9月13日，欧盟委员会公布了促进非个人信息【non-personal data】在欧盟境内自由流动的立法建议，文件全名是Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for the free flow of non-personal data in the European Union.

接下来对这份立法建议的主要内容做个概述和解读：

立法目标：
To unlock this potential, the proposal aims to address the following issues:
1. Improving the mobility of non-personal data across borders in the single market, which is limited today in many Member States by localisation restrictions or legal uncertainty in the market; 【目前许多成员国都有各种非个人数据（non-personal data）本地化的要求，因此希望通过立法改善欧盟境内非个人信息的自由流动】
2. Ensuring that the powers of competent authorities to request and receive access to data for regulatory control purposes, such as for inspection and audit, remain unaffected; and 【确保：不能因为数据自由流动了，所以监管机构没法调取数据了】
3. Making it easier for professional users of data storage or other processing services to switch service providers and to port data, while not creating an excessive burden on service providers or distorting the market.【让"professional用户"变更数据存储和数据处理服务提供商时更加容易，但又不对提供商造成过大的负担或扭曲市场。这句话的意思就是要数据的携带权以及在各个服务商之间切换时要有互操作性】

为什么要用Regulation而不是Directive等其他的法律工具？

This is particularly important to remove existing restrictions and prevent new ones to be enacted by Member States, to guarantee the legal certainty to the concerned service providers and users and thereby increase trust in cross-border data flows as well as data storage and other processing services.  【主要就是确保对成员国有强制约束力：移除现有的限制流动措施、避免未制定新的限制措施、保障用户和服务提供商享有法律确定性。】 

Recital部分有几点重要信息，提炼出来和大家分享：

The freedom of establishment and the freedom to provide services under the Treaty on the Functioning of the European Union apply to data storage or other processing services. However, the provision of those services is hampered or sometimes prevented by certain national requirements to locate data in a specific territory......[by] Other rules or administrative practices have an equivalent effect by imposing specific requirements...... such as requirements to use technological facilities that are certified or approved within a specific Member State

对非个人信息自由流动进行立法，为的是确保“单一数字市场”。具体来说，就是数据服务提供商（文件中用的原文是：data storage or other processing providers）有自由选择建立提供服务所在地的权利。但是这个自由选择的权利主要被这两个政策法律因素所限制：成员国的数据本地化要求，以及提供数据服务的技术设施必需经其认证或允许。

At the same time, data mobility in the Union is also inhibited by private restrictions: legal, contractual and technical issues hindering or preventing users of data storage or other processing services from porting their data from one service provider to another or back to their own IT systems, not least upon termination of their contract with a service provider.

影响数据自由流动的还有非政策法律原因，导致了用户无法在不同提供商之间进行切换等。

Under Regulation (EU) 2016/679, Member States may neither restrict nor prohibit the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data. This Regulation establishes the same principle of free movement within the Union for non-personal data except when a restriction or a prohibition would be justified for security reasons. 

GDPR已经明确了个人信息应在欧盟境内自由流动，除非出于个人信息保护之外的理由。这次立法将确保非个人信息也能在欧盟境内自由流动，但是成员国可以出于安全原因设定限制措施。

This Regulation should apply to data storage or other processing in the broadest sense, encompassing the usage of all types of IT systems, whether located on the premises of the user or outsourced to a data storage or other processing service provider. It should cover data processing of different levels of intensity, from data storage (Infrastructureas-a-Service (IaaS)) to the processing of data on platforms (Platform-as-a-Service (PaaS)) or in applications (Software-as-a-Service (SaaS)). These different services should be within the scope of this Regulation, unless data storage or other processing is merely ancillary to a service of a different type, such as providing an online marketplace intermediating between service providers and consumers or business
users.

以上是本次立法要覆盖的对象——数据服务提供商的范围，非常宽泛。

接下来进入主要条文：

Article 3 中提供了“数据本地化措施”的定义。'data localisation requirement' means any obligation, prohibition, condition, limit or other requirement provided for in the laws, regulations or administrative provisions of the Member States, which imposes the location of data storage or other processing in the territory of a specific Member State or hinders storage or other processing of data in any other Member State;

Article 4提出了确保数据自由流动的具体措施。

1. Location of data for storage or other processing within the Union shall not be restricted to the territory of a specific Member State, and storage or other processing in any other Member State shall not be prohibited or restricted, unless it is justified on grounds of public security. 除了公共安全，不能限制数据流动。
   

2. Member States shall notify to the Commission any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement in accordance with the procedures set out in the national law implementing Directive (EU) 2015/1535. 如果新设立数据本地化措施，或者改变了原有措施，应当告知欧盟委员会。
   

3. Within 12 months after the start of application of this Regulation, Member States shall ensure that any data localisation requirement that is not in compliance with paragraph 1 is repealed. If a Member State considers that a data localisation requirement is in compliance with paragraph 1 and may therefore remain in force, it shall notify that measure to the Commission, together with a justification for maintaining it in force. 12个月月内，成员国要取消数据本地化措施。如果该保留某项措施，则应当向欧盟委员会提供理由说明。

