6.3 Annex III: Workshop Report

Next Article

5.3.2. Recasting regulations to support the free flow of data

6.3 Annex III: Workshop Report

Workshop Report

Workshop “How to facilitate cross border dataflow in the digital single market?”

Brussels, Brussels, Albert Borschette Conference Centre, 20 March 2017

Objective

The objective of the workshop was to present the provisional results of the study commissioned by the European Commission on cross border dataflows, and facilitate a discussion on these results, providing an opportunity for stakeholders to contribute to the legal and policy discussion in the field. In particular stakeholder feedback was sought on the formulation of recommendations on how to scope the free flow of data, and how to implement those. This enabled the study team to better appreciate the needs of all stakeholders when finalising the study and providing recommendations for future policy action to the European Commission. The workshop was also part of a series of structured dialogues between the European Commission and the Member States and other stakeholders, as announced in the Communication on "Building a European Data Economy".

Target audience

The Workshop targeted representatives of public and private sector users (including SMEs), ICT service providers, and governmental authorities. Over 90 participants registered for the Workshop, of which and XXX were present on the day.

Agenda

- 9h30- 10h00 Registration

- 10h00 - 10h15 Introduction by the EC

- 10h15 - 11h00 Presentation of the Study on Cross-border data flow in the digital single

market: Study on data location restrictions

Speakers: Patricia Ypma, Spark Legal Network, Paul Foley, Tech4i2, Hans Graux, time.lex

- 11h00 - 11h10 Findings of the Study on Facilitating cross border data flow in the Digital

Single Market by London Economics

Speaker: Moritz Godel, London Economics

- 11h10 – 11h20 Coffee break

- 11h20 – 13h00 Moderated debate on the findings of the study and perspectives /

experiences of workshop participants

- 13h00 – 14h00 Lunch break (provided on-site)

- 14h00 – 15h00 Moderated Panel: insights on the needs and conditions for the free flow of

data in the EU and its implementation options

- 15h00 – 16h00 Group discussion on functional requirements that can replace formal

requirements to facilitate cross-border dataflow in the EU

Speakers: Pierre Chastanet, European Commission, Danielle Jacobs, Beltug / Intug, Erik

Dahlberg, Swedish National Board of Trade

Moderator: Hans Graux, time.lex

- 16h00 – 16h10 Coffee Break

- 16h10 – 16h30 Plenary wrap up and conclusions

Introduction

Patricia Ypma opened the workshop, thanking the participants for their attendance in such great numbers. Input of all stakeholders will be of much value for the study team and the EC. Pierre Chastanet continued by stressing the importance of the growing European data economy. There are strong signs that this is hampered by unjustified restrictions to the free movement of data which seem to grow in number. The consequences affect both the private (especially SMEs) and publicsector, as unjustified data location restrictions impair the freedom to provide services and the freedom of establishment. Based on the outcomes of the current study and other work, the Commission has issued a Communication "Building a European Data Economy", supported by a Staff Working Document. Going forward the EC has sent the identified restrictions to the MS and has started structured dialogues with them and other stakeholders (CSIG) to discuss the (justification for and proportionality of) the restrictions that have been identified so far. Discussions will also be held at the Net Futures Conference, which will take place in June this year. Following the results of the dialogues and the further evidence-gathering on data location restrictions and their impacts, the Commission may take action to: a) launch infringement proceedings to address unjustified or disproportionate data location measures where necessary; b) propose further regulatory or nonregulatory initiatives to support the free flow of data, on the basis of an Impact Assessment (in accordance with the Better Regulation Principles).

Presentation of the Study on Cross-border data flow in the digital single market: Study on data location restrictions

The Study team presented their study in three parts:

1. Study objectives, progress and first results: Patricia Ypma, Spark Legal Network 2. Survey results and economic analysis: Paul Foley, Tech4i2 3. Assessment and categorisation of identified compliance obligations, conclusions and preliminary recommendations: Hans Graux, time.lex

Presentation on the findings of the Study on Facilitating cross border data flow in the Digital Single Market by London Economics

Moritz Godel of London Economics presented the outcomes of the similar but smaller study ‘Facilitating cross border data flow in the Digital Single Market’, stressing the prevalence of perceived data location restrictions as opposed to ‘hard’ restrictions.

