Timely reminder of risks in cloud contracts
Over the last decade, cloud solutions have become popular tools to facilitate the digital transformation of businesses, and the retail sector is no exception in its uptake of cloud services.
The benefits of cloud are clear – it is invariably quick and easy to scale and flex cloud usage to suit an organisation's changing requirements, cloud back up and disaster recovery options have offered businesses data safety and reliability, and customers can benefit from a cloud provider's advanced security features, all without the need for capital expenditure.
Although cloud services can positively impact data access and business operations, there are risks inherent in moving to (or within) the cloud which retailers, consumer brands, hospitality businesses and other customers should consider, including:
- possible service downtime and inability to access data;
- whether the security and privacy measures undertaken by the cloud provider are sufficient for the customer's data and any obligations (regulatory or contractual) in relation to the same;
- integration complexity with existing systems; and
- compliance issues, in particular in the context of having little control over the underlying cloud infrastructure, and data storage and transfers.
In addition, the risk of 'vendor lock-in' should always be assessed and mitigated by customers. Difficulty in moving from one cloud provider to another can arise due to a number of factors, such as prohibitive egress fees imposed by cloud providers (ie the costs of data transfer), the use of provider proprietary formats and technology which impacts data portability through configuration complexities, and simply the length of time it takes to transfer large amounts of data from one provider to another. Given retailers' and consumer brands' reliance upon the use of data (such as consumer data or supply chain management data) and the growing need for the retail industry to quickly respond and adapt to ever-changing consumer demands, it is increasingly important for businesses to ensure that they have the flexibility to contract with appropriate vendors, and are not restricted from using their data in the manner they wish to.
Legislative changes to help customers?
In comes the EU's proposal for an EU Data Act (the "Act"). Part of the EU's broader Data Strategy to establish greater data governance across the region, the Act seeks to help to increase the ability to use and access non-personal, industrial data in the region and will also establish interoperability requirements to make it easier for users of cloud solutions to move between cloud providers and to also utilise the products of different cloud providers concurrently. One of the overarching aims of EU legislators is to create a commercial environment that fosters innovation and competition.
The Act will achieve this by introducing the following:
- measures to limit the charges cloud providers can apply to users seeking to switch to another cloud provider to improve competition;
- new contractual obligations on cloud providers, including a termination right requirement in favour of cloud customers;
- a new standardisation framework to facilitate interoperability to remove barriers to the sharing of data across platforms; and
- safeguards against unlawful data transfers by cloud providers to enhance user trust.
What's next and how is the UK affected?
The European Parliament and Council reached political agreement on the Act on 27 June 2023, which now awaits formal approval. After it has been adopted, it will enter into force on the 20th day following publication in the Official Journal. It will then apply 20 months after entry into force.
The Act is expected to have extra-territorial effect, which means that products and services supplied to the EU will also be within scope. In addition to this, UK-domestic legislative changes could be on the horizon. Earlier this month Ofcom published its cloud services market study looking at the supply of cloud services in the UK. Given Ofcom's concerns set out in the market study as to a number of barriers to customers in switching cloud providers and using multi-cloud solutions, Ofcom referred the matter to the Competition and Markets Authority (CMA) to carry out its own investigation to decide whether there is an adverse effect on competition by virtue of such barriers, and if so, whether the CMA should take action or recommend others to take action. The CMA have an 18 month window to conclude their investigation.
Cloud providers will no doubt be preparing to incorporate the new contractual requirements set out in the Act into their terms and other practical methods to comply with the proposed requirements and any changes required by local regulatory developments. However, whilst providers get their ducks in a row, cloud customers may wish to use the new legislation as leverage to raise the issues we have highlighted (and others) with their cloud providers in order to negotiate more favourable terms and to minimise risk.