(Update February 2023: Please see also our press release of February 2023)
CISPE.cloud supports the objectives of the Data Act proposal and the legitimate goal of avoiding contractual and technical switching barriers. We warmly welcome the IMCO Draft Opinion Amendments by MEP Rapporteur Adam Bielan and the improvements to the Data Act proposed on Chapter VI (Cloud Switching) of the Data Act to the Internal Market and Consumer Protection Committee.
As an organisation representing cloud infrastructure services providers, we strongly believe that customers should enjoy the freedom to choose the technology and services that best meets their needs. This requires preventing and removing lock-in effects, including barriers to switching providers caused by unfair software licensing terms.
For over 3 years, CISPE members worked with customers and the European Commission in the Switching and Porting (SWIPO) Working for data portability of cloud infrastructure services. In April 2021, CISPE declared 21 services compliant with the SWIPO Infrastructure (IaaS) Code on 12 May 2021. CIOs and customer organisations across Europe support and benefit, daily, from the of the SWIPO Infrastructure (IaaS) Code, demonstrating the operational benefit of a fully operational switching mechanism.
CISPE and CIOs organisations are keen to adapt and expand the SWIPO portability Code to meet the requirements of the Data Act and encompass more services in the cloud technology stack.
Switching cloud infrastructure services remains a complex operation: the variety of services available, the volume of the data to be transferred, the specialist technical assistance and project management required, as well technical modifications that customers need to anticipate (e.g. reconfiguration, change in architecture) or require, cannot be compared with portability operations under the General Data Protection Regulation or mobile number portability.
As the Data Act proposal intends to require “functional equivalence” between the same “services type”, we call upon EU institutions to be cognizant about the impact that these broad concepts can have on cloud infrastructure providers and on EU businesses developing cloud-based applications.
Unlike similar concepts in the Electronic Communication Framework, the concept of “functional equivalence” in the Data Act remains vague, undefined and appears to oversimplify the nature of cloud infrastructure services and adversely affect the take up and innovation of cloud services. This needs to be addressed.
Together with a necessary clarification of the definition of “functional equivalence” and “service type”, the development of guidelines and codes of conduct and European standards should be encouraged to define the scope of this concept and how it is expected to work in practice, while considering the difference between IaaS and non-IaaS services.
Given the technical complexity, any such codes of conduct and/or European standards can be developed under the supervision of the technical services of the Commission such as DGIT. Overall, combining legal requirements with self-regulatory initiatives such as standards and codes of conduct developed jointly by cloud customers and providers is the most effective way to address the technical, operational and contractual issues that the Data Act is trying to solve and deliver on the goals of this important legislation.
Brussels, November 7, 2022
Comments by CISPE on the Data Act and Proposed Clarifications
Unlike similar concepts in the Electronic Communication Framework (such as “equivalence of input” vs “equivalence of output” in Recital 185 of the EECC) which are described in detailed terms and incumbent infrastructure access obligations which are set ex-ante by NRAs at national level, the concept of “functional equivalence” in the Data Act remains vague, undefined and appears to oversimplify the nature of cloud infrastructure services.
The level security, operational resilience, and quality of service vary from a provider to another and depend on how customers have designed and configured their applications. This is not comparable to numbers porting under the EU communication framework. With the current definition, both originating, and destination providers will have difficulties to comply with the proposed obligations to enable the customer switching rights.
Cloud infrastructure providers have no control or power to ensure that their competitors’ services are equivalent to their own. Cloud service providers compete on underlying aspects like security, availability, location and more. Imposing one-size-fits all technical specifications based on an undefined notion of “functional equivalence” may result in a reduction in consumer choice.
Article 23; Paragraph 1
CISPE supports the requirement for providers of data processing services to remove all obstacles that could inhibit customers from switching to another data processing service, covering the same service type, in the IT-environment of the destination provider.
We support a right to terminate on 30 days’ notice. The exercise of such a right, however, should not affect other contractual commitments negotiated between customers and their cloud service providers, such as when the customer has negotiated a fixed term agreement against a discounted rate.
Data processing services portability rules should be complemented by additional principles aiming at eliminating unfair software application lock-in practices imposed by vertically integrated providers who are also applications providers.
