Table of Contents

Introduction

Please share all documents and links that might be of interest to other organizations. You can share something by:

• Clicking 'edit' and inserting a link (ctrl+K) under the relevant header on this page;
• If you insert a link, please give a short introduction to the content of the page you are referring to and why you think it is relevant.
• You can also share documents by uploading them to the relevant file lists, which can be found under each header.
• If you have uploaded a document, or shared a link, please mail the mailing list to let them know that there is a new addition to the wiki. If you want feedback on your documents, please let people know how you want to receive their input.

Please note that these pages are not yet restricted. The pages will soon be only visible for the members of the Task Force, at what time you can share more sensitive documents and information. If you want to be part of the Task Force, please contact Charlie van Genuchten: charlie.genuchten@geant.org.

GDPR Knowledge Exchange

Links

Summary Press Release State of the Union 2017: A framework for the free flow of non-personal data in the EU

On Tuesday 19 September the European Commission presented a press release, outlining the main regulatory goals of the proposal for a legal framework for the free flow of non-personal data in the European Union. This is the beginning of a long legislative process that may have an impact on GÉANT and our community. This information has been circulated within GÉANT, and I have been advised to forward this to you all.

As the main elements of the proposal, the press release underlines: 

1. 1. 1. The establishment of the principle of free flow of non-personal data across borders

This means that Member States would no longer be able to oblige organisations to locate the storage or processing of data within their borders. Restrictions would only be justified for reasons of public security. 

1. 1. 1. The establishment of the principle of data availability for regulatory control

This principle would enable competent authorities to exercise their rights of access to data wherever it is stored or processed in the EU.

1. 1. 1. EU codes of conduct 

The proposal envisages the development of EU codes of conduct to remove obstacles in switching between service providers of cloud storage and to porting data back to users' own IT systems. The proposal for a Regulation on a framework for the free flow of data in the European Union was presented on 13 September 2017. It aims to establish the scheme of free, cross-border flow of data within the EU. The key elements of the proposal include the following:

1. 1. 1. Subject matter and scope (Articles 1-2)

Article 1 clarifies that the future Regulation would aim to ensure the free movement of non-personal data within the EU and lay down rules relating to data localisation requirements, the availability of data to competent authorities and data porting for professional users. The Regulation would be applicable where the storage or other processing of non-personal data is provided as a service to users residing in the EU, or carried out by a natural or legal person residing or having an establishment in the EU.

1. 1. 1. Principle of the free movement of data (Article 4)

This key article establishes the principle of free movement of non-personal data in the EU. It prohibits any data localisation requirement, unless it is justified on grounds of public security.

1. 1. 1. Data availability for competent authorities (Article 5)

Article 5 aims to ensure data availability for regulatory control by competent authorities. Therefore, users would not be able to refuse to provide access to data, required by competent authorities on the basis that such data is stored or further processed in another Member State.

1. 1. 1. Codes of conduct (Article 6)

Article 6 obliges the Commission to encourage service providers and professional users to develop and implement codes of conduct detailing the information on data porting.

1. 1. 1. Single points of contact and Committee (Articles 7-8)

This institutional part of the proposal establishes bodies that would support the functioning of the free-flow of data. Article 7 obliges Member States to designate single points of contact, which would be required to cooperate with each other and with the Commission when it comes to the application of the future Regulation. 

Next Steps

The European Parliament's Committee responsible for the proposal is expected to nominate a Rapporteur to prepare the Parliament's draft position in the coming months.

The Council will also work on the proposal in order to reach a Council's internal agreement.

Once the European Parliament and the Council reach their positions on the proposal, they will carry out 'trilogue' negotiations, assisted by the Commission, with a view to reaching an agreement on the proposal.

The Member States ministers are expected to discuss the topic of free flow of data at the EU Digital Summit, scheduled for 29 September 2017.

Documents

Please upload your documents on GDPR Knowledge Exchange

Compliance and Frameworks

Links

UK Information Commissioner on consent and alternatives and Jisc blog post on the draft guidance

Documents

Please upload your documents on Compliance and Frameworks

Impact and Risk Assessment

Links

Article 29 WP draft guidance on DPIAs which references approvingly the UK Information Commissioner on Privacy Impact Assessment

Documents

Please upload your documents on Impact and Risk Assessment

Privacy by Design

Links

Documents

Please upload your documents on Privacy by Design

(Shared) Services

Links

Blog posts on on how we are categorising Jisc services and how to determine the appropriate legal basis

Peer-reviewed papers on how GDPR applies to incident response and big data, including learning analytics

Documents

Please upload your documents on (Shared) Services