The Data Act and its impact on cloud vendors - Christina Maria Schwaiger, CMS

The Data Act, currently discussed at the European Council, aims to enable easier data access, use and sharing. But what does it mean from a cloud vendor and a cloud customer perspective? In this interview, Christina Maria Schwaiger, attorney at law at CMS Reich-Rohrwig Hainz in Vienna, discusses the impacts of the upcoming regulation, with a focus on cloud service providers.

Thanks a lot for answering our questions today! Can you, first of all, tell us a bit more about your role at CMS?

Thank you for having me. I am an attorney at the Technology, Media & Telecommunications department of CMS in Vienna. I specialize in various areas such as data protection, cybersecurity, AI regulation, IT law, e-commerce, and commercial law.

Before joining CMS, I had the chance to gain valuable experience as a member of the Austrian Data Protection Authority and the European Data Protection Board, particularly in procedural matters such as complaint procedures, data breach notifications and administrative penalty proceedings. My clients find my “regulator perspective” particularly useful as it offers insights into which compliance measures are most relevant in practice.

What was the initial drive for the creation of a Data Act? What are the stated goals of this new regulation?

The primary goal of the Data Act is to enhance the availability and sharing of data among various actors across economic sectors. The European Commission's proposal seeks to promote equitable distribution of data's value within the data economy and enable easy access and use of data.

Additionally, the Data Act aims to simplify the process of switching data processing service providers while also introducing protective measures against illegal data transfers made by cloud service providers.

The “Act” is still in discussion (as of April 2023). Is there a clear timeline regarding the next steps (end of negotiations, effective date, etc.)?

In February 2022, the European Commission presented its draft legislative proposal for the Data Act to the European Parliament and Council. At the end of last year, expectations were high, that the Data Act will be adopted by mid-2023, with a 12-month implementation period. Currently, the European Parliament, the Council (member states), and the European Commission are still in trilogue negotiations and aim to conclude discussions by the end of June.

One goal of the Act is to foster a seamless multi-cloud environment where customers could more easily switch from one vendor to another. Before going into detail, could you summarize what will be the main impacts of the Act for cloud providers (assuming the text stays as is)?

The impacts of the Data Act on cloud providers are diverse and include:

• (i) the obligation to remove obstacles (of commercial, technical, contractual and organizational nature) that hinder the change of provider,
• (ii) the development of interoperability standards for data between different sectors,
• (iii) the implementation of measures to protect against illegal international data transfers by cloud providers and against governmental access to non-personal data held in the EU where such transfer or access would conflict with EU or member state law and
• (iv) the obligation to provide users with specific information before selling, renting or leasing an IoT product or service, including disclosing the type and amount of data that will be collected, how access to the data will be granted, and the identity of the data holder, which could be the seller, manufacturer, developer or provider of the product or service. These requirements are known as "pre-contractual disclosure obligations".

Regarding the requirements for CSPs to make their services easily portable to another vendor: the goal is to make it easier for customers to change their cloud provider. But in practice, negotiations have shown that interoperability between providers is a complex topic. From your perspective, what are the main concerns and hindrances?

In order for true interoperability to be achieved, data utilized by one service provider must be compatible with that of others. This would require the harmonization of data across different service providers and market participants in accordance with a common EU-wide standard.

Incompatibilities between platforms currently exist for two main reasons: commercial reasons, wherein platforms wish to remain as closed communities, and technical reasons, wherein underlying technical data formats are incompatible with those of other platforms due to the absence of a common standard.

However, creating a common standard would entail higher costs for individual providers to adjust and align their systems, which could potentially impede innovative activity and disruptive innovation.

Another aspect that arose as part of the current discussions is the switching charges a customer has to pay when moving to another cloud provider (or back to on-premise). Can we imagine a situation where a customer would not have to pay any switching costs when leaving its current provider?

Under the Data Act, cloud providers are allowed to impose lower switching and data egress charges during a three-year transition period after the Act comes into force. After this period, all charges related to switching and egress fees should be abolished – thus the customer no longer has to pay switching costs.

The most recent compromise text makes it clear that contractual arrangements can include penalties for early termination, which will not be considered as switching charges.

Given the ongoing discussions, are there some obligations for cloud vendors that will likely be removed from, or added to the final text?

While there is a consensus that cloud providers should stop imposing data egress or switching charges three years after the entry into force of the Data Act, the transition period shall be discussed further during trilogue negotiations.

The Council intends to allow for reduced charges during this period, while the European Parliament suggests that consumers should be exempted from any switching charges as soon as the Data Act enters into force. However, the European Parliament would still allow for reduced charges during the transition period for business-to-business relations. Therefore, this matter remains unresolved, and a final solution has yet to be reached.

For additional information on the Data Act, have a look at CMS' series of articles, discussing different aspects of the proposed Act with a focus on cloud services.

Read more about how Txture's Business Case Builder helps cloud providers speed up the cloud transformations of their clients here

Or request a personal demo session and see the tool in action >>