If customers are locked-in proprietary application services without the possibility of porting their own software to competing data processing services, data portability and switching providers are at best a wishful thought.
23 (d) should not overlap with the definition of functional equivalence and related technical and operational aspects that need to be defined by codes of practice or European standards as mentioned above.
Successful switching of data processing services requires good faith cooperation between originating and the destination service provider. The need for fair collaboration is clearly recognised by the Draft Data Act in its recital 74.
Article 24; Paragraph 1
We believe that the combination of 30 days mandatory transition period as well as the 6 months period in particular circumstances may be acceptable and feasible for a customer to achieve according to market practices, in particular for standardised services such as IaaS. It should be understood that the customer is responsible for the switching process.
By ensuring transparency over timing, customers can make informed choices regarding the switching cloud providers. Ensuring cloud service providers justify the length in time it will take customers to transfer data should offer comfort to the Commission that cloud service providers will not unduly delay the process. This approach recognises the technical and practical realities of cloud switching in that there are varying degrees of complexities which should be handled on a case-by-case basis.
The data types that suppliers are required to transfer should only include those generated by the customer or which uniquely relate to the customers own usage of the service – cloud service providers will generate their own proprietary information concerning usage, efficiency etc., which they should not be obliged to release to potential competitors, particularly given that this will not assist the customer with the actual switch of their service.
Article 24; Paragraph 2
The additional 6 months transition period proposed by the Commission, in our opinion may occur for non-standardised services.
However, there might be complex cases where 6 months are not feasible and not in the customers interest (e.g., migration of workloads from EU companies in the energy, financial or health sector that in the traditional outsourcing usually takes 3 years cannot be reduced to 6 months), as acknowledged by the banking industry and also in the draft opinion from European Parliament’s Committee on Industry, Research and Energy that makes a similar change to the text.
The originating provider should be responsible for providing clear information about data transfer costs, but should not be obliged to bear costs outside of its control, which are determined by the customer or destination provider. By providing transparency to customers on the scale of costs at the outset of the contract, customers can make informed decisions pre-contract, and plan their data transfers accordingly. The Commission can monitor these costing parameters to ensure cloud service providers are being fully transparent and justified in their approach to costs, and therefore fair with their customers.
Article 26; Paragraph 4
When Codes of Conduct jointly developed and applied by customers and provider exist, these should be recognised as compliance tools to meet the requirements of Chapter VI of this Regulation.
CISPE is a strong supporter of free flow of data as a key driver allowing customers to innovate and grow their business in Europe and internationally. It is important that the Data would not prevent cloud customers to operate their business as they see fit. At the same time CISPE recognizes that cloud infrastructure customers should have the assurance that their interests are protected under EU laws and that their data is shielded against law enforcement access requests that would be directed to their CSPs in violation of EU laws. CISPE supports technological and digital sovereignty as an enabler of trust in cloud services for EU businesses and Governments and, in the absence of a definition as to what “digital sovereignty” means, particularly for the cloud industry, it has proposed “Digital Sovereignty Principles for Cloud Infrastructure Services”.
While the Data Act is aligning with CISPE’s position on this topic, CISPE believes that 1/ the onus of providing evidences of the adequacy of the third country legal system should be on the Commission and not on providers that do not have the necessary resources to perform complex legal analyses and 2/ synergies should be found between the General Data Protection Regulation (GDPR) and the Data Act so that adequacy decisions issued by the Commission on the protection of fundamental rights side will be taken into in the context of the Data Act as most of non-personal data in scope are usually mixed data sets with personal data. A dual personal/non-personal data regime would increase the compliance burden and cost on providers without necessarily improving the protection on the data.
See above for comments concerning the difficulty in establishing ‘same service types.’
Interoperability appears a clearer concept than functional equivalence. Interoperability specifications and standards are useful in helping customers transition services, but should be mandatory on cloud service providers only when necessary and without limiting their ability to innovate and create services that serve their customer’s needs.
Transparency regarding the compliance of a service with standards and interoperability requirements pre-contract should allow customers to make sufficiently informed decisions before entering into a contract for the provision of cloud services.
Where the Commission chooses to implement European standards, these should take into account both any relevant international standards (given the global nature of cloud services and the fact that many customers rely on them), as well as seeking impact from relevant parties within the industry that will be affected by the new standards.