The implications of the Data Act for cloud computing agreements
Current handbooks and guidelines on cloud computing state requirements with regard to developing a cloud exit strategy, although these handbooks and guidelines do not constitute universally binding law. Providers will not face any penalties for not observing these rules, and at the moment cloud users do not have any means of requiring that the relevant provisions be included in cloud computing agreements enabling them for example to transfer data to another provider.
Will the proposed Data Act affect the situation of customers and service providers?
The proposal includes provisions that guarantee the option of switching to other data processing services. If adopted, due to the nature of the proposal, namely the form of a regulation, like the GDPR currently, it will be directly applicable and will not need to be implemented into national legal systems.
Under the Data Act proposal, data processing providers will be required to introduce the means provided for in the envisaged regulation to give customers using these services the option of switching to a different data processing service comprising services of the same type, rendered by a different provider.
Specifically, the Data Act states that the rights of the customer and the obligations of the provider of a data processing service in relation to switching between providers of such services shall be clearly set out in a written contract. Thus the contract must contain, as a minimum,
- clauses under which it is possible to switch to a data processing service provided by a different data processing service provider or transfer all data, applications and digital files generated directly or indirectly by a customer to a local system;
- exhaustive specification of all data application categories exportable during the switching process;
- the minimum period for data retrieval of at least 30 calendar days.
The Data Act proposal also states contractors’ obligations in relation to technical aspects of switching between providers, and the requirements that operators of data spaces have to comply with to facilitate interoperability of data, data sharing mechanisms and services.
These rules are a step towards tough regulation of the position of a customer when switching to a different provider. As they are in the form of regulation, regardless of their intention, providers will have to comply with the requirements currently laid down in the proposal. If the regulation is adopted in the proposed form, providers will have to “audit” their contract templates to comply with obligations under the Data Act. In turn, for customers, the obligation to ensure switching to other data processing services of a different provider will be an opportunity to avoid vendor lock-in.
The document is at the initial stage of the ordinary legislative procedure, and has not yet been submitted for the first reading. A vacatio legis has been specified of twelve months from enactment of the Data Act, which means that contractors will have sufficient time to prepare for when the regulation comes into force. Thus, equally, the regulation can be expected to come into effect two or three years from now at the earliest.
 The legislative procedure can be tracked here: https://eur-lex.europa.eu/legal-content/EN/HIS/?uri=CELEX%3A52022PC0068