Moderated debate on the findings of the study and perspectives / experiences of workshop participants

In this session the participates were given the opportunity to ask questions with regard to the presentations on both studies and to provide their views and experiences with regard to existing and potential data location restrictions.

Some participants were of the opinion that the study should have covered all 28 MS rather than a selection of Member States. The study team was also asked to explain the methodology for collecting the data location restrictions. Some participants stressed that it seemed like there was a relatively minimal number of rules that are actually restrictive in terms of data location requirements, as most of the identified barriers are indirect. For example, with regard to accessibility of data, this shouldn’t be seen as an actual restriction on the free flow of data, since a rule on accessibility (which may well be justifiable) does not imply that data needs to stay in a certain place. The study team explained that the two studies which were presented today collectively covered all 28 Member States, albeit with minimal methodological differences. They also clarified that requirements on accessibility of data indeed do not by definition imply a direct data localisation restriction; however, depending on its phrasing, a rule can however be understood/ interpreted as a localisation restriction by the targeted stakeholders. In those cases action may be required to clarify the rules or to replace the formal requirement with a functional one. This is one of the core outputs of the study: the identification of good practice functional translations of formal requirements.

Other participants stressed the far-reaching economic consequences of the data location restrictions: higher prices are paid by the users of data (cloud) services. A large cloud provider mentioned that customer preference leads to local choices to the detriment of SMEs, who are less capable of shouldering the higher cost. Furthermore, the participants stressed that this was an issue that affected not just the ICT industry, but all of society, since any citizen or organisation relies on some form of ICT infrastructure. Therefore, elevated costs affect everyone.

With regard to the economic analysis, it was asked why the focus was put on the cloud market while this is not the only existing data service (e.g. data transaction models). Paul Foley described the outcome of research shared earlier in the study (in the inception report) that analysed methods of sharing data. This identified that cloud computing is the only data transfer service that can be undertaken at scale. The overall study focus is however much broader, the assessment of the restrictions and recommendations for data transfer have a broad span and are independent of transfer technologies. The focus on cloud data transfer methods and data centres was adopted to investigate the economic impacts of data restrictions.

On the question from a stakeholder if the study team had found any particular restrictions as part of public procurement law or procedures, the study team answered that these were not found during the research at MS level, which may be partly explained by the fact that this wasn’t included in the Research Guidance to our experts as an option. At the same time, it is expected that such restrictions would not be made explicit as a part of written law or written tender specifications, due to the legal requirement that public procurement requirements or procedures may not be discriminatory. Procurement barriers are occasionally reported, but thus far have proven impossible to verify; often the location requirement was felt to be implied or understood, rather than explicitly made.

Additionally, participants confirmed the existence of various restrictions, such as accounting / bookkeeping laws that force businesses to keep local copies in every country of operation and financial data restrictions that withhold regulated financial institutions to expand their services across borders (within the EU). Good practices were also confirmed, e.g. in Denmark, where the

Bookkeeping act was adapted, changing a data location restriction to a functional requirement of accessibility.

An interesting question was asked about the enforcement of existing rules. As indicated in the presentation, free flow of data is already to some extent supported e.g. by the Treaties and the Services Directive. Would enforcing these not solve the issue? The team indicated that this was indeed one policy option, although it should be noted that the scoping of this legislation was fairly tightly delineated and in each case contained clear public interest exceptions, which seem to be invoked relatively flexibly. A broader approach might therefore be beneficial. The parallel was drawn to existing rules on mutual recognition78 regimes for technical requirements for products; if a similar approach was followed for data in which technical requirements would only be permitted in limited and objectively justifiable situations and an appropriate mutual recognition mechanism was created, this could benefit data localisation requirements.

