International transfers of personal v. non-personal data : reconstructing the EU legal puzzle

Abstract

Data has become an essential input in the digital economy: having access to a large, updated, accurate and verified source of data is a key competitive advantage, allowing a firm to personalize its services for its customers and engaging in targeted advertising. In addition, data access is increasingly important to train AI models. At the same time, data easily ‘moves’ across the borders, generating an exponential growth of cross-border data flows. The paper analyses the EU data acquis – i.e. a complex regulatory framework developed by the European Union during the past years. The framework essentially pursues two distinct goals: on the one hand, it aims at fostering B2B data sharing, to enhance the competitiveness of the EU digital economy. On the other hand, via the adoption of the General Data Protection Regulation (GDPR) in 2016, the EU has also opted for a high level of protection for personal data. The paper discusses conflicts and overlaps between these two goals, looking at the case of international data transfers of ‘personal’ and ‘non-personal’ data. In this regard, the paper compares the legal framework applicable to international transfer of personal data under the GDPR, with the new legal framework concerning the transfer of non-personal data under the Data Act (DA) and the Data Governance Act (DGA).The paper argues that the blurring distinction between personal and non-personal data, the narrow interpretation of anonymization techniques, the expansion of the ‘appropriate measures’ requirements in the GDPR, and the introduction of new rules for the transfer of non-personal data have the effect of limiting the ability of economic operators to engage in data processing activities outside the EU and potentially limit international data transfers outside the EU.