The Data Act means cloud service providers need to take action. Part 1 of our article provides an overview of contract drafting and information obligations.
With the new Data Act, the European Union (EU) wants to create a single European market for data, open up competition around data-driven business models and make it easier for customers to switch providers. This comes after attempts at self-regulation by the industry, which have not led to the success that the EU hoped for. The EU's digitalisation and data strategy therefore also includes facilitating the process of switching cloud service providers (CSPs), improving market entry opportunities for new providers and gradually eliminating data transfer costs. On 11 January 2024, the Data Act (Regulation on harmonised rules on fair access to and use of data, "DA"), an important pillar of the digitalisation and data strategy, came into force. After a transitional period of 20 months, the DA will be applicable throughout the EU from 12 September 2025.
In addition to new data access rights and independent contract law, the DA places new requirements on CSPs with regard to matters including information obligations and drafting contracts, which we would like to highlight in this article taken from our German CMS blog series "#CMSdatalaw".
Chapter VI DA: Facilitating switching between CSPs and parallel use
With its provisions, particularly in Chapter VI ("Switching between data processing services", Articles 23 to 31 DA), the DA is designed to help remove obstacles faced by customers who want to switch providers and to facilitate the process of transitioning from one data processing service to another (see recital 79 DA). Such obstacles can exist for example due to a lack of open interfaces, insufficient interoperability and a lack of technical standards. Switches are often accompanied by high costs for data migration, format changes or new developments, especially if dependencies have been created in advance that make the switch more difficult. Due to the major obstacles, a customer may delay or refrain entirely from switching providers, even though it would make sense.
Provisions like Article 23 DA are intended to remove such obstacles. The provisions in Chapter VI are intended to allow customers to switch between CSPs and to enable them to use several CSPs at the same time. To this end, according to Article 23 DA, "pre-commercial, commercial, technical, contractual and organisational obstacles" to switching providers must be removed, the actions associated with them must be ceased and achievement of "functional equivalence" must not be prevented. In addition, infrastructure-as-a-service (IaaS) providers should, in accordance with Article 23 (e) DA, ensure that the other services they provide on the basis of the IaaS services are decoupled as far as technically possible.
Article 25 DA contains detailed specifications for drafting contracts that require CSPs to adapt their customer contracts, while Article 26 and Article 28 DA create new information obligations that CSPs must fulfil towards their customers in future. In Article 27, the DA provides for an overarching duty of the parties involved to cooperate in good faith, which is intended to ensure in the event of switching providers that the data transfer takes place within a binding time frame and that continuation of the service is guaranteed during the switch. If charges for switching CSPs are planned, these charges will be gradually withdrawn in accordance with Article 29 DA and may no longer be levied at all from 12 September 2027.
Article 30 DA differentiates between IaaS, platform-as-a-service (PaaS) and software-as-a-service (SaaS) providers and specifies technical requirements for these when implementing a switch between providers: According to Article 30 (1) sentence 2 DA, IaaS providers are expected to provide "the necessary tools" to enable providers to be switched; according to Article 30 (2) DA, PaaS and SaaS providers are expected to provide "open interfaces […] free of charge to facilitate the switching process".
But who will be affected by the new requirements?
The new provisions of the DA: Data processing services as obliged party, customers as entitled party
The parties to whom the new requirements in Articles 23 ff. DA are addressed are providers of data processing services, i.e. according to Article 2 no. 8 DA, those who provide customers with a "digital service". According to recital 80 DA, the aim is for the services covered to be technology-neutral, including in particular (but not exclusively) CSPs that offer IaaS, PaaS and SaaS. According to the definition, the services must ensure "ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources" that is "of a centralised, distributed or highly distributed nature" and "can be rapidly provisioned" with "minimal management effort or service provider interaction". Although recital 80 DA provides some guidance on how to interpret all these vague legal terms, it would seem likely that it will ultimately be up to the courts to decide in the case of disputes whether an offer is to be classified as a "digital service" and a "data processing service" within the meaning of the DA, with all the associated requirements.
Nevertheless, the DA provides customers with a range of new rights. According to Article 2 no. 30 DA, a customer is any "natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services". The obligations of the DA for CSPs therefore apply not only in the B2C sector, but also in the B2B sector. We are providing an overview of these new obligations below.