Moderated Panel: insights on the needs and conditions for the free flow of data in the EU and its implementation options and Group discussion on functional requirements that can replace formal requirements to facilitate cross-border dataflow in the EU

Pierre Chastanet, Danielle Jabobs and Erik Dahlberg presented their views on the needs and conditions for the free flow of data in the EU and its implementation options.

Danielle Jacobs pointed out that for Beltug/Intug, the issues go further than direct data location restrictions. She provided an example of e-archiving laws recently in adopted in Belgium, after other Member States had adopted similar rules (e.g. in Germany): this is not about limiting free flow of data, but if Belgian or other legislators set a standard, there will be a barrier for other companies since they need to identify national standards on a case by case basis, even in the absence of a hard location requirement. Another example concerns Belgian banks, which need approval to use Office 365 as a cloud service. The 1st applicant got accepted by the supervisory authority; the 2nd got rejected initially, but was approved after further discussion. This is a lot of work for these companies. Companies working internationally do not want to have to use different software or store data in different countries. A bank that had branches in Belgium and Luxembourg decided to hold all data in Luxembourg due to strict national data location rules in Luxembourg, making this the only viable investment option. This is also happening in France and Germany. This has an adverse effect on competition on the market. A better example exists in the Netherlands where a whitelist exists of services providers suitable for supervised financial providers. Clearly, we are still very far form a digital single market, a lot of hard work still has to be done!

Erik Dahlberg asked the question if we need a 5th Treaty freedom, namely the free movement of data. Data is everywhere and dataflows take place all the time. This has an effect on personal data, and a fair balance should be struck between the protection of these data and trade. It is not possible to split personal and non-personal data, so if we have rules making it easier to share nonpersonal data, the rule may not work, because it would be so burdensome to split up the personal / non-personal data. He concluded that the establishment of a 5th freedom is not appropriate. Instead,

78 The principle of mutual recognition stems from Regulation (EC) No 764/2008. It guarantees that any product lawfully sold in one EU country can be sold in another. The Regulation also defines how a country can deny mutual recognition of a product. If a product required transfer of data across borders and local or Member State data restrictions prevent crossborder data transfer this could restrict the Mutual Recognition objectives that aim to provide market access in all EU Member States for products that are not subject to EU harmonisation.

the proportionality test should be sufficient and should be applied by MS (and EU) to test their restrictions.

A discussion was held on the question of ‘whether we need new rules or rather a new mindset to eliminate barriers to the free flow of data’. It was agreed that more awareness is definitely needed. Erik Dahlberg mentioned that the main barrier would seem to be consumer/customer preferences. Problems are not necessarily national barriers, but maybe other barriers.

The EC stressed that they are gathering further evidence, and based on that evidence, will propose measures for political consideration. It is therefore very important to collect new evidence in order to define the policy scenarios. How do you balance scenarios between legislation-based approaches and principles-based approaches?

Hans Graux concluded that everyone agreed that there is a need for more transparency and awareness of the measures. There should be better rules for ensuring proportionality of national measures, when they are adopted. Is it conceivable that purely national measures are justifiable in the European data market? The challenges should after all be identical across Member States. It was suggested that there was a need for a forum for discussing these issues systematically.

It was then discussed if cooperating with sector-specific association or professional bodies is desirable. Erick Dahlberg mentioned that standards organisations provide a good example of the utility of specific and well targeted discussions to address practical issues. More sector-specific discussions would be good.

It was further discussed that legislation shouldn’t facilitate the introduction of needless barriers. It was put forward that it is important in the proportionality assessment that all effects are taken into account, not just direct effects in one particular area. For example, a legislative measure that restricts infrastructure development also restricts trade.

Hans Graux then asked the participants if we have been comprehensive in scoping the main drivers behind data location requirements – are they indeed ultimately triggered by the need for the availability and security of data? Or should we be looking at other areas too? A participant mentioned that a functioning digital single market needs a vision beyond the national level. There is a need to find a way for policy makers to address digital single market needs at the EU level, or preferably at the global level.

It was mentioned by an industry association representative that the restrictions that we are talking about are a result of protectionism. However, the idea of a fifth freedom is not serious: we are not really going to have a treaty change.

