On November 27, 2023, the Council of the European Union adopted the EU Data Act, a new regulation providing harmonized rules on access to data, switching cloud providers and interoperability requirements across the EU. The Data Act aims to lay the foundations of a data economy by changing the legal status of data generated or collected by connected devices and related services. This will require far-reaching modifications of existing business models.
Our previous blog posts provided an overview of the Data Act and focused on data access rights and obligations. This blog post discusses (i) the Data Act rules on switching and interoperability requirements for cloud and other data processing services, and (ii) the restrictions for certain international transfers of non-personal data.
The Data Act will enter into application in the second half of 2025 and will be relevant far beyond the EU’s borders. The provisions discussed in this client alert will apply to providers of data processing services, irrespective of their place of establishment, providing such services to customers in the EU.
The Data Act aims to ensure effective switching between providers of data processing services and tackle cloud vendor lock-in effect by removing contractual, technical and commercial barriers. To this end, the Data Act lays down rules that will have a major impact by creating statutory provisions for topics that have usually been dealt with in contracts between providers and customers. In the view of the legislator, existing approaches have not achieved the desired results in these areas:
- Antitrust. Traditional antitrust concepts, such as the essential facilities doctrine, have not been applied in data processing markets thus far.
- Digital Markets Act. The Digital Markets Act imposes switching and interoperability obligations only on so-called gatekeepers, i.e., the largest digital platforms offering core platform services in Europe. Data processing services have not been in the scope of the designations so far.
- Non-Personal Data Regulation. The 2018 Regulation on the free flow of non-personal data only encourages data processing vendors to develop and apply self-regulatory best practice codes of conduct to facilitate switching between data processing vendors and improve data portability.
- General Data Protection Regulation (GDPR). In the view of the European Commission, the GDPR provisions on data portability have not played the important role it expected. The Data Act is intended to complement the right of data portability under the GDPR with more specific rules. It will also apply to non-personal data. The Data Act is without prejudice to the GDPR, including regarding the powers of supervisory authorities and the rights of data subjects.
Unfortunately, the material and personal scopes of these different sets of rules could overlap, and the interactions between them are not clearly defined or discussed in the Data Act.
Who Is Subject to the Obligations?
The Data Act applies to providers of a data processing service, defined as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.” However, the obligations do not apply “to data processing services of which the majority of main features has been custom-built to accommodate the specific needs of an individual customer or where all components have been developed for the purposes of an individual customer, and where those data processing services are not offered at broad commercial scale via the service catalogue of the provider of data processing services.” Unfortunately, it seems likely that these provisions leave a significant gray area of uncertainty for a number of services that do not fall clearly fall into one of these categories.
Although the Data Act imposes many obligations on providers of data processing services, those providers are not required to develop new technologies or services, to disclose IP-protected digital assets or trade secrets to customers or vendors, or to compromise the customer’s or their own security and integrity of service. In addition, customers and destination vendors must cooperate in good faith with the source vendor to ensure efficient transition processes. The obligations of providers of data processing services can be summarized as follows.
- General Obligations. Providers of data processing services are subject to a general obligation not to impose and to remove pre-commercial, commercial, technical, contractual and organizational obstacles, which inhibit customers from:
- terminating, after the maximum notice period and the successful completion of the switching process, the contract of the data processing service;
- concluding new contracts with a different provider of data processing services covering the same service type;
- porting the customer’s exportable data and digital assets to a different provider of data processing services or to an on-premises Information and Communication Technology (ICT) infrastructure, including after having benefited from a free-tier offering;
- achieving functional equivalence in the use of the new data processing service in the ICT environment of a different provider of data processing services covering the same service type; and/or
- unbundling, where technically feasible, certain data processing services from other data processing services provided by the provider of data processing services.
- Minimum Contract Requirements. In order to achieve these goals, the Data Act especially provides a list of minimum provisions that must be included in contracts for the provision of data processing services irrespective of the service delivery model.
- Reasonable Assistance. The vendors must provide reasonable assistance to customers and third parties in the switching process, including by providing all relevant data, providing the processing services and maintaining a high level of security during the transition period.
- Data Specification. The contract must include exhaustive specifications of all categories of data and digital assets that can be ported and those that cannot.
- Data Erasure. The contract must guarantee the erasure of all digital assets, including all exportable data, generated directly by the customer and/or relating to the customer directly after the expiration of the data retrieval period, unless agreed otherwise.
- Termination. The contract must be considered as terminated automatically once the switching process is completed or after the expiration of the data retrieval period, if customers only want to have their data deleted.
- Time Requirements.
- Initiation of the Switching Process. Contracts should provide for a maximum notice period for initiation of the switching process, which must not exceed two months.
