You are here:
22 November 2017 / article

Major reforms in Belgian company law underway: what is changing for your business?

As part of its Digital Single Market strategy, the European Commission published on 13 September 2017 a proposal for a Regulation “on a framework for the free flow of non-personal data in the European Union”.

Enough about personal data, what about (restrictions to) the free flow of “non-personal data” ?

Why a Regulation governing “non-personal” data?

  • To make sure that it is safe for businesses to store data anywhere in the EU;
  • To eliminate barriers to trade and to enable a ‘EU data community’;
  • To enhance data mobility within the EU, which is currently hindered by:
    • national laws or regulators requiring certain data to be stored within the country (e.g. in the banking sector, where the regulator sometimes prohibits cross-border data storage, or localisation requirements in public tender procedures);
    • customers of service providers requiring their data to be stored locally; and
    • a lack of trust when data storage is outsourced (as there is no equivalent in the EU of the US “cloud security alliance”).

The combination of these elements leads to a lack of competition between cloud service providers in Europe, various ‘vendor locking’ issues, and a serious lack of data mobility. Switching between (cloud service) providers is often made very difficult. The aim of the new Regulation is therefore to create more competition on the data market, which will result in lower digitalisation costs for companies and a higher trust level on the market, ultimately benefiting both cloud service providers, their clients, and the end-consumers.

What is the scope of application of this draft Regulation?

The new Regulation is intended to apply to the “storage or other processing of electronic data other than personal data” in the EU, which is:

  • provided as a service to users residing or having an establishment in the EU, regardless of whether the provider is established or not in the EU; or
  • carried out by a natural or legal person residing or having an establishment in the EU for its own needs.

The term “electronic data other than personal data” is defined as “data other than personal data as referred to in Article 4(1) of Regulation (EU) 2016/679”. Every type of information that is not “personal data” within the meaning of the GDPR would thus be qualified as “non-personal data” within the meaning of this draft Regulation.

Taking into account the fact that, in practice, most data sets held by companies are ‘mixed’ (i.e. they contain both personal and non-personal data, which cannot be easily separated), both types of legislation should be applied to most data sets. According to the European Commission, this should not be problematic for businesses, as the consistency between the GDPR and the draft Regulation has been ensured.

Key takeaways of the proposed Regulation?

  • EU Member States will be obliged to remove national law requirements for data localisation:
    • location of data for storage or other processing within the EU shall not be restricted to the territory of a specific Member State, and storage or other processing in any other Member State may not be prohibited or restricted by national law, unless it is justified on grounds of public security;
    • Member States will have to notify to the European Commission of any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement; and
    • Member States will have to make the details of data localisation requirements applicable in their territory publicly available online via a single information point.
  • The Regulation will not affect the powers of competent authorities to request and receive access to data for the performance of their official duties. Access to data by competent authorities may not be refused on the basis that it is stored or otherwise processed in another Member State.
  • Facilitation of data portability (via codes of conduct – ‘standard contractual clauses’): the European Commission encourages and will facilitate the development of self-regulatory codes of conduct at EU level, in order to define guidelines on best practices regarding the switching of cloud service providers and to ensure that cloud service providers provide professional users with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded.

Next steps?

The draft Regulation was proposed by the European Commission on 13 September 2017 and still has to be discussed in and approved by the European Parliament.


piggybank on calculator

New support measures: expansion of corona-paternity leave and measures for companies in restructuring or difficulties

Two royal decrees (Royal Decree No 45 and No 46) have recently been published providing for some additional support measures in the context of the COVID-19 outbreak.... read more
man signing contract

COVID-19 measure: Partial exemption from payment of payroll taxes

A Bill of 25 June 2020 aims to introduce a new system of (partial) exemption from payment to the Belgian Treasury of withheld payroll taxes, in order to provide... read more

Legal considerations for businesses during the coronavirus outbreak in Belgium

As the coronavirus (COVID-19) is increasingly spreading, the priority for companies is, of course, the safety of their employees and of society at large. read more
Stay informed

Don't miss out. Stay up to date about our latest news and events.

Stay informed