In Part 2 of our 'deep dive' series, we examined the data access and sharing obligations introduced by the Data Act (Act).
In Part 3, we focus on the practical realities of the Act's provisions dealing with switching between data processing service providers, essentially cloud providers (particularly IaaS, PaaS and SaaS providers). We explore the Act's provisions on switching between data processing services and interoperability, which ultimately seek to: (a) make data switching easier and more secure; (b) prevent vendor lock-in; and (c) encourage competition and innovation in the cloud and data services market.
Switching: Obligations for Providers
The switching provisions apply to data processing services providers (namely, cloud providers) and are set out in Chapter VI, from Articles 23 to 31 of the Act. Under the Act, 'switching' means the process involving a source provider of data processing services, a customer of a data processing service and, where relevant, a destination provider of data processing services, whereby the customer of a data processing service changes from using one data processing service to using another data processing service of the same service type, or other service, offered by a different provider of data processing services, or to an on-premises ICT infrastructure, including through extracting, transforming and uploading the data.
The Act does not define data service providers but the term 'data processing service' means a digital service that enables on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction (Article 2(8) of the Act).
The Act breaks down switching obligations into various elements to allow customers to switch from one provider (referred to as the "source provider") to the same service with a new provider (referred to as the "destination provider"), or to on-premises ICT infrastructure. The key elements of the Act's switching obligations apply to the services, contracts and commercial practices of data services providers from whom a customer is switching. The data switching obligations are as follows:
No Obstacles to Switching are Permitted
To facilitate seamless switching between data processing service providers, the Act prohibits data service providers from imposing pre-commercial, commercial, technical, contractual, or organisational measures which inhibit customers from:
- terminating the contract of the data processing service (after the maximum notice period and successful completion of the switching process);
- concluding new contracts with a different provider of data processing services covering the same service type;
- porting a customer's exportable data and digital assets to a different provider or to an on-premises ICT infrastructure;
- achieving functional equivalence in the use of the new data processing service in the ICT environment of a different provider; and
- unbundling, where technically feasible, data processing services from other services the provider provides.
While not defined by the Act, functional equivalence is intended to ensure comparable customer experience after a customer switches provider, based on the shared features of the relevant service and a customer's data (Recital 86 of the Act).
Written Contract Terms about Switching
The Act mandates that data switching terms are set out in a "written contract" between the customer and provider (Article 25 of the Act). These written terms must include minimum obligations on data processing service providers regarding a customer's right to request to switch data processing services (or to port all of the customer's exportable data and digital assets to an on-premises ICT infrastructure).
In practice, the minimum written terms apply to providers and include obligations requiring providers to:
- ensure switching occurs without undue delay and within a 30-day transitional period (which may be extended by a further 30 days);
- provide 'reasonable assistance' to the customer and third parties in the switching process;
- support a customer's exit strategy;
- act with due care to maintain business continuity and continuity of services during a switch;
- provide clear information concerning known risks to service continuity;
- specify when a contract is considered terminated (e.g. after successful switching or erasure of exportable data and digital assets); and
- ensure data security throughout the switching process.
Other mandatory terms include a maximum period (not exceeding 2 months) for initiating the switching process, and an exhaustive specification of all categories of data that can be ported during that process.
The European Commission's Expert Group on B2B Data Sharing and Cloud Computing Contracts (Expert Group) published a set of standard contractual clauses designed to help companies comply with the Act's obligations and to establish fair, secure and transparent agreements for data sharing and cloud services.
Information Obligations
Article 26 of the Act imposes an obligation on data processing service providers to make information available to customers regarding:
- procedures for switching and porting, including information on available methods and formats of switching as well as restrictions and technical limitations which are known to the data processing service provider; and
- an up-to-date online register hosted by the provider of the data processing service with details of all the data structures and data formats, as well as the relevant standards and open interoperability specifications, including an exhaustive specification of all categories of data and digital assets that can be ported during the switching process, including, at a minimum, all exportable data.
Obligation of Good Faith
All parties involved in the switching process are expected to cooperate in good faith to make it effective, enable the timely transfer of data and maintain the continuity of the data processing service (Article 27 of the Act).
International Access and Transfer (Provider Website Terms)
Article 28 of the Act imposes requirements on data processing service providers to update and maintain certain terms on their websites. These include:
- information relating to the jurisdiction to which the ICT infrastructure for the applicable data processing service is subject;
- a general description of technical, organisational and contractual measures adopted to prevent international government access or transfer of non-personal data held in the Union where such access or transfer would create a conflict with EU law or Member State national law; and
- a reference to the provider's contractual terms (e.g. hyperlinked).
Gradually Phased Out Switching Charges
Article 29 of the Act introduces a phased approach to switching charges:
- From 11 January 2027, providers of data processing services cannot impose switching charges on customers for the switching process.
- From 11 January 2024 to 12 January 2027, providers of data processing services may impose reduced switching charges on the customer for the switching process. Reduced switching charges must not exceed the costs directly linked to the processing.
Technical Aspects of the Switching Process (Cloud Providers)
Article 30 of the Act deals with the technical aspects of the switching process, where a customer switches from one provider (source provider) to a new provider (destination provider) for a service of the same type. These obligations are determined by the nature of the cloud services that are being switched (e.g. IaaS, PaaS or SaaS) and seek to ensure a seamless switching process – such that the new provider can deliver functional equivalence for switching customers (i.e. data services work similarly after the switch). In practice, this will include technical and organisational assistance from the source provider vis-à-vis export tools and data migration support.
Data service providers must ensure their services are compatible with EU-approved standards on operability.
II. Interoperability
Chapter VIII of the Act sets out obligations designed to enhance the interoperability of data and data sharing mechanisms and services, and common European data spaces. These are mainly technical standards, and include the following:
- Requirements for dataset content and other information to be sufficiently described in a machine-readable format to allow a recipient to find, access and use data (Article 33(1)(a) of the Act);
- Requirements for data structures and other information to be described in a publicly available and consistent manner (Article 33(1)(b) of the Act); and
- Where applicable, the means to enable the interoperability of tools for automating the execution of data sharing agreements, such as smart contracts, shall be provided (Article 33(1)(d) of the Act).
More information to follow
Part 3 of our Data Act Deep Dive series provides an overview of the Act's data switching and interoperability obligations. Understanding these obligations, particularly for IaaS, PaaS or SaaS providers, will be essential to ensuring organisations are compliant.
In the final part of the series, William Fry's Technology team shall explore B2B Unfair Contractual Terms in the context of the Act.
Contributed by Aoife Keenan and Caroline Keaveny