News

EU Data Act Series (part 7): Easy switching between data processing services (SaaS, IaaS, PaaS…)

Image
Image

The Data Act aims, amongst its main objectives, to enable customers of data processing services to switch between providers offering equivalent services, as well as to make use of multiple services from different providers simultaneously. The Act looks for the removal of commercial, technical, contractual and organizational obstacles for this purpose and establishes a set of organizational and technical measures to facilitate these processes (apart from the general obligation to cooperate in good faith).

Brief intro to the Data Act

The now enacted Data Act reflects EU’s concern about the lack of competitiveness and the burdens that customers of data processing services have to face to switch to another provider, introducing the right of switching (including to on-premise ICT infrastructures). The intention of the legislator is to enable the change of provider while extracting all exportable data and to restore the functionalities of the service with the new provider without any impediments (including, in the future, charges).

Similar principles should apply when a customer wants to make use of several data processing providers simultaneously while ensuring the continuity of service and the interoperability, without undue obstacles and data transfer costs. 

Note that the Data Act will be enforceable as a general rule as from 12 September 2025.

Scope of application regarding switching obligations

Data processing services are defined by the Data Act as a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction. Going a bit deeper into this definition in accordance with Recital 80:

  • customer shall have the capability to (within the agreement) unilaterally self-provision computing capabilities, such as server time or network storage, without (or with very limited) actions from the provider. In other words, automatic or almost automatic service shall be enabled (for instance, through a dashboard or interface). That is, requiring minimal management effort and as entailing minimal interaction between provider and customer.
  • the computing capabilities provided over the network and accessed through mechanisms shall be “ubiquitous” promoting the use of heterogeneous thin or thick client platforms (from web browsers to mobile devices and workstations).
  • the computing resources  (which include resources such as networks, servers or other virtual or physical infrastructure, software, including software development tools, storage, applications and services) shall be:
  • scalable”, which means they can be flexibly allocated to handle fluctuations in demand, irrespective of the geographical location of the resources,.
  • elastic”, which means they can be provided according to the demand (to rapidly increase or decrease resources available depending on workload).
  • Provided in “shared pool”, this means that they are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment.
  • distributed”, which means that they are located on different networked computer/devices communicating among themselves by message passing.
  • highly distributed” refers to data processing services involving data processing closer to where data are being generated (for instance in a connected data processing device).

This broad definition includes a wide spectrum of cloud and edge services, ranging from simple data storage services to highly customized software-as-a-service solutions. Among others,  IaaS (infrastructure-as-a-service), PaaS (platform-as-a-service) and SaaS (software-as-a-service) are expressly indicated.

Data Act excludes from some obligations those data processing services that are majorly custom-built for the customer (e.g. a specific software tailored to the organization's requirements) and which are not offered at a broad commercial scale via provider´s service catalogue.

Right to switch the processing services

Data Act establishes that to facilitate switching between data processing services, all parties involved (both source and destination) should collaborate in good faith with a view to enabling an effective switching process, maintaining the continuity and the secure and timely transfer of necessary data in a commonly used, machine readable format.

The Data Act seems to differentiate between three different scenarios, even though, as we explain below, its applicability in practice is not crystal-clear:

  1. the source provider and the destination provider do not cover the “same service type”; 
  2. the source provider and the destination provider cover the “same service type”. This is defined as “set of data processing services that share the same primary objective, data processing service model and main functionalities”. Services of the same service type may have different and competing characteristics such as performance, security, resilience, and quality of service. There could be same service type with different service’s operational characteristics; and
  3. the source provider and the destination provider provide ICT infrastructure as a service. In this scenario, source provider shall take all reasonable measures to facilitate the process of achieving functional equivalence (this does not mean the source provider needs to build the service taking into account the infrastructure of the destination provider).

There seems to be some inconsistences and lack of clarity about whether the right to switch to a different provider applies only when the source provider and the destination provider perform the same type of service. The definition of “switching” refers to “data processing service of the same service type, or other service”. However, the general right to switch to a different provider (art. 23 of the Data Act) states that, when allowing customers to switch to a data processing service covering the same type of service, the source providers shall take the measures provided for in the following articles. Finally, art. 30 specifically refers in some of its paragraphs to the "same type of service", suggesting that switching can be carried out in relation to other types of services, different then the initial service subject to switch.

We will have to keep an eye on future guidelines to confirm that the right to switch to a different data processing provider applies also to other types of service different then the source services.

Transparency - Minimum contractual terms and information duty

The Data Act sets out the minimum content that must necessarily be included in such contracts with customers, such as (i) clauses allowing the customer to switch to another provider or to port all exportable data and digital assets to an on-premise ICT infrastructure, within a maximum period of 30 calendar days; or (ii) a detailed specification of all data and digital assets that can be ported during the switching process, including, at a minimum, all exportable data. It also establishes that rights relating to the termination of such contracts, including those introduced by Directive (EU) 2019/770 (we have published another post about this Directive, available here) on certain aspects concerning contracts for the supply of digital content and digital services.

Additionally, minimum information must be available on the websites of data processing services providers (which must be up to date): (i) the jurisdiction to which the ICT infrastructure is subject; and (ii) a general description of the technical, organizational and contractual measures adopted in order to prevent international governmental access to or transfer of non-personal data held in the Union and which would create a conflict with Union law or the national law of the relevant Member State. The website must be indicated in the due contract.

Technical aspects of switching

The Data Act also imposes a series of technical obligations aimed at ensuring the interoperability of their services, so that once the switching is completed the customer can benefit from functionally equivalent services.

These technical obligations (excluding providers of resources limited to infrastructural elements without access to operating services, software and applications that are stored, otherwise processed, or deployed on those infrastructural elements) include making open interfaces available to an equal extent to all their customers and the concerned destination providers.

Fees / costs of switching charges

Speaking of compensation for companies' efforts, the Data Act’s main aim is for customers to be able to change of provider without any charges. For this purpose, it provides for a transitional period during which providers may charge fees to their customers for the processing of switching services (with limits). This period ends on 12 January 2027. Standard subscription fees and charges (i.e. anything that goes beyond the provider’s switching obligations ) shall not be considered switching charges.

Next steps

  • Providers of data processing services shall review their standard service agreement (and websites) with customers in order to make sure that it includes the minimum mandatory content.
  • Companies that make use of data processing services shall take Data Act into account when negotiating agreements and at the moment of switch of provider.
  • Source providers of data processing services shall adopt technical and organizational measures in order to ensure they can provide switching services.

Authored by Santiago de Ampuero, Joanna Rozanska, Julia Sáenz and Juan Ramón Robles

Search

Register now to receive personalized content and more!