15 June 2023

Data Act’s restrictions on data flows and cloud services could undermine EU’s 2030 Digital Targets, harming consumers and industries

12 associations representing cloud customers and cloud vendors operating on the European Digital Single Market have issued a joint letter expressing their deep concern about the upcoming restrictions on data flows and cloud services foreseen by Article 27 of the proposed European Data Act. According to the signatories, the Data Act in its current form would harm SMEs, start-ups, and large enterprises providing modern services and products, as they would no longer be able to rely on the scalable digital technologies that are needed for building a competitive, innovative and resilient digital economy in Europe.

Conflicting regulations

Addressing European officials and national authorities, the joint letter highlights the clear conflict between the Data Act and data transfer rules of the General Data Protection Regulation (GDPR). “In the digital market reality, cloud providers do not know the content of customers’ data and are unable to identify whether the data they process on behalf of their customers constitute personal data or non-personal data. It is impossible to provide separate processing infrastructure for each of those datasets,” explains Michał Kanownik, Chairman of Digital Poland Association, one of the letter’s signatories.

The signatories call on the Data Act negotiators to recognise cloud providers’ adherence to GDPR provisions for the transfer of personal data as fulfilling the requirements of Article 27(1) of the Data Act for the transfer of non-personal data. “We invite Council and Parliament negotiators to adopt clear and pragmatic obligations for European cloud providers operating internationally and global cloud providers operating in Europe,” the joint letter by 12 organizations underlines.

“Article 27 of the proposed Data Act, creating a parallel, yet different regime for the transfer of non-personal data outside the EU, may lead to prohibition of transferring personal data to a third country, despite providing an ‘adequate’ level of data protection status. This renders ‘adequacy decisions’ and other GDPR data transfer rules null and void, creating a dangerous legal uncertainty and a risk of great disruption in the European Union,” Kanownik adds.

Limited access to cloud solutions and risk of fragmentation of the Digital Single Market

The letter’s signatories are also concerned that Article 27(1) of the Data Act may lead to the development of discriminatory ‘immunity requirements’ against non-EU cloud providers and to disproportionate obligations for European cloud providers running global operations. Instead, legitimate concerns about extraterritorial government access to EU non-personal data should be addressed separately and strategically, through constructive discussions with like-minded security and commercial partners, without resorting to vague, disproportionate unilateral measures as part of the Data Act.

“Potential discriminatory requirements against cloud vendors risk reducing Europe’s cloud computing capacity and fragmenting the EU Digital Single Market. We invite negotiators to avoid foreclosing any future political, evidence-based debate which several Member States and MEPs have requested before. Otherwise, we may also face increased cybersecurity risks and even break international trade rules,” argues Michał Kanownik.

The European Data Act is currently the subject of EU institutions’ trilogue negotiations, which will result in the final, adopted text of the regulation; this is foreseen to happen at the end of June. The Act aims to boost innovation by removing barriers to consumers’ and businesses’ access to the data they generate and to facilitate switching between cloud providers for users. A heated debate regarding which types of data will fall in scope, whether sufficient safeguards for trade secrets are provided, and the complex interplay between the Data Act and the GDPR is still ongoing.