In the first part of this three-part series, we outlined the framework for data sharing and data access in the context of Connect Products and Related Services under the Data Act (EU Regulation 2023/2854) (see article here). In this Part II, we will consider the cloud switching provisions and the interoperability provisions pursuant to the Data Act, and briefly examine some practical steps for businesses in their data compliance journey.
Mandatory switching provisions
The Data Act introduces mandatory requirements to enable customers to switch between ‘data processing services’ to prevent vendor lock-in. In this respect, service providers must facilitate, and remove barriers (including switching fees) to, customers switching to another provider of the same service type or to a customer’s own infrastructure. The Data Act is applicable to data service providers irrespective of where they are established, as long as they are providing services to customers based in the EU.
There are exceptions to certain requirements under the Data Act for data processing services that are custom-built and not offered on a broad commercial scale, and data processing services that are provided as a testing / beta version.
The definition of Data Processing Services
The Data Act includes a broad definition of “data processing service” which mirrors common definitions of cloud computing services including the definition of a cloud service under the NIS 2 Directive. The concept is designed to cover the popular delivery models – Infrastructure as a Service (“IaaS”), Platform as a service (“PaaS”) and Software as a Service (“SaaS”) – but is broad enough to include emerging variations such as Storage as a Service and Database as a Service.
Data processing service is defined as a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Service providers (particularly SaaS providers) should analyse whether the services that they offer to customers meets the definition of data processing service. The Data Act applies to all SaaS types which display the characteristics listed in the definition of data processing services.
Customer rights
Under the Data Act, a customer is a natural or legal person who has a contract with the provider of the data processing service for use of their service. The Data Act effectively provides customers with certain rights, including: the right to switch cloud providers; the right to request that their provider port their data to a different provider; the right to request that their provider export their data to an on-site ICT infrastructure and the right to request the erasure of their data and termination of their data processing agreement.
The customer is entitled to export ‘exportable data’ ie, the input and output data (including metadata) directly or indirectly generated by the customer’s use of the data processing service but excludes any assets or data protected by IP rights or constituting a trade secret.
Service provider obligations
The Data Act imposes the following key obligations on service providers:
Removal of obstacles
The Data Act not only prohibits providers from imposing any measures which inhibit customers from exercising their rights under the Act, but obligates them to remove any barriers in place which could act to hinder the customer. These steps include:
- removing prohibitions on customers terminating their contract or switching to an alternative data processing service;
- porting a customer’s exportable data and digital assets to a different provider or to an on-premises ICT infrastructure;
- achieving functional equivalence in the use of the new data processing service; and
- unbundling, where technically feasible, data processing services from other services.
Written contracts
There must be a written contract in place between the customer and the service provider setting out the rights of the user and the service provider’s switching obligations. This contract must be made available prior to signing in a way that allows the user to save the contract. Certain information must be incorporated in this contract, including the following key provisions:
- the right for the customer to switch service or terminate a data processing service agreement “without undue delay” (and in any case, no later than 30 days after the maximum notice period). Where that transitional period is not technically feasible it can be extended, however this extension period cannot exceed 7 months;
- the service provider’s obligation to support the customer’s exit strategy, including by providing it with all relevant information;
- termination provisions allowing termination of the contract on either successful completion of the switching process or at the end of the maximum notice period (ie, no longer than 2 months) where the customer wishes to erase its exportable data and digital assets;
- a maximum notice period for initiation of the switching process which shall not exceed two months;
- an exhaustive specification of categories of data and digital assets that can be ported during the switching process (including those that are exempted where a risk of breach of trade secrets occur);
- the minimum period for data retrieval on termination (which must be at least 30 days);
- a clause guaranteeing full erasure of all exportable data and digital assets generated directly by the customer to relating to the customer after expiry of the retrieval period; and
- switching charges that may be validly imposed.
Information obligations
Providers of data processing services should also be aware of the transparency and information obligations imposed by the Act. Providers must provide customers with information regarding switching and porting procedures (known restrictions and technical limitations) and an online register detailing the data structures and formats of the exportable data.
In addition, providers must maintain certain terms on their website, such as information relating to the jurisdiction of the ICT infrastructure and the measures taken to prevent international government access or the transfer of non-personal data which is held in the EU.
Switching charges
The Data Act provides that switching charges are to be phased out by 11 January 2027. Providers may impose reduced switching charges in the meantime, however these must not exceed the costs directly linked to the switching process. However, it should be noted that proportionate early termination fees are not prohibited under the Act. In light of this change, providers should review their existing exit charges, noting that early termination fees are not expressly prohibited by the Act. However, providers should be mindful that any early termination fees should not constitute penalty clauses which are prohibited under Irish law.
Technical aspects of switching & interoperability
Providers of data processing services should take all reasonable measures in their power to facilitate that the customer achieves functional equivalence in the use of the destination data processing service including ensuring that the exportable data is exported in a structure, commonly used and machine-readable format. However, the Data Act does not go so far as to require the original source service provider to ‘rebuild’ services in the destination service provider’s infrastructure.
In addition, the Data Act provides that the European Commission may introduce harmonised standards that satisfy certain essential requirements for the interoperability of data processing services.
Next steps
With the Data Act now applicable across all Member States, it is important for businesses to finalise and implement their compliance strategy in respect of cloud switching obligations as soon as possible. In particular, businesses should consider the introduction of supplemental contractual terms for customer contracts and a process to handle switching requests.
Contact us
If you have any questions on anything contained in this article or on the Data Act in general, please feel free to reach out to a member of the Technology and Innovation Group or your usual Matheson contact.