The information obligations for CSPs under the DA at a glance
In future, CSPs will have to fulfil a number of new information obligations to customers or the general public, including information on switching providers, international data transfers, charges and exemptions from legal obligations.
What content should be ported to a new service? What data formats does the provider support? How should the data be ported? To enable customers to make an informed decision and plan switching providers, the DA stipulates various information obligations of the provider to the customer (Article 26 DA, recital 95 DA).
In accordance with Article 26 DA, the CSP is initially required to provide the customer with detailed information on the available switching procedures and the transfer of content. This includes information on the available methods and formats of the switching process and data transfer as well as information on the (technical) restrictions known to the provider (see Article 26 (a) DA). In addition, in accordance with Article 26 (a) and (b) DA, the provider must refer the customer to an up-to-date online register with details of all the data structures and data formats as well as the relevant standards and open interoperability specifications in which the exportable data are available in accordance with Article 25 (2) (e) DA. This register does not have to be accessible to the general public on the internet; a portal accessible exclusively to customers may also be sufficient. The DA does not explicitly specify the point in time when these information obligations begin to apply.
There is also an information obligation to the public under Article 28 DA, which requires CSPs to make available on their websites consistently up-to-date information regarding the jurisdiction to which the ICT infrastructure used for the provision of the services is subject (Article 28 (1) (a) DA), including a description of the technical, organisational and contractual measures taken by the provider to prevent possible international governmental access or governmental disclosure of non-personal data held in the EU (Article 28 (1) (b) DA). These information obligations are accompanied by the requirement under Article 32 (1) DA for the provider to take adequate technical and organisational measures to prevent access by governmental bodies from third countries, insofar as their right of access is in conflict with Union law or the law of an EU Member State.
Article 29 (4) and (5) DA also contain pre-contractual information obligations for the provider to inform any customers before entering into a contract in a publicly and easily accessible form of the charges levied for the service, the fees charged in the event of premature termination of the contract and possible switching charges (4) as well as informing customers – where this is the case – of the highly complex or costly process of switching providers (5).
Insofar as the provider is partially exempt from the statutory requirements under the DA, the provider must also inform potential customers of this before they enter into the contract in accordance with Article 31 (3) DA.
The DA also contains specifications for drafting contracts
Article 25 DA specifies the requirement for the contract agreed between provider and customer to be a "written contract". In addition, the contract must be made available to the customer before signing in a way that allows the customer to store it permanently. Furthermore, Article 25 DA encourages CSPs to revise contracts taking into account the sometimes very detailed legal requirements of the DA. This may make it necessary for providers to revise their existing cloud terms and conditions.
Pursuant to Article 25 (2), (3) and (5) DA, the contract must stipulate or provide for, among other things, the customer's right to switch providers or to port all data to a customer-owned environment (Article 25 (2) (a) DA), the requirement for the provider to "ensure a high level of security" in the event of switching providers, in particular during data transfer (Article 25 (2) (a) (iv) DA), "a maximum notice period for initiation of the switching process, which shall not exceed two months" (Article 25 (2) (d) DA), a specific and exhaustive list of all data categories that are ported while switching providers, specific and exhaustive information as to which data are "specific to the internal functioning of the provider's data processing service" and will not be ported in the event of a "risk of breach of trade secrets" (Article 25 (2) (e) and (f) DA), the customer's right to request ("upon termination of the maximum notice period" of two months) to switch to a different provider, move to its own premises or erase its data (Article 25 (3) DA), and the customer's right to a one-off appropriate extension of the transitional period (Article 25 (5) DA).
If a provider violates the new provisions, there may be fines and consequences under civil law. In addition to provisions being rendered invalid, claims by affected customers or claims under competition law by competitors of the provider are also conceivable.
In our next article, we look at the new requirements for CSPs within a switching process under the Data Act. With our German CMS blog series "#CMSdatalaw" we provide an overview of data law, such as the Data Act and the Data Governance Act. You can find the introductory article to our blog series here. Please also visit our CMS Insight page "Data Law“.
The legal text and recitals in the Digital Services Act (DSA) and the Data Governance Act (DGA) can be found in compact form for practical use at CMS DigitalLaws.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.