The audience was asked if there is a need for new legislation. There wasn’t a clear consensus. One potential strategy is to apply more strictly the existing Treaty/services directive provisions. This could raise visibility of the problem (even if infringement proceedings are unlikely to provide results within an effective timeframe). A second suggested option was the adopted of new legal instruments, such as a Regulation on the free flow of data. A third option concerned soft measures, better communication, and information sharing among MS regarding their requirements.

There was a relatively strong consensus that, if there were to be new legislation, it should be principle-based, ensuring that if there are barriers, they are proportionate and justified and MS should be required to back them up.

Moritz from LE mentioned that where behavioural biases exist, things should be made more transparent. What drives the cost for services? Since there is lack of information between cost and security, it would be a huge advantage if we could be more transparent – provide assurances regarding security, and what costs relate to. It could be a role for better education.

The Polish country representative stated that there is a need for legislation (a simple future-proofed instrument) to tackle the barriers that exist, but also the ones that may arise in future. This is difficult, as impact assessments etc are needed. There is a requirement to keep in mind the importance of perception – companies would like to invest but are unsure of legal situation. A simple legal instrument could clarify the legal situation and bring the issue to the forefront.

Another participant stated that restrictions are increasing so something needs to be done before the situation gets out of control. Sharing practices and raising awareness is all very nice, but is not going to stop Member States introducing restrictions. Some believe that the existing EU legal framework is not fit to deal with the challenge. Infringement proceedings are very difficult and time-consuming. The only viable option is new legal instrument: a Regulation, not a Directive. A very simple regulation should suffice, with a handful of articles. It was also mentioned that action will need to be taken quick; Europe will lose out before too long. Another participant confirmed and added that there is a need for a short piece of legislation.

Hans Graux concluded that there is clearly appetite for a simple legislative approach, but not a consensus opinion. Exchanging best practices is a good idea, but would this solve everything? Treaty change is not the most legally efficient way of doing it, while infringement proceedings are slow and sensitive.

Hans Graux asked the participants about justifications to the limitations of the free flow of data: how can this be assessed/dealt with, in practice? Using a transparency mechanism has been suggested –where Member States need to notify any new barriers, so that it would be clear which measures exist. A question was posed whether such a transparency mechanism should also include requirements of private bodies / self-imposed restriction at sector-specific level? One participant stated that there is a need to have the mechanism to shift burden of proof to Member States, where they need to justify the restriction.

Patricia Ypma asked the participants ‘how do you assess if data location restriction is justified?’ Participants answered this by saying that this mechanism exists in international trade and that the criteria are already set by the CJEU, with regard to the Services Directive.

Hans Graux subsequently asked if the current framework is indeed suitable to apply the same logic to data as to services and goods. Probably data is usually in the context of services, so similarities between free flow of data and free flow of services.

Some participants were not in favour of limiting / harmonising restrictions across Europe, but would rather start with increasing trust in certificates and labels, and ensure regulations apply equally across the board. Then, the companies will come and ask for regulation. If rule against data location requirements were introduced without the above, people will hesitate further before moving to the cloud. Lack of control of data was perceived as one of the main barriers to moving to the cloud. Other participants did not agree with this comment: the fact that industry and a majority of Member States want a regulation is relatively unique, and shows how important this issue is.

Representatives of the UK, DK, IE governments support the idea of a regulation in order to improve legal certainty.

Wrap up discussions and conclusions

It was concluded that:

- There is consensus on the fact that restrictions on the free flow of data exist within the EU, although not everyone agrees on their impact on the data economy; - A majority of participants agree that there is a need for more transparency and awareness of the measures in place at national level; - There is a strong movement that is of the opinion that existing (unjustified) barriers to the free flow of data should be eliminated. The majority of this group seem to have a preference for a Regulation, where Member States have an obligation to notify and justify their legal restrictions, and where the principle of proportionality is applied to assess any justifications.

The creation of a 5th Freedom is not preferred. An alternative is raising awareness and communication / cooperation between regulators and industry.

