The Data Act and its impact on Cloud Service Providers

Use 2024 for compliance with Data Act

As the Data Act came into force in January 2024, understanding its profound impact on Cloud Service Providers (CSPs) becomes paramount for ensuring compliance and optimizing data management strategies.  From 12 September 2025 onwards, most of its rules will begin to apply. It aims to rebalance overall control over data.

The Data Act includes specific measures to allow users to gain access to the data their connected products generate and to share such data with third parties to provide aftermarket or other data-driven innovative services. It also imposes certain obligations on third parties receiving data at the request of the user.

The Data Act covers entities operating in the EU, regardless of where they are based (e.g. in the UK or USA, Canada), as long as they are involved in data sharing or data processing activities that affect EU customers.

Essential elements of the Data Act are: unlocking data generated by connected products or related services, use of fair contractual terms, making data accessible in case of emergencies, facilitating a switch between services, and protecting non-personal data.

In this blogpost, we focus on switching between Cloud Service Providers (CSP). The new rules brought about by the Data Act require CSPs to make the switching process easier and cheaper for customers. The Data Act also requires CSPs to clarify the nature and extent of their contractual obligations.

Switching Cloud Service Providers Under the Data Act: What You Need to Know  

The Data Act defines switching as the “process…. whereby the customer of a data processing service changes from using one data processing service to using another… of the same service type, or other service, offered by a different provider of data processing services, or to an on-premises ICT infrastructure.”

This has been interpreted as essentially describing the process by which a customer migrates from one CSP to another. The idea is that a customer can move its data from one Cloud Service Provider to another or take the processing in-house. 

These obligations apply to “data processing services”, defined as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction” , i.e. cloud services. A specific regime exists for custom-built services that are not offered on a broad, commercial scale and cloud services used for testing purposes.

What obligations will CSPs have with respect to their switching practices?

- Removing obstacles to switching

According to Article 23, CSPs are not allowed to impose and are required to remove “pre-commercial, commercial, technical, contractual and organizational obstacles” which would make it more difficult for a customer to switch providers. This includes anything which would inhibit the customer’s termination rights, ability to contract with a new provider and the export of customer data. Essentially, this article implies that the customer will retain control of and drive the switching activity. Unbundling of services will be allowed.

- Gradual withdrawal of switching charges

Switching charges constitute charges imposed by a CSP on a customer for switching to a different provider or migrating to on-prem. These include “egress charges” which are imposed on the customer for transferring data to another provider. The Data Act will galvanize the gradual withdrawal of such switching charges. The European Commission may  introduce a monitoring mechanism on switching charges imposed on providers of data processing services. From 12^th of January 2027, CSPs will no longer be able to impose any switching charges on customers for the switching process i.e. switching will be free. 

Information on charges must be provided by CSPs to customers in an accessible format prior to any contractual relationship.

- Contractual Obligations:

CSPs will be legally required to provide customers with a written contract at the outset, clearly setting out the switching process when moving to another CSP or from cloud to on-prem. Article 25 provides a minimum list of contractual terms that should be included in the agreement between providers of cloud services and their customers. This is comparable to the mechanism provided in Article 28 of the GDPR pertaining to data processing agreements.

As in the GDPR, the Data Act only defines in a general way what these contractual provisions should entail, but does not legislate the text of these provisions. This means that the CSP retains certain contractual freedom, as long, of course, as it does not prejudice other provisions of the Data Act.

- Technical Obligations

CSPs will be under an obligation to provide assistance services to users wishing to switch, for example by providing data migration tools and data transfer process support. The aim is to facilitate the process for the user. Article 30 requires the CSP to “take all reasonable measures in their power to facilitate” that the customer “achieves functional equivalence” in their use of the new cloud service.

Functional equivalence means “the same performance level, standards and functional features of a solution will work in a different cloud environment.” Essentially, this concept aims to break down barriers and allow customers to switch more easily.

Enforcement of the Data Act

Each Member State shall designate one or more competent authorities as responsible for the application and enforcement of the Data Act. The consequences of non-compliance will be determined at a national level by the relevant competent authorities who must ensure that penalties are effective, proportionate and dissuasive.  

The Data Act provides for a non-exhaustive list of criteria for assessing penalties (e.g. the nature, gravity, scale and duration of infringement), however, there is some uncertainty as to how each competent authority will conduct this assessment.

What can CSPs do now in 2024?

CSPs are being recommended to take action and undertake practical steps ahead of implementation. Such practical steps could include, for example, the review of existing data management policies and procedures to identify areas requiring compliance, investing in technologies to facilitate switching e.g. data migration tools etc.

Edwin Jacobs

Bernd Fiten