In the fourth Law-Now in our cloud services series on the Data Act (the “Act”), we focus on the proposed measures to increase interoperability of data processing services.
The recitals to the Act identify a concern that, despite Regulation (EU) 2018/1807 (on the free flow of non-personal data) encouraging service providers to develop and implement self-regulatory codes of conduct covering best practices for facilitating the switching of data processing service providers and the porting of data, the self-regulatory frameworks developed have limited efficacy. In light of the perceived general unavailability of open standards and interfaces, in addition to technical obligations aimed at customer switching the Act also includes provisions creating mechanisms to introduce interoperability specifications and standards for data processing services.
The EU institutions expect the open interoperability specifications and standards developed in accordance with Regulation (EU) 1025/2021 (regarding standardisation) in the field of interoperability and portability to enable a seamless multi-vendor cloud environment, which they consider to be a key requirement for open innovation in the European data economy. Regarding the market take-up of identified standards under the cloud standardisation coordination (CSC) initiative to have been limited, the Commission has a degree of reliance on market participants to develop relevant open interoperability specifications to keep up with the fast pace of technological development in the cloud services industry. It could then adopt relevant open interoperability specifications in the form of common specifications. Under the Act, where a shortfall is identified, the Commission will be able to request European standardisation bodies to develop, and then to mandate, standards for interoperability or open interoperability common specifications - both for the purposes of switching between providers and of interoperability for in-parallel use of data processing services.
Currently, cloud service providers have significant freedom to design their systems and services free of mandated legislative standards. The Act could materially change this, and could therefore have a significant impact on the design of cloud services in Europe.
For the purposes of this article, we have used the latest available draft, the Council's mandate for negotiations with the European Parliament (published 24 March 2023) as our reference point and focused on Article 29. It should be noted that the European Parliament's adopted version, which also has a specific focus on data portability, differs slightly from this.
What is interoperability and what does the draft include?
Interoperability is defined in the Act as ‘the ability of two or more data spaces or communication networks, systems, products, applications or components to exchange and use data in order to perform their functions’1. With regards to data processing services, the draft states that interoperability specifications and harmonised standards must:
- ‘be performance oriented towards achieving interoperability in a secure manner between different data processing services;
- enhance portability of digital assets between different data processing services that cover the same service type; [and]
- ensure, where technically feasible, functional equivalence between different data processing services that cover the same service type.’
While the broad nature of the above signals the overall requirements for the standards that will be introduced under the Act, as it stands, this is the only information on what they are required to do (we will discuss what they are required to cover below). It is to be hoped that the current trialogue discussions will address this lack of clarity. For example, if mandatory interoperability specifications introduced in compliance with the above are overly technically prescriptive and/or broad reaching, cloud service providers (CSPs) could be forced to make significant alterations to their current services and be impeded in the design of future functionality. This could in turn lead to: a reduction in customer choice – potentially both because of a consequential slowdown in innovation (and the bringing of new services and service variants to market) and also the removal of potentially non-compliant services, which might otherwise be available at a lower price point and be sufficient for a customer’s needs; increased prices; a reduction in competition and/or a gradual homogenisation of aspects of cloud services in Europe.
The European Parliament’s proposed revisions, while applying the requirements to portability as well as interoperability, also acknowledge further the need for technical feasibility, speak in terms of ‘equivalent’ rather than the ‘same’ service types and emphasise the need for specification and standards to be designed “in a way to allow for technical advances and inclusion of new functions and innovation in data processing services”. They also include a requirement that “Open interoperability and portability specifications and European standards shall not distort the data processing services market or limit the development of any new competing and innovative technologies or solutions or any technologies or solutions that are based on them”. These are important acknowledgments, which will hopefully be addressed during the trialogue discussions.
In terms of what the standards will likely cover, it is clear from the draft Act that the intention is for them to catch a very wide swathe of services by addressing:
- ‘the cloud interoperability aspects of transport interoperability, syntactic interoperability, semantic data interoperability, behavioural interoperability and policy interoperability;
- the cloud data portability aspects of data syntactic portability, data semantic portability and data policy portability; [and]
- the cloud application aspects of application syntactic portability, application instruction portability, application metadata portability, application behaviour portability and application policy portability.’
As a consequence, the new requirements will have a wide ranging impact on the cloud services industry.
In terms of how the Act envisages standards/specifications actually being implemented, the draft allows for different options including the European Commission: requesting that a third party (such as a European standard organisation) draft them or adopting open/common specifications by implementing act. Provision is included for a Member State to object if it feels that the open/common specifications do not go far enough (perhaps suggesting that the standards will be highly detailed), with the Commission amending the draft as appropriate.
In terms of consultation, in preparing the draft implementing act establishing the common specifications the Commission will be required to consult with relevant stakeholders and take into account the views of the national competent authorities and other relevant bodies or expert groups. This should provide the industry with an opportunity to influence the adoption of pragmatic workable standards. Accordingly it will be important for industry bodies and stakeholders to proactively engage in this process to ensure that any standards proposed and / or mandated are measured, proportionate and appropriately focused.
Implications for CSPs and customers
CSPs face both short- and long-term implications from the Act as drafted. In the short term, it is unclear what form the standards will take, how detailed or prescriptive they will be or when they will be introduced. In the medium to longer term, when the draft implementing act is released, CSPs should be able to participate in the consultation directly as ‘relevant stakeholders’ or indirectly via national and EU trade associations. They will then need to assess the impact of any specifications and standards that are introduced. There is also a significant longer-term risk to the continual innovation and development of cloud services if standards and / or specifications are too restrictive, as CSPs will not be incentivised to create new, differential features as they may not in turn be interoperable with other providers. This is a particular issue in cloud services given the speed at which the market develops and the continual innovation of providers’ different offerings (which, ultimately, is driven by customer demand). Similarly, too restrictive standards / specifications could increase costs for CSPs. These are likely to be far easier for incumbents to shoulder than those CSPs who are yet to scale up, which could in turn lead to a situation in which standards inadvertently support incumbents and stifle the ability for new (potentially European) CSPs to increase their market share.
What can be done?
Any mandated standards should be strictly limited in scope and application to address clearly identified problem areas. As identified in the European Parliament’s text, they must not inhibit further technical advances, innovation or the inclusion of additional functionality. They should not prevent alternative or lower complexity / cost solutions being made available where there is a customer need that does not have a dependency on or need for application of the standard. In other areas it would arguably be better to make interoperability specifications and standards non-binding so as to not inhibit innovation or unnecessarily impede the efforts of CSPs to adapt services to the evolving needs of their customers. Market forces should be allowed to dictate whether the standards are followed.
Conclusion
If the process is carefully managed, stakeholders actively participate and their views and evidence are appropriately reflected there is scope for the new specification and standards to be developed which, with appropriate limitations on the degree and scope of any mandated applicability, could have the desired effect. But significant attention and care will need to be paid to ensure any mandated standards do not adversely impact customer choice, unnecessarily lead to increased costs (which will be reflected in pricing), distort competition or stifle innovation.
For more information on the Act or if you have any questions on how it could affect your business, please reach out to your usual CMS contact.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.