4. Member States shall make the details of any data localisation requirements applicable in their territory publicly available online via a single information point which they shall keep up-to-date. 每个成员国应将所有数据本地化措施的相关信息汇聚于唯一的信息枢纽，对外公布。

5. Member States shall inform the Commission of the address of their single information point referred to in paragraph 4. The Commission shall publish the links to such points on its website. 欧盟委员会将集中各成员国建立的上述信息枢纽，对外公布。
   

Article 5 保障监管机构能调取数据

1. This Regulation shall not affect the powers of competent authorities to request and receive access to data for the performance of their official duties in accordance with Union or national law. Access to data by competent authorities may not be refused on the basis that the data is stored or otherwise processed in another Member State. 不能因数据存储在其他成员国而拒绝监管机构调取数据的合法要求。

2. Where a competent authority has exhausted all applicable means to obtain access to the data, it may request the assistance of a competent authority in another Member State in accordance with the procedure laid down in Article 7, and the requested competent authority shall provide assistance in accordance with the procedure laid down in Article 7, unless it would be contrary to the public order of the requested Member State. 一国监管机构如果穷尽了所有的办法仍然无法获取数据，则数据所在国的监管机构应当给予协助调取数据。

3. Where a request for assistance entails obtaining access to any premises of a natural or legal person including to any data storage or other processing equipment and means, by the requested authority, such access must be in accordance with Union or Member State procedural law. 数据调取的方式应当合法。

4. Paragraph 2 shall only apply if no specific cooperation mechanism exists under Union law or international agreements to exchange data between competent authorities of different Member States. 如果成员国之间有了数据交换的合作机制，本条ii才适用。
   

Article 6 旨在提升转移数据的便利

1. The Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level, in order to define guidelines on best practices in facilitating the switching of providers and to ensure that they provide professional users with sufficiently detailed, clear and transparent information before a contract for data storage and processing is concluded, as regards the following issues:

   (a) the processes, technical requirements, time frames and charges that apply in case a professional user wants to switch to another provider or port data back to its own IT systems, including the processes and location of any data back-up, the available data formats and supports, the required IT configuration and minimum network bandwidth; the time required prior to initiating the porting process and the time during which the data will remain available for porting; and the guarantees for accessing data in the case of the bankruptcy of the provider; and
   (b) the operational requirements to switch or port data in a structured, commonly used and machine-readable format allowing sufficient time for the user to switch or port the data. 【由于数据在不同服务商之间转移涉及复杂的经济和竞争利益，因此欧盟委员会对此没敢采取直接立法做出详细要求，而是鼓励在欧盟层面建立数据服务提供商“自我规制的行为准则” （self-regulatory codes of conduct）。准则的目的有两个：一是为将来行业的“最佳实践指南”打下制度基础；二是确保在professional用户与服务商签订合同之前，就能了解到数据从该服务商向外迁移时的具体技术细节和要求，如此用户就能决定是否采用该服务商。】

2. The Commission shall encourage providers to effectively implement the codes of conduct referred to in paragraph 1 within one year after the start of application of this Regulation. 欧盟鼓励服务商在立法生效后的1年内有效地落实行为准则。
   

3. 3. The Commission shall review the development and effective implementation of such codes of conduct and the effective provision of information by providers no later than two years after the start of application of this Regulation. 在本法生效2年后，欧盟委员会应当审查行为准则的制定和实施，以及服务商是否向用户做了有效告知。
   

Article 7 建立了监管机构相互合作的机制

1. Each Member State shall designate a single point of contact who shall liaise with the single points of contact of other Member States and the Commission regarding the application of this Regulation. Member States shall notify to the Commission the designated single points of contact and any subsequent change thereto.

2. Member States shall ensure that the single points of contact have the necessary resources for the application of this Regulation. 以上两点合起来的要求就是：每个成员国应专门为该项立法制定唯一的联络人。

3. Where a competent authority in one Member State requests assistance of another Member State to have access to data pursuant to Article 5 paragraph 2, it shall submit a duly motivated request to the latter's designated single point of contact, including a written explanation of its justification and legal bases for seeking access to data. 需要就数据调取合作时，监管机构应当向其他成员国的联络人提交申请，并写清调取的事由和法律支撑。
   

4. The single point of contact shall identify the relevant competent authority of its Member State and transmit the request received pursuant to paragraph 3 to that competent authority. The authority so requested shall, without undue delay:
   (a) respond to the requesting competent authority and notify the single point of contact of its response and
   (b) inform the single point of contact and the requesting competent authority of any difficulties or, in the event the request is refused or responded to in part, of the grounds for such refusal or partial response. 联络人收到申请后，将申请移交至其国内的相关监管机关。监管机关应及时反馈情况。

5. Any information exchanged in the context of assistance requested and provided under Article 5 paragraph 2 shall be used only in respect of the matter for which it was requested. 所调取的数据不得改变用途。

6. The Commission may adopt implementing acts setting out standard forms, languages of requests, time limits or other details of the procedures for requests for assistance. Such implementing acts shall be adopted in accordance with the procedure referred to in Article 8. 欧盟委员会可就此机制建立操作标准。
   

以上即为该立法建议的主要内容了，供大家参考。