Leaked documents have revealed details of the European Union’s proposed data act, which is likely to have a significant impact on cloud computing providers operating in the region. Providers could be compelled to put extra safeguards in place to help avoid illegal data transfers outside the EU and to make their services more interoperable. This could benefit buyers by making it easier to switch cloud providers.
The proposals form part of the European Data Governance & Data Act, which has been under discussion for two years and is set to be presented by the European Commission later this month. It will cover a wide range of topics around the way data is stored and processed and, according to documents seen by Euractiv, will give every EU citizen the right to access and control data generated by connected devices they own, such as smartphones and smart speakers.
But it is the potential changes to the cloud computing landscape which are likely to have a greater impact on businesses undergoing digital transformation and considering where to host workloads.
Cloud interoperability in Europe
The vast majority of businesses now use more than one cloud provider, with 92% of respondents to Flexera’s 2021 State of the Cloud report stating that they use two or more public and private cloud providers.
But moving data between platforms or switching workloads to a new provider can be fraught with difficulties says Mike Small, a senior analyst at KuppingerCole. “It may be difficult to extract the data in a form which can easily be moved to another provider,” he says. “Or the volume of data may be so great that the network cost makes it impractical.”
Further complications can arise with software-as-a-service products, where data generated may be owned by the service provider. “Then you may have to pay to get it,” Small says. For companies using infrastructure-as-a-service, “the problems lie not in just in the data but also in how tightly the workload is coupled to the specific cloud environment,” Small says. “Each has its own optimisations, and these are usually not transferrable.”
The leaked document suggests the EU data act will seek to ban providers from charging fees for switching and introduce obligatory contractual clauses to support switching and interoperability of services. Cloud companies should also offer ‘functional equivalence’ for customers that switch providers. On a practical level it is likely this can only be achieved by greater adoption of common or open standards. “One approach to this is to use an environment that is available across clouds such as VMware or OpenStack,” Small says.
The proposal says the commission is stepping in because SWIPO, a non-binding set of principles which are supposed to facilitate switching between cloud providers, “seems not to have affected market dynamics significantly.” It hopes a European standardisation organisation will be able to draft a set of standard principles for cloud interoperability, but says it will step in and mandate them if necessary.
Small believes developing standards in conjunction with industry offers the most likely chance of success. “Interoperability and portability is best achieved through accepted standards,” he says. “Regulation is helpful to prevent abuse and to clarify responsibilities.”
New rules for data transfers outside the EU?
Cloud providers may also find themselves under new obligations around data transfers, with Reuters reporting that the transfer of non-personally identifiable data outside the EU will be banned. This rule already applies to the personal information of EU citizens unless an agreement is in place with the third country. The UK currently has a data adequacy agreement with the EU allowing information to flow freely.
“Concerns around unlawful access by non-EU/EEA governments have been raised,” the document says. “Such safeguards should further enhance trust in the data processing services that increasingly underpin the European data economy.”
Cloud providers and other companies that process data will have “to take all reasonable technical, legal and organisational measures to prevent such access that could potentially conflict with competing obligations to protect such data under EU law, unless strict conditions are met”.
The new laws could make the need for a data-sharing agreement between the EU and the US more pressing. The previous agreement, the Privacy Shield, was invalidated in 2020 after a court challenge from privacy campaigner Max Schrems, which raised concerns about the ability of the US government agencies to compel businesses to share user data. US commerce secretary Gina Raimondo said last year that a new agreement remains “a number one priority” for the Biden administration, but talks have yet to yield a solution.