Cloud interoperability core to Dutch calls for EU Data Act amendments

Out-Law News | 14 Sep 2022 | 6:27 pm | 2 min. read

Cloud computing providers that provide IT infrastructure to businesses should face a new legal duty to ensure that those businesses “can enjoy functional equivalence” when they switch to using services offered by other cloud providers that rely on the same infrastructure, a Dutch regulator has said.

The proposal was set out by the Authority for Consumers and Markets (ACM) in the Netherlands after a study it conducted into the cloud services market (78-page / 1.1MB PDF) identified concerns about customer ‘lock-in’, which is where customers face barriers to switching between service providers.

“The major risk of lock-in is that it reduces the incentives to provide high-quality services at competitive prices,” the ACM said in its market study report. “A negative effect of lock-in that can already be seen is the fact that users are unable to switch if the costs of using the cloud usually turn out to be higher than users estimate in advance, which is often the case.”

In the cloud market, some cloud providers offer what the ACM has referred to as “an integrated service” where businesses can access cloud-based infrastructure, software and platform services. The ACM said that there can be barriers for businesses to overcome when seeking to switch to other services – particularly software-as-a-service (SaaS) or platform-as-a-service (PaaS) solutions – from an integrated service provider. It also flagged concerns over the interoperability between different service provider solutions, which it said has an impact on businesses that make use of more than one cloud provider.

The ACM has said changes should be made to the draft EU Data Act to promote switching and interoperability, in respect of data processing services, to address the issues it identified.

The existing Data Act proposals envisage the development of new European standards for the interoperability of data processing services. The ACM has said that the draft Data Act should be amended (2-page / 90KB PDF) to require data processing service providers, in the absence of standards for the type of services they offer, be obliged to make application programming interfaces (APIs) available to support interoperability with other services.

According to the proposals, those APIs should “ensure, where technically feasible, that third-party services can enjoy the same functional equivalence as first-party services”. The measure would be underpinned be a new duty on exporting data processing service providers to “ensure that the customer, after switching to a service covering the same service type offered by a different provider of data processing services, can enjoy functional equivalence in the use of the new service”.

In its market study report, the ACM said that businesses that use cloud services can also adapt their cloud strategies to address the risk of becoming ‘locked-in’ to a supplier.

It said: “Given the complexity of a full switch, it is all the more important that users have the freedom to choose and combine the best or cheapest service from the different cloud providers and third parties. In that case, a cloud user could also opt for a gradual migration, even if links are needed between the different services.”

The ACM’s study, and associated proposals, is the latest in a string of recent interventions by Dutch authorities in relation to the cloud market.

Last month, the Dutch government updated its cloud policy to enable sensitive personal data that government departments are responsible for to be stored by US cloud providers, subject to the data being encrypted and other safeguards. In addition, the Nationaal Cyber Security Centrum (NCSC) in the Netherlands recently published and promoted a memo addressing the extra-territorial reach of the US CLOUD Act and related risks EU entities face in respect of the disclosure of data they are responsible for to US authorities.