At Workday, we advocate for a regulatory environment that allows our customers to take full advantage of the power of cloud computing. To that end, we applaud efforts in the European Union (EU) to enact legislation prohibiting restrictions on the free flow of data throughout the region.
To promote the free flow of data, on May 30, Workday co-hosted a roundtable in Brussels with MEP (Member of the European Parliament) Dita Charanzova. Joining us were Pearse O’Donohue, acting director for Future Networks, European Commission; representatives from the governments of Estonia, Belgium, and Ireland; and representatives from European technology, manufacturing, and financial services companies.
The roundtable focused on the European Commission’s paper, Building a European Data Economy, published in January as part of its larger Digital Single Market strategy. That paper aimed to dispel misperceptions among EU Member States about the effects of data localization and proposed taking steps to address restrictions on the flow of data. As the Commission described the issue:
“Sometimes restrictions are imposed by Member States in the belief that supervisory authorities can more easily scrutinise locally stored data. Localisation is also used as a proxy for assurances in terms of privacy, audit, and law enforcement, as well as the security of data. However, in practice, these measures rarely contribute to the objectives they are intended to achieve.”
Our position is that national or other jurisdictions’ data localization requirements are a well-meaning but ineffective means of ensuring data privacy and security. Robust cybersecurity—which we embrace fully—stems from the policies and procedures a controller or processor uses in the storage and processing of data, not the legal jurisdiction where data is stored. While regulators often need to access data to fulfill their responsibilities, access can be assured through arrangements with regulated entities. The mere fact that the data might be located in a different country shouldn’t, and doesn’t, impede regulator access. Of course, we understand that data may need to be kept locally in some narrow cases (for sensitive national security information, for example), but those requirements ought to be imposed narrowly.
Participants at the roundtable agreed on the importance of establishing the free flow of data as a single market principle alongside the free movement of goods, services, people, and capital. This would help ensure that data can flow in a vibrant digital economy, dispel the perception among some market participants that data must be kept in any particular jurisdiction, and obligate Member States imposing arbitrary restrictions on data location to justify them on public interest grounds.