Cloud interconnection and innovation

Briefing Note

DeepDive podcast, available on Chrome

https://notebooklm.google.com/notebook/cee69ad3-4663-41b3-b16b-2c30bce95093/audio

BRIEFING NOTE

Cloud, Data Act and interoperability

Source:

Ennis, S. and Evans, Ben (2024) "Cloud Portability and Interoperability under the EU Data Act: Dynamism versus Equivalence" SSRN. 13 April 2023. https://ssrn.com/abstract=4395183.

Executive Summary

This working paper examines the potential impact of the European Data Act on cloud services, focusing on its provisions relating to portability and interoperability . The authors express concerns about the requirement for “ functional equivalence ,” fearing that it does not adequately take into account the dynamic and customized nature of the cloud industry. They suggest that, far from fostering competition, this approach could hamper innovation , disadvantage smaller players, and potentially oversimplify the offerings available to European users.

Key words:

European Data Law

Portability Interoperability Cloud

"Equivalence" concept

Cloud Industry Dynamism

Intellectual Property Data

Main points:

This article by Sean Ennis and Ben Evans analyzes the provisions of the European Data Act regarding the portability and interoperability of cloud computing services. The authors argue that the Data Act, particularly its requirements for “equivalence” between services, does not adequately address the dynamic and highly customized nature of the cloud industry. They fear that the law, with its emphasis on standardization and unbundling, will discourage innovation, harm smaller providers, and strengthen the position of established players. Applying standardized concepts, inspired by other sectors such as open banking, to a complex and rapidly evolving area such as the cloud could have unintended consequences, including a simplification of service offerings to the “lowest common denominator” and a reduction in the variety of services available to European customers. The authors propose a more nuanced regulatory approach that protects and stimulates dynamic competition and innovation.

The Data Act and the Portability and Interoperability Provisions:

The Data Act, as part of establishing a governance framework for the data economy, contains strict provisions on portability and interoperability between cloud service providers.

These rules apply to "data processing" services, a category that, while potentially broad, is defined to encompass cloud services.

One of the key concepts is establishing “equivalence” between cloud services to facilitate switching between providers and interoperability.

While the goal of making it easier to switch providers is laudable, a broad definition of "equivalence" could have negative consequences.

The Concept of “Equivalence”:

Equivalence in the Data Act is based on two interrelated concepts: “same type of service” and “functional equivalence”.

The "same service type" is defined as a set of services sharing the same primary purpose, data processing service model, and core functionality. The authors criticize this definition as a "significant analytical shortcut" because it is disconnected from the technical realities and rapid innovation of the cloud industry.

“Functional equivalence” depends on a finding of “same type of service” and aims to re-establish a “minimum level of functionality” after the switching process, where the destination service provides a “materially comparable result” in response to the same input for shared functionality.

Although the final text provided clarifications (e.g., limiting the application of functional equivalence to IaaS providers and specifying “exportable data”), the authors believe that the provision remains “disproportionately burdensome.”

Source providers are required to “take all reasonable steps within their power to facilitate the customer, after the change of service covering the same type of service, achieving functional equivalence in the use of the destination data processing service.” This includes providing “capabilities, adequate information, documentation, technical support and, where applicable, the necessary tools.”

The authors note an exemption for "custom-built" services, but consider this concept "very nebulous" and in need of further clarification.

Criticism of “Equivalence” in a Dynamic Market:

The cloud industry is characterized by dynamic competition and a high level of innovation and customization of services.

The requirement to achieve "functional equivalence" could provide an incentive for companies not to offer capabilities greater than those available from other companies in order to ensure compliance with the rule.

This could lead to reduced variance within each feature (leading to a 'lowest common denominator') and a hesitancy to introduce new features not available on other services, as customers would not be able to move to other providers.

"Instead, they would be incentivized to 'dumb down' their product to ensure that there is no difference between the exact capacity in their feature and that of other companies."

"This would have two implications. First, for the variation found within a feature that would reduce (and in the limit go to 0) so that customers would not be worse off from a switch. This would lead to a lowest common denominator approach within each feature. Secondly, for features that are not available on other services, companies would be extremely hesitant (and in the limit would prefer not) to introduce a feature not currently available in the market, because then customers would not be able to move to other providers."

This "Brussels effect" could thus result in a lowering of standards and a reduction in the variety of solutions available in the EU, potentially putting European companies at a disadvantage compared to those in other jurisdictions.

Portability and Interoperability - Distinct Concepts:

The authors criticize the Data Act's "analytical shortcuts" regarding portability and interoperability.

Portability: Although the Data Act does not explicitly define it, it covers both data and applications. The authors emphasize that data and application portability are distinct concepts that manifest differently across cloud service models (IaaS, PaaS, SaaS). Application portability is a more significant issue at the IaaS and PaaS levels due to the use of proprietary APIs.

