(by Sean Ennis and Ben Evans)

For the EU legislator, the proposal for a Data Act represents an important step towards the enactment of long-term rules aimed at establishing good governance of the data economy and appropriate incentives to innovate. While the proposed regulation contains many valuable provisions that are worthy of implementation, we find that insufficient thought appears to have been given to the potential implications of the cloud portability and interoperability provisions for competition and innovation. The broad idea with these provisions is to ensure that cloud customers are not locked-in to their current provider. Preventing lock-in is not easy, though, and entails the development of specific rules. One of the key proposals entails the establishment of ‘equivalence’ between cloud computing services. This assumes the existence of sets of ‘equivalent services’ and extends, under certain conditions, to the achievement of ‘functional equivalence’ across those services. Such an equivalence could facilitate the overarching objective of enabling cloud customers to switch relatively easily from one provider to another and to interoperate between different cloud providers. Although laudable in principle, an expansive definition of ‘equivalence’ could have unintended consequences that risks a chilling effect on innovation and competition by smaller cloud providers, and more generally upon those cloud computing services that are competing most assiduously to meet customer needs. In our recent paper, we examine the Data Act through a joint economic and legal lens, and explain why equivalence can have such a surprising unintended consequence.

We point out that a Brussels effect need not, in this instance, involve a raising of the bar but could easily result in a lowering of the bar and the creation of markets providing only ‘lowest common denominator’ features. Notably, some of the proposed portability and interoperability rules appear to have been inspired to some extent by experiences with open banking, a concept first implemented by the UK in the context of an effort to open up competitive pressures in banking which were otherwise judged weak. The open banking effort involved the creation of APIs that would allow secure portability and interoperability between different financial service providers, thus reducing entry barriers and switching costs for customers. After years of preparation, the system has ultimately worked relatively smoothly. This experience is sometimes used as an analogy for what could happen with broader portability and interoperability across different digital activities, and it is used to justify efforts for creating horizontal and symmetric portability and interoperability rules. Yet such analogies are not necessarily appropriate, particularly between cloud computing services, which exhibit high degrees of feature complexity and innovation, and banking services, which exhibit both a limited number of key features and a relatively low level of innovation. We would suggest that these two differences are critical for considering the nature and focus of future cloud regulation and may limit the value of analogies to prior experiences with portability and interoperability.

We show that the provisions of the Data Act relating to portability and interoperability require urgent attention from the legislator. We find that ‘service type’ and ‘equivalent service’ are legal concepts divorced from the technical realities of the cloud industry and emphasise that distinguishing between the IaaS and PaaS layers, in particular, is an increasingly challenging and artificial pursuit. Focusing first on portability, we underscore the reality that data and application portability are entirely distinct concepts which manifest differently across the spectrum of cloud computing service models. Turning to interoperability, we identify shortcomings of the proposed provisions and emphasise optimism over the emergence of market-driven solutions. We also find that a number of key concepts, in particular ‘custom-built’, ‘technical feasibility’ and ‘equal ability to influence’ contractual terms, are inadequately defined and would, hence, engender considerable legal uncertainty. Crucially, we highlight concerns that many of the proposed provisions, including those that would impose mandatory contract law, run counter to the objective of the regulation and stand to put smaller and new challenger firms at a significant competitive disadvantage. In general terms, we would suggest that the legal text adopted by the EU Parliament represents an advancement over both the original text proposed by the EU Commission and the text adopted by the EU Council, although it is inherently concerning that so much of the attempted reduction in ambiguity is situated in the text’s increasingly dense thicket of Recitals. Indeed, despite certain improvements, we fear that a pervasive absence of clarity could give rise to legal disputes that will necessarily complicate and even forestall the switching process.

Looking ahead to the trilogues for determining a final EU text, we would highlight shortcomings in the text adopted by the EU Council, which proposes to extend the provisions relating to portability and interoperability to instances where a customer simultaneously uses two services from two different providers. We find that such an extension would only exacerbate the problems that are inherent in the current language of the provisions and may be largely unworkable, not least because cloud providers do not necessarily have visibility on whether a customer is using multiple services from different providers in parallel. Indeed, such provisions would require access to customer content in a way that may adversely impact the trust between customer and provider, or a reliance upon customer attestations on how they are using cloud services that would be challenging for providers to verify. In either case, we are concerned that providers would gain new insights into their customers’ use of other providers and how services offered by providers technically work, creating unduly onerous new administrative and technical burdens both for providers and customers. The extension also stands to undermine the ability of cloud providers to account for their network costs by charging ordinary transfer fees, since it would not necessarily be possible to determine whether a given transfer request is being made by a customer for the purpose of switching.

The provisions relating to cloud portability and interoperability risk being swept along with the Data Act. Ultimately, we conclude that the legislator would need to clearly demonstrate broad-base market failures in order to adequately justify the profound, horizontal and symmetric intervention that it proposes to impose in the Data Act. Should the regulation be enacted without substantial redrafting, we fear that it could restrict competitive differentiation by law across markets for cloud computing services and reduce customer-desired options available in current and future product offerings.

This blog was published first by the Society for Computers and Law on 31 March 2023.