The EU Data Act (“Data Act”) was adopted by the European Parliament on 9 November 2023 (final text here) after a long period of negotiations following the European Commission’s publication of a proposed regulation in February 2022 (which we wrote about here).
The Data Act is comprehensive (c. 240 pages with 119 recitals) and introduces significant changes regarding access to data generated by connected devices and related services. This article will focus specifically on the provisions relating to switching and the implications for cloud service providers (“CSPs”).
- What is switching?
The Data Act defines switching as the “process…whereby the customer of a data processing service changes from using one data processing service to using another…of the same service type, or other service, offered by a different provider of data processing services, or to an on-premises ICT infrastructure…”. In other words, when a customer (individuals or businesses) migrates from one CSP to another.
Here, ‘data processing service’[1] has a broad meaning which borrows from the well-known NIST definition of cloud computing. In practice, a wide range of CSPs will be caught.
- What is required of CSPs when it comes to switching?
Key provisions around switching are contained in Chapter VI of the Data Act. The new rules are far-reaching and require CSPs to take steps to make the switching process easier and cheaper for customers.
(a) Removing obstacles to switching (Article 23)
CSPs are not allowed to impose and are required to remove “pre-commercial, commercial, technical, contractual and organisational obstacles” which would make it more difficult for a customer to switch. This includes anything which would inhibit customers’ termination rights, ability to contract with new providers and export of customer data.
There is an additional obligation not to inhibit customers from being able to unbundle services i.e. they should be allowed to switch certain features, e.g. cloud storage, without having to do the same for others e.g. compute. How CSPs will implement compliant solutions in practice remains to be seen.
(b) Withdrawal of switching charges (Article 29)
Switching charges are defined as “charges, other than standard service fees or early termination penalties, imposed by a [CSP] on a customer…for switching to…a different provider or…[migrating] to [on-prem]…”. This include ‘egress charges’ which are charges imposed on the customer for transferring data to another provider.[2]
A key change brought by Data Act is the gradual withdrawal of switching charges. Starting from the three years after the Data Act enters into force, CSPs will no longer be able to impose any switching charges on customers. In the meantime, only reduced switching charges are allowed but cannot exceed costs incurred by CSPs in relation to the switching process. Information on charges must be provided by CSPs to customers in an accessible format prior to any contractual relationship e.g. via their website or as part of their terms.
(c) Contractual obligations (Article 25)
CSPs are required to provide customers with a written contract at the outset clearly setting out the switching process when moving to another CSP or from cloud to on-prem. Terms must also cover timelines for switching (maximum transitional period of 30 days[3]) and details of any costs involved (including termination fees and egress charges).
There are also obligations in relation to the switching process itself, including providing reasonable assistance to the customer (and any third parties authorised by the customer), maintaining business continuity and ensuring a high level of security throughout the switching process.
(d) Technical obligations (Article 30)
CSPs are required to provide assistance services to users wishing to switch, with the aim of facilitating the process e.g. by providing data migration tools, data transfer process support.
There is an express requirement on the incumbent CSP to “take all reasonable measures in their power to facilitate” that the customer “achieves functional equivalence” in their use of the new cloud service. This includes providing necessary technical support, documentation, tools and capabilities. Although there are no express equivalent requirements for destination CSPs, there is a good faith obligation in Article 27 requiring both CSPs to work together to ensure the switching process is effective.
Article 31 provides an exception for certain cloud services. This includes where the “majority of main features has been custom-built to accommodate specific needs of an individual customer” and where those services do not form part of the CSPs standard service offering. If this is the case, then CSPs must inform customers that they will be exempt from switching obligations set out in Chapter VI.
- What does the Data Act mean for CSPs?
The passing of the Data Act marks a period of increased regulatory intervention in the European cloud market. CSPs must prepare to adapt to an altered competitive landscape which may require significant changes to products and services in order to comply with the new regulations.
Consistent with other aspects of EU digital regulation, the Data Act has extra-territorial scope. This is particularly relevant for CSPs due to their nature whereby data processing and storage activities may occur in one location (e.g. data centres in the EU) but the CSPs themselves are located elsewhere (e.g. in the UK/US). The Data Act will capture any CSPs who offer their services to EU recipients, regardless of where the CSPs are themselves located.
- What can CSPs do now?
Although implementation of the Data Act is potentially two years away, CSPs in-scope should start to consider its implications for their products and services.
Consideration of regulatory enforcement risk is also key. Consequences of non-compliance with the Data Act are determined at a national level by competent authorities in relevant Member States who must ensure that penalties are “effective, proportionate and dissuasive”. There is a non-exhaustive list of criteria for assessing penalties, e.g. the nature, gravity, scale and duration of the infringement. However, there is an element of uncertainty regarding how each competent authority conducts this assessment, which could lead to a variety of fine amounts across Member States for the same violation. Importantly, where personal data is involved, data protection authorities have the power to impose fines reflecting amounts set out in EU GDPR.
Examples of practical steps could include:
- reviewing existing data management policies and procedures to identify areas requiring compliance
- reviewing pricing models to assess the implications of the gradual withdrawal of switching charges
- consider whether and to what extent co-operation with other CSPs will be required to facilitate the switching process for customers
- investing in technologies to facilitate switching e.g. data migration tools
- Next steps and key dates
The Data Act is expected to apply from late 2025. It first needs formal approval by the European Council (the final text is unlikely to change) after which it will enter into force on the 20th day following its publication in the Official Journal of the EU. Its obligations will apply 20 months after its entry into force.
[1] Article 2(7): “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction”.
[2] The CMA identified egress fees as a potential barrier to switching as part of their market investigation into cloud services (which we wrote about here).
[3] Under Article 25(4) this can be extended by the CSP if it is not ‘technically feasible’ (but not exceeding seven months).