Interoperability: The Data Act defines interoperability by focusing on the exchange and use of data. The authors argue that this definition is too narrow and ignores the “technical breadth of interoperability,” which includes the ability of different clouds and systems to understand application and service interfaces, configuration, authentication, authorization, data formats, and more.

The authors consider the provisions on mandatory "open interfaces" and standardization, especially for non-IaaS providers, unjustifiable in the absence of clear evidence of widespread market failures.

They express optimism about the emergence of market-based interoperability solutions and are concerned about the imposition of mandatory standards that could favor established players and hinder differentiation.

Complexity of Cloud Services Compared to Open Banking:

The authors criticize the analogy sometimes made with open banking to justify portability and interoperability rules in the cloud.

They point out that cloud services are "much more complex than a standard bank account and are experiencing relatively rapid innovation."

Open banking involves a relatively simple product with a limited number of key features and a low level of innovation, whereas cloud computing involves many variables (features) with substantial variance within each and high innovation potential, as indicated by patent data.

“We may think of demand, almost as a result of the variety in offering features, as spread out over features and the “level” of each feature.”

A cited market study shows that even for a specific category of cloud services (backup storage), providers offer a widely varying number of features, suggesting significant product differentiation.

Rights to Cloud-Based Assets and Intellectual Property:

The authors are concerned about the potential impact of the Data Act's provisions on the protection of cloud service providers' intellectual property rights and trade secrets.

The requirement to facilitate functional equivalence by providing "capabilities, adequate information, documentation, technical support and, where appropriate, the necessary tools" represents, according to them, a "deep incursion" into intellectual property rights.

The requirement to make "open interfaces" available could also infringe intellectual property rights and trade secrets.

The concept of unbundling services is considered potentially impractical for complex and interconnected cloud services.

Although the final text contains clarifications aimed at protecting trade secrets and intellectual property (for example, by allowing the exemption of certain categories of exportable data and by specifying that suppliers are not required to develop new technologies or disclose protected assets), the authors highlight the ambiguity of terms such as "hinder or delay" and the risks of conflicting interpretations.

The authors also discuss the interpretation that the Data Act establishes a statutory right to customer data, aligning with the idea of ​​a "data holder's right" rather than classic intellectual property over raw data. They highlight the risks associated with the lack of a clear legislative discussion on establishing such a right and the unsupported assumptions regarding the incentives for data creation.

Operationalization and Compliance:

Operationalizing cloud equivalence is considered “very difficult” due to its complexity compared to simpler products like bank accounts.

The provisions imposing maximum deadlines for the start of the change process (two months) and the transition period (30 days) are considered “significant interventions” in the commercial freedom of providers and demonstrate a lack of understanding of the realities of long-term cloud contracts.

These delays could harm small businesses and new entrants due to demand uncertainty and high compliance costs.

The authors question the analogy with number portability in telecommunications to justify a mandatory transition period.

They welcome the "technical feasibility" requirement as an important safeguard, but criticize the time limits imposed for notification and justification of technical infeasibility.

Extending portability and interoperability provisions to cases where a customer uses services from two different providers simultaneously is considered problematic and potentially impractical, as providers do not necessarily have visibility into simultaneous usage by customers.

The authors suggest that requiring zero-cost switching to the customer, when there are real costs of moving data, represents a substantial intervention in the market and could lead to increased prices for other parts of the process.

The authors cite a study on the impact of GDPR on innovation to illustrate the “potential unintended consequences of complex regulation leading to high compliance costs,” suggesting that a trade-off exists between privacy benefits and lost innovation.

Conclusion and Recommendations:

The authors conclude that the Data Act's provisions on portability and interoperability, based on the concept of "equivalence," require urgent attention.

They believe that the concepts of "type of service" and "equivalent service" are disconnected from the technical realities of the cloud industry and that the distinction between IaaS and PaaS layers is artificial.

They stress that data and application portability are distinct concepts and criticize the shortcomings of interoperability provisions, preferring market-based solutions.

Key concepts such as “tailor-made” and “technical feasibility” are insufficiently defined, creating legal uncertainty.

The authors are concerned that many provisions, including mandatory contract law, will defeat the purpose of regulation and disadvantage small businesses and new entrants.

Although the final text represents an improvement over the initial proposal, the persistent ambiguity, often relegated to the recitals, could lead to litigation.

One suggested solution would be to limit the portability and interoperability requirement to "plain vanilla" services (basic services offered by all providers) rather than to customized and complex services.

The authors argue that customers are already aware of the risks of lock-in and that their incentives are aligned to assess the feasibility of switching at the time of contract.

They conclude that the Data Act, as adopted, could restrict competitive differentiation and reduce the options available to European customers, unless the legislature clearly demonstrates widespread ma

Paper Summary Initial Draft By NotebookLM