stored within or outside the Netherlands.



Figure 6 – Nature and scope of barrier observed (Financial)

| Nature of the barrier | Observed in which countries? | Why is this (potentially) a restriction to the free flow of data within the European Union? |
| --- | --- | --- |
| Application of specific risk management schemes to subcontractors | AT, BE, CZ, NL | Risk management requirements are defined at the national level by the financial regulators, and may be hard to know / observe by foreign providers. |
| Control mechanisms (including audits) from the national supervisors may not be hindered | AT, BE, IE, NL, PT | IT systems established abroad may be more difficult to control by the regulators. |
| Subcontractors have to be officially recognised / authorised as acceptable service providers for this type of data. | AT, LU | National whitelists can be hard to adhere to for service providers working in multiple jurisdictions, since they need to undertake efforts to become listed on a country-by-country basis (compliance cost and efforts). |
| Comparable supervision must exist in the country of establishment of the service provider | BE | Service provider must operate only from countries where such supervision exists. |
| Case by case dialogue with the regulator is required before initiating a cross border flow to unknown service providers | BE | Imposes a potentially cumbersome requirement on service providers abroad. |
| Imposing a choice of law clause in favour of the regulator’s country of operation | CZ | Implies that service providers must align with multiple national laws if they wish to operate at the EU level. |

As already noted earlier, the barriers reported by the correspondents were all indirect in nature and none of them explicitly prohibits data storage outside of the country, although many of them contain relatively strong encouragements to restrict oneself to national infrastructures. This is however partially born out of necessity, since regulators must indeed have the competence and practical ability to conduct audits on the infrastructure being used; this requirement is significantly harder to meet when exercising this power would require cross-border travel to potentially multiple locations in different Member States. It is also worth stressing that some regulators have shown their willingness to be pragmatic in applying this rule, by only requiring that audits by a competent equivalent regulator are possible. The Austrian and Belgian reports explicitly mention the role of cooperation agreements between regulators as a valid way of meeting this requirement, and the Dutch regulator publishes and maintains a ‘whitelist’ of service providers which have been found on the basis of prior examination and dialogue to be permissible for financial data, due to their ability to satisfy audit requirements. Thus, solutions are possible. The fact that the approach to these issues varies from country to country can result in needless duplication of effort for service providers, thus serving as a disincentive for cross border data flows even for specialised service providers that could conceivably meet local requirements.

Drivers behind the barriers and potential solutions

The overview above showed that the barriers in relation to financial data are indirect, and relatively universally serve to benefit the confidentiality and security of financial data, which is seen to be at least partially dependent on the regulator’s ability to access and audit the data and the infrastructure where it is located. Nevertheless, good practices exist in some Member States. The table below illustrates how these drivers (security – confidentiality – accountability) could be supported at EU level without needlessly impairing the free flow of data.



Figure 7 – Drivers behind the barrier observed and potential solution (Financial)

| Nature of the barrier | Objective / driver behind the barrier | Potential solution? |
| --- | --- | --- |
| Application of specific risk management schemes to subcontractors | Ensuring sufficient security/confidentiality | EU level alignment on such requirements |
| Control mechanisms (including audits) from the national supervisors may not be hindered | Ensuring security/confidentiality, and supporting accountability and supervision | EU level cooperation between regulators and / or establishing third party auditing arrangements for third countries |
| Subcontractors have to be officially recognised / authorised as acceptable service providers for this type of data. | Ensuring sufficient security/confidentiality | If authorisation is deemed a requirement, at the EU level there should be mutual recognition of such authorisation by individual Member States so that an authorisation in one Member State is not mutually exclusive with, or subject to possibly contradictory requirements from, an authorisation in another Member State. EU level whitelisting of acceptable service providers can similarly be considered. |
| Comparable supervision must exist in the country of establishment of the service provider | Ensuring security/confidentiality, and supporting accountability and supervision | EU level cooperation between regulators and / or establishing third party auditing arrangements for third countries |
| Case by case dialogue with the regulator is required before initiating a cross border flow to unknown service providers | Ensuring sufficient security/confidentiality | If authorisation is deemed a requirement, there should be EU level recognition so that country-to-country authorisations with possibly contradictory requirements are avoided. EU level whitelisting of acceptable service providers can similarly be considered. |
| Imposing a choice of law clause in favour of the regulator’s country of operation | Maintaining national control over financial systems and services | Substantive obligations of service providers should be sufficiently aligned considering freedom of contracts, obligations and cooperation mechanisms with national supervisory authorities. |
| Prohibition against third party access and/or disclosure | Ensuring sufficient security/confidentiality | Clarification from national regulators, supervisors and lawmakers that the requirement can be met if substantive access to the contents of financial data is made impossible. Offsite storage should not necessarily be considered as constituting third party access and disclosure. |

The overview above illustrates that part of the solution – alignment on substantive requirements – is comparable to the state of play for health data. However, financial data faces an additional challenge through the requirements imposed by national regulators and supervisors, who require the ability to access and audit data processing facilities.

2.3.3 Citizen data and company records

Overview and subtypes of data

Correspondents were also invited to identify barriers to the free flow of data for two other types of information which are examined together in this section of the report:

- Citizen data: basic identity registers, particularly any official records in relation to a country’s citizens or residents (such as their names, addresses, date of birth) or to legal entities;
- Company data: company records, such as balance sheets, income statements or annual accounts submitted by companies.

These two categories of data are examined together here, as they all relate to fundamental information about natural or legal persons which is considered authoritative and therefore has high requirements in relation to trustworthiness and security. A second similarity is that these records tend to be managed as a part of a specific statutory or legislative mandate provided by the public sector. The following overview can be provided for the reported barriers:

Figure 8 – Types of barrier observed (Citizen data and company records)

| Country | Source | Restriction imposed on providers / users / data | Direct or indirect | Summary of obligation / restriction |
| --- | --- | --- | --- | --- |
| Belgium | Wet van 8 augustus 1983 tot regeling van een Rijksregister van de natuurlijke personen / Loi de 8 août 1983 organisant un registre national des personnes physiques (Law of 8 August 1983 regulating a National Register of natural persons), Articles 4 ter, 5, 8 § 1 and § 2 and Article 14. | Any party that wants to access or use information from the National Register | Indirect | The law identifies the Minister of Foreign Affairs as the competent authority to maintain the Register (Article 4), and notes that an authorisation is required to access any part of the Register which is granted by law or by a specific committee of the data protection authority (Article 5). The same applies to the National Register Number, which is the identification number assigned to each lawful and permanent Belgian resident: it may not be used without prior authorisation, granted by law or by the aforementioned committee. |
| Denmark | Bekendtgørelse af lov om Det Centrale Personregister (Civil Register Act), Chapter 14 §55. | Ministry of Economic Affairs and the Ministry of the Interior | Indirect | The law identifies the Ministry of Economic Affairs and the Ministry of the Interior as the competent authorities to maintain the Register, in coordination with the municipalities (§ 2). They are charged with ensuring that the necessary measures are taken to permit the disposal or destruction of CPR in case of specific conditions (§55). |
| Luxembourg | 19 décembre 2002. – Loi concernant le registre de commerce et des sociétés ainsi que la comptabilité et les comptes annuels des entreprises et modifiant certaines autres dispositions légales (19 December 2002. - Law concerning the register of businesses and companies, and concerning accounting and annual accounts of companies, modifying certain other legal provisions), Article 2. 23 janvier 2003. – Règlement grand-ducal portant exécution de la loi du 19 décembre 2002 concernant le registre de commerce et des sociétés ainsi que la comptabilité et les comptes annuels des entreprises (23 January 2003. – Grand Ducal Regulation relating to the execution of the law of 19 December 2002 concerning the register of businesses and companies, and concerning accounting and annual accounts of companies), Articles 1er, 2, 2 bis, 10, 13, 14, 15, 23. | The Ministry of Justice, the CTIE, and the RCSL | Indirect | The law identifies the Ministry of Justice as the responsible entity for the business register, but designates a specific grouping (the RCSL, comprised of the Ministry, Chamber of Commerce and Chamber of Artisanal Professions) as the manager of the Business Register, with offices in the communes of Luxembourg and Diekirch. The Regulation in turn ensures that the files of this Register can be kept digitally, and notes in Article 14 that the underlying database must be held by the Centre for ICT of the State (Centre des technologies de l’information de l’Etat – CTIE - http://www.fonctionpublique.public.lu/fr/structure-organisationnelle/ctie/index.html). Any modifications of data must be done by the CTIE, who is also responsible for its storage for a period of 20 years after any business entity has been struck from the Register. |
| Slovenia | Zakon o centralnem registru prebivalstva (Uradni list RS, št. 72/06), (Central Population Register Act), Articles 12, 19 and 23a. Uredba o vodenju in vzdrževanju centralnega registra prebivalstva ter postopku za pridobivanje in posredovanje podatkov (Uradni list RS, št. 70/2000), (Regulation on electronic operations), Article 5. | The Central Population Register controller – The Ministry of Interior | Indirect | The Act on the Central Population Register permits the controller of the Register (The Ministry of Interior) to transfer the data from the Register only to users or other entities authorised by the law (Art. 12 above). There does not seem to be any legal basis which would specifically permit outsourcing of operations related to data from the Register. The Register is a cooperative data base where certain data sources may be authorised to directly maintain their data in the data base (Article 19 above). In case this involves electronic operations the data source must seek prior approval of the Minister of Public Administration (Article 5 of the Regulation). This is an indirect barrier to outsourcing. |


Thus, three of the barriers related to natural persons (where personal data protection concerns apply), and one to company data (where such concerns are less important). All reported barriers were indirect in nature, i.e. they did not explicitly specify any geographical restriction or requirement. All of these will be discussed in greater detail in the sections below.

Scope of the barrier

Given the nature of the data examined (authoritative data in relation to natural or legal persons), it is not surprising that most of the reported barriers related to the exclusive competence of a particular entity for holding the organisation. Nonetheless, other barriers were reported as well.

Figure 9 – Nature and scope of barrier observed (Citizen data and company records)

| Nature of the barrier | Observed in which countries? | Why is this (potentially) a restriction to the free flow of data within the European Union? |
|---|---|---|
| Designation of a specific legal entity that manages an official database | BE, SI, LU | Can be interpreted as solely permitting storage / transfer of the data by that specific legal entity |
| A specific mandate under law or from a specific body is required to access or use the data | BE, SI | Imposes a potentially cumbersome requirement on service providers abroad, who may not be aware of the requirement or who may be unable to meet it. |
| Prohibition against third party access and/or disclosure | BE | Can be interpreted as prohibiting passive offsite storage (i.e. storage outside the facilities of a manager of the register that requires no further processing by the storage service provider). |
| Requirement for the data to be destroyed under certain circumstances | BE, DK, LU | If the data is not kept locally, the managing entity may not have certainty that data can be decisively destroyed. |
| Joint management / updating of the data is foreseen (i.e. there is cooperation with identified entities such as local registrars or communes) to maintain the data | SI | The existence of multilateral connections to maintain the completeness and accuracy of the data can complicate its hosting with a third party. |

An interesting element that emerges from this table but which was not present for earlier data types is the distinction between storage of the authoritative data by a specific entity, and the right to use or access this data. Many of the reported barriers related to the simple observation that a specific entity was designated as the steward of authoritative data, which was interpreted by the correspondents as excluding the possibility of outsourcing, and thus also the possibility of data storage outside of national borders. This is however not necessarily the case: if exclusive control can be ensured with the designated steward, outsourcing of data storage should be allowed. However, in other cases it was noted that no third party was allowed to access or use the data without an appropriate authorisation granted under national law or by a specific body. That would indeed seem to be a barrier for cross border data flows, since it would imply that a foreign body would need to receive such an authorisation. A separate consideration that emerged as a potential barrier was the need for the data to be destroyed under certain circumstances. The obligation is not without consequences, since the outsourcing of data storage to a third party can make it rather more difficult to ensure conclusively that data was effectively destroyed, or indeed that a data owner can count on the service provider to be able to heed the instructions given in this respect.


Drivers behind the barriers and potential solutions

The overview above showed that the barriers are indirect, and relatively universally serve to benefit the authenticity and integrity of the data. The table below illustrates how this objective could be supported at EU level without needlessly impairing the free flow of data.

Figure 10 – Drivers behind the barrier observed and potential solution (Citizen data and company records)

| Nature of the barrier | Objective / driver behind the barrier | Potential solution? |
|---|---|---|
| Designation of a specific legal entity that manages an official database | Ensuring sufficient security/confidentiality and authoritative nature of the data | Clarification from national lawmakers that the requirement can be met if the data remains under the exclusive control of the designated legal entity. |
| A specific mandate under law or from a specific body is required to access or use the data | Ensuring security/confidentiality, and supporting accountability and supervision | If authorisation is deemed a requirement, there should be EU level recognition so that country-to-country authorisations are avoided. EU level whitelisting of acceptable service providers can similarly be considered. |
| Prohibition against third party access and/or disclosure | Ensuring sufficient security/confidentiality | Clarification from national regulators, supervisors and lawmakers of the necessary information security requirements to restrict access and editing rights in order to satisfactorily meet this obligation, e.g. offsite storage should not necessarily be considered as constituting third party access and disclosure. |
| Requirement for the data to be destroyed under certain circumstances | Ensuring control over the data, avoiding breaches of confidentiality | Use of security/cryptographic controls that impede third party access and ensure that data can be made inaccessible. |
| Joint management or updating of the data is foreseen to maintain the data, i.e. there is cooperation with specific organisations such as municipal or supervisory authorities | Ensuring the completeness and accuracy of the data | Use of appropriate role / authorisation management tools to enable remote storage without eliminating joint management. |

Besides the designation of a local entity to manage authoritative data, another principal barrier that is difficult to address is the ability to ensure the destructibility of data. Encryption ensures that, even if the data is not literally destroyed, it is at least unusable to an attacker. However, the ability of encryption schemes to withstand cryptographic attacks degrades over time. Therefore, encryption can only provide limited relief on this front and it is by no means a conclusive answer. Cryptography may not be sufficient to ensure conclusively that a third party will not be able to access or retain data over a longer period of time. Therefore, alternative approaches should be considered as outlined by the European Network and Information Security Agency (ENISA).

2.3.4 Judicial data and privileged data

Overview and subtypes of data

Continuing the examination of particularly sensitive types of data for which barriers would conceivably exist, the correspondents were asked to look into:

- Privileged information, such as information held by lawyers in relation to their clients and information which is covered by national security obligations, i.e. officially classified information such as RESTRICTED, SECRET, and TOP SECRET.
- Judicial data, including court data and police records

The following types of data were more specifically reported upon:



Figure 11 – Types of barrier observed (Judicial data and privileged data)

| Country | Source | Restriction imposed on providers / users / data | Direct or indirect | Summary of obligation / restriction |
|---|---|---|---|---|
| Bulgaria | Закон за адвокатурата (обн. - ДВ, бр. 55 от 25.06.2004 г.; изм. и доп., бр. 97 от 07.12.2012 г.), Bar Act (promulgated on 25 June 2004, last amendments as of 07 December 2012). Етичен кодекс на адвоката (приет с Решение № 324 от 8 юли 2005 г. на ВАС (Обн., ДВ, бр. 60 от 22.07.2005 г.; изм. и доп., бр. 43 от 08.06.2010 г.), Professional Ethics Code of Lawyers (promulgated on 22 July 2005, last amendments as of 08 June 2010). | Lawyers | Indirect | Lawyers are obliged to keep the confidentiality of any information they have obtained from their clients indefinitely. Such information can be disclosed only if such a disclosure is necessary before a court in connection with an ongoing dispute with the client. Such information shall be kept confidential by any and all of the lawyer’s staff and any other person who is involved in his professional duties. Further, all of the lawyer’s papers, records, electronic documents, computer equipment and other information media are inviolable and cannot be reviewed, copied, examined or be subject to a seizure. It does not seem to explicitly prohibit the storage or transportation of this type of information. However, it is unclear how this protection may apply to lawyer’s information stored by an external service provider (for example, cloud service provider) who is not subject to protection against any review, copy, examination or seizure of information. Thus, in practice, it could be considered that if a lawyer uses an external service provider for the storage and/or transportation of his confidential information and is aware that such service provider cannot prevent eventual seizure by state authorities of this information, the lawyer does not comply with his confidentiality obligation. |
| Czech Republic | Act No. 141/1961 Sb. (Code of Criminal Procedure) § 85b, subsequently Act. No. 85/1996 Sb. (Advocacy Act); Decision No. Nt 615/2014 (Municipal Court in Prague, 9. 7. 2014); Opinion of the Supreme Court No. Tpjn 306/2014, publ. as 35/2015 Sb. tr. rozh | Solicitors | Indirect | The provision of the Advocacy Act lays down confidentiality obligations of solicitors with regards to client communications. The provision of the Code of Criminal Procedure lays down the attorney-client privilege, i.e. it restricts law enforcement bodies from being able to search and seize data that are processed by solicitors about their clients. In case of need to use such data in criminal investigation, the Police or the Public Prosecution Office has to turn first to the Bar Association for permission. If that permission is not granted, it is possible for the court to overrule and to grant a special permission for search and seizure. The Decision was made in a case when a search warrant was asked for client data that were stored by a solicitor. The storage was outsourced in a cloud that was physically located outside premises of the solicitor. The court held that when data is physically located outside the premises officially used by the solicitor (e.g. in a delocalized cloud), it is not protected by attorney-client privilege. As a result, the Police or state Prosecution Service might obtain just a simple warrant (not the special warrant required for search and seizure of solicitor premises) in order to get that data. The opinion No. Tpjn 306/2014 stated that the place of performance of advocacy (i.e. the place where attorney-client privilege applies) is not limited only to physical premises of the solicitor but it extends also to logical document storage spaces incl. cloud services. |
| Romania | Government Decision no. 585/2002 approving the national standards for the protection of classified information; Government Decision no. 781/2002 on the protection of restricted information; Law no. 182/2002 on the protection of classified information; and Order no. 16/2014 approving the INFOSEC - INFOSEC 2 Directive. | All legal or natural persons which handle classified information | Indirect | Government Decision no. 585/2002 states that transferring classified information to other users requires security certificates and authorization access according to the appropriate level of secrecy. Top secret information cannot be stored, processed or transmitted in automatic information and/or communication systems which are actually or potentially exposed to users without security clearance. Every transmission requires repeated approval. Information and Communication System must have an authorization from the National Registry Office for Classified Information or its subordinate agencies. Updates and modifications to information and communication systems in absence of a human operator are forbidden. Annex no. 10/C describes the protection measures of the information systems which process data and classified information together with the protection measures of the building where these information systems are based. Government Decision no. 781/2002 stipulates the authorisation procedure for access rights which requires written authorization by the director of the unit which holds classified information. Law no. 182/2002 sets the need for mandatory cypher or other cryptographic elements established by competent authorities. Order no. 16/2014 describes the security operation manners/approaches (for different types of classified information and related specific measures for security certificates and authorization certificates). It requires that information and communication systems handling classified information can use the Internet or similar public networks only subject to adequate cryptographic protection. The National Registry for Classified Information is primarily in charge of supervising compliance, together also with representatives of the Romanian Security Agency, Ministry of Defence, Ministry of Interior, Ministry of Justice, External Information Service, Protection and Guard Service, Special Telecommunication Service, heads of public authorities, economic agents with partial or full share capital and of other public entities and also the authorities or people responsible with the general framework for contraventions. |
| Slovenia | 1. Zakon o tajnih podatkih (Uradni list RS, št. 60/11), (Classified Information Act), Articles 14 and 15. | All organizations and bodies that have access to or handle, store, or transfer information classified according to the Classified Information Act. | Direct (organizations need clearance, issued by competent ministry) and indirect (organizations need to establish adequate security measures). | The Classified Information Act prescribes that classified information may only be transferred outside secure zone if encrypted, by methods confirmed by a committee for information security (Art. 14 and 15). All systems where classified information is held must be protected against electromagnetic radiation. The measurements are made by the Ministry of defence, the Police, the intelligence agency and other authorities by the committee (Art. 17). Whenever classified information is processed outside the original location, security measures must be comparable to those that must be implemented at the original location. If the information is stored electronically it must be separated from other possible information by way of physical or virtual separation. Only persons with clearance, issued according to the regulation which defines checking procedures, issued by the competent ministry, may have access to the information (Article 16). The information may only be transferred/outsourced to those organizations that have acquired clearance, issued according to the regulation which defines checking procedures, issued by the competent ministry. |


The police databases and national security information are arguably slightly less relevant for the purposes of this study, since it does not seem unreasonable to argue that they relate directly to the core public task of ensuring the fundamental right to safety, security and justice to the European citizens. As such, the information is an inherent part of the public task, for which policies requiring such data to remain exclusively in the hands of the national competent authorities are unsurprising. These barriers will be examined in the following sections as well to ensure a comprehensive overview.

Three out of the four reported barriers are indirect. The direct barrier is reported in Slovenia with respect to national security information, where security requirements are defined at such a high level of detail that foreign storage of data would be practically infeasible. As above, cases for which the legislation directly designates a specific administration that should retain ownership of the data are considered to be indirect, unless (as in the Romanian and Slovenian cases) additional requirements apply that render foreign storage practically difficult.

Scope of the barrier

The following barriers were reported upon:

Figure 12 – Nature and scope of barrier observed (Judicial data and privileged data)

| Nature of the barrier | Observed in which countries? | Why is this (potentially) a restriction to the free flow of data within the European Union? |
|---|---|---|
| Designation of a specific legal entity that manages an official database | RO | Can be interpreted as solely permitting storage / transfer of the data by that specific legal entity |
| A specific mandate under law or from a specific body is required to access or use the data, including to store it | RO | Imposes a potentially cumbersome requirement on service providers abroad, who may not be aware of the requirement or who may be unable to meet it. |
| General confidentiality obligation - prohibition against third party access and/or disclosure | BG, CZ | Can be interpreted as prohibiting passive offsite storage (i.e. storage outside the facilities of the data holder that requires no further processing by the storage service provider). |
| Requirement to impose confidentiality obligations on all persons with access to the data | BG | Can be interpreted as prohibiting passive offsite storage (i.e. storage outside the facilities of the data holder that requires no further processing by the storage service provider). |
| Legal protections against information seizures | BG, CZ | May be hard to enforce with an external service provider, since legal investigators may not be aware that the information is privileged and cannot be seized. |
| Requirement for recipients of the data to hold certain certifications | RO, SI | Can be interpreted as prohibiting passive offsite storage, unless the storage service provider can ensure that all persons who access the facility hold such certifications |
| Prohibition against transfers of data without human intervention | RO | Prohibits data transfers without human intervention |
| Controls exist that limit the hardware or software that can be used to process data | RO, SI | Nationally defined requirements may be hard for foreign providers to obtain information on, understand, or observe, because they may only be available in the local language or may necessitate access to controls that are only available locally, not internationally |
| National technical storage / exchange requirements | RO, SI | Nationally defined requirements may be hard for foreign providers to obtain information on, understand, or observe, because they may only be available in the local language or may necessitate access to rules or guidelines that are only available locally, not internationally |
| Requirement to use encryption | RO, SI | Nationally defined requirements may be hard for foreign providers to obtain information on, understand, or observe, because they may only be available in the local language or may necessitate access to approaches for encryption management that are only available locally, not internationally |
| Data segregation requirements | SI | Nationally defined requirements may be hard for foreign providers to obtain information on, understand, or observe, because they may only be available in the local language or may necessitate access to approaches for data segregation that are only available locally, not internationally |

It is interesting to observe that there are barriers that limit data transfers (storage or transfer) to designated and authorised / certified entities, but none that explicitly tie this issue to geography. The principal barrier for police and national security records is the existence of national requirements in relation to security, certificates, hardware and software choices, and data segregation.

With respect to lawyers’ information – arguably a better candidate for improving the free flow of data than classified information that would necessarily remain within the competence of Member States as a matter of national security policy – a unique element in the survey and interview reports from this study is the need to ensure and legally impose confidentiality obligations for all persons who are able to access the data and the fact that national laws foresee specific legal protections against the seizure of information. Both of these elements are intended to protect professional privilege. However, they are both harder to implement when data is stored offsite, including particularly in a cross border context: while it is possible (and indeed not uncommon as a part of current market practices) to require a service provider to conclude confidentiality agreements with all persons who are able to access data in a data centre, it is less clear and certain that foreign governments would recognise the privileged character of lawyers’ information and apply comparable legal safeguards as those required under national law [9]. This would seem to complicate the use of non-specialized foreign storage services, i.e. those for which a lawyer would be unsure whether appropriate protections would be applied.

[9] On this topic, see also http://www.ccbe.eu/NTCdocument/EN_04042014_Comparat1_1400656620.pdf.

Drivers behind the barriers and potential solutions

For these particular categories of data, the principal drivers are the assurance of national security, the organisation of an appropriate judicial system, and the assurance of legal privilege to support the protection of legal rights. Nevertheless, just as with objectives for barriers to cross-border flow in health data, some of these objectives for barriers to cross-border flow in judicial and privileged data could arguably continue to be met without harming existing public interests.

Figure 13 – Drivers behind the barrier observed and potential solution (Judicial data and privileged data)

| Nature of the barrier | Objective / driver behind the barrier | Potential solution? |
|---|---|---|
| Designation of a specific legal entity that manages an official database | Ensuring sufficient security/confidentiality and authoritative nature of the data | Clarification from national lawmakers that the requirement can be met if the data remains under the exclusive control of the designated legal entity. |
| A specific mandate under law or from a specific body is required to access or use the data | Ensuring security/confidentiality, and supporting accountability and supervision | If authorisation is deemed a requirement, there should be EU level recognition so that country-to-country authorisations are avoided. EU level whitelisting of acceptable service providers can similarly be considered. |
| General confidentiality obligation - prohibition against third party access and/or disclosure | Ensuring sufficient security/confidentiality | Clarification from national regulators, supervisors and lawmakers that the requirement can be met if substantive access to the contents of lawyers’ data is made impossible. Offsite storage should not necessarily be considered as constituting third party access and disclosure. |
| Requirement to impose confidentiality obligations on all persons with access to the data | Ensuring that there are no loopholes in legal protections | EU level alignment on such requirements (e.g. through model confidentiality agreements) |
| Legal protections against information seizures | Ensuring that client privilege cannot be easily breached | Implementation of procedures at the EU level for such seizures and/or EU level whitelisting of specialised service providers so that these can be easily recognized by criminal investigators. |
| Requirement for recipients of the data to hold certain certifications | Ensuring the appropriateness of security clearance of recipients | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers where all recipients hold such certifications. |
| Prohibition against transfers of data without human intervention | Ensuring that there are no loopholes in legal protections | EU level alignment on such requirements |
| Controls exist that limit the hardware or software that can be used to process data | Ensuring sufficient security and confidentiality of the data | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers that offer appropriate security controls. |
| National technical storage / exchange requirements | Ensuring sufficient security and confidentiality of the data | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers that offer appropriate security controls. |
| Requirement to use encryption | Ensuring sufficient security and confidentiality of the data | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers that offer appropriate security controls. |
| Data segregation requirements | Ensuring sufficient security and confidentiality of the data | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers that offer appropriate security controls. |


Most of the aforementioned objectives aim to ensure the security and confidentiality of the information. However, the barriers highlight that a variety of controls are required or are considered appropriate to achieve those objectives. Therefore, continuing to meet the common objectives through this variety of controls suggests that greater alignment of those controls at the EU-level is needed. Given the high sensitivity of the data and the fact that its protection requires particular safeguards against even state intervention (i.e. even in criminal investigations lawyers’ records may not be seized without applying a specific protection procedure such as under the Bulgarian Bar Act, Bulgarian Professional Ethics Code of Lawyers, and Czech Advocacy Act as listed above), the evidence from interview reports indicates that an approach that relies on whitelisted specialized service providers may be advisable, since authorities may otherwise struggle to recognize protected information.

2.3.5 Tax and accounting records

Overview and subtypes of data

In section 2.2.2. above, we examined barriers that applied to a specific category of financial data, namely data which is subject to supervision by national regulators. However, other types of financial information may also be subject to regulatory barriers. We therefore asked correspondents to report specifically on:

- Tax records, such as relevant information for personal or corporate tax declarations.
- Accounting documents such as invoices.

It should be noted that EU level rules exist with respect to electronic invoicing and the storage of electronic invoices, specifically through the Sixth VAT Directive [10]. The latter permits electronic invoices and also allows invoices to be stored outside of national borders, provided that the invoices are immediately accessible to tax authorities. Thus, the EU legal framework as such inherently demonstrates a potential barrier (the requirement for data to be accessible to auditing authorities) and immediately provides the solution (a neutral requirement to ensure its accessibility via electronic means).

[10] Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax, see http://eurlex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32006L0112.

The following types of data were more specifically reported upon:


Figure 14 – Types of barrier observed (Tax and accounting records)

| Country | Source | Restriction imposed on providers / users / data | Direct or indirect | Summary of obligation / restriction |
|---|---|---|---|---|
| Austria | Bundesgesetz über allgemeine Bestimmungen und das Verfahren für die von den Abgabenbehörden des Bundes, der Länder und Gemeinden verwalteten Abgaben (Bundesabgabenordnung - BAO), original version: BGBl. Nr. 194/1961, latest amendment: BGBl. I Nr. 163/2015 (Federal Act on the General Principles and Procedures for the Regulation of Taxation as administrated by the Federal Government, the State Governments and the Municipalities (Regulation of Taxation Code, BAO)). Bundesgesetz über besondere zivilrechtliche Vorschriften für Unternehmen (Unternehmensgesetzbuch - UGB), Austrian Commercial Code, original version: dRGBl. S 219/1897, latest amendment: BGBl. I Nr. 163/2015. | All companies that have to keep books | Indirect | According to Article 131 BAO, the act on federal taxes and duties, financial recordings may be kept abroad. However, upon request of the authorities, they have to be brought to the national territory in a reasonable period of time. According to Article 216 of the Austrian Commercial Code (UGB), books may also be kept in electronic format. However, whoever is responsible for keeping the books has to ensure that the data is readable and, if necessary, to make available a number of records that are readable without support tools. |
| Belgium | Income Tax Code 1992 (Code des impôts sur les revenus 1992, aka CIR 92) and subsequent amendments, Article 315. | All taxpayers | Indirect | The final paragraph of Art. 315 of the Income Tax Code states that all tax payers are required to present tax authorities, at their request, and without transportation [11], with any books and evidentiary documents needed to establish the amount of taxable income. Note that this is a separate requirement from invoice storage rules, which state (in accordance with EU law) that they can be stored anywhere in the EU, conditional on their accessibility to tax authorities. The rule of Art. 315 is broader, relating not just to invoices but to any books and evidentiary documents needed to establish the amount of taxable income. |

[11] In this context, “without transportation” refers to the fact that the tax payer may not be obliged to physically bring the relevant documents to the tax authorities’ offices; the tax inspectors may invite the tax payer to present documentation in person, but the tax payer may decline, in which case the tax inspectors must go to the tax payer’s establishment. See http://lib.ugent.be/fulltxt/RUG01/002/164/464/RUG01-002164464_2014_0001_AC.pdf

Bulgaria

Enterprises and taxable

Indirect

Under the Accounting Act invoices and other accounting information shall be stored on paper and/or technical medium within the respective entity [12] for a

[12] According to the Bulgarian authorities, 'in the enterprise' is interpreted by tax authorities as physical location for accounting information on paper and electronic access for digital accounting information. But being an interpretation, it could contribute to legal uncertainty.

Закон за счетоводството (обн. - ДВ, бр. 95 от 08.12.2015 г., в сила от 01.01.2016 г.),

Cross-border data flow in the digital single market: study on data location restrictions

(SMART 2015/0054)

Accounting Act (promulgated on 08 December 2015, in force as of 01 January 2016); Закон за данък върху добавената стойност (обн., ДВ, бр. 63 от 4.08.2006 г., в сила от датата на влизане в сила на Договора за присъединяване на Република България към Европейския съюз, изм. и доп., бр. 95 от 08.12.2015 г., в сила от 01.01.2016 г.), Value Added Tax Act (promulgated on 04 August 2006, last amendments in force as of 01 January 2016). Данъчно-осигурителен процесуален кодекс (обн., ДВ, бр. 105 от 29.12.2005 г., в сила от 01.01.2006 г.; изм., бр. 13 от 16.02.2016 г., в сила от 15.04.2016 г.), Tax and Social Insurance Procedure Code (promulgated on 29 December 2005, last amendments in force as of 15 April 2016)

persons

Germany

Handelsgesetzbuch (The German Commercial Code), § 257 III . (Law / federal legislation)

All merchants on which the HGB (trade law) applies. All companies subject to trade law (which is the vast majority).

Indirect

The company records listed in sub-paragraph 1 of this provision can be kept electronically on video or data medium (such as a CD-ROM or a hard drive), with the exceptions of opening balances and annual balance sheets, if this is in line with standards of good bookkeeping and authenticity and availability of the electronically stored documents are ensured.

Germany

Abgabenordnung (Procedural rules for accounting and records), § 146 AO and § 147 (federal legislation)

All natural and legal persons obliged to keep tax records.

Direct

§ 146 AO provides for an obligation to keep the records required for tax declaration within Germany, with the exception of companies active in foreign countries and complying to local tax law on records. Tax records can be kept electronically outside of Germany if the tax authority gives permission on application by the subject. The permission can (not: has to) be given, if the subject provides the authority with the location of the data centre and access to the data in accordance with § 147 VI AO remains fully possible (§ 147 VI AO grants tax authorities full access to the data for control purposes). According to § 147 II AO certain records may not be kept electronically (e.g. annual balance of accounts).

50

specified period of time for the different types of accounting documents or in private third party archives. This includes electronic invoices and accounting registers held electronically (different types of software products). Under the Value Added Tax Act (VATA) taxable persons must guarantee the integrity and authenticity of electronic invoices for the whole legally required period. When electronic invoices are stored by electronic means, taxable persons are required to provide electronic (online) access to invoices stored by electronic means. Such access shall be provided to the competent authorities when the taxable person has establishment on the state’s territory, as well as when the person is not established on the state’s territory, but the tax has to be charged in Bulgaria; and to the competent authorities of the Member State in which the tax is chargeable - when the person has establishment on the state’s territory, but the tax is chargeable in another Member State.



Ireland
Source: Notice from the Revenue Commissioners published in Iris Oifigiuil (Official Journal), 27 January 2012, drawn up in exercise of powers conferred on them by s.887 of the Taxes Consolidation Act 1997 (substituted by s.232 of the Finance Act 2001). (Regulatory Regulated Act)
Restriction imposed on providers / users / data: Companies
Direct or indirect: Indirect
Summary of obligation / restriction: Subject to the time limits governing the keeping of records, “records must be accessible to inspection by a Revenue official at all reasonable times”. All electronically stored records must be accessible to a Revenue official in paper or electronic form. The method of delivery and the format of the electronic record required by the Revenue official shall be specified by the Revenue official at the time the records are being requested. [13] Where new computer systems or applications are introduced the person to whom the records relate must ensure that the old systems and/or applications are maintained for such period as ensures that the records are retained for the minimum period required by the Acts unless specific approval has been obtained from Revenue to discontinue support for the old systems and/or applications. While Revenue do not mandate how or where records should be stored and there is no requirement that the records be stored in the State, this requirement may (indirectly) impact the choice of a new storage system.

Sweden
Source: Bokföringslag (1999:1078), Swedish Bookkeeping Act, Chapter 7 sections 2 - 4.
Restriction imposed on providers / users / data: All companies and organisations that fall within the Swedish Bookkeeping Act (all companies registered in Sweden)
Direct or indirect: Direct
Summary of obligation / restriction: The main principle is that bookkeeping data should be kept locally in Sweden, even if stored electronically. Chapter 7 section 3a allows, however, for an exception in case of storage in another EU Member State. According to the section a company may store data electronically or keep computer equipment and systems accessible in another EU Member State if: the company has informed the Swedish Tax Agency (Skatteverket) or – when it comes to financial companies – the Swedish Financial Supervisory Authority (Finansinspektionen); the company upon request by the Swedish Tax Agency (Skatteverket) or the Swedish Customs (Tullverket) gives immediate electronic access to the bookkeeping data for control purposes; and the company can immediately print out relevant bookkeeping data in a readable format.

[13] It should be noted that it is the position of the Irish governmental authorities that the records held must be made available by the person who holds the records following a request by an authorised official; an authorised Revenue official can only access records where they have been made available to him by the holder of the records.


It is worth noting that while all reports on accounting records also reference the aforementioned rules on electronic invoices, they are all broader in scope and also include accounting documents (ledgers, balance sheets, registers, etc.) that fall outside the scope of the common EU e-invoicing rules. As such, the information on observed barriers is useful for the purposes of this study.

Scope of the barrier

The following barriers were reported upon:

Figure 15 – Nature and scope of barrier observed (Tax and accounting records)

Nature of the barrier: Information must be retrievable for the supervisory authorities within a reasonable amount of time (AT, BG), without transportation (BE), at all reasonable times (IE) or immediately (SE)
Observed in which countries? AT, BE, BG, IE, SE
Why is this (potentially) a restriction to the free flow of data within the European Union? A way must be found to meet the response time requirements for delocalised storage.

Nature of the barrier: Storage facilities must be within national borders (except when companies are active across borders), except with permission of the tax authority
Observed in which countries? DE
Why is this (potentially) a restriction to the free flow of data within the European Union? Geographic limitation by nature.

Nature of the barrier: Format and method of delivery shall be specified by the tax authority during verifications
Observed in which countries? IE
Why is this (potentially) a restriction to the free flow of data within the European Union? For nationally defined requirements, it may be hard for foreign providers to obtain the necessary information, or to understand or observe the requirements, because they may only be available in the local language or may necessitate access to delivery methods that are only available locally, not internationally. Since the Irish authorities could impose specific delivery formats, foreign providers may be perceived as less reliable to meet that objective because they may not be able to support formats or delivery methods specified by Irish authorities.

All of the barriers aim to support the accessibility and availability of data to tax authorities in case of tax audits. However, only one of the reported barriers is explicitly geographic in nature; the others are indirect and can be managed with a storage system abroad, assuming that appropriate communication interfaces are available that allow data to be retrieved rapidly and in a commonly accepted format.

Drivers behind the barriers and potential solutions

Accessibility of the data in a readable format is the main priority for this category of data. Therefore, solutions are relatively readily available, and indeed already commonly deployed in most cases.

Figure 16 – Drivers behind the barrier observed and potential solution (Tax and accounting records)

Nature of the barrier: Information must be retrievable for the supervisory authorities within a reasonable amount of time (AT, BG), without transportation (BE), at all reasonable times (IE) or immediately (SE)
Objective / driver behind the barrier: Ensuring accountability and verifiability
Potential solution? The barrier can be addressed if there is sufficient clarity on the requirements in relation to timeliness and method of delivery. EU level guidance on this point may be useful to avoid needless national divergences.

Nature of the barrier: General confidentiality obligation - prohibition against third party access and/or disclosure
Objective / driver behind the barrier: Ensuring security/confidentiality, and supporting accountability and supervision
Potential solution? Clarification from national regulators, supervisors and lawmakers that the requirement can be met if substantive access to the contents of financial data is made impossible. Offsite storage should not necessarily be considered as constituting third party access and disclosure.

Nature of the barrier: Storage facilities must be within national borders (except when companies are active across borders), except with permission of the tax authority
Objective / driver behind the barrier: Ensuring accountability and verifiability
Potential solution? Modernisation of the requirement – moving to accessibility requirements rather than storage requirements.

Nature of the barrier: Format and method of delivery shall be specified by the tax authority during verifications
Objective / driver behind the barrier: Ensuring accountability and verifiability
Potential solution? The requirement is not a barrier in practice if there is sufficient clarity on the requirements in relation to timeliness and method of delivery. EU level guidance on this point may be useful to avoid needless national divergences.

Nature of the barrier: When new IT systems are introduced, the tax payer must ensure that the old systems remain operative for as long as required to ensure availability under applicable law
Objective / driver behind the barrier: Ensuring accountability and verifiability
Potential solution? Clarification that old systems need not remain operative if the updated system can provide access to all needed information.

As in the previous chapter, most of the aforementioned objectives aim to ensure the accountability and verifiability of the information. However, the barriers highlight that a variety of controls are required or are considered appropriate to achieve those objectives. Continuing to meet the common objectives through this variety of controls therefore suggests that greater alignment of those controls at the EU level is needed. In addition, there are also a few explicit geographical barriers that do not seem to be strictly required to achieve the goal of ensuring the availability and verifiability of the data.

2.3.6 Other data types and barriers

Overview and subtypes of data

As noted above, correspondents were also invited to report on barriers they observed for other types of data, which don’t fall cleanly within any single category, and will therefore be analysed collectively here. These reports referred more specifically to the following types of data:



Figure 17 – Types of barrier observed (other types of barriers)

Austria
Source: Bundesgesetz über die Bundesrechenzentrum GmbH (BRZ GmbH), Federal Act on the Federal Computing Centre (BRZ), Original version: BGBl. Nr. 757/1996, Latest amendment: BGBl. I Nr. 71/2003. Bundesgesetz, mit dem IKT-Lösungen und IT-Verfahren bundesweit konsolidiert werden (IKT-Konsolidierungsgesetz – IKTKonG), Federal Act on the Consolidation of ICT Solutions and IT Processes (ICT Consolidation Act), Original version: BGBl. I Nr. 35/2012.
Restriction imposed on providers / users / data: Users (public sector), providers
Direct or indirect: Indirect
Summary of obligation / restriction: ICT tasks and duties with respect to the development, maintenance and operation (incl. hosting) are assigned by law to the Austrian Federal Computing Centre (BRZ). The statutory duties are listed in Article 2 of the Bundesrechenzentrum GmbH Gesetz. The list includes i.a. IT support in the areas of unemployment, Austro Control (aviation), banking, disabled persons, insurance supervision, health, finance, and others. According to Article 4 of the ICT Solution Consolidation Act, the BRZ has to be used as a subcontractor by governmental bodies before initiating a public procurement process, if their offer is in line with the market.

Bulgaria
Source: Gambling Act, Promulgated, State Gazette, No. 26/30.03.2012, lastly amended and supplemented, SG No. 1/3.01.2014, effective 1.01.2014, article 6(4).
Restriction imposed on providers / users / data: Gambling service providers
Direct or indirect: Direct
Summary of obligation / restriction: The law states that “The organizer shall have to ensure storing of all data in relation to offering gambling services in the territory of the Republic of Bulgaria, including registration and identification of patrons, wagers made, and winnings paid out. Storing of information shall be on data storage equipment (control local server) located in the territory of the Republic of Bulgaria according to a procedure and in a manner as set forth in the ordinance under para. 1, item 4. The data shall be stored in the way they were created for a term of 5 years after the expiry of the term of limitation for repayment of the public liabilities related to these data.”

Croatia
Source: Zakon o državnoj informacijskoj infrastrukturi, Narodne novine br. 92/2014, Law on the State Information Infrastructure, Official Gazette of Republic of Croatia no. 92/2014 passed on July 15, 2014 and Regulation on Organizational and Technical Standards for Connecting to the State Information Infrastructure, Official Gazette of Republic of Croatia no. 103/2015.
Restriction imposed on providers / users / data: Public sector bodies, the ICT sector
Direct or indirect: Direct
Summary of obligation / restriction: According to the Law on the State Information Infrastructure, public registers are stored in data centres that are located on the territory of the Republic of Croatia, and that meet the requirements prescribed by Regulation on Organizational and Technical Standards for Connecting to the State Information Infrastructure (Article 12).

Germany
Source: § 126 III Grundbuchordnung (national federal legislation)
Restriction imposed on providers / users / data: All parties (potential cloud processors) from the private sector and all non-German (be it from the private or from the public sector) parties.
Direct or indirect: Indirect
Summary of obligation / restriction: The restriction excludes outsourcing of data processing to any entity other than the state or legal persons under public law (such as the communities). This excludes all entities from the private sector explicitly, and most likely must be read as all entities outside Germany (as public entities of other member states are not explicitly mentioned, and systematically not meant by this provision). A fortiori this should also exclude all cloud providers which are not only processors, but controllers themselves.

Hungary
Source: 2013. évi L. törvény az állami és önkormányzati szervek elektronikus információbiztonságáról, Act L of 2013 on Electronic Information Security of State and Municipal Bodies (“Information Security Act”) adopted by the Hungarian Parliament with the effect of 25 April 2013. 2010. évi CLVII. Törvény a nemzeti adatvagyon körébe tartozó állami nyilvántartások fokozottabb védelméről, Act CLVII of 2010 on National Data Assets (“Data Assets Act”), adopted by the Hungarian Parliament with the effect of 22 December 2010
Restriction imposed on providers / users / data: All Hungarian and non-Hungarian service providers who may provide cloud services in the governmental sector.
Direct or indirect: Direct
Summary of obligation / restriction: The Information Security Act expressly specifies a list of entities, and requires that any data controlled by these entities can only be operated in an IT system in the territory of Hungary. Such entities are, for example, autonomous administrative bodies (e.g. Public Procurement Authority, Equal Treatment Authority, Hungarian Competition Authority, National Authority for Data Protection and Freedom of Information, National Election Office), ministries, independent regulatory authorities (National Media and Communications Authority, Hungarian Energy and Public Utility Regulatory Authority), public administrative bodies established by an act and directed by the Government (Central Statistics Office, National Office of Atomic Energy, Hungarian Intellectual Property Office, National Tax and Customs Administration), security forces (Police, prison service, civil security services), State Audit Office, Hungarian National Bank, Courts and National Office for the Judiciary, Governmental offices of Hungarian counties and Budapest etc. The relevant authority (now it's the National Electronic Information Security Authority) may approve that a listed entity transfers the operation of an IT system to another EU Member State. The Information Security Act also provides that specific registries which serve as a fundamental basis for the Hungarian public administration and are considered to be authentic by law (“national data assets” – as defined in the Data Assets Act) can only be processed in an IT system in the territory of Hungary. For a given registry, the data controller authority (as appointed by law) may not decide freely about the identity of the data processor. Most of the data controllers have to use a specific data processor. In the other cases, the data controllers can decide between either carrying out all data processing themselves or outsourcing it, but if they decide to outsource, the data processor has to be either an administrative body or a fully state-owned company. The Minister for National Development may give individual exemptions.

Netherlands
Source: Ministerie van Binnenlandse Zaken en Koninkrijksrelaties - Kamerbrief over cloud computing, Ministry of Internal Affairs and Kingdom Relationships – Chamber letter on cloud computing, Issued by the Minister of Internal Affairs and Kingdom Relationships, M. Donner, on 20 April 2011
Restriction imposed on providers / users / data: The entirety of the national public sector
Direct or indirect: Direct
Summary of obligation / restriction: The letter is an early statement of the Dutch government’s position on cloud computing, announcing its intention to establish a closed national cloud (Rijkscloud), and noting that “a strict requirement is that the data remain in the Netherlands and that security is adequate for all participants, and can be addressed at a level which is acceptable for the selected applications”, and that “in relation to information security, the ‘open’ cloud outsourcing of ICT services, or the storage of information outside the Netherlands, implies risks that cannot yet be appropriately covered.” [14]

Poland
Source: Gaming Law of 19 November 2009, article 16d [15]
Restriction imposed on providers / users / data: Entities which organise betting via the internet
Direct or indirect: Direct
Summary of obligation / restriction: The law requires that “the entity which organises betting via the Internet shall archive all the data exchanged between itself and a participant of betting in real time on a data archiving device located within the territory of the Republic of Poland, including the data which make it possible to determine the course and results of betting and transactions carried out under betting and data necessary to identify a participant of betting."

Portugal
Source: Decreto-Lei n. 16/93 of 23 January (Decree-Law No 16/93 of 23 January (as amended by Law No 14/94 of 11 May))
Restriction imposed on providers / users / data: National and regional archives, private individuals holding classified archive items.
Direct or indirect: Direct
Summary of obligation / restriction: The exchange of classified archive items by others existing in other countries which have exceptional interest for Portuguese cultural heritage requires authorization by joint order of the ministries to which the good belongs and by archive policy, upon hearing of the management body. Exporting classified (or pending classification) archive items requires authorization from the Minister supervising the archive heritage, if temporary, and also of the Member of the Government to which the item belongs, if definitive. Classified (or pending for classification) archive items cannot stay abroad longer than one year, but it can be renewed for identical period.

Romania
Source: Law no. 161/2003 on assuring transparency measures in exercising public dignities, functions and in the private sector for preventing and sanctioning corruption (Legea nr. 161 din 2003 privind unele masuri pentru asigurarea transparentei in exercitarea demnitatilor publice, a functiilor publice si in mediul de afaceri, prevenirea si sanctionarea coruptiei)
Restriction imposed on providers / users / data: Public authorities and the operators of the National Electronic System: the General Inspectorate for Information Technology and Communications under the Ministry for Communication and for Information Society for the “e-Government System”, the Ministry for Public Administration for “eAdministration System” and the authority established by the Supreme Council for State Defence for the national security and defence system.
Direct or indirect: Indirect
Summary of obligation / restriction: Public authorities have the obligation to apply an electronic procedure described in this law for making available public information or services via electronic means. The electronic procedure requires the transferred documents comply with the criteria set by the National Electronic System (for example to be electronically signed, to be in the format agreed by the system and that the electronic documents be generated, stored and transmitted as the system establishes).

Romania
Source: Government Decision no. 111/2016 approving the Norms of application of 24 February 2016 on gambling, Articles 2, 127 and 136.
Restriction imposed on providers / users / data: Online gambling providers
Direct or indirect: Direct
Summary of obligation / restriction: The game server is the electronic system made out of the hardware and software system on which both the game activity takes place, as well as storing the data about this activity. As art. 127 (2) specifies, the main system includes a game server, a registering and identification system for registering and identifying the participant of the game, as well as a system for storing and transferring information for each game session, each registration fee and each payment made by the user. The main system will assure on the back-up/safety server encrypted, real time transfer and automated registration of all data requested by the National Gambling Office, identification data of Romanian users, financial data of Romanian users, as well as any transaction made by a Romanian player. On the mirror server daily/monthly logs will be transmitted, which will allow real time verification of the licensed gambling operator. The mirror server is the electronic system made out of hardware and/or software, located at the National Gambling Office or in a tier 2 licensed data centre, which is capable of storing and reporting/exporting logs in compliance with the National Gambling Office order. The back-up/safety server is the hardware and software system, located at the National Gambling Office or in a licensed data centre which stores data about Romanian users or about users which use Romanian IP addresses, as well as game data and financial transactions on online gambling authorized in Romania which are transferred according with the technical procedure established by the National Gambling Office presidential order and without the possibility to be modified by the online gambling operator licensed in Romania.

Slovenia
Source: Zakon o varstvu dokumentarnega in arhivskega gradiva ter arhivih (Uradni list RS, št. 30/2006) https://www.uradni-list.si/1/content?id=72425 (English translation not available)
Restriction imposed on providers / users / data: Archives, external providers of services and equipment for storage or processing of archives data.
Direct or indirect: Indirect
Summary of obligation / restriction: Public archives documentation may only be transferred to third countries or other EU Member States if the competent minister consents to such transfer. Outsourcing of providers of storage for archive data is possible if the provider is chosen by the rules of a public tender and if the provider is accredited by the national archive (Art. 72). The national archive monitors at all times whether a third party provider adheres to the conditions for accredited equipment and services (Art. 86). Inspection supervision of the provisions of this act is in the hands of the Culture and Media Inspection (Art. 75). An inspector has the right to physically access and inspect the premises, spaces and equipment where archived data is stored (Art. 77).

[14] Since this letter was issued, the Dutch government has further developed its cloud strategy; at this point in time it appears that only ‘state secrets’ should be kept at Dutch premises, see Letter of the Ministry of Internal Affairs and Kingdom Relationships (Ministerie van Binnenlandse Zaken en Koninkrijksrelaties), answering Parliamentary questions, of 4 July 2014 (with reference no 2014Z09632, see file:///Users/patriciaypma/Downloads/beantwoording-kamervragen-over-opslag-van-vertrouwelijke-data-door-overheidsorganisaties-en-semi-publiekeinstellingen%20(1).pdf, in Dutch) with regard to the storage by governmental organisations and semi-governmental institutions of confidential data. See also Strategic Agenda Governmental service (Strategische I-agenda Rijksdienst) of 2nd December 2016: file:///Users/patriciaypma/Downloads/rapport-strategische-i-agenda-rijksdienst%20(1).pdf (in Dutch). Additionally, since this letter was issued, internal governmental guidelines have been developed to guide governmental authorities with regard to their data storage decisions, Rijkscloud is possible, which take as a starting point that decisions on data storage should be judged by the relevant governmental authority on a case-by-case basis, taking into account considerations such as risk assessment and management and data security which in turn relates to the type of data, the use of data encryption, etc.

[15] After the cut-off point of our data-collection under this Study, this requirement was amended by the Polish Gambling Act that entered into force on 1 April 2017 (amending act – “National Journal” 2017, poz. 88, adopted on 13 January 2017). The new wording, now set out in Article 15d paragraph 3 of the Polish Gambling Act, is as follows: “the entity which organises betting via the Internet shall archive all the data exchanged between itself and a participant of betting in real time on a data archiving device located within the territory of the Republic of Poland or a European Union Member State or Member States of the European Free Trade Association (EFTA) - parties to the Agreement on the European Economic Area, including the data which make it possible to determine the course and results of betting and transactions carried out under betting and data necessary to identify a participant of betting”.


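Scope of the barrier

The following barriers were reported upon:

Figure 18 - Nature and scope of barrier observed (other types of barriers)

Nature of the barrier: A specific mandate under law or from a specific body is required to access the data
Observed in which countries? PT
Why is this (potentially) a restriction to the free flow of data within the European Union? Imposes a potentially cumbersome requirement on service providers abroad, who may not be aware of the requirement or who may be unable to meet it.

Nature of the barrier: A specific mandate under law or from a specific body is required to export the data
Observed in which countries? PT, SI
Why is this (potentially) a restriction to the free flow of data within the European Union? Imposes a potentially cumbersome requirement on service providers abroad, who may not be aware of the requirement or who may be unable to meet it.

Nature of the barrier: Storage service providers must be authorised by the government
Observed in which countries? SI
Why is this (potentially) a restriction to the free flow of data within the European Union? Foreign providers may not know this requirement and may meet difficulties in observing it.

Nature of the barrier: Control mechanisms (including audits) from the national supervisors may not be hindered
Observed in which countries? SI
Why is this (potentially) a restriction to the free flow of data within the European Union? IT systems established abroad may be more difficult to control by the regulators.

Nature of the barrier: Requirement to use encryption
Observed in which countries? RO
Why is this (potentially) a restriction to the free flow of data within the European Union? Requirements defined at the national level may be hard to know / observe by foreign providers.

Nature of the barrier: Storage facilities must be controlled by a public sector entity
Observed in which countries? DE (real estate registers), NL (national cloud)
Why is this (potentially) a restriction to the free flow of data within the European Union? Geographic limitation by nature.

Nature of the barrier: Designation of a specific legal entity that manages an official database
Observed in which countries? AT, HR, NL
Why is this (potentially) a restriction to the free flow of data within the European Union? Can be interpreted as solely permitting storage / transfer of the data by that specific legal entity

Nature of the barrier: National technical storage / exchange requirements
Observed in which countries? RO
Why is this (potentially) a restriction to the free flow of data within the European Union? Requirements defined at the national level may be hard to know / observe by foreign providers.

Nature of the barrier: National functional requirements for information processing systems
Observed in which countries? RO
Why is this (potentially) a restriction to the free flow of data within the European Union? Requirements defined at the national level may be hard to know / observe by foreign providers.

Nature of the barrier: Storage facilities must be within national borders, or they may be outside national borders but a copy must be made to a mirror system within national borders
Observed in which countries? BG, PL, RO
Why is this (potentially) a restriction to the free flow of data within the European Union? Geographic limitation by nature.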

Most of the requirements are not new or unique, and have been observed for other data types in prior sections of the report. There are however two notable exceptions, namely the requirement for authorisation to export data (in relation to National Archives that are responsible for the long term preservation, collection, and publication of governmental, cultural and historical records at the national level and therefore the protection of national heritage), and the requirement to maintain local systems and/or mirror systems within national borders (in relation to gambling systems). To limit duplication of previous chapters, only these two barriers will be examined further below.

Drivers behind the barriers and potential solutions

Figure 19 – Drivers behind the barrier observed and potential solution (other types of barriers)

Nature of the barrier: A specific mandate under law or from a specific body is required to export the data
Objective / driver behind the barrier: Maintaining national control over cultural systems and services for the protection of national heritage against loss
Potential solution? Clarification that the rule was intended to protect physical artefacts with heritage value, which may be lost abroad. Duplication of electronic data should not pose the same problem.

Nature of the barrier: Storage facilities must be within national borders, or they may be outside national borders but a copy must be made to a mirror system within national borders
Objective / driver behind the barrier: Ensuring accountability and verifiability
Potential solution? Clarification that the fundamental requirement is to ensure the integrity and auditability of the information. Local storage or mirroring a system is not the only way of achieving this goal.

2.4. Establishing an analytical framework for identified barriers – defining a common understanding of data requirements in the EU Member States

The section above has provided a first insight into some of the principal regulatory barriers that may restrict the free flow of data for processing and storage purposes within the European Digital Single Market, along with the drivers behind them, and some of the solutions that might be explored to resolve them. It should be recognised that the scope of this overview is not exhaustive; however, given the methodology that relied on national experts to obtain key examples of barriers to the free flow of data, the listing undoubtedly contains the principal barriers and can at any rate be considered as representative for the state of play across the EU.

While the overview above did not yet aim to identify non-regulatory barriers (these will be further examined in the sections below), it is however possible at this stage to provide a provisional analytical framework that can be used to describe and assess these barriers, based on their key characteristics. The purpose of this analytical framework is twofold:

Firstly, the framework is intended to provide an overview of existing data requirements that may be encountered across the EU. It should thus be possible to classify every barrier mentioned above into a specific section of the analytical framework, and to describe it accurately.

Secondly, it is intended to allow the definition of common solutions to common problems, allowing barriers to be mitigated or overcome.

Broadly, the following structure could be proposed in relation to regulatory barriers, which is intended to be designed so that it can be applied to any type of data (i.e. it is not dependent on sector specific elements). The elements in bright blue designate specific types of barriers encountered:


Figure 20 – Classification of identified regulatory barriers

Regulatory barriers to the free flow of data

Direct barriers
- Geographic location storage requirements. E.g. servers must be located in country X (BG, PL, RO) or data can only be stored nationally (DE, SE, PT, SV, NL)

Indirect barriers
- Unique national technical requirements. E.g. data must use national formats (HR, SV)
- Accessibility to supervisors. E.g. supervisors must be able to get access (AT, BE, IE, NL, PT)
- Prior authorisation schemes. E.g. storage systems must be approved by supervisor (SI, RO)
- Prohibitions against third party access / disclosure. E.g. data may not be made accessible to third parties (BG, CZ, NL)
- Subcontracting restrictions. E.g. subcontractors must obtain prior approval (AT, LU, NL)
- Generic technical requirements. E.g. interoperability (FI)
- Mandatory use of a specific infrastructure. E.g. data must be kept by administration X (AT, CZ, LU, NL)
- Segregation requirements. E.g. data must be kept on segregated systems
- Destruction requirements. E.g. data must be destroyable in situation X (BE, DK) 16

Most of the types of requirements can be grouped together and correspond to a specific public policy interest as shown above. However, this does not imply that implementation of barriers to the free flow of data in the specific cases as described above always achieves their intended policy objectives. Although the policy objective may be legitimate, the implementation of barriers to the free flow of data may be ineffective or disproportionate in light of the intended objective. By way of a specific example, it is clear that accounting documents must be accessible to tax authorities. However, this legitimate policy objective does not imply that data must be stored locally. Looking at the objectives in general, these can briefly be assessed as follows:

Figure 21 – Barriers, aims and policy objectives

| Type of barrier | Policy objectives |
| --- | --- |
| Geographic location storage requirements | Tends to be imposed to ensure a public policy interest, typically either accessibility to national supervisors, such as the Gambling [17] or Tax Authorities [18] [19]. The policy objective can still be achieved through cooperation with foreign supervisors, except when the exclusive availability to certain bodies is required to achieve the policy objective. |
| National technical requirements | Tends to serve a public policy interest in terms of interoperability, availability and security [20]. The policy objective can only be achieved when a specific requirement is necessary and no appropriate equivalent requirements are commonly adopted in the market. |
| Accessibility to supervisors | Tends to serve a public policy interest by ensuring that compliance with national requirements can be verified (mainly found in relation to the Financial or Tax authorities) [21]. The policy objective can still be achieved through cooperation with foreign supervisors. |
| Generic technical requirements | Tends to serve a public policy interest in terms of interoperability, availability and security [22]. The policy objective can only be achieved if these requirements are known and realistically available to foreign service providers. |
| Prior authorisation schemes | Tends to serve the public interest by ensuring that compliance with national requirements can be verified (e.g. when storage service providers must be authorised by the government) [23]. The policy objective can still be achieved, for example through cooperation with foreign supervisors. |
| Mandatory use of a specific infrastructure | Tends to serve the public interest by ensuring that data is centralised with a single body, where access can be tightly secured and controlled, and where appropriate use (in accordance with national policy) can be verified [24]. The policy objective to maintain national control over healthcare and social security systems and services (and in the case of Luxembourg the business register) can only be achieved when there is no alternative to such centralisation. |
| Prohibitions against third party access / disclosure | Tends to serve both public and private interest by ensuring privacy, confidentiality and security of the data (health [25], privileged data [26], banking data [27]). The policy objective can only be achieved if the prohibitions are appropriately scoped, i.e. substantive access from third parties must be prevented at all costs. Data storage and processing facilities can be managed by a third party when their services include appropriate security assurances. |
| Segregation requirements | Separation should exist between different users of a system or service to prevent one malicious or compromised user from affecting the service or data of another [28]. This tends to serve both public and private interest by ensuring privacy, confidentiality and security of the data. The policy objective can only be achieved if these requirements are appropriately scoped with consideration for the necessary level of assurance required for different classifications of data and also the varying nature of information systems and services [29]. |
| Subcontracting restrictions | Tends to serve the public interest by ensuring that compliance with national requirements can be verified [30]. The policy objective can only be achieved if the restrictions, e.g. necessary prior approval or permission, are objective and non-discriminatory. |
| Destruction requirements | Tends to serve both public and private interest by ensuring privacy, confidentiality and security of the data [31]. The policy objective can only be achieved if these requirements are appropriately scoped. Data storage and processing facilities can be managed by a third party when their services include appropriate destruction assurances. |

[17] The requirement to maintain local systems and/or mirror systems within national borders (in relation to gambling systems), see for BG: Gambling Act, promulgated, State Gazette, No. 26/30.03.2012, lastly amended and supplemented, SG No. 1/3.01.2014, effective 1.01.2014, article 6(4), PL: Gaming Law of 19 November 2009, article 16d and RO: Government Decision no.111/2016 approving the Norms of application of 24 February 2016 on gambling, articles 127 and 136.

[18] Accounting data (for tax purposes), for DE: Procedural rules for accounting and records, § 146 AO and § 147 (federal legislation) and SE: Swedish Bookkeeping Act, Chapter 7, sections 2-4.

[19] Other restrictions that fall under this category relate to national (and regional) (classified) archive information, see PT: Decree-Law No16/93 of 23 January, as amended by Law No 14/94 of 11 May.

[20] Public register information, see HR: Law on the State Information Infrastructure, Official Gazette of Republic of Croatia no 92/2014 passed on 15 July, 2014 and Regulation on Organizational and Technical Standards for Connecting to the State Information Infrastructure, official Gazette of Republic of Croatia no 103/2015 and classified information, see SV: Classified information Act, articles 14 and 15.

[21] Financial data (access by Financial Authority), see AT: Federal Act on the Supervision of Securities, art. 25, 26, specified by Regulation Auslagerungsverordenung, BGBI. II Nr. 215/2007, latest amendment BGBI. II Nr. 272/2011, BE: Circular PPB 2004/5 on healthy management practices in outsourcing by credit institutions and investment companies issued by the Belgian Banking, Finance and Insurance Commission on 22 June 2004, IE: Central Bank UCITS Notice, October 2013, Annex II and NL: Circular Cloud Computing 2011/643815 issued by the Dutch Central Bank on 6 December 2011, PT: Regulation of the Bank of Portugal implementing Article 39(1) of Law No 25/2008 of 5 June and Article 5 Law No 25/2008 of 5 June, lastly amended by Law No 118/2015 of 31 August; Accounting data (access by Tax Authorities), see BE: Income Tax Code 1992 and subsequent amendments, Article 315, Notice from the Revenue Commissioners published in Iris Oifigiuil (Official Journal), 27 January 2012, drawn up in exercise of powers conferred on them by s. 887 of the Taxes Consolidation Act 1997 (substituted by s.232 of the Finance Act 2001).

[22] Health data, particularly patient records, see FI: Law on electronic processing of client data within social and health care, issued by the decision of the Finnish Parliament on 1 July 2007, § 10.

[23] Health data, see AT: Federal Act on Data Security Measures when using personal electronic Health Data or Health Telematics Act 2012, §6, 14 and 20. Civil register, see SV: Central Population Register Act, Articles 12, 19 and 23a; National archives, see SV: Zakon o varstvu dokumentarnega in archiveskega gradiva ter arhivih (Uradni list Rs, st. 30/2006); National security information, see RO: Government Decision no. 575/2002 approving the national standards for the protection of classified information.

[24] Examples were found predominantly in relation to health data and/or patient records, see AT: Health Telematics Act 2012, § 6, 14 and 20 and the Federal Act on Federal Computing Centre (BRZ), BGBI. Nr 757/1996, lastly amended BGBI. I Nr 71/2003 and ICT Consolidation Act, BGBI. I Nr 35/2012, CZ: Medical Services Act No. 372/2011 Sb, Ministerial Decree No. 98/2012 Sb. and Recommendation No. ZD03/94, FI: Law on electronic processing of client data within social and health care, 1 July 2007; ((e-)prescriptions), see: EL: Law No 3892/2010 (FEK 189 A’) Electronic Registration and Run prescriptions and referrals for medical examinations, § 6 1, 2, 5, NL: Guidelines on the handling of health records, issued by the KNMS in January 2010 and GZB-requirements for software from the Association of Care providers for Care communication. But also with regard to business registers, see LU: 19 December 2012 - Law concerning the register of businesses and companies, and accounting and annual accounts of companies, modifying certain other legal provisions, Art. 2 and Grand Ducal Regulation relating to the execution of the aforementioned law, Art. 1er, 2, 2bis, 10, 13, 14, 15, 23.

[25] See BG: Health Act (promulgated on 10 August 2004, last amendments in force as of 01 January 2016), Art. 27, 28, CZ: Medical Services Act, NL: Guidelines on the handling of medical records and GBZ-requirements for software providers.

This overview is of course only partial, covering only 20 Member States. It only relates to regulatory barriers; as has been recognised above, barriers can also result from business requirements (e.g. customer demand to store data locally), policy preferences (e.g. a desire to keep data within one’s own jurisdiction), operational needs (e.g. a requirement to be able to destroy data), or even personal preferences (e.g. favouring local companies) and personal concerns (e.g. concern that foreign entities may seize data). These would of course not be revealed by examining only regulatory barriers. Therefore, in the sections below we will assess information from additional sources in order to strengthen the understanding of barriers to the free flow of data in the EU.

3. Complementing the analytical framework with examples

3.1 Introduction

Complementing the collection of data on regulatory compliance obligations, and while developing an expanding analytical framework, the Study team sought views of businesses [32] and other organisations about their use and perceptions of cloud services and data location restrictions. This study of businesses complemented stakeholder interviews described in section 3.3. This phase is only partially completed: fifteen (10) interviews have been conducted so far, and a further five (5) are being carried out in the coming weeks.

[26] See BG: Bar Act of 25 June 2004 (lastly amended on 7 December 2012), CZ: Act No. 141/1961 Sb. (Code of Criminal Procedure) § 85b, subsequently Act. No. 85/1996 Sb. (Advocacy Act), Decision No. Nt 615/2014 (Municipal Court in Prague, 9. 7. 2014) and Opinion of the Supreme Court No. Tpjn 306/2014, publ. as 35/2015 Sb. tr. Rozh.

[27] See CZ: Act No. 21/1992 Sb. (Banking Act), § 37 para 2, 38.

[28] https://www.gov.uk/government/publications/cloud-service-security-principles/cloud-service-security-principles

[29] https://www.gov.uk/government/publications/implementing-the-cloud-security-principles/implementing-the-cloud-security-principles#principle-3-separation-between-consumers

[30] Financial data, see AT: Federal Act on the Supervision of Securities, specified by regulation BGBI. II Nr. 215/2007 and LU: Circular CSSF 12/552 on central administration, internal governance and risk management, as amended, issued by the Luxembourg Supervisory Commission of the Financial Sector and NL: Cloud computing 2011/643815 from the Dutch national bank of 6 December 2011.

[31] Basic identity registers, see BE: Law of 8 August 1983 regulating a National Register of natural persons, Art 4ter, 5, 8§1 and § 2 and Art. 14, and DK: Civil Register Act, Chapter 14 §55; and the retention requirement of the company registers in LU: Grand Ducal Regulation of 23 January 2003 relating to the execution of the law of 19 December 2002 concerning the register of businesses and companies, and concerning accounting and annual accounts of companies.

[32] In the selected twenty (20) EU MS for the study. The survey was completed online survey

3.2 The Online Survey

Our desk research was complemented by an online stakeholder survey examining cross border data flow in the digital single market. The survey sought in particular the view of cloud users about data flow restrictions and the time and other costs of complying with regulations and obligations.

3.2.1 Survey methodology

The online survey questions were developed by the Core Team and focused on the perceived barriers (such as data protection, information security, enforcement etc.) and the direct practical implications of those barriers (e.g. cost, lower uptake, security issues, lack of trust etc.). Coverage of both compliance obligations, and requirements not related to a compliance obligation were investigated. The study provided some real-world insights to the perceptions of stakeholders about regulations and their impact.

The figure below describes how respondents were sought to complete the questionnaire. There were two ‘entry’ or ‘initiation’ methods. Firstly, the large red arrow on the left describes direct emails to potential respondents. More than 360 e-mails were sent to potential respondents. The emails provided a short overview of the project describing why respondents’ help was required. The e-mail was supported by a signed recommendation letter from the Commission.


Figure 22 – Manner in which respondents were sought to complete the questionnaire

3.2.2 Analysis of survey outcomes

Completed online questionnaires from 41 organisations were received by the closing date for the online survey (13th July 2016). This represented an eleven per cent response rate (from the 367 emails distributed). This is above average for a ‘cold calling’ online survey [33]. Obviously a sample size of only 40 self-selecting respondents should be treated with caution and extrapolations or conjecture about proportions of businesses with different characteristics must be avoided. A sample size of 2,000 is required to provide a confidence level of plus or minus two per cent. This review will therefore simply focus on the characteristics of respondents and the different responses from those that had differing concerns about cross border data flow requirements.

90 per cent of respondents to this questionnaire described themselves as either an ‘expert’ or stated that they ‘knew a lot’ about their organisation’s use of cloud computing. Responses were received from 15 countries including 13 EU Member States. Respondents came from a range of organisation sizes with the largest organisation employing around 400,000 employees compared to the smallest with just one employee. The majority were SMEs (with less than 200 employees), however six respondents had more than 1,000 employees. These six were all from IT or technology related organisations, whereas the rest of the respondents were from varied industrial and sectoral organisations, such as creative industries, research and technology related companies, as well as some government sector representatives.

[33] Nulty D. 2008. The adequacy of response rates to online and paper surveys. Assessment and Evaluation in Higher Education, 33, 3, 301-314.


Figure 23 – Location of online questionnaire respondents

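| Country | Respondents |
| --- | --- |
| Austria | 1 |
| Belgium | 3 |
| Croatia | 1 |
| Denmark | 1 |
| Finland | 3 |
| Germany | 1 |
| Italy | 1 |
| Netherlands | 1 |
| Poland | 2 |
| Portugal | 2 |
| Romania | 1 |
| Spain | 3 |
| Sweden | 1 |
| Switzerland | 1 |
| United Kingdom | 18 |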

Over three quarters of respondents reported that their organisation utilises cloud computing and the same amount reported that cloud computing was either ‘important’ or ‘very important’ in helping with their efficiency. Three quarters of respondents also considered the price of the cloud service to be an ‘important’ or ‘very important’ factor in the selection of a service provider. 25 respondents thought that the location of cloud servers was either ‘important’ or ‘very important’, with only six reporting server location was ‘unimportant’ or ‘very unimportant’. The relative unimportance to these six respondents was probably because they were SMEs were not using cloud computing. Four of the businesses were not IT or technological firms, therefore cloud computing was not regarded as a necessity.

Regulations

Just under half of respondents were aware of regulations, or knew that their organisation has encountered regulations or other requirements that hinder their organisations in cross-border flow of data within the EU. [34] The main regulations known by the remaining respondents related to concerns about regulations regarding the use of personal data and data security. Six respondents reported personal data regulations, and four of these respondents from private sector organisations of different sizes and different locations across Europe all reported that their company has encountered the requirement for this regulation ‘frequently’. 15 out of 19 respondents who are aware of restrictions believed that regulations are ‘justified’ or ‘very justified’ in order to maintain privacy and security.

[34] This is in reference to a question in the questionnaire that asks: in your country do you know of, or has your organisation encountered, any regulations or other requirements that hinder public or private organisations in the free flow of data across borders?


Respondents generally felt that knowledge and awareness of data regulations was more closely related to the size of a business or organisation than other factors, such as industry sector. Eleven respondents suggested that larger businesses were more aware; this was mainly due to their larger data holdings and the employment of dedicated roles, such as Data Protection Officers. In smaller businesses data was rarely overseen by a single employee and those involved were frequently not a data regulation or data management specialist.

One of the questions in the survey concerned the importance of the location of cloud servers to the respondents. 25 respondents stated that the location of servers was ‘Important’ or ‘Very Important’. These respondents were mainly IT Experts or from technical fields (Software Developer, etc.). Conversely six respondents thought the location for the cloud server was ‘Unimportant’ or ‘Very Unimportant’. Amongst this latter group of six respondents two companies stated their company does not use cloud computing. All the companies were small.

Another question asked whether they were aware of any regulations in their country for cross-border data. The 25 respondents that regarded server location as important were more aware of regulations concerning data regulations. Regulations frequently mentioned included personal data regulations, security and safety as well as specific regulations within their country. For example Spain has a Data Protection Law. The majority of this group thought regulations were sensible and justified. The six respondents that thought the location of cloud servers was unimportant were generally unaware of regulations concerning data. The one respondent that was aware of regulations thought they were justified. Overall the majority of respondents reported that their organisations were complying with regulations.
More generally it became evident that larger organisations are more aware of cloud regulations than smaller organisations.

Estimating compliance costs in EU28 Member States

Research undertaken by IDC for the European Commission [35] estimated that in 2013 61.5 per cent of all businesses have at least one cloud based solution in their IT mix. This equates to more than 83 million EU28 businesses [36]. For some that might simply be their e-mail system or the use of a unified communications solution, for others it may be something more sophisticated such as a CRM solution, their accounting software or access to external computing power and storage upon which to run their own applications or store their data. By the end of 2015 IDC expected the number of businesses using cloud to reach almost 70 per cent of all business (over 93 million).

IDC highlighted that the Telecommunication/Media and Financial Services sectors were leading the use of cloud, both had close to 70 per cent usage levels by businesses in 2013 and reaching above 75 per cent by the end of 2015. By contrast the Public Sector was lagging slightly with only just over half of all Public Sector bodies using Cloud in 2013; this was expected to increase to just under 60 per cent in 2015.

It further noted that on average it took about 2.5 person days (20 hours) for small businesses to consider and/or comply with regulations. For the 93.8 million cloud using businesses in 2015 this would represent a total ‘cost’ of 234 million days. In 2015 Eurostat reported that average daily labour costs (for an 8-hour day) were €200 [37]. The monetary cost of 234 million days would therefore equate to €46.8 billion per annum. Clearly there will be many businesses that simply are not aware of regulations or believe they do not apply to their business. But even if the above calculation is incorrect by a magnitude of 100 compliance would still be costing EU28 Member State businesses €468 million per annum. It must be acknowledged that businesses have many administrative compliance obligations (e.g. VAT, social contributions, company taxes etc.). Nonetheless, if regulations were eliminated or more easily communicated and understood the time spent by business on compliance could be considerably reduced.

[35] IDC. 2014. Uptake of Cloud in Europe.

[36] Eurostat bd_9ac_l_form_r2.

Tips and recommendations from respondents

Participants were asked for recommendations to overcome any problems they had experienced or they could foresee in Europe. Solutions and/or tips were suggested by just over a quarter of respondents from private sector organisations of different sizes in different industry sectors and different locations across Europe. These included better harmonisation of data regulations throughout EU28 Member States so that businesses, particularly those operating in more than one country, would have a common set of regulations to comply with, rather than having to search through data regulations in each Member State in which they operate. Encryption of data, use of cloud servers in less regulated environments and virtualisation of servers were seen as potential solutions to problems concerning cloud storage location. Encryption was thought to be useful in more securely holding personal data. Virtualisation of servers was thought to be a solution when scaling IT infrastructure.
Throughout the study, our study team was often told by stakeholders and online respondents that regulations about data flow are at best unclear, and on occasions contradictory. One respondent believes that not many organisations in their country have thought through regulatory issues; this was thought to be particularly true for smaller organisations. Definitive sources of information, providing centralised, succinct and easy to comprehend information about cross border data flow regulations are rarely available and many are confused by what they can and cannot do with data. One large cloud service provider interviewed for the study stated that they were appointing regulatory experts in each country so that they could better understand their obligations. They were also considering providing ‘how to’ guides for their users. These types of user guides could provide greater clarity in EU Member States for organisations about regulations related to data holdings and transferring data across borders.

3.3 Interviews

In addition to the survey, the study team conducted a series of 20 interviews with relevant stakeholders across Europe, to collect further relevant data on data location restrictions and their practical application, thus improving the robustness of collected data. This section provides a description of the methodological approach that we followed for carrying out in-depth interviews with stakeholders, and an overview of the results.

[37] Eurostat Hourly labour cost briefing http://ec.europa.eu/eurostat/statistics-explained/index.php/Hourly_labour_costs


3.3.2 Interview methodology

The focus of the interview phase was to gain a better understanding of the local situation and practical operation of data location restrictions and/or barriers within the European Union. Following the collection of data on compliance obligation during the desk research and our results from the online questionnaires, these in-depth interviews represented a further step in the direction of collecting and analysing legal and non-legal barriers in Member States practices that hinder the free flow of data. On the basis of the survey responses and together with the results of our desk research, we were able to identify key issues for further detailed analysis. On the basis hereof, we selected a number of stakeholders, within the relevant sectors and in a selection of countries, to be interviewed in order to gain further information and insights on these barriers.

Our methodology consists of the following steps:

1) Selecting interviewees
2) Drafting interview questions
3) Contacting stakeholders and organising interviews
4) Holding interviews and reporting

Each step will be described below.

Selecting interviewees

The Study Team has made a selection of interviewees taking into account the following two criteria:

- key issues raised during desk research and in the online surveys, which relate to key sectors where a concentration of barriers was identified during the desk research and surveys (e.g. financial, health, industry and public sectors), which are described in detail under section 2;
- a balanced spread of countries, where the identified key issues and key sectors are represented.

The Study team thus identified stakeholders in the financial and health sectors as well as representatives from industry (with a focus on the telecommunications sector, users and cloud service providers, and both SMEs and large companies) and the public sector. Subsequently, the study contacted stakeholders in the health sector, the financial sector, the industry sector and the public sector. Not all names or full details of the interviewees could be provided due to anonymisation requests.


Drafting interview questions The desk research questionnaire and analytical framework developed in Tasks 1 and 2 respectively were used as the basis for developing the interview questions. We developed a standard interview questionnaire, which was used as a starting point and which we adopted to each specific interviewee. Such flexibility was important as the situation and background varied considerably between the interviewees. Adapting the questions to the specific answers provided by the stakeholders in the survey, the Study team was able to ask the “right” questions to maximise their input for a more comprehensive picture of the operation of barriers in their Member State. Contacting stakeholders and organising interviews In concurrence with the design of the interview questions, selected stakeholders were contacted by email in order to arrange the interviews. Emails were followed up by phone calls to confirm receipt of the email and to try and arrange interviews in a timely manner. Holding interviews and reporting The interviews were structured to be conducted either through conference calls or video calls (using Skype) with the interviewees. Each interview lasted between thirty to forty-five minutes and it followed a similar outline, namely: a brief introduction to the study by the interviewer, a tour de table of the parties, discussion of specific questions and answers, a description of the next steps of the study and explanation of how and when the interview reports would be used and any anonymisation requirements. During the interview interviewees’ views and experiences were discussed in detail, with regard to data location restrictions impacting them and/or their organisations and / or their sector to gain a better understanding of the local situation and practical operation of data location restrictions and /or barriers. 
Following the interview, an interview report was written up and sent to the interviewees for feedback and validation, after which the reports were revised and finalised. The validated interview reports were sent to the EC as an attachment to the First Interim Progress Report and any remaining reports were thereafter sent by email. These can be found in Section 6 (Annex III). Please note that not all interview reports can be made available due to anonymisation requirements of certain organisations.

3.3.3 Preliminary interview results and analysis

The study team has carried out twenty interviews, across the main relevant sectors, where the interviewees have a presence in a specific Member State or across the EU or even globally. A majority of interviews (11) were held with stakeholders from industry, more specifically with companies operating in cloud computing services and/or the telecommunications sector and associations representing those companies either at national, EU level or globally. Two of these were SMEs and three were Industry Associations that represent (amongst others) SMEs. Three interviews were conducted in the financial sector and two with organisations that are active in the health sector. Four interviews were held with a public sector authority. Below we provide a summary of the interviews, divided per sector.

Industry

It appeared from our interview with European Business Association Business Europe that their members are generally keen to acquire more knowledge on the existing national legal/regulatory data location restrictions. Additionally, there seems to be an appetite for a reduction in unjustified data location restrictions across EU Member States; a lot of businesses find that the current patchwork of legal requirements with regard to data location and cloud makes it difficult to provide and/or develop cross border services within the EU.


Cloud service providers such as interviewee Amazon are frequently confronted with data location requests from major customers, who require that data remain in their local jurisdictions. Amazon decided to diversify their data centre locations, since it allows them to meet these concerns in a scalable way. Usually the drivers are compliance related, mainly over data protection concerns. Further, Amazon stressed that regulators and customers should understand that they provide IaaS services, which differ from many other types of cloud services in that the provider does not know what data is involved in its activities. Amazon thus does not know, and is not required to know, if and what kind of (personal) data are on their services. Consequently, it cannot assume responsibility for compliance with legal requirements. Thus, customers have to make the right choices to match their legal requirements, and to ensure appropriate security. It is important for Amazon to “remain agnostic on this point. Otherwise it would be a risk for privacy and security reasons. We cannot see the customers’ data, and do not want to do that, or assume legal liabilities on this point.” It is interesting to note that Amazon occasionally engages with regulators in order to provide assurances to their customers that they can use its services in a compliant way. This was also the case with the Dutch regulator (the Dutch Central Bank), which has publicly listed Amazon as one of the service providers (currently 14 in total) that agreed to the inclusion of the right to examine in their contracts with regulated financial institutions, in accordance with Dutch legal requirements.

The EU's largest IaaS company, OVH, stated in the interview that they are mainly confronted with the legal requirement that data must stay within the EU in order to facilitate legal compliance.
Operationally for OVH “this requirement does not make any difference, since all of our data centres apply the same security practices”. This means that they are ISO compliant and certified, and apply the same procedures to ensure security. OVH added that these requests usually come from the public sector and from industries with sensitive data, such as banks. OVH has no knowledge of the type of data these requests concern. With regard to the location of their data centres, OVH is principally an EU-based organisation; its compliance with EU laws and principles is an important argument for many of its customers. OVH added that the international market is dominated by a few large international players, and the stronger EU level requirements allow EU service providers to survive more easily in the market: “It is not so clear that an EU service offering by EU providers would exist if there were no data location requirements or expectations”. Within the EU, OVH operates data centres in a few EU countries, including France and Germany, which are countries “where there is a lot of demand for data to stay locally”.

Digital Europe, an association representing the digital technology industry in Europe, considers “the removal of regulatory and non-regulatory barriers as crucial to ensure that European digital technology businesses can work across the EU and compete globally.” The main data location requirements that their members encounter within the EU “are related to audits and controls, and interactions with regulators and supervisors.” They find that the definition of national level requirements, such as the requirement to meet local standards or to obtain local permissions, or to interact with national regulators, can be difficult. Many times businesses cannot identify the exact requirements, and there is simply a lack of knowledge, which in turn causes businesses to be more careful.
Digital Europe also argued that some local requirements could be harmonised or implemented at the EU level, for example by aligning standards or cooperating between regulators. This could be organised through sector specific consultations and reviews of legislation. “The public sector could also play a role there: there seems to be more of a tendency to keep public sector data in local/national clouds. That does not provide a good example to the market.”



Global cloud company Exact Online uses data centres in seven locations, and offers a private cloud deployment model to allow customers to run the services locally. They informed us that they locate EU customer data in two British Rackspace data centres close to London, while part of the data for the Netherlands and Belgium is stored at Microsoft Azure with data centres in Ireland and the Netherlands. They chose those countries principally “in order to satisfy demand for high security and audit controls”. Exact’s choice of an EU location “was also driven by legal requirements”, where “Data protection and information security are key objectives”. It should be added however that Exact provides “assurances to our customers on security and availability, not on legal compliance. We don’t guarantee compliance with national accounting rules, or data protection. We work globally, so that would not be manageable.” If customers request local storage, then these requests are met by private cloud services. It seems that there is no need to interact with national supervisory authorities, or at least this does not happen systematically, because in practice: “we make sure that our customers can access their data in the cloud, and they can provide it to the authorities. Any other system would mean we need to communicate directly with regulators, and that would be very difficult from a confidentiality perspective. We cannot judge which requests are legitimate; that should be the customer’s decision”.

A telecommunication company that requested anonymisation pointed out that the complex and fragmented legislative landscape on storing and processing of data is one of the main obstacles for many telecommunication companies that want to expand across borders.
Another of our interviewees, an SME delivering research and consultancy services to both the public and private sector38, proffered that the level of importance of the location of data servers of their cloud provider(s) depends on the type of client. When working on German government projects, data cannot leave Germany, meaning that a local server should be used. However, even if these are stored on a local data centre in Germany, we do not know for sure where this data actually is, and if it is safer. The same interviewee pointed out that data location restrictions, e.g. with regard to health data, can have a detrimental effect on infrastructures of IT businesses, which rely on the outsourcing of certain data processing activities. Data centres are opening in countries where energy prices are lower, such as Northern countries (e.g. Finland). In this case the German provider would just be a virtual service, while processing on machines is done in Finland. With regard to security of the data, the interviewee suggested that it would be useful to have two data centres in place to ensure proper back-up; however, currently backup is not organised that way in practice, meaning that security may be high but the availability of the data is not ensured. When asked about the cost of compliance with data location restrictions, our interviewee pointed out that one needs to look at the benefits too: there may be costs related to data security, but restrictions may also make some companies money.39

From our interview with a French small (not for profit) industry association, representing IT companies in France, it appeared that their members’ experience with the free flow of data is ambiguous: “There are global leading companies amongst our members who would always advocate the free flow of data. At the same time, some of our members’ businesses depend on the local market and it would be in their favour to have national / regional data location restrictions in place. Such restrictions would increase their business.”

38 Institute for Infrastructure Economics & Management (IEM).

39 Their own cost relates to the more expensive services to be used when working for the German government. This might be 10 times more expensive than using a non-local provider.



The Computer & Communications Industry Association (hereinafter also referred to as “CCIA”) argued that there is an evident lack of clarity with regard to the national legal framework within the EU. For example, the results from a contracted research study in six EU Member States40 showed various legal restrictions with regard to bookkeeping/accounting, tax and other financial data. Data location restrictions with regard to accounting data have a profound impact as every company (big or small) has accounting obligations. CCIA noted, however, that good practices are shown in France and Denmark, which have changed their laws so that accounting data can be stored in the cloud as long as tax authorities can gain access to these data digitally.

Another concern mentioned by CCIA is a push towards data having to be stored within the bigger countries, which have a protectionist environment with regard to data location, which means that smaller countries are losing out. “… investments are being made in data centres in bigger countries (e.g. Germany), even if these are not the best countries to invest in in terms of environment (green energy) or cost, which can be seen as a misallocation of investments.” Hence, in Europe we are not reaping the benefits of the single market and are all paying a premium for storing our data. The biggest losers are suppliers of the data centres (e.g. IBM, Microsoft), as they cannot establish data centres in the location that is the most economical or greenest etc. Regarding ICT users, CCIA stated that the more dependent a company is on data location storage, the higher the premium it pays for it. This situation will continue to expand as we continue to use (more) cloud services.
According to CCIA only a very small number of players can potentially benefit from the currently fragmented market: local telecoms or postal services providers, which pick up contracts driven by local data location and “which are many times more expensive than when we would have a free market”. The ideal solution suggested by CCIA would be to put in place an EC Regulation, clarifying the rules and opening up data location within the EU. In addition, a strong notification process should be in place where any national rules have to be approved by the EC.

A software and services company that requested anonymisation stated that the location of data is not an issue which particularly affects their business, because hosting data is not their core activity. Our interviewee suggested that in 80% of cases, their customers’ data is located in the customers’ infrastructures, while in the other 20% they use a local data centre in Belgium, where the company is based. The reason for choosing that location was: “not because we are legally required to keep the data locally, at least not as far as we are aware, but because a local data centre facilitates interaction with the operators. We have direct contacts with them and know them personally”. Our interviewee mentioned that recently customers had insisted on using local data centres. Our interviewee noted that the reason for those requests could concern “independence and protection against incidents. They want the data to stay under their exclusive control, and not worry about anyone else being able to get access to it. The other aspect is legacy and habits: they had appropriate solutions in place, and didn’t want to change them”.

40 ECIPE Policy brief No. 03/2016: ‘Unleashing Internal Dataflows in the EU: An Economic Assessment of Data Localisation Measures in the EU Member States’ by Matthias Bauer, Martina F. Ferracane, Hosuk Lee-Makiyama, Erik van den Marel.


A representative of E+Europe argued that it is evident that local differences (e.g. national data location restrictions) cause market failures with a negative effect on the Digital Single Market. Our interviewee reported examples of existing (direct and indirect) data location restrictions across the EU which were found through the aforementioned ECIPE study on unleashing internal dataflows in the EU. For example, Luxembourg financial rules do not forbid people from storing the data outside their country; however, they make it difficult and cumbersome as storage outside Luxembourg is only permitted under strict conditions41. Germany is another example where companies may prefer or feel obliged to keep the data within the country. Indirect data location restrictions tend to originate from customers (e.g. customers’ reticence). Additionally, E+Europe mentioned that the number of national restrictions within and outside the EU (e.g. Russia) has increased. However, there are good examples such as the USA, where such restrictions are rare. A solution suggested by E+Europe would be to abolish any restrictions with the exception of restrictions based on national security objectives, allowing storing and moving data freely within the EU. “I think at this point, we would need an EU regulation which says that MS have to justify any data location restrictions. They would thus have to explain the public policy objective that justifies the restriction”.

41 See Circular CSSF 12/552 on central administration, internal governance and risk management, as reported in this report under section 2.3.2, figure 5, see also section 6, Annex II.

Financial sector

The Study team interviewed stakeholders from the financial sector, representing organisations active at the European, global and national level. This group of stakeholders can be divided into two categories: a) commercial businesses operating in the financial sector that experience barriers in the free flow of data (i.e. a national bank with a global presence and a European banking federation); b) a national financial regulator who makes decisions on the flow of data at national level. Hence, we were provided with differing perspectives on free flow of data restrictions in the EU.

With regard to the first subgroup of interviewees, interview reports show that financial organisations experience various barriers with regard to the use of cloud services, which generally falls under outsourcing. For example, our interviewee at a Spanish financial institution mentioned that national financial regulations limit the free flow of data across the EU, which is amplified by the fact that these rules differ from one EU Member State to another. In Spain, banks (but not other financial organisations such as Fintechs) have to notify the national Financial Supervisory Authority each time they want to outsource a service (including a cloud service). In practice, this authorisation process can significantly increase time to market. Thus “bringing agility to this procedure and having harmonisation across EU member States is fundamental for banks to be competitive in the Digital Single Market.” In Spain, other non-legal barriers identified are related to a lack of a digital cloud culture or a lack of a data-driven culture, which can translate into uncertainty in using new technologies such as cloud computing services. Our interviewee in Spain declared “at the moment we use cloud computing for non-core business activities such as Google apps and collaborative tools for employees; however, the bank would like to develop the use of cloud computing also to the core business (e.g. financial data, client data) in the near future”.

Interviewees also stated that their organisations are working on developing the use of cloud computing to store and transfer data (e.g. financial data, client data) and strategies to make the outsourcing process more agile and less burdensome to be competitive in the Digital Single Market. Banks also increasingly make use of data analytics to develop products for their clients and find themselves restricted by data location requirements. Additionally, differences between requirements and rules on data transfer and cloud computing between the US and EU were highlighted, as well as the direct impact that the more lenient requirements in the US have on the competitiveness of EU banks (e.g. when they want to transfer data outside the EU).

The manner in which national financial regulators exercise their supervisory power can possibly have an impact on the development of use of cloud services. If a national regulator is mainly concerned with prudential supervision (as opposed to rule-based supervision), the focus is on monitoring the solvency position, liquidity and operational risks, which suggests that there is more room for national financial institutions to chart their own course to those results. In the same vein, a national regulator that follows the principle of prudential supervision is merely concerned with ensuring that a proper risk analysis is being performed by financial institutes and that the ‘right to audit’ is being guaranteed in outsourcing contracts. The national regulator that we interviewed mentioned that they get a lot of questions with regard to the requirement to submit a risk analysis when outsourcing in the cloud as this is perceived as a difficult requirement. To mitigate this, the regulator has created a model risk analysis, based on ENISA standards.
The same regulator noted that most cloud service providers do not translate legal and regulatory requirements concerning the right to examine in their contracts (i.e. standard contracts of big service providers may include restrictions as to visiting rights of supervisory authorities).

Health sector

With regard to the health sector, the Study team has interviewed two stakeholders, namely a Portuguese biomedical research centre, and a European committee operating in eHealth. They were chosen in order to represent various views as they differ in terms of size (small vs big) and area of activity (European vs national). These stakeholders reported legal and operational requirements regarding the location of data in this sector at both national (PT) and EU level. As mentioned under section 2, the common thread with regard to health sector data flow restrictions is that these are intended to safeguard the security and confidentiality of the data. More specifically, the Biomedical Law Centre mentioned that they encounter restrictions to the free flow of medical research data from Portugal to third countries, which mainly apply to personal (health) data. It also referred to an issue relating to genetic data which can only be accessed/processed by physicians with specific professional training (e.g. professors in genetics). Other physicians or health professionals can only access genetic data if the patient has given his/her prior consent.42 The law provides that the health unit or hospital is itself responsible for keeping the genetic data secure.

Cocir submitted that most health care providers wish to retain complete control over the health records, so that data cannot be accessed by third parties without their knowledge and the patients’ consent. The main issue is not just the legal obligation to keep data in a certain location, but rather to ensure that it is confidential and secure. The establishment of secure systems across borders is very difficult. Cocir furthermore explained that they are unsure if auditing rules are being commonly negotiated and exercised; this might exceed the technical capabilities of the users, and also their resources. “This is also why specialised health care cloud service providers should be preferred: not only do they know the context and the requirements, but also they will be known to local regulators and professional bodies, who can work with them to ensure that the systems are secure and useful. If that does not exist and systems can be chosen completely freely, there is no assurance of security and compliance with local requirements. That would be the biggest problem for a cross border system.”

42 Lei 12/2005, Informação genética pessoal e informação de saúde provides, amongst other things, that files with genetic data regarding healthy individuals may not be accessed by, transferred to or analysed by doctors or any other health care professional(s) (Article 6 (5)) and that genetic databases which allow for an identification of ‘family members’ must be supervised by a doctor with specialisation in genetics or, in case such person is not available, by another doctor (Article 7(3)).

Public sector

Our interview with the Ministry of Public Administration, e-Croatia Directorate, confirmed that public registries have to be stored in data centres that are located in Croatia43. Our interviewee, who was actively involved in the drafting process of that law, confirmed that this restriction was a specific requirement of the members of Parliament, for security and confidentiality reasons: the Croatian state deals with important data that defines the rights and obligations of citizens, which need to be secured. It was noted that without that data the State would have difficulty functioning. This interview further gave the study team some insight on how the Croatian government approaches the use and development of cloud by the public sector. In line with the governmental eCroatia Strategy, the government is currently developing a Shared Service Centre that will provide IaaS, PaaS and SaaS services for public institutions. The aim is to have a state-owned and managed cloud (government cloud) for storage of certain types of data (such as data classified as being critical for the functioning of the State).
Hence, the state-owned cloud is being developed for several reasons: first, to ensure a high security and maintenance level for citizens’ registries; second, to ensure the reuse of software solutions by institutions and the same procedural behaviour for civil servants/users while providing/using the same processes/services; finally, to ensure a financial consolidation in ICT expenditures of public institutions.

43 In accordance with the State Information Infrastructure Act.

The Danish Business Authority has a lot of practical experience with the application of the Danish Bookkeeping Act. The old Act provided that accounting data had to be stored in Denmark; however, this has now been amended. “The amendment of the Bookkeeping Act establishes that financial records can be stored abroad in an electronic format, provided that the authorities have access to the data. Thus, this has become a functional requirement rather than a location requirement. There is no need for approval before sending electronic data outside Denmark, whilst under the former regime, such storage abroad was only permitted, subject to a separate dispensation from the Danish Business Authority.” Interviewees further gave the study team some insight on the Danish Business Authority’s thoughts on the benefits of getting rid of unjustified requirements: “it is good for businesses to have a choice; they should agree with service providers as they see fit and should be able to choose the service provider that delivers the best quality service for the best price. […] If you are required to have data localised in specific MSs, there is also a higher risk of hacking.”

Summarising remarks

As can be deduced from the above, our interviews have given the study team further insights in the identified restrictions, in terms of practical implications (what are the implications and how do stakeholders deal with them), drivers behind such restrictions and possible solutions. Additionally, data location restrictions identified by our study team during desk research were often confirmed, while an additional legal compliance obligation was identified in Portugal.44

Generally, it can be said that a majority of interviewees and/or their members experience a lack of clarity or knowledge of current data location rules across Europe. The fragmentation of the legal framework was often mentioned as the principal reason. In this respect, smaller companies seem to experience disadvantages the most, due to a lack of knowledge and resources to deal with data flow restrictions. Although some interviewees suggested that national data location restrictions may create business opportunities for some industry players focussing on national markets, it was generally proffered by interviewees from the industrial, health and financial sector that such fragmentation hinders the development of cross border services within the EU and hence of the digital single market.

A common thread with regard to the justification or drivers behind data flow restrictions seems to be that these are intended to safeguard the security of data, which applies slightly more strongly to the health and financial sector. Notably in the financial sector, auditing obligations / the right to examine remains an imperative feature for regulators. The manner in which national financial regulators exercise their supervisory power can possibly have an impact on the development of use of cloud services. For example, a national regulator that follows the principle of prudential supervision is merely concerned with ensuring that a proper risk analysis is being performed by financial institutes and that the ‘right to audit’ is being guaranteed in outsourcing contracts, while other regulators take a more proactive role. Such differences may thus create an un-level playing field between Member States.
The location of data centres seems to be driven by demand for high security and audit controls, mostly based on customer but also on legislative demands. Proffered solutions included harmonisation of certain requirements throughout the EU, for example by aligning standards or promoting cooperation between regulators. The public sector could provide good examples by starting to take their data out of private, local clouds. Others suggested the creation of an EC Regulation, clarifying the rules and opening up data location within the EU, in combination with a strong notification process where any national legal restrictions have to be approved by the EC.

44 See PT: Lei 12/2005, Informação genética pessoal e informação de saúde.



4. Quantitative estimate of barriers

4.1 Introduction

This chapter considers costs associated with barriers to cross-border data flow. The aim is to examine the additional costs to businesses and other organisations that might arise as a result of restrictions to cross-border data flow. It became evident at an early stage in the study that to identify costs associated with barriers to cross-border data flow it was first necessary to examine how data is digitally transferred across borders. Only by considering data transfer methods could the additional costs associated with restrictions to cross-border data flow be identified. It is assumed that these additional costs (for cross-border data flow) will be borne by those using/subscribing to the digital transfer methods. This chapter therefore starts with a consideration of data transfer methods, before examining additional costs for data transfer arising from restrictions to cross-border data flow.

4.2 Cross-border data transfer methods

The introduction highlighted that the study started by examining how data is digitally transferred across borders. The four key methods can be divided into two groups:

Point to multipoint transfer

Cloud: Cloud storage services are remote servers that store data online. They can be accessed from anywhere. Data holders45 generally require an account to use cloud services. Holders can share links to data with anyone; users can then download the data from the cloud storage account. Access to the data stored in the cloud can be a) restricted to specific people or organisations, b) given to anyone with the link or c) made public, so that anyone can access the data;

File sharing service46: These services are similar to cloud. They are designed more for sharing files, as opposed to storing them. Data holders upload the data and then send the link to the users with whom they want to share the data. Generally accounts are not required and data can be shared with multiple people;

Point to point transfer

Device to device: BitTorrent is an example of a device to device transfer method for transferring large files across the internet. It differs from cloud storage because the user accessing data downloads it directly from the data holder’s computer(s). Data is not uploaded by the data holder to a server. BitTorrent provides much faster transfer speeds for the user than cloud storage;

Send or zip and send: Data holders send data to a user(s) directly or after compressing the data file, for example by email.

45 A ‘data holder’ is defined as the person or organisation that is sending data files (or packets of data) across a border to someone; in this example the receiver is called a ‘user’. In the conceptualisation the user is assumed to be in a different country to the data holder, hence the data is transferred across a border.

46 Some commentators list FTP separately. However, it has all the characteristics of a file sharing service - FTP: data users have access to an FTP (file transfer protocol) server. Data holders upload data and users can then download it through an FTP client on their computer.

The study carefully examined the characteristics of the four transfer methods. It quickly became evident that point-to-point methods (sending data and device to device) are not commercially viable (nor ‘enforceable’) and therefore it was agreed that it was not sensible to include them for detailed investigation in the study.

File sharing services enable data sharing at a commercial scale (one holder to several users). However, data volumes that can be transferred are relatively small. It is also notable that for many file-sharing services costs associated with data transfer can be zero. Both the holder and user will need compatible software, but this can often be obtained for free. Examining detailed costs for these three services is therefore unnecessary since transfer can take place at no extra cost (as a result of restrictions to cross-border data flow) to the holder or the user[47].

Cloud is the only commercially viable transfer method in terms of volume data transfers and access by many users. It is also notable that this is a method that requires remote storage (potentially in a third country - across a border from the holder and/or the user(s)). It is also the only method that generally requires a data sharing account and thus incurs costs for the data holder. This study therefore focused on cloud as the primary method of interest for cross-border data transfers.

4.3 Costs of cloud data transfer

At the beginning of the study it was thought that it would be relatively easy to examine additional costs for data transfer arising from cross-border data flow restrictions. It was assumed that one would look at the cost of storage (of a fixed size of data – for example 1TB) from a provider to store data anywhere and then compare this with the cost to store data in a particular location or Member State. With hindsight it is evident this assumption was flawed and rather naïve, for two main reasons.

Most large cloud providers have adopted pricing schedules that stipulate a single price in US dollars for cloud data storage wherever in the EU the user is located. In essence these are flat rate pan-EU pricing policies.

As the next section demonstrates, most of the large cloud providers only have cloud data centres in a small number of EU Member States. They did not offer a service that enabled users to choose where their data would be stored.

[47] Obviously hardware, software and ISP service costs are incurred but these are not solely related to data transfer.

Discussions with cloud providers also revealed that the price/subscription charged to users is independent of the cost of provision. Obviously over a long time period cloud service providers will need to obtain a return on their investment. But in the short term other considerations, such as maximising market share, can take precedence. A strategy maximising market share at the start of technology service deployment is relatively common. In the early 2000s Internet Service Providers initiated intense price competition, with some even offering free connections, to maximise market share. Consolidation then took place in the market and price levels rose to more realistic levels that ‘covered costs’.

At an early stage in the study it became evident that looking at the costs of cloud services to users could produce spurious results. In order to overcome this problem it was decided not to focus on service users’ costs when examining the additional costs to data transfer arising from cross-border data flow restrictions.[48] Instead the study examined the additional costs for cloud service providers. The logic is that these costs could be absorbed by cloud service providers in the short term and not passed on to cloud service users in the form of usage or subscription costs. But in the long term, in a competitive market, cloud service providers would have to pass these costs on to consumers or they would go broke.

The study therefore embarked on an exercise, unforeseen at the start of the project, to examine the cost of building and operating cloud data centres in EU Member States. The underlying premise for this approach was that a rational economic cloud service provider in a competitive market would locate cloud data centres in the most economically advantageous location that met user needs. It must be pointed out that the relationship between ‘economically advantageous’ and ‘user needs’ does not mean that cloud data centres would be located in the cheapest locations; other factors also needed to be considered. From the cloud supplier’s viewpoint an example of these further considerations is the need for stable access to sufficient numbers of workers during the construction and operational phases of cloud centre development. User needs will also determine the location of cloud data centres.
For example one cloud service provider felt that it had to locate a data centre close to a major financial centre because their financial clients required low latency. Data centres could be built in cheaper locations in other Member States, but they would not be able to provide their financial users with low latency due to the additional time it would take a packet of data to get from the other Member State. This final example highlights that even when examining cloud data centre construction costs (supply side issues for providers) the economic rationale for location decisions will not always prevail. The quality or speed of service that users require (demand side issues for providers) are also important considerations.

[48] At the start of the study it was not evident where local data restrictions existed. Nor was the extent of geographical coverage of cloud data services known. As a result local scenarios were not investigated. In addition, resources for economic analysis were restricted and sufficient coverage of representative locations would not have been possible. This would be a valuable area for further analysis.

By examining where cloud data centres have been located it is possible to examine if locations might have been influenced by restrictions to cross-border data flow. Also, by modelling cloud data centre costs in all EU Member States it is possible to examine the additional costs (above the average data centre cost or the most economically advantageous location) that might arise as a result of restrictions to cross-border data flow causing a data centre to be built in a particular location or Member State. An important starting point was to examine where existing cloud data centres are located. This provided an insight to average costs that have been incurred in the Member States chosen so far as locations for cloud data centres. This information provides an important benchmark when considering other Member States that might require a data centre to be built in their country if restrictions on cross-border data flow are sufficiently onerous.

The issue of data centre location becomes more complex if competition in cloud service markets is required. Market competition arises through having two or more providers. In the case of cloud data services this could mean that, in Member States with onerous restrictions on cross-border data flow, two or more cloud data service centres would be desirable to offer competitive services to users. Since considerable economies of scale arise through building large data centres this could lead to over provision of data storage space, if competition is required, in Member States with onerous restrictions on cross-border data flow. However, it is probable that this excess space would be utilised by the cloud provider(s) to serve cloud users in other Member States, unencumbered by restrictions on cross-border data flow. Whilst this issue might have some relevance, if competition is desirable, it would be very difficult to investigate due to the understandable commercial sensitivity concerns of cloud service providers about sharing their marketing and economic strategies. Our team have spoken with many of the leading cloud service providers, but they were not willing to share commercially sensitive information.

The approach adopted in this study is therefore relatively simple. Firstly, an examination of where the cloud data centres of leading providers are located takes place. The study then focuses on building a model of the costs of cloud data centre provision in all EU Member States. This can then be used to examine the potential additional costs[49] of locating cloud data centres in Member States with the most onerous restrictions on cross-border data flow.
[49] In comparison with the average cost for a cloud data centre in EU28 Member States or in comparison with the average cost for building and operating cloud data centres in the locations already selected by cloud service providers.

The next section examines the deployment of cloud data centres across Europe. Documented information about the Google cloud data centre in Belgium is used to identify key cost components for data centres and the magnitude of costs associated with their development. The costs of key components, most notably staff costs and electricity, are compared across EU28 Member States.

It is important to clarify the main difference between a cloud and a data centre. A cloud data centre is an off-premise form of computing that offers data storage and other services on the Internet, whereas a data centre usually refers to on-premises hardware or a remote location that stores data within an organisation's network.

The penultimate section develops a model to forecast costs for cloud data centre deployment in EU28 Member States. The various cost components are calculated using Eurostat data and rankings are provided to compare Member States’ relative performance. The section concludes with a comparison of costs across the construction (three years) and ten year operational life of a cloud data centre.

The final section examines the cost of developing cloud data centres located in the first round of deployment; these are regarded as being located in the optimal locations desired by cloud service providers to meet user needs. These costs are compared with the deployment of cloud data centres in the eight Member States with the highest number of obligations restricting data flow across borders.

At the start of the study the geographical coverage of cloud data services was unknown and it was not known where local data restrictions existed. As a result the study did not analyse different scenarios for location restrictions resulting in negative economic impacts (costs). For example, it was not possible to examine how organisations (public and private) in Member States, which were not served by large service providers that had a cloud data centre in their country, were affected. Organisations with their own data storage solutions might have incurred additional costs; smaller organisations without this capability might also have struggled. This would be a valuable area for further analysis.

4.5 Cloud data centre costs

Gartner forecast that the global market for cloud-computing services was $160 billion in 2015. That is still only four per cent of all IT spending, but it is growing fast, as most other parts of the industry are stagnant or even declining. By 2016 Gartner predicted growth of 16.5 per cent to €186 billion[50]. The Economist[51] identified the five leading global cloud service providers, see Figure 24.

Figure 24 - Market share of leading global cloud service providers Q4 2014

Source: Synergy Research Group 2015[52]

In September 2016 McKinsey announced that “The cloud debate is over—businesses are now moving a material portion of IT workloads to cloud environments”. While the preceding figures are large and studies show the growing importance of cloud computing it is important to focus on the impact of the cross border data obligations and regulations. This study therefore focuses on cloud data centres to provide illustrative examples of costs for service providers in addressing cross border data flow regulations.

[50] http://www.gartner.com/newsroom/id/3188817 25th January 2016

[51] Economist. 2015. The cheap convenient cloud. http://www.economist.com/news/business/21648685-cloudcomputing-prices-keep-falling-whole-it-business-will-change-cheap-convenient

[52] Quoted in Economist. 2015. The cheap convenient cloud.

As noted in the introduction the underlying economic tenet associated with data location restrictions is that regulations (restricting cross border data flow) will cause cloud data centres to be located in sub-optimal locations within the EU. It was highlighted that it is rational to assume that these additional costs, associated with locating in non-optimal locations, will be passed on to consumers eventually. But in the short term, market share strategies pursued by cloud service providers might absorb these costs. It is also possible that cloud providers might charge a premium for the use of cloud data centres in particular locations.

4.6 Cloud data centres in EU28 Member States

Cloud data centres are facilities that house large numbers of high-performance computers, known as servers, as well as networking equipment and communication links. Cloud data centres store, manage or process digital data at scale within secure, specialised, resilient and self-contained facilities. Essentially, a cloud data centre consolidates numerous separate IT functions within a single operating unit, thus delivering economies of scale, improved performance and efficiency. The servers in the cloud data centres store data and offer services such as IaaS (infrastructure as a service), PaaS (platform as a service), SaaS (software as a service) and NaaS (network as a service).

Copenhagen Economics[53] report that cloud providers capture scale advantages by consolidating the storage and processing of data in large data centres, thereby shifting the landscape towards larger-scale, purpose-built facilities with a focus on operational costs and efficiency. In essence, data is cheap to transport and data centres are subject to large-scale economies. Concentration of the data keeps the costs of data storage and operations of its services down, which ultimately benefits all Internet users. Moreover, data security is an important aspect and cloud service providers focus heavily and invest accordingly to ensure that data is kept safe at their data centres.

4.3.1 Cloud data centres in EU28 Member States

Leviathan Security Group[54], in a 2015 study, found six ‘Infrastructure as a Service’ (IaaS) public cloud computing providers in EU28 Member States[55]. These were:

Amazon Web Services - with data centres in France, Germany and Ireland;

DigitalOcean - UK and Netherlands (Amsterdam);

Google Compute Engine[56] - Belgium (Mons), Finland, Ireland and the Netherlands;

Linode - UK;

Microsoft Azure - Ireland and Netherlands;

Rackspace cloud servers - UK.

[53] Copenhagen Economics. 2015. The economic impact of Google’s data centre in Belgium.

[54] Leviathan Security Group. 2015. Quantifying the cost of forced localisation. The six EU28 cloud servers are described on page 10.

[55] The Leviathan study focused on “Infrastructure as a Service” (IaaS) cloud computing providers. They excluded storage-only, routing-only, and other providers that, while they may well be general-access cloud providers, do not provide general computing instances (page 6). The study clearly differentiates between Europe, the Schengen Area and EU28 Member States.

[56] Copenhagen Economics. 2015. The economic impact of Google’s data centre in Belgium. reports that Google also operates data centres in Hamina, Finland and Dublin, Ireland. A fourth is reported to be underway in Eemshaven, Netherlands.

Figure 25 – The distribution of cloud data centres for the six largest cloud service providers in the European Union

Adapted from Leviathan Security Group. 2015.

Outside of the seven Member States where cloud data centres have been built (Belgium, Finland, France, Germany, Ireland, Netherlands and the UK), see Figure 25, cloud service users would have to use non-public cloud providers if regulations did not permit cross-border data flows. In these cases those using non-public cloud providers would probably have to build their own private cloud (presumably ‘on-premise’) or utilise a dedicated private cloud. In both these alternatives the decision of where the service would be provided would be made and paid for solely by the cloud user for their own private use.

Figure 26 - The number of data flow restrictions in EU Member States where leading cloud providers have located cloud data centres

Member State                    Number of restrictions
Germany (1 data centre)         4
Belgium (1 data centre)         3
Netherlands (3 data centres)    3
Ireland (3 data centres)        2
Finland (1 data centre)         1

Note: Number of restrictions found in previous chapter analysis of compliance obligations

Figure 26 provides an insight to the number of data flow restrictions in EU Member States where leading cloud providers have located cloud data centres. Three Member States are amongst those with the most onerous cross-border data transfer regulations (Germany, Belgium and the Netherlands). But the other two Member States have relatively few restrictions. This analysis shows that there is only an insignificant statistical relationship between the number of data location restrictions and the location of cloud data centres.[57]

In the case of the public-cloud services considered in this study, the cloud service provider might have to build new cloud data service centres in additional locations to meet demand. These costs would then be ‘spread’ across all the public cloud service users.

In 2013 Intellect UK[58] reported that the UK dominated the European data centre[59] market with around 60 per cent of market share. They suggested that data centres contribute over five per cent of GVA and turnover was growing at 15 per cent per year. Their assertion that increasing demand for digital data means that the UK sector is poised for further growth must be questionable following the UK decision to exit the European Union.

Interestingly, in the light of the Intellect UK assertion of the majority of servers being located in the UK, Leviathan Security Group suggest that the cost of services to users provided from cloud data centres located in the UK and Ireland is significantly higher than from centres located in Belgium, Germany and the Netherlands. This assertion is examined later in this chapter. Leviathan also report that price competition within mainland Europe is fierce and DigitalOcean’s Amsterdam-based data centre is reported to have the cheapest 1GB ($0.015 / hour) and 2GB ($0.030 / hour) worldwide per-instance pricing[60]. This would rebut the views of some commentators who suggest that cloud services can be obtained more cheaply elsewhere in the world[61].

Intellect UK reported that as well as regulations related to cross border data flow some companies, particularly financial services, require low latency - very high speed transactions that require the kind of connectivity that can only be met by a combination of proximity and high bandwidth. The location of cloud data centres might also be affected by this requirement in serving Europe’s leading financial centres.

[57] Using Pearson’s correlation coefficient.

[58] Intellect UK. 2013. So what have data centres ever done for us? http://www.techuk.org/component/techuksecurity/security/download/1858?file=So_what_have_data_centres_ever_done_for_us.pdf&Itemid=181&return=aHR0cDovL3d3dy50ZWNodWsub3JnL2luc2lnaHRzL3JlcG9ydHMvaXRlbS8xODU4LWRhdGEtY2VudHJlLXB1YmxpY2F0aW9ucw==

[59] The Intellect study focuses on all types of data centres, not just cloud data centres. However, cloud data centres and data centres are similar in terms of infrastructure. Both store data with servers and other equipment in a single location. Cloud service providers use data centres to house cloud services and cloud-based resources. For cloud-hosting purposes, vendors also often own multiple data centres in several geographic locations to safeguard data availability during outages and other data centre failures. Data centres are typically run in-house by the IT department of a single company. http://www.businessnewsdaily.com/4982-cloud-vsdata-center.html

[60] Linode, with a data centre in the UK, was reported as matching the DigitalOcean offer.

[61] Barrett B. 2015. Amazon’s new unlimited cloud storage is absurdly cheap. Wired. http://www.wired.com/2015/03/amazon-unlimited-everything-cloud-storage/

4.3.2 Costs of building and operating a cloud data centre

The Copenhagen Economics study of construction and operations of two data centres in Mons, Belgium (the first constructed between 2007 and 2009 and became operational in 2010, the second was constructed between 2011 and 2014) provides a valuable insight to construction and operational costs for two cloud data centres. Figure 24 provides an overview of construction and operating costs.

Figure 27 - Construction and operational costs for the Mons Google data centre

                                 Data Centre 1    Data Centre 2
Construction                     2007 to 2009     2011 to 2014
Total Costs                      €270 million     €280 million
Goods and services               €120 million     €125 million
Labour and capital costs         €150 million     €155 million
Construction jobs per annum      500              500
Operating costs per annum        €36 million      Not yet operational
Employee FTEs                    350
Operational costs per annum:
  Estimated employee costs[62]   €29.5 million
  Electricity and other costs    €6.5 million

Source: Derived from Copenhagen Economics. 2015. The economic impact of Google’s data centre in Belgium. Currency converted at prevailing rates in July 2015.

Intellect UK suggests slightly lower construction costs of €130 million for a ‘large data centre’, but this assertion is provided without reference to the source[63]. They also estimate higher running costs for data centres of €78 million per annum; this assertion is also not sourced. Intellect UK suggest the cost of power is between 25 and 60 per cent of the total operating costs at data centres; the source of this assertion is not referenced. This figure is considerably above the 17 per cent documented at the Google data centre. In a separate report Intellect UK report that electricity consumption at a very large data centre could cost €3.9 million a year[64]. This figure appears to be similar to the Google Mons study[65]. However, as highlighted later, electricity costs vary considerably across EU Member States.

[62] Eurostat telecommunications labour cost per FTE in 2008 for Belgium lc_ncostot_r2

[63] Intellect UK. 2013. Ibid.

[64] Intellect UK. 2013. Data centres and power: Fact or fiction?

[65] According to Google their global data centre operation electrical power ranges between 500 and 681 megawatts. Google Green Infographics. https://environment.google/approach/#/datacenters/infographics. The highest level of power consumption is reported to be 150 megawatts at the Inner Mongolia Information Park owned by China Telecom. The tenth most power hungry is the Tulip Data City in Bangalore, India that consumed just over 80 megawatts. Intellect UK (2013, ibid.) report that the average very large data centre may consume 30GWh of power in a year.

The location of data centres will be affected by a number of factors including the availability and cost of appropriate skills, climate and electricity costs (and/or the availability of low carbon energy). These key components in construction and operational phases are presented graphically in Figure 25. The remainder of this section considers these costs before using the constituent elements to produce a model to forecast cloud data centre costs in EU28 Member States.

Figure 28 - Key components in the construction and operational phases of development for cloud data centres

4.7 Labour costs and data centre construction and operating costs

The previous section highlighted that labour costs are key components of both the construction and operational phases of cloud data centre development. Labour costs represent approximately 55 per cent of construction costs and 80 per cent of operational costs.

Figure 29 provides an overview of labour costs for construction workers in EU Member States. The average cost is €22,929 per annum. Highest costs are recorded in Denmark (€51,676 per annum) and Ireland (€47,577) where prices are 125 per cent and 107 per cent above the EU average, respectively. Cheapest costs for construction workers are found in Romania (€4,869) and Bulgaria (€5,085) which are 21 per cent and 22 per cent of the EU average, respectively.

Figure 29 - Labour costs for construction workers (FTE) in EU Member States in 2012

Member State      Indexed value 2012
EU28 average      100
Austria           183
Belgium           120
Bulgaria          22
Croatia           52
Cyprus            n/a
Czech Rep.        56
Denmark           225
Estonia           67
Finland           158
France            136
Germany           147
Greece            82
Hungary           57
Ireland           207
Italy             134
Latvia            50
Lithuania         37
Luxembourg        n/a
Malta             n/a
Netherlands       178
Poland            35
Portugal          69
Romania           21
Slovakia          45
Slovenia          79
Spain             120
Sweden            174
UK                184

Source: Eurostat. 2016. Total labour costs for construction workers (FTE) in 2012 in businesses with 250 to 499 employees lc_ncost_r2 Data last updated on 25th May 2016

Figure 27 provides an overview of labour costs for telecommunications workers in EU Member States. The difference in labour costs for telecommunications personnel is not as great as for construction workers. The average cost for telecommunications workers is €58,148 per annum. Lowest costs for telecommunications workers (as for construction workers) are found in Romania (€14,447) and Bulgaria (€10,812), which are 25 per cent and 19 per cent of the EU average, respectively. Highest costs are recorded in Belgium (€98,568 per annum) and Sweden (€88,350) where prices are 70 per cent and 52 per cent above the EU average, respectively.

Figure 30 - Labour costs for telecommunications workers (FTE) in EU Member States in 2012

Member State      Indexed value 2012
EU28 average      100
Austria           126
Belgium           170
Bulgaria          19
Croatia           47
Cyprus            90
Czech Rep.        59
Denmark           124
Estonia           43
Finland           117
France            128
Germany           119
Greece            66
Hungary           49
Ireland           115
Italy             106
Latvia            38
Lithuania         32
Luxembourg        136
Malta             n/a
Netherlands       126
Poland            41
Portugal          72
Romania           25
Slovakia          54
Slovenia          71
Spain             108
Sweden            152
UK                108

Source: Eurostat. 2016. Total labour costs for telecommunications workers (FTE) in 2012 in businesses with 10 or more employees lc_ncostot_r2 Data last updated on 25th May 2016

4.4.1 Electricity costs and data centre location

Figure 28 provides an overview of electricity prices per kilowatt-hour in EU Member States for larger industrial consumers. The average cost in EU28 Member States is 0.0649 euros per kilowatt-hour. Highest prices are recorded in the UK (0.1288 euros per kilowatt-hour) and Ireland (0.0844 euros) where prices are 98 per cent and 30 per cent above the EU average, respectively. Cheapest prices are found in Sweden (0.0344 euros) and Finland (0.0429 euros), which are 53 per cent and 66 per cent of the EU average, respectively.

When choosing where to locate or expand their operations, energy costs are a much more important consideration for data centres than they would be in a conventional business. But as noted earlier electricity is only approximately 17 per cent of annual operational costs at the Google data centre in Mons, Belgium. Thus while there are significant differences in electricity costs these might be overshadowed by higher personnel costs that constitute much of the remaining approximately 80 per cent of operating costs.

Figure 31 - Electricity prices (per Kilowatt-hour) for industrial consumers in EU Member States in 2015

Member State      Indexed value 2015
EU28 average      100
Austria           79
Belgium           90
Bulgaria          91
Croatia           79
Cyprus            151
Czech Rep.        116
Denmark           70
Estonia           86
Finland           66
France            83
Germany           83
Greece            67
Hungary           118
Ireland           130
Italy             102
Latvia            86
Lithuania         101
Luxembourg        76
Malta             149
Netherlands       103
Poland            89
Portugal          109
Romania           77
Slovakia          136
Slovenia          87
Spain             117
Sweden            53
UK                198

Source: Eurostat. 2016. Electricity prices for industrial consumers. Consumption between 70,000 and 150,000 MWh[66] nrg_pc_205

[66] Eurostat only had data for eight Member States in the highest consumption category (over 150,000 MWh). This would have been more appropriate for data centres. Relative differences between Member States at the highest consumption category are unlikely to be very different from those presented in the table.

4.4.2 Land prices and data centre locations

Most of the preceding cost elements (labour costs and electricity) associated with a data centre location are likely to be relatively similar throughout a Member State. However, land prices will probably vary as much throughout a Member State as they will between Member States. There is also a paucity of reliable data about land costs in EU28 Member States. For example, rents for a hectare of agricultural land vary from €879 in Romania to €130,000 in Malta[67]. And average prime city centre rental levels vary from €1,220 in Bulgaria to 25,575 in the UK[68]. Land costs for data centres will obviously be significant. But in the overall consideration of cost components during the ten (or more) years of life for a data centre they are likely to represent less than one per cent of total costs.

[67] Eurostat. 2016. Land prices and rents - annual data [apri_ap_aland]. Last updated 17th April 2012.

[68] Global Property Guide. 2016. Average per square metre (sq. m.) prices in US$/€ of 120-sq. m. apartments located in the centre of the most important city of each country. http://www.globalpropertyguide.com/Europe/square-meter-prices

4.4.3 Climate considerations for data centre location

Climate conditions are a moderately important factor in deciding where to locate data centres. Locations that are too hot will require servers to be cooled. The Green Grid shows the best European locations for data centres on the basis of average air temperatures. Almost all of northern Europe shares the optimum environmental conditions for data centres because lower average air temperatures increase the proportion of free air-cooling that is available, thus reducing the electricity consumption required for cooling in summer.

Figure 32 - Climate conditions for data centres in Europe

Source: HLH http://www.ingenieur.de/HLH/2015/Ausgabe-10/Sonderteil-Klima-und-Kaelte/Mit-direkter-freierKuehlung-Energie-und-Kosten-sparen?page=6

4.5 Cloud data centre model

Figure 25 provided an overview of the key cost components for cloud data centres. Figure 24 provided an insight into typical numbers of workers and power consumption at the Google cloud data centre in Belgium. This section examines the preceding information about differences for cost components in EU28 Member States to estimate construction and operational costs of cloud data centres.

4.5.1 Construction costs for cloud data centres

The key cost components when constructing a cloud data centre are construction workers, servers and other computing equipment, and land. Section 4.4.2 highlighted that land prices to locate a cloud data centre are likely to vary as much within countries as they do between countries. It was also noted that over the ten to 15-year life of a cloud data centre land costs will represent less than one per cent of total costs. Due to their complexity and relatively limited importance, land costs are omitted from the model. Another item omitted is the cost of servers and associated computing equipment. These items are likely to be purchased and/or sourced from global suppliers; there will therefore be little difference (due to local socio-economic circumstances) between EU28 Member States.

The primary cost element included in calculations is therefore the labour costs documented in section 4.3.2. Figure 27 highlighted that the construction phase of the Belgian cloud data centre required approximately 500 construction workers for three years. Figure 30 shows that labour costs for construction are on average €34.4 million in EU Member States. The most expensive is Denmark, where labour costs for 500 construction workers for three years would total €77.5 million. The cheapest is Romania, where the same task could be completed for €7.3 million.

Figure 33 - Construction costs for cloud data centres in EU28 Member States

Member State    Labour costs (450 people for 3 years) for construction €m    Rank
EU28 average    34.4
Austria         62.8                                                         4
Belgium         41.3                                                         12
Bulgaria        7.6                                                          24
Croatia         18.0                                                         19
Cyprus          n/a                                                          n/a
Czech Rep.      19.3                                                         18
Denmark         77.5                                                         1
Estonia         23.1                                                         16
Finland         54.3                                                         7
France          46.8                                                         9
Germany         50.7                                                         8
Greece          28.2                                                         13
Hungary         19.5                                                         17
Ireland         71.4                                                         2
Italy           46.3                                                         10
Latvia          17.3                                                         20
Lithuania       12.6                                                         22
Luxembourg      n/a                                                          n/a
Malta           n/a                                                          n/a
Netherlands     61.4                                                         5
Poland          11.9                                                         23
Portugal        23.6                                                         15
Romania         7.3                                                          25
Slovakia        15.5                                                         21
Slovenia        27.1                                                         14
Spain           41.4                                                         11
Sweden          60.0                                                         6
UK              63.2                                                         3


4.5.2 Operational costs for cloud data centres

The key cost components when operating a cloud data centre are telecommunications, personnel and electricity. These costs were considered in sections 4.4 and 4.4.1. Climatic considerations were reviewed in section 4.4.3, but it was noted that these were broadly similar across Northern Europe.

Figure 31 shows that labour costs for operating a cloud data centre are on average €20.4 million in EU Member States. The most expensive is Sweden, where labour costs for 350 telecommunications workers are €30.9 million per annum. The cheapest is Bulgaria, where the same task could be completed for €3.8 million.

Figure 32 also shows that electricity costs for 60 GWh for operating a cloud data centre are on average €3.9 million in EU Member States. The most expensive is the UK, where 60 GWh would cost €7.7 million per annum. The cheapest is Sweden, where the same amount of electricity would cost €2.1 million.

The last two columns to the right of the table in Figure 31 show the total annual operating cost of a cloud data centre in EU28 Member States. The most expensive location is Belgium, where operating costs would be €38 million per annum. The cheapest is Bulgaria, where operational costs would be €7.3 million per annum.

Figure 34 - Annual operational costs for cloud data centres in EU28 Member States

Member State    Operations 350 telecoms workers (€m)    Electricity 60 GWh (€m)    Total Operating Costs per annum    Rank
EU28 average    20.4                                    3.9                        24.2
Austria         25.7                                    3.1                        28.8                               7
Belgium         34.5                                    3.5                        38.0                               1
Bulgaria        3.8                                     3.6                        7.3                                27
Croatia         9.6                                     3.1                        12.7                               21
Cyprus          18.3                                    5.9                        24.2                               14
Czech Rep.      12.1                                    4.5                        16.6                               17
Denmark         25.2                                    2.7                        27.9                               9
Estonia         8.7                                     3.4                        12.1                               22
Finland         23.8                                    2.6                        26.4                               12
France          26.0                                    3.2                        29.2                               6
Germany         24.2                                    3.2                        27.4                               10
Greece          13.4                                    2.6                        16.0                               19
Hungary         9.9                                     4.6                        14.5                               20
Ireland         23.5                                    5.1                        28.6                               8
Italy           21.5                                    4.0                        25.5                               13
Latvia          7.7                                     3.3                        11.1                               24
Lithuania       6.5                                     3.9                        10.4                               25
Luxembourg      27.7                                    3.0                        30.6                               3
Malta           n/a                                     5.8                        n/a                                n/a
Netherlands     25.5                                    4.0                        29.5                               5
Poland          8.4                                     3.5                        11.8                               23
Portugal        14.7                                    4.2                        18.9                               15
Romania         5.1                                     3.0                        8.1                                26
Slovakia        11.0                                    5.3                        16.3                               18
Slovenia        14.5                                    3.4                        17.9                               16
Spain           21.9                                    4.5                        26.5                               11
Sweden          30.9                                    2.1                        33.0                               2
UK              21.9                                    7.7                        29.6                               4


4.5.3 Cloud data centre costs

Preceding sections have examined construction costs and operational costs for cloud data centres in EU28 Member States. To gain a realistic insight into total costs it is necessary to consider costs over the lifetime of a data centre. The typical lifetime of a cloud data centre is expected to be ten years, with servers being replaced every three to five years [69]. If a ten-year lifetime is adopted, the total operating cost of a cloud data centre will be the construction costs plus ten years of operational costs. Figure 32 shows an overview of these typical lifetime costs in EU28 Member States.

It is important to add the caveat that the model developed is relatively simple, concentrating only on cost elements where comparison between Member States can be reliably investigated. Land costs, which will represent a small proportion of total costs, are excluded. Capital costs associated with servers and other computing equipment during construction (and/or by replacement in later years) are excluded because they will predominantly be sourced from global markets and therefore be a similar cost across all EU Member States. As with any model, the absolute numbers are unlikely to be totally accurate, but they provide an insight into the relative differences in cost between EU Member States, because key parameters have been consistently applied in the model.

Figure 32 shows that the cost of a cloud data centre over a ten-year lifetime is on average €276.9 million in EU Member States. The most expensive location is Belgium, where a cloud data centre would cost €421.4 million over a ten-year lifespan. The cheapest is Bulgaria, where a cloud data centre would cost €81 million to construct and run over the same time period.

Figure 35 - Ten year lifetime costs for cloud data centres in EU28 Member States

Member State    Construction and ten years of operating costs €m    Rank
EU28 average    276.9
Austria         350.8                                               7
Belgium         421.4                                               1
Bulgaria        81.0                                                25
Croatia         145.0                                               19
Cyprus          n/a
Czech Rep.      185.1                                               16
Denmark         356.9                                               5
Estonia         144.0                                               20
Finland         318.4                                               10
France          339.1                                               8
Germany         324.8                                               9
Greece          187.9                                               15
Hungary         164.9                                               18
Ireland         356.9                                               4
Italy           301.3                                               12
Latvia          127.9                                               22
Lithuania       116.8                                               23
Luxembourg      n/a
Malta           n/a
Netherlands     356.8                                               6
Poland          130.2                                               21
Portugal        213.1                                               13
Romania         88.0                                                24
Slovakia        178.8                                               17
Slovenia        205.7                                               14
Spain           306.2                                               11
Sweden          389.8                                               2
UK              359.4                                               3

[69] Gittlen G. 2013. Extending the life of your data centre. http://www.computerworld.com/article/2498440/data-center/extending-the-life-of-your-data-center.html

4.6 Optimal and sub-optimal cloud data centre location costs

It could be argued that the first seven Member States where cloud providers chose to build data centres (Belgium, Germany, Ireland, Netherlands and UK, see section 4.3) are in locations that providers regarded as optimal solutions for them and/or their users during the early stages of cloud data centre deployment. It is possible to assert that, having built a first round of data centres primarily in locations to meet user needs, later choices for additional data centres (being built now or in the future) might be driven more by concerns of cloud service providers about cross-border data regulations; thus they might be located in sub-optimal locations [70].

The previous chapter provided results from the analysis of compliance obligations in 19 EU Member States. This provided details of Member States where reported barriers were most abundant. Three countries with four obligations stood out as particularly onerous: Austria, Bulgaria and Germany, see Figure 34. Five additional countries had three obligations: Belgium, Czech Republic, Netherlands, Romania and Slovenia. It is possible to assert that if new cloud data centres were located on the basis of compliance with cross-border obligations they should be built in these countries.

Figure 36 - Number of compliance obligations in EU Member States

Member State    Number of barriers
Austria         4
Bulgaria        4
Germany         4
Belgium         3
Czech Rep.      3
Netherlands     3
Romania         3
Slovenia        3
Ireland         2
Luxembourg      2
Portugal        2
Croatia         1
Denmark         1
Finland         1
Greece          1
Hungary         1
Poland          1
Sweden          1
Estonia         0
Malta           0

Source: Study team survey of 20 EU28 Member States

[70] Interviews with cloud providers have confirmed that ten years ago cloud servers were built to meet the needs of cloud service providers. In recent years the situation has been reversed and now server locations are designed to best meet user needs and cross-border data compliance requirements. However, these location decisions could also include user concerns such as lower latency and/or cost factors.

Preceding sections have developed a model to estimate the costs for building and operating cloud data centres in EU28 Member States. It is therefore possible to examine how the cost of locating cloud data centres in Member States with more data flow barriers would compare with costs associated with centres in the eight Member States where cloud data centres have already been deployed.

Figure 35 provides an overview of the ten-year lifetime cost of cloud data centres in the seven countries where the first round of cloud data centres have been located. Four of the countries are in the top nine most expensive locations. The average cost of cloud data centres in these seven Member States is €359.4 million. The average cost in the eight Member States with the highest number of cross-border data transfer compliance obligations is €251.7 million [71].

These results suggest that the first round of cloud data centres, which should have been able to provide optimal deployment locations for cloud service providers, have been deployed in Member States that appear to be amongst the most costly for lifetime cloud data centre costs. It is therefore possible to assert that data location restrictions are unlikely to lead to increased costs (above those endured by first round deployment) for the creation of cloud data centres in EU Member States with more onerous obligations.

However, it is possible that data restrictions could lead to the provision of more cloud data centres than cloud service providers would ideally like to deploy if they wish to provide services in Member States with more onerous cross-border data transfer compliance obligations. With each cloud data centre costing €276.9 million on average in EU Member States, over-provision of centres could be costly. However, as the introductory section to this chapter identified, this situation (overcapacity in relation to Member State user requirements) would probably be offset by the fact that cloud data centre over-capacity (in a Member State with more onerous compliance obligations) could be used by cloud data providers to serve users in other Member States. In a situation with increasing demand for cloud services, and cloud revenues increased by 16.5 per cent between 2015 and 2016, the construction of additional cloud centres in Member States could have no net additional cost to cloud service providers and thus users (in comparison with the lifetime costs of the first cloud data centres in the EU).

[71] It is acknowledged that a simple focus on the quantity or number of obligations might not reflect the qualitative extent or difficulties in the magnitude of the obligations. There may be a difference between restrictions, notably between direct and indirect restrictions. However, obligations usually concerned a few sectors and the extent of coverage was pretty much the same across Member States that had the obligation, so qualitatively there was not too much difference.


Figure 37 - Comparison of costs for deploying first and later rounds of cloud data centres in EU Member States

First round cloud data centres

Member State    Estimated ten year lifetime cloud centre cost (€m)
Belgium         421.4
Finland         318.4
France          339.1
Germany         324.8
Ireland         356.9
Netherlands     356.8
UK              359.4
AVERAGE         353.8

Eight Member States with most obligations

Member State    Number of obligations    Estimated cloud centre cost (€m)
Austria         4                        350.8
Belgium         3                        421.4
Bulgaria        4                        81.0
Czech Rep.      3                        185.1
Germany         4                        324.8
Netherlands     3                        356.8
Romania         3                        88.0
Slovenia        3                        205.7
AVERAGE         3.4                      251.7

4.7 Conclusion

This chapter examined costs associated with barriers to cross-border data flow. The study commenced by looking at the mechanics of transferring data. This found that, whilst several methods exist, cloud is the only commercially viable transfer method in terms of volume data transfers, across borders, with access by many users.

Our team examined cloud subscription prices, envisaging there would be differences in prices between Member States and that options would be available for the location where data was stored. At the commencement of the study, in December 2015, none of the large cloud providers had local (within Member State) storage options for customers. Indeed, most had then, and still have now, flat rate pan-EU pricing policies, usually quoted in US dollars. Discussions with cloud providers also revealed that the price/subscription charged to users in the short term can be independent of the cost of provision, as providers pursue goals such as maximising market share. Over the long term cloud service providers will need to obtain a return on their investment, but in the short term costs to users (in subscriptions and/or fees) may not reflect costs incurred by cloud service providers.

To address this possibly spurious line of investigation, the study therefore moved away from examining costs incurred by cloud customers purchasing cloud services. Instead it examined costs incurred by cloud service providers, by examining the costs incurred by building and operating cloud data centres in different locations and investigating how these costs might be influenced by restrictions to cross-border data flow. The underlying logic was that at some point in the future any additional costs would be borne by cloud users in the form of higher subscription fees and/or costs.

An examination of the Member States in which cloud data centres of leading providers are located found no relationship between the location of centres and the number of data flow restrictions that existed in a Member State. Interviews with providers also suggested that restrictions were not a major issue in deciding where to locate centres in the past.

The study developed a model of the costs of cloud data centre provision in all EU Member States to examine the potential additional costs of locating cloud data centres in Member States with the most onerous restrictions on cross-border data flow. This analysis found that there would not be any additional cost in cloud data centre construction and ten-year running costs if centres were located in the eight Member States with the most restrictions to cross-border data flow. In these Member States the average cost of a cloud data centre would be €251.7 million. This was less than the average cost in all EU Member States (€276.9 million) and considerably less than the average cost of €353.8 million for data centres in seven EU Member States operated by the six leading cloud service providers.


5. Recommendations for functional requirements and future policy concepts in order to facilitate cross border data flow within the EU

5.1 Introduction

The sections above have described current prevalent legal requirements that affect data location choices in Europe, as well as their effect from a cost-benefit perspective. It is important to consider whether and how these requirements could be recast in a way that satisfies the underlying policy objective without needlessly impairing the free flow of data in the European Union.

Section 3 of the report provided a short analysis, including examples, of the main categories of legal requirements that directly or indirectly affected data location choices. In the present section, we will first propose alternative functional requirements that would achieve the desired objective while minimising data location impacts (section 5.2 below), followed by a framework for introducing and promoting this approach from a policy perspective (section 5.3).

The proposals and concepts described in this Chapter were presented for discussion at a project workshop in Brussels on 20 March 2017, and have subsequently been updated and revised to align with the feedback provided during this event. A full workshop report is included in Annex II of this report.

5.2 From form to function – recommendations for recasting

This report has identified two forms of direct formal barriers: geographic location storage requirements (where legislation explicitly dictates that data must remain at a specific location) and unique national technical requirements (where the use of specific encryption technologies, data formats, accreditation procedures etc. which are inaccessible to foreign service providers are mandated). Examples of the former were identified in relation to gambling services, accounting documents and taxation, and examples of the latter were found in relation to national security, police data and national defence.

More numerous were the indirect data location requirements, which included the accessibility of data to specific supervisors or regulators, the definition of generic technical requirements, prior authorisation schemes for infrastructure or service providers, the mandatory use of a specific infrastructure, data segregation requirements, subcontracting restrictions, and data destruction requirements.

However, this list as such cannot be directly translated into functional requirements. This is because the correct translation of formal requirements into functional requirements depends strongly on the underlying policy objective. As a practical example: if data should be stored on a server in a specific Member State in order to ensure its accessibility to a national supervisor, then the formal data location requirement can be recast into a functional accessibility requirement. However, if the exact same requirement is driven by the need to ensure that data cannot be seized by a third party, then accessibility to a national supervisor is not a sufficient or appropriate translation. Data location as such is not a requirement that can be translated in isolation; the policy objective must be the focus of the translation effort.

Similarly, the mandatory use of infrastructure of a specific organisation is not a requirement that can be translated into a functional requirement. It should be determined first why a specific organisation was empowered, i.e. what the underlying policy objective was. Possibly the organisation was given its mandate to ensure the security and interoperability of the data, or perhaps merely because the Member State considered the data a part of its national sovereignty for which the free flow of data would be irrelevant. The policy objectives must be made explicit in order to translate them into functional requirements.

In other words, translation from formal to functional requirement cannot be done on the basis of the phrasing of the formal requirement, but must be done on the basis of the underlying policy objective. Examining the identified policy objectives for the known direct and indirect requirements and mapping them into functional requirements, the following overview emerges:


Figure 38 – Policy objectives and functional requirements table Policy objective

Functional requirement

Example

Accessibility to a regulator or supervisor

The data must be stored in a manner that allows it to be accessed by the regulator or supervisor upon its request, including via electronic channels, in a format which is usable by and understandable to the regulator or supervisor without requiring any modification and formatting. The person subject to the storage requirement must be able to demonstrate to the regulator or supervisor upon request that accessibility is ensured.

E.g. the German Procedural rules for accounting and records), § 146 provides for an obligation to keep the records required for tax declaration within Germany, with the exception of companies active in foreign countries and complying to local tax law on records. Tax records can be kept electronically outside of Germany if the tax authority gives permission on application by the subject. The permission can be given, if the subject provides the authority with the location of the data centre and access to the data.

Note: EU level agreement on specific data formats can be useful in some contexts, but this is not universally the case, nor is this technically a data location issue. Protection against third party modification

The data must be stored in a manner that ensures that it cannot be altered without the prior approval of the person subject to the storage requirement. The person subject to the storage requirement must be able to demonstrate upon request that protection is ensured. Note: EU level agreement on appropriate protection techniques (such as encryption) can be useful in some contexts, but this is not always needed. Encryption may not be an absolute requirement in all cases.

Protection against modification by the person subject to the storage requirement

The data must be kept in a manner that ensures that it cannot be altered without the prior approval of the competent regulator or supervisor. The person subject to the storage requirement must be able to demonstrate upon request that protection is ensured. Note: EU level agreement on appropriate protection techniques (such as encryption) can be useful in some contexts, but this is not always needed. Encryption may not be an absolute requirement in all cases.

The policy objective is to ensure that accounting documents remain accessible to tax authorities so that they can conduct verifications. E.g. the Austrian Federal Act on Data Security Measures when using personal electronic Health Data or Health Telematics Act defines certain requirements for the storage of patient data. It specifically refers to storage of information in the cloud. According to §6, state-of-the-art encryption has to be applied when storing patient data in the cloud. The policy objective is to ensure that confidential information cannot be accessed by an unauthorised third party. E.g. The Romanian Government Decision no. 111/2016 approving the Norms of application of 24 February 2016 on gambling, Articles 2, 127 and 136 require that the main system includes a game server, a registering and identification system for registering and identifying the participant of the game, as well as a system for storing and transferring information for each game session, each registration fee and each payment made by the user. The main system must ensure that an encrypted back-up/safety server is used that ensures real time transfer and automated registration of all data requested by the National Gambling Office, containing daily and monthly logs that allow real time verification of the licensed gambling operator. The policy objective is to ensure that all relevant data including logs are


Cross-border data flow in the digital single market: study on data location restrictions

(SMART 2015/0054)

accessible to the regulator, without allowing the gambling organisation the possibility of making modifications. Protection against third party accessibility

The data must be stored in a manner that ensures that it cannot be accessed without the prior approval of the person subject to the storage requirement. The person subject to the storage requirement must be able to demonstrate upon request that protection is ensured. Note: EU level agreement on appropriate protection techniques (such as encryption) can be useful in some contexts, but this is not universally the case, nor is this technically a data location issue. Encryption may not be an absolute requirement in all cases.

E.g. the Bulgarian Bar Act and the Professional Ethics Code of Lawyers oblige lawyers to keep the confidentiality of any information they have obtained from their clients indefinitely. Such information can be disclosed only if such a disclosure is necessary before a court in connection with an ongoing dispute with the client, and shall be kept confidential by any and all of the lawyer’s staff and any other person who is involved in his professional duties. Further, all of the lawyer’s papers, records, electronic documents, computer equipment and other information media are inviolable and cannot be reviewed, copied, examined or be subject to a seizure. It is unclear how this protection may apply to lawyer’s information stored by an external service provider (for example, a cloud service provider) who is not subject to protection against any review, copy, examination or seizure of information. The policy objective is to ensure that confidential information cannot be accessed by third parties (including, in this example, public authorities that have not followed the appropriate procedures).

Destruction of data after the expiration of a certain time period or under certain conditions

Interoperability

106

The data must be stored in a manner that ensures that it can be permanently and irrevocably destroyed by the person subject to the storage requirement. The person subject to the destruction requirement and the entity providing the storage services must be able to demonstrate upon request that such destruction is ensured. Note: The mirror image of the policy objective (a ‘non-destruction requirement’ that ensures that the person subject to the storage requirement cannot destroy it) would fall under the ‘Protection against modification by the person subject to the storage requirement’ heading above. The data must be stored in a way that allows it to be extracted in a structured, commonly used and machine-readable format that allows it to be used by the person subject to the storage requirement, and by any persons to whom the data will foreseeably be made available or accessible on the basis of its nature and purpose.

E.g. the Belgian Law of 8 August 1983 regulating a National Register of natural persons requires a process to be established and responsible persons to be designated to destroy this database in certain circumstances. The policy objective is to ensure that the data are destroyed in certain circumstances.

E.g. the Finnish Law on electronic processing of client data within social and health care, issued by decision of the Finnish Parliament on 1 July 2007, allows patient data may be used in nationwide information services for organizing and providing health care. These services must obtain attestations of conformity at the national level, and must adhere to nationally defined interoperability requirements.


Cross-border data flow in the digital single market: study on data location restrictions

Security of the infrastructure

Note: EU level agreement on specific data formats is highly desirable for cases where cross border interoperability is a part of the purpose of the data. If there is no commonly used data format or no consensus on which data format must be used, interoperability cannot be achieved. The data must be stored using technical infrastructure that is subject to technical and operational security measures that ensure that the data cannot be accessed without the prior approval of the person subject to the storage requirement. Note: mandatory certification of the infrastructure can be appropriate, and should be done against internationally recognised standards. National security standards should be avoided except in cases where free flow of data can be legitimately excluded.

(SMART 2015/0054)

The policy objective is to ensure the interoperability between the services.

E.g. the Luxembourg Circular CSSF 12/552 on central administration, internal governance and risk management emphasizes that that the IT functions of institutions must be effectively protected, which can best be done “in premises at its disposal in Luxembourg”. Storage outside Luxembourg is permitted under strict safeguards and preconditions that protect the confidentiality of banking data. Broadly summarizing, outsourcing of IT infrastructure is permitted, but should either be to a party (a PFS) licensed in Luxembourg, or to an internal entity of the outsourcing party’s group after prior informed consent is obtained. The policy objective is to ensure that sensitive information is stored in secure facilities.

Trustworthiness of the service provider

The data must be stored by a provider that is subject to technical and operational security measures that ensure that the data cannot be accessed without the prior approval of the person subject to the storage requirement. Note: prior notification to a national supervisor and prior authorisation of the service provider can be appropriate. Prior authorisation should be done against internationally recognised standards, resulting in a common whitelisting approach. In such cases, mutual recognition of the standards and whitelists should be sought to avoid fragmentation. Post-hoc supervision by a national supervisor can be appropriate. However, in such cases a country of origin rule should be applied to avoid cumulative and potentially contradictory supervision.

The Austrian Gesundheitstelematikgesetz (GTelG 2012), § 6, 14 and 20 defines certain requirements for the storage of patient data. According to §6, state-ofthe-art encryption has to be applied when storing patient data in the cloud. The provider of the ELGA (electronic health record) has to be authorized to use health records according to § 14. The policy objective is to ensure that patient records can only be stored by a provider that meets the law’s trustworthiness requirements.

National authorisation schemes without mutual recognition should be avoided except in cases where free flow of data can be legitimately excluded. Trustworthiness of the service provider’s personnel


The data must be stored in a way that allows access to the data only by personnel with appropriate qualifications, that has undergone a prior background check and/or which is subject to a legal or contractual duty of confidentiality and secrecy.

E.g. the Romanian Government Decision no. 781/2002 on the protection of restricted information, Article 6 (1) and (2) allow personnel to access restricted information only on the basis of a written authorization by the director of the unit which holds classified information.



Note: the application of this measure can be facilitated through standardised requirements list (common definitions of background checks to be conducted, common templates of contractual confidentiality obligations, and suitable accreditations). National personnel requirement schemes without mutual recognition should be avoided except in cases where free flow of data can be legitimately excluded.


The policy objective is to ensure that individual persons are appropriately bound by confidentiality obligations and cannot access data without appropriate prior verifications.


Since the objectives can of course overlap in practice (e.g. legal requirements can exist both to ensure protection against modification by third parties and to ensure interoperability), it goes without saying that the functional requirements can be applied cumulatively. The table above also builds on the assumption that removing barriers to data location choices is a desired objective. There are however clearly also cases where a Member State may legitimately not wish to open certain data to EU-level storage options. National security and police databases are arguably reasonable examples where a Member State may feel that there is no need or benefit in the current state of technology to allow data storage outside the exclusive control of its own administrations, thus also forbidding storage outside its own borders. This exclusive and sovereign control is a policy objective which has no reasonable functional translation that would permit the removal or softening of data location requirements: when the principal concern of a Member State is that certain data is so critical that it may not be subjected to any sovereignty other than one’s own, no foreign data storage option will likely be satisfactory. Even strong encryption is not perpetually trustworthy, and no legal or political construct can ensure that data remains forever in trusted hands. However, such cases where data can legitimately be excluded from the free flow of data should be relatively rare in practice. The question of when this position is appropriate shall be dealt with in section 5.3 below.



5.3 Promoting the free flow of data – crucial policy concepts

The overview table above (see figure 36) shows that the translation of existing legal barriers to the free flow of data into functional requirements that minimise the impact on data location choices is possible. However, it does require that the policy objectives are known and are made explicit, and that they fall within the scope of the free flow of data policy. The facilitation of the free flow of data by mitigating data location barriers therefore hinges on two complex issues: firstly, the identification of cases where the principle of the free flow of data applies; and secondly, implementing the necessary changes to transition from formal requirements to functional requirements.

5.3.1. Where should the free flow of data exist?

The first question is arguably the most complicated: in which cases should Member States be able to introduce barriers to the free flow of data? Based on the available data, there appears to be a clear consensus that public safety and public security are policy areas in which Member States feel justified in introducing data processing restrictions that ensure that their sovereignty in these policy areas cannot be in any way compromised. But current restrictions go further: the examples identified in relation to e.g. taxation and gambling show a broader perspective, as do examples in relation to health data and legal or privileged data. The Treaty on the Functioning of the European Union of course defines the principal freedoms in the EU, as well as Member States’ rights to restrict these under some circumstances, and therefore can be useful as a first test of when restrictions to the free flow of data might be justified.
The Treaty allows Member States to introduce limitations to the free movement of workers and the right to establishment “justified on grounds of public policy, public security or public health”; this scoping of possible exceptions already seems to apply reasonably well to many of the data processing restrictions identified above. While a data location restriction cannot reasonably be construed as an emanation of the free movement of workers, it can indeed impact the establishment of an undertaking as it may be required to establish a local legal entity to comply with legal requirements in relation to its field of business. The free movement of services is a more directly applicable freedom in the current context, since many of the examples of restrictions to the free flow of data also have an indirect impact on the freedom to offer a service: it becomes significantly harder for an undertaking to freely offer its services across the EU when there is a requirement to maintain its data within specific borders. Unjustified data location restrictions therefore indirectly impact the free movement of services. The Treaty defines the core principle of the freedom to provide services within the Union, while specifying that it applies to services that are normally provided for remuneration; this too is a useful starting point for scoping the free flow of data, since the application of the remuneration criterion would eliminate most government services, such as police databases or civil registers, which would likely need to be excluded from the free flow of data for reasons of national sovereignty. The Services Directive 2006/123/EC provides further guidance on the impact of the Treaty, since it aims to facilitate the exercise of the freedom of establishment for service providers and the free movement of services. 
It builds on the aforementioned concepts of restrictions on the grounds of public policy, public security or public health by integrating case law from the Court of Justice, allowing Member States to introduce restrictions to the free movement of services for ‘overriding reasons relating to the public interest’ (Article 16(1)(b)). This concept includes “public policy; public security; public safety; public health; preserving the financial equilibrium of the social security system; the protection of consumers, recipients of services and workers; fairness of trade transactions; combating fraud; the protection of the environment and the urban environment; the health of animals; intellectual property; the conservation of the national historic and artistic heritage; social policy objectives and cultural policy objectives”72. Recital (41) of the Directive clarifies that ‘public policy’ “covers the protection against a genuine and sufficiently serious threat affecting one of the fundamental interests of society and may include, in particular, issues relating to human dignity, the protection of minors and vulnerable adults and animal welfare. Similarly, the concept of public security includes issues of public safety”. There is however a clear risk of overreach if the concept of ‘overriding reasons relating to the public interest’ were to be directly transposed to the concept of data location restrictions. While it is clear that the provision of services remains subject to the provisions of the Treaty and the Services Directive, it is not evident that any topic that could give rise to restrictions under the Services Directive would also automatically legitimise data location restrictions in the relevant industry. To give a trivial example: the protection of animals can be an overriding reason for restrictions to the free movement of services, but this does not imply that data affecting the protection of animals must be restricted to a specific Member State.
The e-Commerce Directive 2000/31/EC, which would apply if the legal restriction in a Member State would target an information society service, similarly permits Member States to restrict the freedom to provide information society services from another Member State for reasons of public policy (in particular the prevention, investigation, detection and prosecution of criminal offences, including the protection of minors and the fight against any incitement to hatred on grounds of race, sex, religion or nationality, and violations of human dignity concerning individual persons), the protection of public health, public security, including the safeguarding of national security and defence, and the protection of consumers, including investors. Of course, in many cases the e-Commerce Directive would not apply to data location restrictions: if a doctor or a lawyer would be required to keep their records within their national borders, this is not a regulation of an information society service, but of the professional activity as a whole. In those cases, the limitations of the e-Commerce Directive would be moot. The Services Directive however could apply, and contains several provisions that would appear to be at odds with direct data location restrictions. Notably, Article 16.2 forbids Member States to restrict the freedom to provide services across borders by requiring a provider to have an establishment in their territory; to obtain an authorisation from their competent authorities except where provided for in the Directive; and to ban the provider setting up a certain form or type of infrastructure in their territory which the provider needs in order to supply the services in question. The Directive however does not explicitly forbid Member States from requiring a provider to set up a certain form or type of infrastructure in their territory in order to supply the services in question, which would have been more directly relevant. However, a correct application of these principles would lead to the conclusion that data location restrictions – or more broadly: legal requirements that affect the free flow of data – in relation to specific services – understood as services usually required against remuneration, as provided by the Treaty and the Services Directive – can be legitimate only to the extent that these requirements are objectively justified by an overriding reason relating to the public interest, and that they are proportional in the light of this public interest objective. Applied logically and consistently, this should imply that such restrictions should be identified by Member States, and that the policy objective should be explicitly stated, explaining why the policy objective constitutes an overriding reason that can only be achieved through the imposed restriction. In the absence of this approach, the necessity and proportionality test could not be applied. In such cases and to that extent, a data location restriction could be justified and the free flow of data could be legitimately impeded. Examples would include police databases, classified information, and official registers – none of which would be considered as an element of a ‘service’ under the Treaty, since (and to the extent that) they are a part of government functions which are not provided for remuneration. When such a justification could not be provided, the requirement must be recast into a functional requirement.

72 See recital (8) of the Services Directive.

5.3.2. Recasting regulations to support the free flow of data

Once it has been determined that data should fall within the remit of the free flow of data policy – either as a logical consequence of the application of the Treaties, the Services Directive or the e-Commerce Directive, or as a part of a future Free Movement of Data right that could be construed along the principles outlined above – any legal requirements in relation to the data would need to be recast in accordance with the functional requirements translation table provided above. It should however be recognised that this is not a trivial exercise. It implies the screening and simplification of national laws – a similar exercise to what was also required by the implementation of the Services Directive73 – but more importantly it can also require the establishment of coordination and harmonisation mechanisms between the Member States in order to establish any technical or organisational requirements that may be relevant for specific data types. These will likely vary from sector to sector. Examples of the need for such coordination and harmonisation mechanisms can be drawn from the functional requirements translation table, in combination with the data from the identified national restrictions:

73 See the Commission’s guidance on simplification in the Handbook on implementation of the Services Directive; http://bookshop.europa.eu/en/handbook-on-implementation-of-the-services-directive-pbKM7807096/; Chapters 5 (on simplification) and 7 (on permissible limitations to the free movement of services) are particularly salient.

Figure 39 – Policy objectives and harmonisation needs

Policy objective

Need for coordination and harmonisation?

Accessibility to a regulator or supervisor

Elimination of data location restrictions implies that a regulator in Member State A must be able to access data in Member State B. This policy objective can be phrased in a technologically neutral manner (i.e. without imposing specific approaches, technologies or solutions) as has been done in the functional requirements translation table. However, to facilitate accessibility, the regulators or supervisors may require harmonisation on data formats, language or semantics, and access procedures. Resulting requirement: interaction between regulators or supervisors to establish and mutually recognise suitable data formats, language or semantics, and access procedures.

Protection against third party modification, or against modification by the person subject to the storage requirement

The policy objective can be phrased in a technologically neutral manner (i.e. without imposing specific approaches, technologies or solutions) as has been done in the functional requirements translation table. However, if regulators want to recognise specific requirements (e.g. specific encryption technologies), then this requires harmonisation. Resulting requirement: coordination between legislators, regulators or supervisors to establish and mutually recognise any appropriate approaches, technologies or solutions.

Security of the infrastructure

The policy objective can be phrased in a technologically neutral manner (i.e. without imposing specific approaches, technologies or solutions) as has been done in the functional requirements translation table. However, if regulators want to recognise specific requirements for specific types of infrastructure (e.g. certification against specific security standards), then this requires harmonisation. Resulting requirement: coordination between legislators, regulators or supervisors to establish and mutually recognise any appropriate security standards and certification approaches.

Trustworthiness of the service provider

The policy objective can be phrased in a technologically neutral manner (i.e. without imposing specific requirements) as has been done in the functional requirements translation table. However, if regulators want to implement a prior notification/authorisation scheme for specific types of service providers, then this requires harmonisation. Resulting requirement: coordination between legislators, regulators or supervisors to establish and mutually recognise any prior notification and authorisation requirements (within the limitations permitted by the Services Directive for authorisation schemes).

Trustworthiness of the service provider’s personnel

The policy objective can be phrased in a technologically neutral manner (i.e. without imposing specific requirements) as has been done in the functional requirements translation table. However, if regulators want to align on the required qualifications, background check and/or duty of confidentiality and secrecy, then this requires harmonisation. Resulting requirement: coordination between legislators, regulators or supervisors to establish and mutually recognise any required qualifications, background check and/or duty of confidentiality and secrecy.

The complexity stems from the fact that these requirements do not follow a one-size-fits-all model where a single security standard, certification, authorisation etc. could be applied across all industries in a homogeneous way. In practice, it can only be established on a sector-by-sector basis, where any pre-existing legal frameworks and cooperation platforms can be leveraged to facilitate harmonisation and mutual recognition. This does not necessarily imply that a free movement of data principle could only be implemented through a purely vertical (sector specific) approach. Indeed, it is perfectly possible to introduce a generic free movement of data rule in a horizontal initiative, e.g. through a legal instrument that scopes the right as applying to the data processing activities of any services in the sense of the Treaty, and indicating that exceptions are only permissible if they are objectively justified by an overriding reason relating to the public interest, and that they are proportional in the light of this public interest objective. The sector specific element implies however that, beyond this horizontal intervention, sector specific coordination mechanisms – e.g. via national regulators or national expert groups – are necessary to address the practical implications of this right. In other words: the statement of the free movement of data can and should be done horizontally, but it should be acknowledged that implementing measures – agreeing on harmonised security requirements, data formats, access mechanisms etc. – will need to be organised at the sector specific level. This too is not new: the Services Directive contained both an administrative cooperation obligation between Member States (Chapter VII) and permitted the creation of a convergence programme (Chapter VIII) through codes of conduct “particularly by professional bodies, organisations and associations”. A similar approach could be applied to address sector specific concerns.

In practice therefore, the process requires a three-step approach: when data falls within the scope of the free movement of data, a Member State would have to:

- Screen its legislation to determine whether it has introduced any requirements (either directly or via any competent regulators or supervisors) that impact the free flow of data (comparable to the administrative simplification duty imposed upon the Member States by the Services Directive);
- If so, to simplify the requirements by translating them into functional requirements based on the principles set out above;
- And if the resulting functional requirements result in specific technical or operational requirements, to coordinate with other Member States in order to harmonise and mutually recognise these technical or operational requirements.

It is possible that these steps would be implemented slightly differently by the Member States, depending on national sensitivities and local markets. However, a shared statement of the principle would seem to be particularly useful to communicate clearly to legislators and regulators (including professional bodies, organisations and associations) that the free flow of data is the standard rule and expectation in the digital single market, and that exceptions should be objectively necessary and proportionate. The outcome of the process thus is not necessarily the removal of any technical or organisational requirements, but rather to ensure that these are harmonised across the Member States wherever possible. In the absence of this approach, service providers can be subject to overlapping, duplicate or contradictory requirements, creating compliance costs that are particularly hard to bear for SMEs. By way of example, Figure 5 in section 2.3.2. identified 7 sets of legal sources containing requirements for IT providers in the financial industry. These are highly similar but not identical, and there is no clear mutual recognition mechanism between the national regulators, implying that an IT provider targeting this industry needs to assess on a country-by-country basis which certifications, accreditations and authorisations it needs. This can be resolved either by harmonising the relevant requirements, or by mutual recognition. This is done for financial data on a voluntary basis by some regulators: the Austrian and Belgian reports explicitly mention the role of cooperation agreements between regulators, and the Dutch regulator publishes and maintains a ‘whitelist’ of service providers which have been found on the basis of prior examination and dialogue to be permissible for financial data. Expanding this approach to cover Member States equally and to incorporate other industries – legal services, health care, accounting, gambling, etc. – would be a key way to implement this recommendation on the basis of existing good practices.

5.4 Summary – key requirements and recommendations

Summarising the recommendations above, two key steps should be taken in order to eliminate unjustified restrictions to data location. The first step is scoping the free movement of data, by outlining clearly where the free movement of data applies and where it does not. Materially, this should be done by only permitting the Member States to implement legal requirements in relation to services (as defined in the Treaty and the Services Directive) that affect the free flow of data to the extent that these requirements are objectively justified by an overriding reason relating to the public interest, and that they are proportional in the light of this public interest objective. This can be done in several ways:

- Policy option 1 is to establish the free movement of data purely through the strict application of the Treaties, Services Directive and e-Commerce Directive. This implies no new legal instrument, but requires that Member States are reminded of the impact of the present legal framework on their data location requirements. The effectiveness of this measure is however dependent on the infringement process, which is relatively time consuming and resource intensive.
- Policy option 2 is the creation of a new horizontal legal instrument, such as a Directive or a Regulation, establishing the free movement of data as a principle, and outlining the requirements and process for Member States to implement exceptions. This allows a more tailored and homogeneous approach, since the scoping and principles set out above can be integrated directly, rather than depending on an interpretation of the existing rules; for this reason, it is the favoured option of the study team, which also seemed to be favoured by a majority of the participants in the project workshop.
- Policy option 3 is the non-regulatory scoping of the free movement of data through policy recommendations and best-practices based coordination between the Member States. While this option is conducive to encouraging communication, it may be seen as too weak to make quick progress, and may not have the same impact on the market as a regulatory statement of the principle of free movement of data.

The second step is then of course the implementation of the free movement of data. As described above – and irrespective of the chosen policy option – this must be done through three sub steps:

- Member States must screen their legislation to identify any requirements that might run afoul of the free movement of data (which can of course build on the findings of the present Study);
- Simplify any identified requirements by translating them into functional requirements;
- Coordinate with other Member States and with other representatives (including professional bodies, organisations and associations) in order to harmonise and mutually recognise any technical or operational requirements that cannot be phrased in a technologically neutral manner.

In this manner, the importance of the free movement of data as a core principle of the digital single market could be more clearly highlighted and supported at the policy level, in line with the Commission’s objectives on this point.



6. Annexes 6.1 Annex I: Table of Regulatory data location restrictions Country

Data type

Source (title of law/ regulation or (policy or regulatory decision

Austria

Health data, patient records

Gesundheitstelematikgesetz (GTelG 2012), BGBl. I Nr. 111/2012 (Federal Act on Data Security Measures when using personal electronic Health Data or Health Telematics Act 2012), § 6, 14 and 20

Austria

Financial data

Bundesgesetz über die Beaufsichtigung von Wertpapierdienstleistungen, BGBl. I Nr. 60/2007 Latest amendment: BGBl. I Nr. 117/2015 (Federal Act on the Supervision of Securities), Art. 25, 26 Specified by the Austrian national regulation Auslagerungsverordnung, BGBl. II Nr. 215/2007, latest amendment: BGBl. II Nr. 272/2011

Restriction imposed on providers / users / data Health sector

Direct or indirect

Summary of restriction

Indirect

The law defines certain requirements for the storage of patient data. It specifically refers to storage of information in the cloud. According to §6, state-of-the-art encryption has to be applied when storing patient data in the cloud. The provider of the ELGA (electronic health record) has to be authorized to use health records according to § 14. Furthermore, storage has to be in line with data storage specifications, as specified by the Austrian Ministry for Health in regulation (see §28). The storage facilities have to be in the territory of the European Union.

Companies in Austria that are authorized to provide financial services (securities/bonds/in struments/stocks/et c)

Indirect

Article 25 of the Federal act on supervision of securities stipulates that special attention has to be paid when using third-party subcontractors for providing financial services in order to minimize business risks. When outsourcing tasks, it has to be ensured that the control mechanisms by the Austrian financial market supervision authority (Finanzmarktaufsicht, FMA) are not hindered. Due diligence has to be applied when outsourcing. Written contracts with the subcontractor have to be in place. Article 26 specifically deals with outsourcing to a foreign country (‘Drittland’). In addition to Article 25, the subcontractor has to be officially registered for the financial activities in the foreign country (1), and there has to be a cooperation agreement between the FMA and the foreign country. It must be noted that strictly spoken this is not a restriction to the free flow of data, assuming that with ‘foreign country or ‘third country’ (‘Drittland’) is meant ‘each country, which is not part of the European Economic Area’ as defined in § 2 of the Banking Act. This interpretation of ‘Drittland’ with regard to the Federal act on supervision of securities, is confirmed by the Austrian authorities. However, it can be argued that it will be very difficult for a citizen to trace this definition, as a trail of steps needs to be followed, via the Wertpapieraufsichtgesetz (WAG 2007), which


Cross-border data flow in the digital single market: study on data location restrictions

Austria

Accounting data

Austria

Public data, public sector information

Bundesgesetz über allgemeine Bestimmungen und das Verfahren für die von den Abgabenbehörden des Bundes, der Länder und Gemeinden verwalteten Abgaben (Bundesabgabenordnung - BAO), original version: BGBl. Nr. 194/1961, latest amendment: BGBl. I Nr. 163/2015 (Federal Act on the General Principles and Procedures for the Regulation of Taxation as administrated by the Federal Government, the State Governments and the Municipalities (Regulation of Taxation Code, BAO). Bundesgesetz über besondere zivilrechtliche Vorschriften für Unternehmen (Unternehmensgesetzbuch, UGB), Austrian Commercial Code, original version: dRGBl. S 219/1897, latest amendment: BGBl. I Nr. 163/2015. Bundesgesetz über die Bundesrechenzentrum GmbH (BRZ GmbH), Federal Act on the Federal Computing Centre (BRZ) Original version: BGBl. Nr. 757/1996, latest amendment: BGBl. I Nr. 71/2003. Bundesgesetz, mit dem IKT-Lösungen und IT-Verfahren bundesweit konsolidiert werden (IKT-Konsolidierungsgesetz , IKTKonG), Federal Act on the

118

All companies that have to keep books

Indirect

Users (public sector), providers

Indirect

(SMART 2015/0054)

refers to the BörseGesetz, which in turn refers to § 2 Bankwesengesetz (BWG; Banking Act). This can contribute to legal uncertainty. According to Article 131 BAO, the act on federal taxes and duties, financial recordings may be kept abroad. However, upon request of the authorities, they have to be brought to the national territory in a reasonable period of time. According to Article 216 of the Austrian Commercial Code (UGB), books may also be kept in electronic format. However, whoever is responsible for keeping the books has to ensure that the data is readable and – if necessary - to make available a number of records that are readable without support tools.

ICT tasks and duties with respect to the development, maintenance and operation (incl. hosting) are assigned by law to the Austrian Federal Computing Centre (BRZ). The statutory duties are listed in Article 2 of the Bundesrechenzentrum GmbH Gesetz. The list includes i.a. IT support in the areas of unemployment, Austro Control (aviation), banking, disabled persons, insurance supervision, health, finance, and others; According to Article 4 of the ICT Solution Consolidation Act, the BRZ has to be used as a subcontractor by governmental bodies before initiating a public procurement process, if their offer is in line with the market.


Cross-border data flow in the digital single market: study on data location restrictions

Belgium

Financial data, particularly data which is subject to supervision by national regulators

Belgium

Public data, b,asic identity registers, particularly official records in relation to Belgian residents.

Belgium

Tax data

119

Consolidation of ICT Solutions and IT Processes (ICT Consolidation Act), original version: BGBl. I Nr. 35/2012. Circulaire PPB 2004/5 over gezonde beheerspraktijken bij uitbesteding door kredietinstellingen en beleggingsondernemingen / Circulaire PPB 2004/5 sur les saines pratiques de gestion en matière de sous-traitance par des établissements de crédit et des entreprises d’investissement (Circular PPB 2004/5 on healthy management practices in outsourcing by credit institutions and investment companies), issued by the Belgian Banking, Finance and Insurance Commission on 22 June 2004.


Credit institutions, banks and insurance companies

Indirect

The Circular permits cross-border outsourcing of financial data and services, but requires that it remains subject to effective supervision. It notes that this is not problematic in the EEA as the regulator will be able to work with other regulators in other countries. Outside the EEA, the same applies in principle, but only if comparable supervision exists, and if there are no restrictions for the regulator to engage in information exchange and cooperation with competent authorities. The regulator will assess whether these conditions are met on a case-by-case basis, implying that cross-border outsourcing requires a direct dialogue with the regulator. Finally, for outsourcing to a service provider who is not subject to any supervision, the outsourcing institution must first consult and confer with the regulator.

Wet van 8 augustus 1983 tot regeling van een Rijksregister van de natuurlijke personen / Loi de 8 août 1983 organisant un registre national des personnes physiques (Law of 8 August 1983 regulating a National Register of natural persons), Articles 4 ter, 5, 8 § 1 and § 2 and Article 14.

Any party that wants to access or use information from the National Register

Indirect

The law identifies the Minister of Foreign Affairs as the competent authority to maintain the Register (Article 4), and notes that an authorisation is required to access any part of the Register which is granted by law or by a specific committee of the data protection authority (Article 5). The same applies to the National Register Number, which is the identification number assigned to each lawful and permanent Belgian resident: it may not be used without prior authorisation, granted by law or by the aforementioned committee.

Income Tax Code 1992 (Code des

All taxpayers

Indirect

The final paragraph of Art. 315 of the Income Tax Code states that all taxpayers are required to present tax authorities, at their request, and without transportation, with



impôts sur les revenus 1992, aka CIR 92) and subsequent amendments, Article 315.

Bulgaria

Health data, particularly any information that has been collected with respect to the physical and/or mental condition of patients.

1. Закон за здравето (Health Act; promulgated on 10 August 2004, last amendments in force as of 1 January 2016), Art. 27, 28. 2. Кодекс за професионална етика на лекарите в България обн. - ДВ, бр. 79 от 29.09.2000 (Professional Ethics Code of Doctors in Bulgaria, issued by the Ministry of Healthcare; promulgated on 29 September 2000, last amendments as of 28 September 2013), Art. 51, 52. 3. Наредба № 41 от 21.12.2005 г. за утвърждаване на „Медицински стандарти по обща медицинска практика“ (Medical Standards on General Medical Practice, issued by the Ministry of Healthcare; promulgated on 3 January 2006, last amendments in force as of 28 June 2011), Art. 4.1, 4.2. 4. Национален рамков договор за медицинските дейности между


All health establishments, any medical personnel (incl. doctors, dentists and health care medical specialists, as well as other medical specialists), pharmacists, any person working within the national healthcare system, the National Health Insurance Fund (NHIF) and its regional health insurance funds.

Indirect


any books and evidentiary documents needed to establish the amount of taxable income. Note that this is a separate requirement from invoice storage rules, which state (in accordance with EU law) that they can be stored anywhere in the EU, conditional on their accessibility to tax authorities. The rule of Art. 315 is broader, relating not just to invoices but to any books and evidentiary documents needed to establish the amount of taxable income.

The provision of health information to any third person by any of the authorised parties is prohibited, except in explicitly provided cases. These parties are obliged to secure the information from unauthorised access. It is further provided that doctors can store patient records electronically, as well as on paper. Each practice is obliged to store patient records on paper in specialized filing cases in special files within the practice (binding medical standards). Access to these files should be restricted. Further, the National Framework Agreement with the NHIF (which concerns the provision of medical services funded by the NHIF) explicitly requires the medical specialist to keep a hard copy of the medical documents in his/her consulting room. Since there are no specific rules on electronic records, a risk exists that the above requirement for keeping the records (physically) within the practice could be considered literally applicable to electronic records as well. Health establishments and doctors are also obliged to file electronic reports containing health information with the NHIF on a monthly basis. Finally, with regard to doctor-patient privilege, doctors are obliged not to disclose any health information, as well as other information they have obtained from their patients.



Министерство на здравеопазването, Националната здравноосигурителна каса и Българския лекарски съюз за 2015 г. (National Framework Agreement on Medical Activities, concluded by the National Health Insurance Fund and the Bulgarian Medical Association; promulgated on 23 January 2015, last amendments in force as of 1 January 2016), § 158, 2, I, 6.

Bulgaria


Privileged data, any data which has been provided to the lawyer, including financial, health, tax, income information, emails, etc.

Закон за адвокатурата (обн. - ДВ, бр. 55 от 25.06.2004 г.; изм. и доп., бр. 97 от 07.12.2012 г.), Bar Act (promulgated on 25 June 2004, last amendments as of 7 December 2012). Етичен кодекс на адвоката (приет с Решение № 324 от 8 юли 2005 г. на ВАС (Обн., ДВ, бр. 60 от 22.07.2005 г.; изм. и доп., бр. 43 от 08.06.2010 г.), Professional Ethics Code of Lawyers (promulgated on 22 July 2005, last amendments as of 8 June 2010).

lawyers

Indirect

Lawyers are obliged to keep the confidentiality of any information they have obtained from their clients indefinitely. Such information can be disclosed only if such a disclosure is necessary before a court in connection with an ongoing dispute with the client. Such information shall be kept confidential by any and all of the lawyer’s staff and any other person who is involved in his professional duties. Further, all of the lawyer’s papers, records, electronic documents, computer equipment and other information media are inviolable and cannot be reviewed, copied, examined or be subject to a seizure. The above rules generally ensure the highest level of protection of the confidentiality of the lawyer’s information. Also, they do not seem to explicitly prohibit the storage or transportation of this type of information. However, it is unclear how this protection may apply to a lawyer’s information stored by an external service provider (for example, a cloud service provider) who is not subject to protection against any review, copy, examination or seizure of information. Thus, in practice, it could be considered that if a lawyer uses an external service provider for the storage and/or transportation of his confidential information and is aware that such service provider cannot prevent eventual seizure by state authorities of this information, the lawyer does not comply with his confidentiality obligation.



Bulgaria

74

Accounting data, information on primary (e.g. electronic invoices and other electronic documents) and secondary (e.g. company records – balance sheets, annual accounts, etc. stored electronically) accounting documents, as well as accountancy books (ledgers) in electronic form.

Закон за счетоводството (обн. ДВ, бр. 95 от 08.12.2015 г., в сила от 01.01.2016 г.), Accounting Act (promulgated on 08 December 2015, in force as of 01 January 2016); Закон за данък върху добавената стойност (обн., ДВ, бр. 63 от 4.08.2006 г., в сила от датата на влизане в сила на Договора за присъединяване на Република България към Европейския съюз, изм. и доп., бр. 95 от 08.12.2015 г., в сила от 01.01.2016 г.), Value Added Tax Act (promulgated on 04 August 2006, last amendments in force as of 01 January 2016). Данъчно-осигурителен процесуален кодекс (обн., ДВ, бр. 105 от 29.12.2005 г., в сила от 01.01.2006 г.; изм., бр. 13 от 16.02.2016 г., в сила от 15.04.2016 г.), Tax and Social Insurance Procedure Code (promulgated on 29 December 2005, last amendments in force as of 15 April 2016).

Enterprises and taxable persons

Indirect


Under the Accounting Act invoices and other accounting information shall be stored (footnote 74) on paper and/or technical medium within the respective entity for a specified period of time for the different types of accounting documents or in private third party archives. This includes electronic invoices and accounting registers held electronically (different types of software products). Under the Value Added Tax Act (VATA) taxable persons must guarantee the integrity and authenticity of electronic invoices for the whole legally required period. When electronic invoices are stored by electronic means, taxable persons are required to provide electronic (online) access to invoices stored by electronic means. Such access shall be provided to the competent authorities when the taxable person has establishment on the state’s territory, as well as when the person is not established on the state’s territory, but the tax has to be charged in Bulgaria; and to the competent authorities of the Member State in which the tax is chargeable - when the person has establishment on the state’s territory, but the tax is chargeable in another Member State.

According to the Bulgarian authorities, 'in the enterprise' is interpreted by tax authorities as physical location for accounting information on paper and electronic access for digital accounting information. But being an interpretation, it could contribute to legal uncertainty.


Bulgaria

Data, related to gambling services

Gambling Act, promulgated, State Gazette, No. 26/30.03.2012, lastly amended and supplemented, SG No. 1/3.01.2014, effective 1.01.2014, article 6(4).

Gambling providers

Croatia

Public data, information in any public registry - in particular personal data pursuant to the Personal Data Protection Act (e.g. health data records, basic identity registers, judicial data, etc.)

Zakon o državnoj informacijskoj infrastrukturi, Narodne novine br. 92/2014, Law on the State Information Infrastructure, Official Gazette of Republic of Croatia no. 92/2014 passed on July 15, 2014 and Regulation on Organizational and Technical Standards for Connecting to the State Information Infrastructure, Official Gazette of Republic of Croatia no. 103/2015.

Public bodies, sector

Health data, patient records and records

1. Act No. 372/2011 Sb. (Medical Services Act); 2. Ministerial Decree No. 98/2012 Sb. (Medical Records Filing);

Patients, Healthcare services providers (employers and

Czech Republic


service

Direct

The law states that “The organizer shall have to ensure storing of all data in relation to offering gambling services in the territory of the Republic of Bulgaria, including registration and identification of patrons, wagers made, and winnings paid out. Storing of information shall be on data storage equipment (control local server) located in the territory of the Republic of Bulgaria according to a procedure and in a manner as set forth in the ordinance under para. 1, item 4. The data shall be stored in the way they were created for a term of 5 years after the expiry of the term of limitation for repayment of the public liabilities related to these data.”

sector ICT

Direct

According to the Law on the State Information Infrastructure, public registers are stored in data centres that are located on the territory of the Republic of Croatia, and that meet the requirements prescribed by Regulation on Organizational and Technical Standards for Connecting to the State Information Infrastructure (Article 12).

indirect

Patient records are required to be stored in the National Health Registry, a public sector information system; the law does not provide for a possibility of data transfers outside of this system (the only exception is statistical data). The storage of data is not regulated by the Medical Services Act and thus it is a matter of particular

the



processed in the National Health Registry

3. Recommendation No. ZD03/94 (on security of information systems in healthcare).

employees)

Czech Republic

Financial data, in particular bank related information

1. Act No. 21/1992 Sb. (Banking Act), § 37 para 2, 38 2. Decree No. 163/2014 (due diligence in banking and other financial services), especially its Annex No. 7 (specific requirements for risk management in case of outsourcing), §37(k), 47-52.

All banks

Indirect

The Banking Act lays down basic rules of bank secrecy. It is not specifically focused on data storage, but it gives an exhaustive list of cases when banking data falling within the scope of banking secrecy (i.e. client data) can be made available to third parties. A contrario it implies that any other form of use of such data is prohibited. Decree No. 163/2014 Sb. contains a set of particular compliance provisions for banks and other financial institutions. Its Annex 7 is focused on risk management in case of outsourcing. It contains general risk management requirements for all kinds of outsourcing, so it is not specifically targeted at ICT or data processing. There are particular limitations and duties as to the content of outsourcing agreements for data processing, but they only contain a requirement for the inclusion of stipulations regarding data security. Paragraphs 47-52 include only general security requirements without mentioning any particular rules.

Czech Republic

Judicial and privileged data, client records processed by solicitors

Act No. 141/1961 Sb. (Code of Criminal Procedure) § 85b, subsequently Act No. 85/1996 Sb. (Advocacy Act); Decision No. Nt 615/2014 (Municipal Court in Prague, 9. 7. 2014); Opinion of the Supreme Court No. Tpjn 306/2014, publ. as 35/2015 Sb. tr. Rozh.

Solicitors

Indirect

The provision of the Advocacy Act lays down confidentiality obligations of solicitors with regards to client communications. The provision of the Code of Criminal Procedure lays down the attorney-client privilege, i.e. it restricts law enforcement bodies from being able to search and seize data that are processed by solicitors about their clients. In case of need to use such data in criminal investigation, the Police or the Public Prosecution Office has to turn first to the Bar Association for permission. If that permission is not granted, it is possible for the court to overrule and to grant a special permission for search and seizure. The Decision was made in a case when a search warrant was asked for client data that were stored by a solicitor. The storage was outsourced in a cloud that was physically located outside premises of the solicitor. The court held that when data is physically located outside premises officially used by the solicitor (e.g. in a delocalized cloud), they are not protected by attorney-client privilege. As a result, the Police or state Prosecution Service might obtain just a simple warrant (not the special warrant required for search and seizure of solicitor premises) in order to get that


contractual requirements laid down in the process of public procurement of respective services. General restrictions on processing of sensitive personal data can be applied.



data. The opinion No. Tpjn 306/2014 stated that the place of performance of advocacy (i.e. the place where attorney-client privilege applies) is not limited only to physical premises of the solicitor but it extends also to logical document storage spaces incl. cloud services.

Denmark

Public data, basic identity registers

Bekendtgørelse af lov om Det Centrale Personregister (Civil Register Act), Chapter 14 §55.

Ministry of Economic Affairs and the Ministry of the Interior

Indirect

The law identifies the Ministry of Economic Affairs and the Ministry of the Interior as the competent authorities to maintain the Register, in coordination with the municipalities (§ 2). They are charged with ensuring that the necessary measures are taken to permit the disposal or destruction of CPR in specific conditions (§55).

Patients, providers of health care

Indirect

Disclosure of patient information electronically through nationwide information services. Patient data may be used in intended nationwide information services

Finland


Health data, particularly

9.2.2007/159, Laki sosiaali- ja terveydenhuollon asiakastietojen



patient records

sähköisestä käsittelystä (Law on electronic processing of client data within social and health care, issued by decision of the Finnish Parliament on 1 July 2007), § 10.

services, and services organizing and providing health care for the patients.

Germany

Health data, patient records and in particular x-ray imagery.

(Muster-) Berufsordnung für die in Deutschland tätigen Ärztinnen und Ärzte (“MBO-Ä“) ((Model) Professional Code for doctors working in Germany). (Federal regulation in conjunction with recommendation).

All physicians in Germany, unless particular rules apply (e.g. for dentists, veterinarians, psychiatrists, pharmacists).

Indirect

Physicians can comply with documentation obligations by using electronic storage devices, but are obliged to implement specific data security measures. In that regard, recommendations of the Associations of Physicians need to be taken into account.

Germany

Company data

Handelsgesetzbuch (The German Commercial Code), § 257 III. (Law / federal legislation).

All merchants to which the HGB (trade law) applies. All companies subject to trade law (which is the vast majority).

Indirect

The company records listed in sub-paragraph 1 of this provision can be kept electronically on video or data medium (such as a CD-ROM or a hard drive), with the exceptions of opening balances and annual balance sheets, if this is in line with standards of good bookkeeping and authenticity and availability of the electronically stored documents are ensured.

Germany

Tax data

Abgabenordnung (Procedural rules for accounting and records), § 146 AO and § 147 (federal legislation).

All natural and legal persons obliged to keep tax records.

Direct

§ 146 AO provides for an obligation to keep the records required for tax declaration within Germany, with the exception of companies active in foreign countries and complying with local tax law on records. Tax records can be kept electronically outside of Germany if the tax authority gives permission on application by the subject. The permission can (not: has to) be given, if the subject provides the authority with the location of the data centre and access to the data in accordance with § 147 VI AO remains fully possible (§ 147 VI AO grants


provided only to other providers of health care services for organizing and providing health care for the patient. These services must obtain attestations of conformity at the national level, and must adhere to nationally defined interoperability requirements.



tax authorities full access to the data for control purposes). According to § 147 II AO certain records may not be kept electronically (e.g. annual balance of accounts).

Germany

Public data, real estate related registry information

§ 126 III Grundbuchordnung (federal legislation).

All parties (potential cloud processors) from the private sector and all non-German (be it from the private or from the public sector) parties.

Indirect

The restriction excludes outsourcing of data processing to any entity other than the state or legal persons under public law (such as the communities). This excludes all entities from the private sector explicitly, and most likely must be read as all entities outside Germany (as public entities of other member states are not explicitly mentioned, and systematically not meant by this provision). A fortiori this should also exclude all cloud providers which are not only processors, but controllers themselves.

Greece

Public data, social security and medical data

Νόμος 3892/2010 (ΦΕΚ 189 Α’) Ηλεκτρονική Καταχώρηση και Εκτέλεση ιατρικών συνταγών και παραπεμπτικών ιατρικών εξετάσεων. (Law No 3892/2010 (FEK 189 Α’) Electronic Registration and Execution of medical prescriptions and referrals for medical examinations), Art. 6 § 1; 2; 5.

Pharmacists and social security institutions

Indirect

The General Secretariat for Social Security shall establish and operate the electronic prescription database. The database operates under the supervision of two special departments of the General Secretariat of Social Security. Vector "eGovernment Social Security" IDIKA SA maintains and preserves the databases of electronic prescription on behalf of the General Secretariat for Social Security. The General Secretariat of Social Security and IDIKA SA take all appropriate and proportionate measures for the security of infrastructures and information systems and data protection.

Hungary

Public data, information held by public bodies

2013. évi L. törvény az állami és önkormányzati szervek elektronikus információbiztonságáról

All Hungarian and non-Hungarian service providers who may provide cloud services in the governmental sector.

Direct

The Information Security Act expressly specifies a list of entities, and requires that any data controlled by these entities can only be operated in an IT system in the territory of Hungary. Such entities are, for example, autonomous administrative bodies (e.g. Public Procurement Authority, Equal Treatment Authority, Hungarian Competition Authority, National Authority for Data Protection and Freedom of Information, National Election Office, ministries, independent regulatory authorities (National Media and Communications Authority, Hungarian Energy and Public Utility Regulatory Authority), public administrative bodies established by an act and directed by the Government (Central Statistics Office, National Office of Atomic Energy, Hungarian Intellectual Property Office, National Tax and Customs Administration), security forces (Police, prison service, civil security services), State


Act L of 2013 on Electronic Information Security of State and Municipal Bodies (“Information Security Act”) adopted by the Hungarian Parliament on 25 April 2013.



2010. évi CLVII. Törvény a nemzeti adatvagyon körébe tartozó állami nyilvántartások fokozottabb védelméről, Act CLVII of 2010 on National Data Assets (“Data Assets Act”), adopted by the Hungarian Parliament on 22 December 2010.

Ireland

Ireland


Financial data

Tax data


Audit Office, Hungarian National Bank, Courts and National Office for the Judiciary, Governmental offices of Hungarian counties and Budapest etc. The relevant authority (now it's the National Electronic Information Security Authority) may approve that a listed entity transfers the operation of an IT system to another EU Member State. The Information Security Act also provides that specific registries which serve as a fundamental basis for the Hungarian public administration and are considered to be authentic by law (“national data assets” – as defined in the Data Assets Act) can only be processed in an IT system in the territory of Hungary.

Chapter 2 of the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1))(Investment Firms) Regulations 2017 [‘the Central Bank Investment Firms Regulations’]

Collective Investment Undertakings

Notice from the Revenue Commissioners published in Iris Oifigiuil (Official Journal), 27 January 2012, drawn up in exercise of powers conferred on them by s.887 of the Taxes Consolidation Act 1997 (substituted by s.232 of the Finance Act 2001) (Regulatory Regulated Act).

Companies

Indirect

For a given registry, the data controller authority (as appointed by law) may not decide freely about the identity of the data processor. Most of the data controllers have to use a specific data processor. In the other cases, the data controllers can decide between either carrying out all data processing themselves or outsourcing it, but if they decide to outsource, the data processor has to be either an administrative body or a fully state-owned company. The Minister for National Development may give individual exemptions.

The restriction permits outsourcing of certain activities only under strict conditions. For example, the Central Bank needs to be able to conduct inspections at the outsourcing service provider’s premises. There is no specification on the need for inspections to be “on-site”. The Central Bank Investment Firms Regulations are issued by the Central Bank under the powers granted by the Central Bank (Supervision and Enforcement) Act 2013.

Indirect

Subject to the time limits governing the keeping of records, records must be accessible to inspection by a Revenue official at all reasonable times. All electronically stored records must be accessible to a Revenue official in paper or electronic form. The method of delivery and the format of the electronic record required by the Revenue official shall be specified by the Revenue official at the time the records are being requested. Where new computer systems or applications are introduced the person to whom the records relate must ensure that the old systems and/or applications are maintained for such period as ensures that the records are retained for the minimum period required by the Acts unless specific approval has been obtained from Revenue to discontinue support for the old systems and/or



applications. While Revenue do not mandate how or where records should be stored and there is no requirement that the records be stored in the State, this requirement may (indirectly) impact the choice of a new storage system.

Luxembourg

Luxembourg

Financial data, particularly data which is subject to supervision by national regulators

Circular CSSF 12/552 on central administration, internal governance and risk management, as amended by Circulars CSSF 13/563 and CSSF 14/59, issued by the Luxembourg Supervisory Commission of the Financial Sector (Commission de Surveillance du Secteur Financier CSSF), Section 5.2.3, Sub-section 7.4.2.1, Sub-section 7.4.2.3.

Credit institutions, banks and insurance companies

Public data, business registers

19 décembre 2002. – Loi concernant le registre de commerce et des sociétés ainsi que la comptabilité et les comptes annuels des entreprises et modifiant certaines autres dispositions légales (19 December 2002. - Law concerning the register of businesses and companies, and concerning accounting and annual accounts of companies, modifying certain other legal provisions), Article 2.

The Ministry of Justice, the CTIE, and the RCSL

23 janvier 2003. – Règlement grand-ducal portant exécution de la loi du 19 décembre 2002 concernant le registre de


Indirect

The Circular does not require all infrastructure and all data to be stored in Luxembourg, but rather emphasizes that the IT functions of institutions must be effectively protected, which can best be done “in premises at its disposal in Luxembourg”. This is however not a requirement that impedes delocalized storage; storage outside Luxembourg is permitted under strict safeguards and preconditions that protect the confidentiality of banking data. Broadly summarizing, outsourcing of IT infrastructure is permitted, but should either be to a party (a PFS) licensed in Luxembourg, or to an internal entity of the outsourcing party’s group after prior informed consent is obtained.

Indirect

The law identifies the Ministry of Justice as the responsible entity for the business register, but designates a specific grouping (the RCSL, comprised of the Ministry, Chamber of Commerce and Chamber of Artisanal Professions) as the manager of the Business Register, with offices in the communes of Luxembourg and Diekirch. The Regulation in turn ensures that the files of this Register can be kept digitally, and notes in Article 14 that the underlying database must be held by the Centre for ICT of the State (Centre des technologies de l’information de l’Etat – CTIE http://www.fonction-publique.public.lu/fr/structureorganisationnelle/ctie/index.html). Any modifications of data must be done by the CTIE, which is also responsible for its storage for a period of 20 years after any business entity has been struck from the Register.



commerce et des sociétés ainsi que la comptabilité et les comptes annuels des entreprises (23 January 2003. – Grand Ducal Regulation relating to the execution of the law of 19 December 2002 concerning the register of businesses and companies, and concerning accounting and annual accounts of companies), Articles 1er, 2, 2 bis, 10, 13, 14, 15, 23.

Netherlands

Health data, patient records

Royal Dutch Society for the promotion of Health Care – Guidelines on the handling of medical records, issued by the KNMG in January 2010 (Koninklijke Nederlandsche Maatschappij tot bevordering der Geneeskunst (KNMG) - Richtlijnen inzake het omgaan met medische gegevens).

All healthcare providers

Indirect

Credit institutions, investment

Indirect

GBZ-requirements for software providers from the Association of Care providers for Care communication (Goed Beheerd Zorgsysteem) -eisen voor softwareleveranciers van de Vereniging van Zorgaanbieders voor Zorgcommunicatie – VZVZ).

Netherlands

Financial

Circulaire cloud computing

The barrier emerges from a set of specific guidelines explaining the scope and impact of the Medical Treatment Contracts Act. These guidelines were issued in the framework of the much discussed electronic patient records plans in the Netherlands. Those plans envisage local storage only of patient records, and permit exchanges between these local systems with the patient’s consent. The guidelines above were issued in the context of the older planned exchange system, the nationwide EPD (landelijk EPD), which has since been replaced by the National Switchpoint (Landelijk Schakelpunt – LSP), which is under the control of the Association of Care providers for Care communication (Vereniging van Zorgaanbieders voor Zorgcommunicatie - VZVZ). The guidelines however remain applicable, since they emphasize the split between storage in local care information systems under the control of a doctor or hospital, and the exchange mechanism; neither of these points has changed, and the guidelines have not been withdrawn, amended, clarified or replaced. The guidelines refer to the Medical Treatment Contracts Act (Wet op de geneeskundige behandelingsovereenkomst), which requires health care providers to maintain medical records and to ensure their security and confidentiality. However, while health care providers have to safeguard the privacy of the data, the legislation actually contains no binding restrictions with respect to storage or transfer of data, in the sense that it does not permit or forbid external storage. It does however require health care providers to ensure that no third parties (other than assisting health care providers) can get access to the records without the patient’s consent (Article 457) except in the case of statistical or scientific research under certain conditions (Article 458).

The Circular permits cross border use of cloud computing for banking data which is subject to prudential supervision, but requires that it remains subject to effective

Netherlands

75

data, particularly data which is subject to supervision by national regulators.

Public and government data, in

2011/643815 van de Nederlandsche Bank

Circular cloud computing 2011/643815 from the Nederlandsche Bank Issued by the Dutch financial supervisor (Nederlandsche Bank) on 6 December 2011 See http://www.toezicht.dnb.nl/binarie s/50-224828.pdf Ministerie van Binnenlandse Zaken en Koninkrijksrelaties - Kamerbrief over cloud computing, Ministry of

companies, banks and insurance companies

The entirety of the national public

(SMART 2015/0054)

supervision. This requires a risk based assessment from the outsourcing party, and the conclusion of a contract that allows the supervisor to conduct local audits (or to have these conducted by a third party), an obligation for the cloud provider to provide information to the supervisor upon request, and the right of the outsourcing bank to implement changes in the execution of the services agreement with the 75 cloud provider, including appropriate termination clauses. A subsequent circular has been issued on the right to examine, indicating a series of cloud providers with whom the supervisor has been able to determine that it will have appropriate examination rights. The list is accessible online.

Direct

The letter is an early statement of the Dutch government’s position on cloud computing, announcing its intention to establish a closed national cloud (Rijkscloud), and noting that “a strict requirement is that the data remain in the Netherlands and

The Dutch Central bank has reported in this regard that the Circular does not include any explicit data location requirements and in terms of effective oversight and enforcement the DNB does not differentiate between data stored within or outside the Netherlands. The Circular addresses the risk that financial enterprises are unaware of where the data has been stored and how it is processed in relation to oversight and enforcement. The central idea is that cloud computing is seen as an outsourcing issue and that according to article 3:18 of the Law on financial oversight (Wet op financiëel toezicht) the financial enterprise is still responsible for compliance with regard to the outsourced activities (including where the data is stored and how it is processed).

131


Cross-border data flow in the digital single market: study on data location restrictions

Poland

Portugal

76

particular public sector data of a confidential nature.

Internal Affairs and Kingdom Relationships – Chamber letter on cloud computing, Issued by the Minister of Internal Affairs and Kingdom Relationships, M. Donner, on 20 April 2011

Data related to gambling services

Gaming Law of 19 November 2009, Art. 16d.

Financial data, information subject to supervision of the Banking

Aviso do Banco de Portugal n. 5/2013 (Regulation of the Bank of Portugal implementing Article 39(1) of Law No 25/2008 of 5 June concerning the required conditions,

sector

that security is adequate for all participants, and can be addressed at a level which is acceptable for the selected applications”, and that “in relation to information security, the ‘open’ cloud outsourcing of ICT services, or the storage of information 76 outside the Netherlands, implies risks that cannot yet be appropriately covered.”

Direct

The law requires that “the entity which organises betting via the Internet shall archive all the data exchanged between itself and a participant of betting in real time on a data archiving device located within the territory of the Republic of Poland, including the data which make it possible to determine the course and results of betting and transactions carried out under betting and data necessary to identify a 77 participant of betting."

Indirect

The Bank of Portugal has competence to do inspections in any premises of financial institutions or of third parties being used to the exercise of the activity of financial institutions, with the power to demand the presentation of any information or clarifications which it may deem relevant, including the local examination of information elements, the extracting of copies of all pertinent documentation, and the call of any person to hear her and gather that information.

Entities which organise betting via the internet

Credit institutions (banks), investment and other financial companies, payment institutions and institutions of

(SMART 2015/0054)

Since this letter was issued, the Dutch government has further developed its cloud strategy; at this point in time it appears that only ‘state secrets’ should be kept at Dutch premises, see Letter of the Ministry of Internal Affairs and Kingdom Relationships (Ministerie van Binnenlandse Zaken en Koninkrijksrelaties), answering Parliamentary questions, of 4 July 2014 (with reference no 2014Z09632, see file:///Users/patriciaypma/Downloads/beantwoording-kamervragen-over-opslag-van-vertrouwelijke-data-door-overheidsorganisaties-en-semi-publiekeinstellingen%20(1).pdf, in Dutch) with regard to the storage by governmental organisations and semi-governmental institutions of confidential data. See also Strategic Agenda Governmental service (Strategische I-agenda Rijksdienst) of 2th December 2016: file:///Users/patriciaypma/Downloads/rapport-strategische-i-agenda-rijksdienst%20(1).pdf (in Dutch). Additionally, since this letter was issued, internal governmental guidelines have been developed to guide governmental authorities with regard to their data storage decisions, Rijkscloud is possible, which take as a starting point that decisions on data storage should be judged by the relevant governmental authority on a case-by –case basis, taking into account considerations such as risk assessment and management and data security which in turn relates to the type of data, the use of data encryption, etc. 77 After the cut-off point of our data-collection under this Study, this requirement was amended by the Polish Gambling Act that entered into force on 1 April 2017 (amending act – “National Journal” 2017, poz. 88, adopted on 13 January 2017). 
The new wording, now set out in Article 15d paragraph 3 of the Polish Gambling Act, is as follows: “the entity which organises betting via the Internet shall archive all the data exchanged between itself and a participant of betting in real time on a data archiving device located within the territory of the Republic of Poland or a European Union Member State or Member States of the European Free Trade Association (EFTA) - parties to the Agreement on the European Economic Area, including the data which make it possible to determine the course and results of betting and transactions carried out under betting and data necessary to identify a participant of betting”.

132


Cross-border data flow in the digital single market: study on data location restrictions

Portugal

133

Regulatory Authority

mechanisms and procedures of compliance with obligations preventing money laundering and terrorism funding related to the provision of financial services submitted to the supervision of the Bank of Portugal), Art. 5 Law No 25/2008 of 5 June as last amended by Law No 118/2015 of 31 august (this Act also applies to companies which deal with hedge funds, pension funds, securitization, investment consulting, investment in tangible property, certain insurance companies).

Public data, documents gathered by public or private bodies in the course of their activities with the purpose of administrati ve managemen t, evidence or

Decreto-Lei n. 16/93 of 23 January (Decree-Law No 16/93 of 23 January (as amended by Law No 14/94 of 11 May).

electronic money with headquarters in Portugal; branches located in Portuguese territory of said institutions headquartered in foreign countries, including external financial branches; post services providers in as much as they provide to the public financial services related with matters under the supervision of the Bank of Portugal. National and regional archives, private individuals holding classified archive items.

Direct

(SMART 2015/0054)

The exchange of classified archive items by others existing in other countries which have exceptional interest for Portuguese cultural heritage requires authorization by joint order of the ministries to which the good belongs and by archive policy, upon hearing of the management body. Exporting classified (or pending classification) archive items requires authorization from the Minister supervising the archive heritage, if temporary, and also of the Member of the Government to which the item belongs, if definitive. Classified (or pending for classification) archive items cannot stay abroad longer than one year, but it can be renewed for identical period.


Cross-border data flow in the digital single market: study on data location restrictions

(SMART 2015/0054)

information. Romania

134

Government data, privileged information (National security information)

Government Decision no. 585/2002 approving the national standards for the protection of classified information; Government Decision no. 781/2002 on the protection of restricted information; Law no. 182/2002 on the protection of classified information; and Order no. 16/2014 approving the INFOSEC - INFOSEC 2 Directive.

All legal or natural persons which handle classified information

Indirect

Government Decision no. 585/2002 states that transferring classified information to other users requires security certificates and authorization access according to the appropriate level of secrecy. Top secret information cannot be stored, processed or transmitted in automatic information and/or communication systems which are actually or potentially exposed to users without security clearance. Every transmission requires repeated approval. Information and communication systems must have an authorization from the National Registry Office for Classified Information or its subordinate agencies. Updates and modifications to information and communication systems in absence of a human operator are forbidden. Annex no. 10/C describes the protection measures of the information systems which process data and classified information together with the protection measures of the building where these information systems are based.

Government Decision no. 781/2002 stipulates the authorisation procedure for access rights, which requires written authorization by the director of the unit which holds classified information. Law no. 182/2002 sets the need for mandatory cypher or other cryptographic elements established by competent authorities. Order no. 16/2014 describes the security operation manners/approaches for different types of classified information and related specific measures for security certificates and authorization certificates. It requires that information and communication systems handling classified information can use the Internet or similar public networks only subject to adequate cryptographic protection.

The National Registry for Classified Information is primarily in charge of supervising compliance, together with representatives of the Romanian Security Agency, Ministry of Defence, Ministry of Interior, Ministry of Justice, External Information Service, Protection and Guard Service, Special Telecommunication Service, heads of public authorities, economic agents with partial or full share capital and of other public entities and also the authorities or people responsible for the general framework for contraventions.


Romania

Public data held by public bodies

Law no. 161/2003 on assuring transparency measures in exercising public dignities, functions and in the private sector for preventing and sanctioning corruption (Legea nr. 161 din 2003 privind unele masuri pentru asigurarea transparentei in exercitarea demnitatilor publice, a functiilor publice si in mediul de afaceri, prevenirea si sanctionarea coruptiei)

Public authorities and the operators of the National Electronic System: the General Inspectorate for Information Technology and Communications under the Ministry for Communication and for Information Society for the “eGovernment System”, the Ministry for Public Administration for “e-Administration System” and the authority established by the Supreme Council for State Defence for the national security and defense system.

Indirect

Public authorities have the obligation to apply an electronic procedure described in this law for making available public information or services via electronic means. The electronic procedure requires that the transferred documents comply with the criteria set by the National Electronic System (for example to be electronically signed, to be in the format agreed by the system and that the electronic documents be generated, stored and transmitted as the system establishes).

Romania

Data on Romanian online gambling users, users which are using Romanian IP addresses and data referring to the game or to the financial transactions of online gambling operators authorized in Romania.

Government Decision no. 111/2016 approving the Norms of application of 24 February 2016 on gambling, Articles 2, 127 and 136.

Online gambling providers

Direct

The game server is the electronic system made up of the hardware and software on which the game activity takes place and on which the data about this activity is stored. As art. 127 (2) specifies, the main system includes a game server, a registering and identification system for registering and identifying the participant of the game, as well as a system for storing and transferring information for each game session, each registration fee and each payment made by the user. The main system will ensure the encrypted, real time transfer to the back-up/safety server, and automated registration, of all data requested by the National Gambling Office, identification data of Romanian users, financial data of Romanian users, as well as any transaction made by a Romanian player. On the mirror server daily/monthly logs will be transmitted, which will allow real time verification of the licensed gambling operator.

The mirror server is the electronic system made up of hardware and/or software, located at the National Gambling Office or in a tier 2 licensed data centre, which is capable of storing and reporting/exporting logs in compliance with the National Gambling Office order. The back-up/safety server is the hardware and software system, located at the National Gambling Office or in a licensed data centre, which stores data about Romanian users or about users which use Romanian IP addresses, as well as game data and financial transactions on online gambling authorized in Romania, which are transferred in accordance with the technical procedure established by the National Gambling Office presidential order and without the possibility to be modified by the online gambling operator licensed in Romania.

Slovenia

Public data, information in the Central Population Register: name, surname, date of birth, citizen identification number, place of residence, citizenship, marital status.

Zakon o centralnem registru prebivalstva (Uradni list RS, št. 72/06), (Central Population Register Act), Articles 12, 19 and 23a. Uredba o vodenju in vzdrževanju centralnega registra prebivalstva ter postopku za pridobivanje in posredovanje podatkov (Uradni list RS, št. 70/2000), (Regulation on electronic operations), Article 5.

The Central Population Register controller – The Ministry of Interior

Indirect

The Act on the Central Population Register permits the controller of the Register (The Ministry of Interior) to transfer the data from the Register only to users or other entities authorised by the law (Art. 12 above). There does not seem to be any legal basis which would specifically permit outsourcing of operations related to data from the Register. The Register is a cooperative database where certain data sources may be authorised to directly maintain their data in the database (Article 19 above). In case this involves electronic operations, the data source must seek prior approval of the Minister of Public Administration (Article 5 of the Regulation). This is an indirect barrier to outsourcing.

Slovenia

Government and public data, any data that is classified according to the Classified Information Act, held by public registries, public administration bodies, judiciary, supervisory authorities, the government, the private sector, etc.

1. Zakon o tajnih podatkih (Uradni list RS, št. 60/11), (Classified Information Act), Articles 14 and 15.

All organizations and bodies that have access to or handle, store, or transfer information classified according to the Classified Information Act.

Direct (organizations need clearance, issued by competent ministry) and indirect (organizations need to establish adequate security measures).

The Classified Information Act prescribes that classified information may only be transferred outside secure zone if encrypted, by methods confirmed by a committee for information security (Art. 14 and 15). All systems where classified information is held must be protected against electromagnetic radiation. The measurements are made by the Ministry of Defence, the Police, the intelligence agency and other authorities by the committee (Art. 17).

Whenever classified information is processed outside the original location, security measures must be comparable to those that must be implemented at the original location. If the information is stored electronically it must be separated from other possible information by way of physical or virtual separation. Only persons with clearance, issued according to the regulation which defines checking procedures, issued by the competent ministry, may have access to the information (Article 16).

The information may only be transferred/outsourced to those organizations that have acquired clearance, issued according to the regulation which defines checking procedures, issued by the competent ministry.

Slovenia

Public data, any information that is to be archived by national archives, such as where the law prescribes so (e. g. data held by public authorities, that need to be stored for a longer period), national heritage data, and other.

Zakon o varstvu dokumentarnega in arhivskega gradiva ter arhivih (Uradni list RS, št. 30/2006) https://www.uradnilist.si/1/content?id=72425 (English translation not available)

Archives, external providers of services and equipment for storage or processing of archives data.

Direct (the requirement of accreditation and public tender) and indirect (the competence of the inspector to enter and inspect the premises). Indirect

Public archives documentation may only be transferred to third countries or other EU Member States if the competent minister consents to such transfer. Outsourcing of providers of storage for archive data is possible if the provider is chosen by the rules of a public tender and if the provider is accredited by the national archive (Art. 72). The national archive monitors at all times whether a third party provider adheres to the conditions for accredited equipment and services (Art. 86). Inspection supervision of the provisions of this act is in the hands of the Culture and Media Inspection (Art. 75). An inspector has the right to physically access and inspect the premises, spaces and equipment where archived data is stored (Art. 77).

Sweden

Accounting data, all data necessary for bookkeeping (including verifications, invoices, etc)

Bokföringslag (1999:1078), Swedish Bookkeeping Act, Chapter 7 sections 2 - 4. All data necessary for bookkeeping, including verifications, invoices, etc.

All companies and organisations that fall within the Swedish Bookkeeping Act (all companies registered in Sweden)

Direct

The main principle is that bookkeeping data should be kept locally in Sweden, even if stored electronically. Chapter 7 section 3a allows, however, for an exception in case of storage in another EU Member State. According to the section a company may store data electronically or keep computer equipment and systems accessible in another EU Member State if: the company upon request by the Swedish Tax Agency (Skatteverket) or the Swedish Customs (Tullverket) gives immediate electronic access to the bookkeeping data for control purposes; and the company can immediately print out relevant bookkeeping data in a readable format.


The following external experts contributed to this report and the drafting of the above table, by providing important legal information with regard to their country of expertise.

List of national legal experts

Name (Country)

Jelena Burnik (Slovenia)
Prof. Dr. George Dimitrov, Desislava Krusteva (Bulgaria)
Prof. Dr. Alexandre Dias Pereira (Portugal)
Dr. Marton Domokos (Hungary)
Prof. Dr. Nikolaus Forgó, Christian Hawellek (Germany)
Dr. Nina Gumzeij (Croatia)
Pirkko-Liis Harkmaa (Estonia)
Dr. Christine Kirchberger (Sweden)
Dr. Marina Markellou (Greece)
Valentina Pavel (Romania)
Prof. Dr. Przemylaw Polanski (Poland)
Dr. Radim Polcak (Czech Republic)
Dr. Andrej Savin Dr. Clemens Wass (Austria)
Aleksander Wiatrowski (Finland)


6.3 Annex III: Workshop Report

Workshop Report

Workshop “How to facilitate cross border dataflow in the digital single market?”

Brussels, Albert Borschette Conference Centre, 20 March 2017

Objective

The objective of the workshop was to present the provisional results of the study commissioned by the European Commission on cross border dataflows, and facilitate a discussion on these results, providing an opportunity for stakeholders to contribute to the legal and policy discussion in the field. In particular stakeholder feedback was sought on the formulation of recommendations on how to scope the free flow of data, and how to implement those. This enabled the study team to better appreciate the needs of all stakeholders when finalising the study and providing recommendations for future policy action to the European Commission. The workshop was also part of a series of structured dialogues between the European Commission and the Member States and other stakeholders, as announced in the Communication on "Building a European Data Economy".

Target audience

The Workshop targeted representatives of public and private sector users (including SMEs), ICT service providers, and governmental authorities. Over 90 participants registered for the Workshop, of which and XXX were present on the day.

Agenda

- 9h30 - 10h00 Registration
- 10h00 - 10h15 Introduction by the EC
- 10h15 - 11h00 Presentation of the Study on Cross-border data flow in the digital single market: Study on data location restrictions. Speakers: Patricia Ypma, Spark Legal Network, Paul Foley, Tech4i2, Hans Graux, time.lex
- 11h00 - 11h10 Findings of the Study on Facilitating cross border data flow in the Digital Single Market by London Economics. Speaker: Moritz Godel, London Economics
- 11h10 - 11h20 Coffee break
- 11h20 - 13h00 Moderated debate on the findings of the study and perspectives / experiences of workshop participants
- 13h00 - 14h00 Lunch break (provided on-site)
- 14h00 - 15h00 Moderated Panel: insights on the needs and conditions for the free flow of data in the EU and its implementation options
- 15h00 - 16h00 Group discussion on functional requirements that can replace formal requirements to facilitate cross-border dataflow in the EU. Speakers: Pierre Chastanet, European Commission, Danielle Jacobs, Beltug / Intug, Erik Dahlberg, Swedish National Board of Trade. Moderator: Hans Graux, time.lex
- 16h00 - 16h10 Coffee Break
- 16h10 - 16h30 Plenary wrap up and conclusions

Introduction

Patricia Ypma opened the workshop, thanking the participants for their attendance in such great numbers. Input of all stakeholders will be of much value for the study team and the EC.

Pierre Chastanet continued by stressing the importance of the growing European data economy. There are strong signs that this is hampered by unjustified restrictions to the free movement of data, which seem to grow in number. The consequences affect both the private (especially SMEs) and public sector, as unjustified data location restrictions impair the freedom to provide services and the freedom of establishment. Based on the outcomes of the current study and other work, the Commission has issued a Communication "Building a European Data Economy", supported by a Staff Working Document. Going forward the EC has sent the identified restrictions to the MS and has started structured dialogues with them and other stakeholders (CSIG) to discuss the (justification for and proportionality of) the restrictions that have been identified so far. Discussions will also be held at the Net Futures Conference, which will take place in June this year.

Following the results of the dialogues and the further evidence-gathering on data location restrictions and their impacts, the Commission may take action to: a) launch infringement proceedings to address unjustified or disproportionate data location measures where necessary; b) propose further regulatory or non-regulatory initiatives to support the free flow of data, on the basis of an Impact Assessment (in accordance with the Better Regulation Principles).

Presentation of the Study on Cross-border data flow in the digital single market: Study on data location restrictions

The Study team presented their study in three parts:
1. Study objectives, progress and first results: Patricia Ypma, Spark Legal Network
2. Survey results and economic analysis: Paul Foley, Tech4i2
3. Assessment and categorisation of identified compliance obligations, conclusions and preliminary recommendations: Hans Graux, time.lex

Presentation on the findings of the Study on Facilitating cross border data flow in the Digital Single Market by London Economics

Moritz Godel of London Economics presented the outcomes of the similar but smaller study ‘Facilitating cross border data flow in the Digital Single Market’, stressing the prevalence of perceived data location restrictions as opposed to ‘hard’ restrictions.

Moderated debate on the findings of the study and perspectives / experiences of workshop participants


In this session the participants were given the opportunity to ask questions with regard to the presentations on both studies and to provide their views and experiences with regard to existing and potential data location restrictions.

Some participants were of the opinion that the study should have covered all 28 MS rather than a selection of Member States. The study team was also asked to explain the methodology for collecting the data location restrictions. Some participants stressed that it seemed like there was a relatively minimal number of rules that are actually restrictive in terms of data location requirements, as most of the identified barriers are indirect. For example, with regard to accessibility of data, this should not be seen as an actual restriction on the free flow of data, since a rule on accessibility (which may well be justifiable) does not imply that data needs to stay in a certain place.

The study team explained that the two studies which were presented today collectively covered all 28 Member States, albeit with minimal methodological differences. They also clarified that requirements on accessibility of data indeed do not by definition imply a direct data localisation restriction; however, depending on its phrasing, a rule can be understood/interpreted as a localisation restriction by the targeted stakeholders. In those cases action may be required to clarify the rules or to replace the formal requirement with a functional one. This is one of the core outputs of the study: the identification of good practice functional translations of formal requirements.

Other participants stressed the far-reaching economic consequences of the data location restrictions: higher prices are paid by the users of data (cloud) services. A large cloud provider mentioned that customer preference leads to local choices to the detriment of SMEs, who are less capable of shouldering the higher cost. Furthermore, the participants stressed that this was an issue that affected not just the ICT industry, but all of society, since any citizen or organisation relies on some form of ICT infrastructure. Therefore, elevated costs affect everyone.

With regard to the economic analysis, it was asked why the focus was put on the cloud market while this is not the only existing data service (e.g. data transaction models). Paul Foley described the outcome of research shared earlier in the study (in the inception report) that analysed methods of sharing data. This identified that cloud computing is the only data transfer service that can be undertaken at scale. The overall study focus is however much broader: the assessment of the restrictions and recommendations for data transfer have a broad span and are independent of transfer technologies. The focus on cloud data transfer methods and data centres was adopted to investigate the economic impacts of data restrictions.

On the question from a stakeholder whether the study team had found any particular restrictions as part of public procurement law or procedures, the study team answered that these were not found during the research at MS level, which may be partly explained by the fact that this was not included in the Research Guidance to our experts as an option. At the same time, it is expected that such restrictions would not be made explicit as a part of written law or written tender specifications, due to the legal requirement that public procurement requirements or procedures may not be discriminatory. Procurement barriers are occasionally reported, but thus far have proven impossible to verify; often the location requirement was felt to be implied or understood, rather than explicitly made.
Additionally, participants confirmed the existence of various restrictions, such as accounting / bookkeeping laws that force businesses to keep local copies in every country of operation and financial data restrictions that prevent regulated financial institutions from expanding their services across borders (within the EU). Good practices were also confirmed, e.g. in Denmark, where the Bookkeeping act was adapted, changing a data location restriction to a functional requirement of accessibility.

An interesting question was asked about the enforcement of existing rules. As indicated in the presentation, free flow of data is already to some extent supported, e.g. by the Treaties and the Services Directive. Would enforcing these not solve the issue? The team indicated that this was indeed one policy option, although it should be noted that the scoping of this legislation was fairly tightly delineated and in each case contained clear public interest exceptions, which seem to be invoked relatively flexibly. A broader approach might therefore be beneficial. The parallel was drawn to existing rules on mutual recognition[78] regimes for technical requirements for products; if a similar approach was followed for data in which technical requirements would only be permitted in limited and objectively justifiable situations and an appropriate mutual recognition mechanism was created, this could benefit data localisation requirements.

Moderated Panel: insights on the needs and conditions for the free flow of data in the EU and its implementation options and Group discussion on functional requirements that can replace formal requirements to facilitate cross-border dataflow in the EU

Pierre Chastanet, Danielle Jacobs and Erik Dahlberg presented their views on the needs and conditions for the free flow of data in the EU and its implementation options.

Danielle Jacobs pointed out that for Beltug/Intug, the issues go further than direct data location restrictions. She provided an example of e-archiving laws recently adopted in Belgium, after other Member States had adopted similar rules (e.g. in Germany): this is not about limiting free flow of data, but if Belgian or other legislators set a standard, there will be a barrier for other companies since they need to identify national standards on a case by case basis, even in the absence of a hard location requirement. Another example concerns Belgian banks, which need approval to use Office 365 as a cloud service. The 1st applicant got accepted by the supervisory authority; the 2nd got rejected initially, but was approved after further discussion. This is a lot of work for these companies. Companies working internationally do not want to have to use different software or store data in different countries. A bank that had branches in Belgium and Luxembourg decided to hold all data in Luxembourg due to strict national data location rules in Luxembourg, making this the only viable investment option. This is also happening in France and Germany. This has an adverse effect on competition on the market. A better example exists in the Netherlands, where a whitelist exists of service providers suitable for supervised financial providers. Clearly, we are still very far from a digital single market; a lot of hard work still has to be done!

Erik Dahlberg asked the question whether we need a 5th Treaty freedom, namely the free movement of data. Data is everywhere and dataflows take place all the time. This has an effect on personal data, and a fair balance should be struck between the protection of these data and trade. It is not possible to split personal and non-personal data, so if we have rules making it easier to share non-personal data, the rule may not work, because it would be so burdensome to split up the personal / non-personal data. He concluded that the establishment of a 5th freedom is not appropriate. Instead,

78

The principle of mutual recognition stems from Regulation (EC) No 764/2008. It guarantees that any product lawfully sold in one EU country can be sold in another. The Regulation also defines how a country can deny mutual recognition of a product. If a product required transfer of data across borders and local or Member State data restrictions prevent crossborder data transfer this could restrict the Mutual Recognition objectives that aim to provide market access in all EU Member States for products that are not subject to EU harmonisation.

144


the proportionality test should be sufficient and should be applied by MS (and EU) to test their restrictions. A discussion was held on the question of ‘whether we need new rules or rather a new mindset to eliminate barriers to the free flow of data’. It was agreed that more awareness is definitely needed. Erik Dahlberg mentioned that the main barrier would seem to be consumer/customer preferences. Problems are not necessarily national barriers, but maybe other barriers. The EC stressed that they are gathering further evidence, and based on that evidence, will propose measures for political consideration. It is therefore very important to collect new evidence in order to define the policy scenarios. How do you balance scenarios between legislation-based approaches and principles-based approaches? Hans Graux concluded that everyone agreed that there is a need for more transparency and awareness of the measures. There should be better rules for ensuring proportionality of national measures, when they are adopted. Is it conceivable that purely national measures are justifiable in the European data market? The challenges should after all be identical across Member States. It was suggested that there was a need for a forum for discussing these issues systematically. It was then discussed if cooperating with sector-specific association or professional bodies is desirable. Erick Dahlberg mentioned that standards organisations provide a good example of the utility of specific and well targeted discussions to address practical issues. More sector-specific discussions would be good. It was further discussed that legislation shouldn’t facilitate the introduction of needless barriers. It was put forward that it is important in the proportionality assessment that all effects are taken into account, not just direct effects in one particular area. For example, a legislative measure that restricts infrastructure development also restricts trade. 
Hans Graux then asked the participants if we have been comprehensive in scoping the main drivers behind data location requirements – are they indeed ultimately triggered by the need for the availability and security of data? Or should we be looking at other areas too? A participant mentioned that a functioning digital single market needs a vision beyond the national level. There is a need to find a way for policy makers to address digital single market needs at the EU level, or preferably at the global level. It was mentioned by an industry association representative that the restrictions that we are talking about are a result of protectionism. However, the idea of a fifth freedom is not serious: we are not really going to have a treaty change.

The audience was asked if there is a need for new legislation. There wasn’t a clear consensus. One potential strategy is to apply more strictly the existing Treaty/Services Directive provisions. This could raise visibility of the problem (even if infringement proceedings are unlikely to provide results within an effective timeframe). A second suggested option was the adoption of new legal instruments, such as a Regulation on the free flow of data. A third option concerned soft measures, better communication, and information sharing among MS regarding their requirements. There was a relatively strong consensus that, if there were to be new legislation, it should be principle-based, ensuring that if there are barriers, they are proportionate and justified and MS should be required to back them up.

Moritz from LE mentioned that where behavioural biases exist, things should be made more transparent. What drives the cost for services? Since there is a lack of information between cost and security, it would be a huge advantage if we could be more transparent – provide assurances regarding security, and what costs relate to. It could be a role for better education.

The Polish country representative stated that there is a need for legislation (a simple future-proofed instrument) to tackle the barriers that exist, but also the ones that may arise in future. This is difficult, as impact assessments etc. are needed. There is a requirement to keep in mind the importance of perception – companies would like to invest but are unsure of the legal situation. A simple legal instrument could clarify the legal situation and bring the issue to the forefront.

Another participant stated that restrictions are increasing so something needs to be done before the situation gets out of control. Sharing practices and raising awareness is all very nice, but is not going to stop Member States introducing restrictions. Some believe that the existing EU legal framework is not fit to deal with the challenge. Infringement proceedings are very difficult and time-consuming. The only viable option is a new legal instrument: a Regulation, not a Directive. A very simple regulation should suffice, with a handful of articles. It was also mentioned that action will need to be taken quickly; Europe will lose out before too long. Another participant confirmed and added that there is a need for a short piece of legislation.

Hans Graux concluded that there is clearly appetite for a simple legislative approach, but not a consensus opinion. Exchanging best practices is a good idea, but would this solve everything? Treaty change is not the most legally efficient way of doing it, while infringement proceedings are slow and sensitive.
Hans Graux asked the participants about justifications for limitations of the free flow of data: how can this be assessed/dealt with, in practice? Using a transparency mechanism has been suggested – where Member States need to notify any new barriers, so that it would be clear which measures exist. A question was posed whether such a transparency mechanism should also include requirements of private bodies / self-imposed restrictions at sector-specific level. One participant stated that there is a need to have a mechanism to shift the burden of proof to Member States, where they need to justify the restriction.

Patricia Ypma asked the participants ‘how do you assess if a data location restriction is justified?’ Participants answered this by saying that this mechanism exists in international trade and that the criteria are already set by the CJEU, with regard to the Services Directive. Hans Graux subsequently asked if the current framework is indeed suitable to apply the same logic to data as to services and goods. Data is probably usually handled in the context of services, so there are similarities between the free flow of data and the free flow of services.

Some participants were not in favour of limiting / harmonising restrictions across Europe, but would rather start with increasing trust in certificates and labels, and ensure regulations apply equally across the board. Then, the companies will come and ask for regulation. If rules against data location requirements were introduced without the above, people will hesitate further before moving to the cloud. Lack of control of data was perceived as one of the main barriers to moving to the cloud. Other participants did not agree with this comment: the fact that industry and a majority of Member States want a regulation is relatively unique, and shows how important this issue is. Representatives of the UK, DK, IE governments support the idea of a regulation in order to improve legal certainty.


Wrap up discussions and conclusions

It was concluded that:

- There is consensus on the fact that restrictions on the free flow of data exist within the EU, although not everyone agrees on their impact on the data economy;
- A majority of participants agree that there is a need for more transparency and awareness of the measures in place at national level;
- There is a strong movement that is of the opinion that existing (unjustified) barriers to the free flow of data should be eliminated. The majority of this group seem to have a preference for a Regulation, where Member States have an obligation to notify and justify their legal restrictions, and where the principle of proportionality is applied to assess any justifications. The creation of a 5th Freedom is not preferred. An alternative is raising awareness and communication / cooperation between regulators and industry.

The study team promised to consider all the feedback, views, experiences and suggestions shared by the participants while drafting its final conclusions and recommendations to the EC.

Participants list

From the Commission: Pierre Chastanet, Ronelle Kok, Audrius Perkauskas, Simon Weidler, Rui Cordeiro da Silva

From the Study team: Hans Graux, time.lex; Paul Foley, Tech4i2; Patricia Ypma, Spark Legal Network; Peter McNally, Spark Legal Network

Surname | Name | email
Gelmini | Rémi | secretariat@psc-europe.eu
Koch | Rainer | Rainer.Koch02@telekom.de
Selandari | Silvia | silvia.selandari@orgalime.org
Benoist | Hélène | h.benoist@ebf.eu
Schmitz | Thomas | Thomas.schmitz@mae.etat.lu
Hafskjold | Christine | christine.hafskjold@kmd.dep.no
Rasmussen | Trine | trri@di.dk
Bårdsen | Trond Helge | Trond.Helge.Bardsen@mfa.no
HECHT | Brit | brit.hecht@bbva.com
TUYTSCHAEVER | Nick | Nick.Tuytschaever@economie.fgov.be
Boscolo | Marco | marco.boscolo@intesasanpaolo.com
Gastaldi | Elisa | elisa.gastaldi1@ge.com
Echikson | William | bechikson@gmail.com
Borggreen | Christian | cborggreen@ccianet.org
Hernando | Ines | hernando@cocir.org
Franklin | Magnus | franklin@mlex.com
Leclerc | Jean-Marc | jmleclerc@be.ibm.com
Boué | Thomas | thomasb@bsa.org
De Regt | Mieke | mieke.deregt@diplobel.fed.be
Worsøe | Katinka Clausdatter | kcw@danskerhverv.dk
Jacobs | Danielle | danielle.jacobs@beltug.be
Eder | Philip | philip.e@apple.com
Rotureau | Cécile | cro@cabinetdn.com
Cristobal Bocos | Pedro | pedro@openforumeurope.org
Damas | Florian | florian.damas@nokia.com
Kaunistola | Esa | esa.kaunistola@microsoft.com
Azzopardi | Joseph | joseph.s.azzopardi@gov.mt
Eich | Cornelius | eich@zvei.org
Amendola | Antonio | antonio.amendola@intl.att.com
Masse | Estelle | estelle@accessnow.org
Hidvegi | Fanni | fanny@accessnow.org
Naranjo | Diego | diego.naranjo@edri.org
Thornby | Charlotte | charlotte.thornby@oracle.com
Blendl | Quirin | q.blendl@bdi.eu
Plovie | Anca | anca.plovie@nokia.com
Jepsen | Hans | Jeppe.Jepsen@motorolasolutions.com
Soerensen | Mette | mescso@erst.dk
Lobrano | Guido | g.lobrano@businesseurope.eu
Colley | Hamish | hamish.colley@culture.gov.uk
Müller Andreassen | Christine | chrian@um.dk
Barros | Manuel | manuel.barros@anacom.pt
Lovegrove | James | james.lovegrove@redhat.com
Dahlberg | Erik | erik.dahlberg@kommers.se
Ingenrieth | Frank | fingenrieth@sriw.de
Krauss | Martina-Luise | M.Krauss@bitkom.org
Gyss | Nicolas | Nicolas.gyss@telenor.com
Zvaigzne | Elita | elita.zvaigzne@varam.gov.lv
Ananicz | Katarzyna | unknown
Precsenyi | Zoltan | Zoltan_precsenyi@symantec.com
Meteyer | Herve | herve.meteyer@finances.gouv.fr
Jensen | Helena Juul | hjj@ida.dk
Munk | Grit | gmu@ida.dk
De Silva | Kuruneruge Sujith Samitha | s.desilva@nabarro.com
Melle | Tiel Groenestege | Melle.Groenestege@veon.com
Joelma | Almeida | joelma.almeida@fct.pt
Godel | Moritz | mgodel@londoneconomics.co.uk
Ossip | Silja-Madli | Silja-Madli.Ossip@mfa.ee
Vela | Christina | cristina.vela@telefonica.com
Ruth | MacDonnald | unknown
Boekens | Kris | Kris.Boeykens@economie.fgov.be
Flanagan | Anne | anne.flanagan@dccae.gov.ie
Shal | Jan | unknown
Whilen | Alexander | unknown
Repan | Radislav | unknown
Batas | Sophie | Sophie.batas@huawei.com
Nogarlain | Novik | unknown


European Commission Cross-border data flow in the digital single market: study on data location restrictions Luxembourg, Publications Office of the European Union 2017 – 149 pages

ISBN 978-92-79-68705-1 doi: 10.2759/92602

KK-02-17-487-EN-N