The study team promised to consider all the feedback, views, experiences and suggestions shared by the participants while drafting its final conclusions and recommendations to the EC.

Participants list

From the Commission:

Pierre Chastanet Ronelle Kok Audrius Perkauskas Simon Weidler Rui Cordeiro da Silva

From the Study team:

Hans Graux, time.lex Paul Foley, Tech4i2 Patricia Ypma, Spark Legal Network Peter McNally, Spark Legal Network

Surname Name email

Gelmini Koch Selandari Benoist Rémi Rainer Silvia Hélène secretariat@psc-europe.eu Rainer.Koch02@telekom.de silvia.selandari@orgalime.org h.benoist@ebf.eu

Schmitz Hafskjold Rasmussen Bårdsen HECHT Thomas Christine Trine Trond Helge Brit Thomas.schmitz@mae.etat.lu christine.hafskjold@kmd.dep.no trri@di.dk Trond.Helge.Bardsen@mfa.no brit.hecht@bbva.com

TUYTSCHAEVER Nick Boscolo Marco

Gastaldi Elisa

Echikson William

Borggreen Hernando Christian Ines

Franklin Leclerc Magnus Jean-Marc

Boué De Regt Thomas Mieke Nick.Tuytschaever@economie.fgov.be marco.boscolo@intesasanpaolo.com elisa.gastaldi1@ge.com bechikson@gmail.com cborggreen@ccianet.org hernando@cocir.org franklin@mlex.com jmleclerc@be.ibm.com thomasb@bsa.org mieke.deregt@diplobel.fed.be

Worsøe Katinka Clausdatter kcw@danskerhverv.dk

Jacobs Danielle

Eder Rotureau

Philip Cécile Cristobal Bocos Pedro

Damas Kaunistola Florian Esa danielle.jacobs@beltug.be philip.e@apple.com cro@cabinetdn.com pedro@openforumeurope.org florian.damas@nokia.com esa.kaunistola@microsoft.com

Azzopardi Eich Amendola Masse Hidvegi Naranjo Thornby Blendl Plovie Jepsen Joseph Cornelius Antonio Estelle Fanni Diego Charlotte Quirin Anca Hans joseph.s.azzopardi@gov.mt eich@zvei.org antonio.amendola@intl.att.com estelle@accessnow.org fanny@accessnow.org diego.naranjo@edri.org charlotte.thornby@oracle.com q.blendl@bdi.eu anca.plovie@nokia.com Jeppe.Jepsen@motorolasolutions.com

Soerensen Mette mescso@erst.dk

Lobrano Guido

Colley

Hamish Müller Andreassen Christine g.lobrano@businesseurope.eu hamish.colley@culture.gov.uk chrian@um.dk

Barros Lovegrove Dahlberg Ingenrieth Krauss Gyss Zvaigzne Ananicz Precsenyi Meteyer Jensen Munk

De Silva Melle Joelma Godel Ossip Vela Manuel James Erik Frank Martina-Luise Nicolas Elita Katarzyna Zoltan Herve Helena Juul Grit Kuruneruge Samitha Sujith manuel.barros@anacom.pt james.lovegrove@redhat.com erik.dahlberg@kommers.se fingenrieth@sriw.de M.Krauss@bitkom.org Nicolas.gyss@telenor.com elita.zvaigzne@varam.gov.lv unknown Zoltan_precsenyi@symantec.com herve.meteyer@finances.gouv.fr hjj@ida.dk gmu@ida.dk

s.desilva@nabarro.com Tiel Groenestege Melle.Groenestege@veon.com Almeida joelma.almeida@fct.pt

Moritz Silja-Madli Christina mgodel@londoneconomics.co.uk Silja-Madli.Ossip@mfa.ee cristina.vela@telefonica.com

Ruth MacDonnald unknown

Boekens Flanagan Shal Kris Anne Jan Kris.Boeykens@economie.fgov.be anne.flanagan@dccae.gov.ie unknown

Whilen Alexander unknown

Repan Batas Nogarlain Radislav Sophie Novik unknown Sophie.batas@huawei.com unknown