The proposed Data Act is best known for its far-reaching data sharing obligations related to smart products. Arguably, less attention has been paid to the new set of rules for cloud service providers aimed at making switching between providers easier.
Up until now, cloud service providers have primarily been subject to self-regulatory instruments, e.g. codes of conducts such as the SWIPO SaaS and IaaS Code of Conduct. The Data Act is set to introduce a number of new rules. In this blogpost we look at what type of cloud service providers are in scope (find our previous blogpost with a broader comparative analysis here). Then we touch upon the key obligations, including the new minimum contractual terms as well as the discussion around switching charges. We also take a look at new safety measures for transfer of and access to non-personal data, and interoperability standards applicable to cloud service providers.
1. Which cloud service providers are in scope of the Data Act?
In principle the Data Act proposal captures providers of “data processing services”, i.e. digital services which offer access to scalable and centralised or distributed computing resources. Computing resources include resources such as networks, servers or other virtual or physical infrastructure, operating systems, software, including software development tools, storage, applications and services. Seemingly, this definition is broad and will include all common cloud service model types, e.g. software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS). The European Parliament’s proposal further mentions distinct combinations of IT services such as “Storage as a Service” and “Database as a Service” in the recitals.
However, there are certain carve-outs which narrow the scope a bit:
- The Commission’s initial proposal already explicitly excluded online content service providers in the meaning of the Portability Regulation (EU) 2017/1128 from the scope, i.e. providers of digital content which offer e.g. music, movies, or sports programs for download or streaming on their customers’ smartphones, laptops or other devices.
- In addition, based on the recitals of the European Parliament’s proposal, digital services qualified as online platforms under the DSA as well as services where the data processing service is not part of the core business should be excluded from the scope.
2. What obligations does the Data Act introduce for cloud service providers?
a. Removal of commercial, technical or contractual obstacles
In a nutshell, the Data Act aims to facilitate the switching of customers (both business and consumers) from one provider to another. Providers will be required to remove any commercial, technical and contractual obstacles for the customer. In particular, the customer should be able to:
- Port its data, including metadata (generated by the customer’s use), applications and other digital assets to another provider. Digital assets refer to elements in digital format for which the customer has a right to use (such as applications, virtual machines or virtual containers). The European Parliament suggested in the recitals to reduce the scope of exportable data and exclude third party assets or data protected by trade secrets or IP rights as well as data related to the security and integrity of the service and data used by the service provider to operate, maintain and improve the service. Porting would also be possible to on-premise systems.
- Maintain functional equivalence. Functional equivalence means the possibility to re-establish, on the basis of the customer’s data, a minimum level of functionality in the environment of a new provider. This obligation is limited so that services will only be expected to facilitate functional equivalence for functionalities that both the originating and destination services offer (i.e. not extending to functionalities of the PaaS and/or SaaS service delivery model beyond that).
- Terminate the contract within a maximum notice period. In this aspect the positions are still diverging: the Commission has proposed a short period of 30 days whereas the Council proposes up to 2 months, and the European Parliament’s proposal falls in the middle with 60 days.
b. Minimum contractual terms with customers
The Data Act proposal further introduces a minimum contractual standard for provisions relating to the switching process. Thus, providers must include clauses in their customer contracts, such as:
- A mandatory maximum transition period, within which the customer can switch to another provider. The transition period is highly relevant in practice and will likely vary depending on the complexity of the data processing services and on how deep the service is embedded in the customer’s IT environment. The transition period is still controversial between the Commission, the European Parliament and the Council, ranging from 30 to 90 days (with co-legislators sharing the view that the customer should have the right to extend the transition period if needed).
- A minimum period for data retrieval of at least 30 days, starting after the termination of the transition period.
- An obligation of the provider to assist the customer through the switching process during the transition period.
- Details about all data and application that can be exported. According to the Council’s position, providers should further specify categories of metadata specific to the “internal functioning of provider’s service” which are excluded from the exportable data.
- An obligation of the provider to maintain a high level of security. This proposal has been introduced by both, European Parliament and the Council, where the Council further specified that the security must be maintained throughout the porting process, the data transfer and a specific retention period.
The Council also suggests including additional clauses such as an obligation for the provider to guarantee the erasure of the data, provided that the porting process has been completed or to reference an online register hosted by the provider, with details of all standards and data structures formats in which the exportable data will be available. The Council further introduced transparency requirements, obliging providers to publish information on their website (which should be referenced in customer contracts) about the jurisdiction to which their IT-infrastructure is subject and the measures taken to prevent unlawful governmental access to non-personal data.
3. The question of switching charges
To avoid potential vendor lock-in effects, the Data Act generally aims to limit the charges imposed by the provider to customers for the switching process. There seems to be a consensus that after a transition period of 3 years, providers are prohibited to impose any switching charges. However, the positions are diverging on the transition period: The Council’s proposal allows providers to impose reduced charges on both B2C and B2B customers. In contrast, the European Parliament intends to exempt B2C customers from any charges as of the entry into force of the Data Act, while allowing reduced charges only for B2B customers.
There also seems to be a consensus that switching charges should not exceed the costs incurred by the provider that are directly linked to the switching process. However, which costs should be considered within the scope is still subject to ongoing discussions. For instance, the Council seems to be in favour of including certain costs related to the outsourcing of support actions during the switching process, whereas the European Parliament intents to exclude any costs arising from such outsourcing. The European Parliament also proposes that providers must inform customers about highly complex or costly switching before concluding a contract with the customer.
4. International access and transfer of non-personal data
Similar to the GDPR’s regime for personal data, the Data Act obliges providers to take all technical, legal and organizational measures, including contractual arrangements, to prevent unlawful international transfer and third-country governmental access to non-personal data.
In principle, providers must comply with access requests to non-personal data based on judicial decisions issued by a third-country authority if there is a mutual legal assistance treaty in force between such country and the Union. However, in the absence of such international treaty, access and transfer of the requested non-personal data shall only take place if specific conditions are met.
The European Parliament further suggests, that if the provider has reason to believe that the transfer of or access to non-personal data may lead to the risk of re-identification of non-personal, or anonymized data, the provider shall request the competent data protection authorities for authorization before transferring or giving access to data.
5. Interoperability and portability standards
Interoperability between service providers is a key element to facilitate the effective switching. As a result, the Commission will be empowered to request European standardisation bodies to develop interoperability and portability standards or adopt delegated acts in this regard. The standards will cover aspects of (i) cloud interoperability (such as transport interoperability, syntactic interoperability or policy interoperability), (ii) cloud data portability (such as data semantic portability and data policy portability) and (iii) cloud application portability (such as application instruction portability, application metadata portability or application behaviour).
Once published in a central Union standards repository, providers will have to ensure compliance with such standards. In contrast to the Council’s position, the European Parliament suggested that providers should be granted a one-year transition period for compliance with newly issued standards.
6. Outlook
At this stage, the Data Act is still subject to ongoing negotiations between the Council and the European Parliament. Although there is yet no precise timeline for its final adoption a final Trilogue meeting where a political agreement could be reached has been tentatively scheduled for 27 June 2023. However, the direction of travel is clear and the current drafts clearly indicate the scope of new rules cloud providers can expect. Providers are well advised to keep an eye on the Data Act during the Trilogue phase and prepare for the new obligations lurking on the horizon.