Tuesday, May 28, 2024

EU Data Act: Rules for Cloud and IoT Data Switching

Cloud switching made easy! EU Data Act unlocks your data, lets you jump providers & share IoT info. Businesses beware: unfair contracts & data access powers shift in 2025.

The EU has recently taken another step towards implementing its digital reform agenda by adopting Regulation (EU) 2023/2854 on harmonized rules on fair access to and use of data, more commonly known as the Data Act.

Like much of the EU’s new digital package, the instrument’s name does not always clearly explain what it does. Here, the Data Act covers four main areas:

  • Cloud providers will have to help their customers switch providers.
  • Providers of Internet of Things devices and related services must make data available to users and, potentially, third parties.
  • Unfair terms in standard form business-to-business data licenses will not be binding.
  • Public authorities and EU bodies will be given new rights to ask for pseudonymized personal and non-personal data where they have an exceptional need for that data.

Most of these provisions apply from 12 September 2025 (although some obligations are deferred to a later date). Further details about the EU’s wider package of reform are available in our EU Digital Package Handbook.

Cloud switching

The Data Act contains new obligations on the providers of cloud services to enable their customers to switch to other cloud providers or to take the processing in-house.

These obligations apply to “data processing services”. While this sounds broad, it refers to digital services that enable ubiquitous and on-demand access to a shared pool of configurable, scalable, and elastic computing resources that can be rapidly provisioned with minimal effort. In other words, cloud services.

However, this is wider than commodity cloud services. While the definition of data processing services refers to those that can be “rapidly provisioned and released with minimal management effort or service provider interaction” (Article 2(8)), there are specific provisions in Article 31 that make it clear that these obligations also apply to custom-built services that are not offered on a broad, commercial scale.

The providers of cloud services will have the obligations set out below. Importantly, these are all expressed in high-level terms – working out how to implement them in practice is unlikely to be straightforward. It will likely raise complex technical questions in many cases.

  • Good faith: All parties will be under a general duty to cooperate in good faith to make the switching effective and timely and to ensure the continuity of the relevant service.
  • Contractual commitments: Providers must make significant new contractual commitments to facilitate switching. By way of example, this includes that: (a) the customer can trigger the switching process at any time by giving a maximum of two months’ notice; (b) the data must then be ported to a new provider within 30 days (extendable to up to seven months if this is not technically feasible); and (c) the provider must provide an exhaustive specification of all categories of data that can be ported as part of the switching process, including at a minimum all exportable data.
  • No charges for switching (eventually): The provider can only charge for costs directly incurred by the switching process and must phase out all such charges by January 2027.
  • Functional equivalence for IaaS: There are complicated provisions intended to allow customers of Infrastructure-as-a-Service (IaaS) services to obtain “functional equivalence” from a new cloud provider. Functional equivalence ensures the new cloud service can deliver materially comparable outcomes in response to the same inputs. This is likely to raise numerous practical and technical implementation issues. Open specifications and standards will likely play an important role in determining how the obligation works.
  • Standards and parallel running: Significant emphasis is placed on cloud providers complying with relevant open specifications and standards. This includes helping facilitate the in-parallel use of multiple cloud services, i.e., the ability to share the computing workload across multiple cloud providers who provide interoperable services.
  • Prohibition on third-country access: There are new provisions that require cloud providers to take appropriate measures to prevent third countries from accessing or transferring non-personal data, where that would breach EU or Member State law. In particular, third-country orders for the disclosure of non-personal data should only be enforceable if based on an international agreement (such as an MLAT) or if certain strict provisions are satisfied.

Internet of Things data

With the number of devices connected to the Internet steadily increasing, the Internet of Things has become a reality. However, only a small part of the data generated by these devices is used, and the economic value of the data is available only to a few large companies.

The EU Data Act addresses this by imposing new obligations on those providing “connected products” (i.e., devices that collect data and communicate that data via an electronic communications service) and related services. The obligations generally relate to “product data” (data intended to be retrieved from the connected product) and service data.

The key obligations are:

  • User rights to IoT data: Connected devices and related services must be designed so that product and service data is, by default, in a comprehensive, structured, commonly used, and machine-readable format. Where technically feasible, that data should be directly accessible by the user – but if not, it should be provided on request.
  • New disclosure obligations: Providers of connected devices and related services must inform users of the data collected and made available to the user before entering into a contract.
  • Right to share IoT data with third parties: Users can ask that this data, to the extent readily available, be made directly available to a third party, where feasible, continuously and in real time. The data must be made available on FRAND terms, and the third party may have to pay to access that data. However, large technology companies designated as “gatekeepers” under the Digital Markets Act are not eligible third parties to receive data on a user’s request.
  • Removal of database rights for IoT data: The sui generis database right will not apply to product or service data.
  • Protection for personal data, security data and trade secrets: Various additional protections may apply where the data contains personal data, trade secrets or could undermine the security of the relevant connected products. For example, data holders may require users to preserve the confidentiality of data considered to be trade secrets, such as through confidentiality agreements, strict access protocols, or technical standards.

The obligations in the Data Act are potentially onerous for product manufacturers. There is interest in these new rights in some sectors, such as the automotive industry. However, the scope of these provisions is very broad and it is not immediately clear that the data from some connected products (for example, eToys or smart televisions) would be of any real economic interest to users or third parties.

Unfair standard form business-to-business data licenses

Unfair terms in a standard-form business-to-business data license will not be binding. The definition of an unfair term broadly follows the structure used for unfair consumer terms, i.e.:

  • Unfair terms are generally defined as those that grossly deviate from good commercial practice in data licensing, contrary to good faith and fair dealing.
  • Some terms are blacklisted and so automatically unfair, e.g. excluding liability for deliberate breach or gross negligence.
  • Some terms are grey-listed and so presumed unfair, e.g. unilateral rights to change the price save in certain cases and subject to the right of the licensee to terminate.
  • Terms relating to the main subject matter of the contract or price are excluded from any fairness assessment.

Importantly, these provisions are of general application and are not just limited to IoT data.

Public body access to data

Finally, public sector bodies and EU institutions can request data from private sector entities to fulfill their public functions where there is an exceptional need.

In the case of a public emergency, this right extends to personal and non-personal data, albeit the personal data must be first anonymized or pseudonymized. This data must be made available free of charge.

In other cases of exceptional need, this right is limited to non-personal data and the holder of data is entitled to fair compensation.

Brexit – Position in the UK

While the UK mirrors some aspects of the EU Digital Package, there is no equivalent measure to the EU Data Act.

The UK has proposed some new data portability rights in the Data Protection and Digital Information Bill but they are likely to be much more targeted than the broad obligations in the EU Data Act. Ofcom also issued a report into the cloud services market in October 2023 that included a public cloud infrastructure market referral to the UK Competition and Markets Authority. That could lead to new remedies in the UK to enable cloud switching.