- Transferring the Data. Contracts should also provide that customers can, upon request, switch to another data processing service or port all exportable data to an on-premises ICT infrastructure without undue delay, and in any event no longer than the mandatory maximum transition period of 30 calendar days.
- Data Retrieval. Contracts should provide for a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the transition period.
- Longer Transition Period. Where the maximum 30-day transition period for data transferring and retrieval is technically unfeasible, the provider of data processing services must notify the customer within 14 working days after the switching request has been made, explain the technical unfeasibility, and indicate an alternative transition period, which may not exceed seven months. The customer should have the right to extend the transition period once, by a period that the customer deems more appropriate.
- Functional Equivalence. Vendors providing data processing services that concern infrastructural elements, such as servers (known as “infrastructure as a service” or “IaaS”), must take all reasonable measures in their power to facilitate the customer’s achieving functional equivalence in the use of the destination service. To that end, such vendors should provide capabilities, adequate information, documentation, technical support and, where appropriate, the necessary tools. Importantly, this applies only to the features that are common to the source and destination services. The source vendors are not expected to create a new product or service, or to rebuild service within the destination infrastructure.
- Open Interfaces Available. Data processing vendors providing platform-based (“platform as a service” or “PaaS”) and software-based (“software as a service” or “SaaS”) must make open interfaces available to all their customers and relevant destination service providers free of charge to facilitate switching. These interfaces must include sufficient information on the service concerned to enable the development of software to communicate with the service, for the purposes of data portability and interoperability. In addition, PaaS and SaaS vendors must ensure compatibility with the interoperability specifications and standards that will be adopted by the EU. Absent such specifications and standards, vendors must, at the request of the customer, export the exportable data in a structured, commonly used and machine-readable format.
- Gradual Withdrawal of Switching Charges.
- During the Transition Period. For three years after the Data Act enters into force, vendors may charge switching charges that should not exceed the direct cost incurred by the vendor in the switching process. Examples of common switching charges are costs related to the transit of data from one provider to the other. However, customers should generally not bear costs arising from the outsourcing of services arranged for by the source provider. Before entering into a contractual agreement, vendors must provide customers with clear information on switching charges.
- After the Transition Period. After the expiration of the transition period, vendors will no longer be able to impose switching charges, except in cases of in-parallel use of services (in which case switching charges cannot exceed the costs incurred).
- Exceptions. The functional equivalence requirement, the gradual withdrawal of switching charges, and the requirement for PaaS and SaaS vendors to ensure compatibility with EU interoperability and standards do not apply to data processing services of which the majority of main features has been custom-built to accommodate the specific needs of an individual customer or where all components have been developed for the purposes of an individual customer, and where these data processing services are not offered at broad commercial scale via the service catalogue of the data processing service provider. In addition, none of the Data Act switching obligations apply to data processing services provided as a non-production version for testing and evaluation purposes, and for a limited period of time.
- Unbundling. The Data Act treats unbundling as a type of switching and requires vendors not to impose and to remove any obstacles that prevent customers from unbundling a specific individual infrastructure-based service from other processing services under the contract and moving to another vendor. This obligation is subject to the absence of major and demonstrated technical obstacles.
Restrictions for Certain International Transfers of Non-personal Data
The Data Act introduces certain restrictions for the export of non-personal data to recipients outside the EU/European Economic Area. This adds another layer of complexity for companies with international operations, as these new provisions apply in addition to the existing restrictions for international transfers of personal data under the GDPR.
Providers of data processing services must take all adequate technical, legal and organizational measures to prevent international and third-country governmental access to and transfer of non-personal data held in the EU where this would create a conflict with EU law or an EU country’s law. The Data Act does not contain provisions similar to Chapter V of the GDPR, meaning that it does not foresee, e.g., adequacy decisions, standard contractual clauses and/or binding corporate rules to address these challenges.
- Vendors must describe on their website the measures they adopted to prevent illegal access to and transfer of non-personal data held in the EU. Vendors must also indicate the jurisdiction to which their IT infrastructure is subject.
- Any decision of a non-EU court or administrative authority requiring access to or transfer of non-personal data held in the EU is only recognized or enforceable in the EU if it is based on an international agreement between the requesting third country and the EU or the relevant EU country.
- In the absence of such agreement, the vendor is only allowed to give access to or transfer the requested data if the third-country systems require the decision in question to be reasoned, proportionate, specific, subject to appeal and take into account the vendors’ legal interests. Unfortunately, this will require providers of data processing services to undertake complex assessments of foreign laws, most likely under time pressure. It remains to be seen whether the envisaged European Commission guidelines in this area will provide sufficient assistance in these situations.
For more information on this or other digital matters, please contact one of the authors. The authors would like to thank Anastasiia Zeleniuk for her assistance in preparing this blog post.