Czech Republic offers compromise on cloud switching, interoperability and governance – EURACTIV.com

The Czech Presidency of the Council of the EU has circulated a new partial compromise on the upcoming Data Law regarding the conditions for switching to the cloud, interoperability requirements and cooperation in enforcement at the level of the EU. EU.

The text of September 9 completes the first review of the rotating presidency on the proposed data law. The compromise will be debated on Thursday 15 September in the EU Council working group on telecommunications.

Scope

The IT law aims to introduce new rights for users to access the data they help to generate. The text has been changed “to clarify that references to related products or services should be understood to include virtual assistants throughout data law”.

Additionally, users will have the right to switch cloud services at no additional cost three years after the new rules take effect. A measure designed to promote competition in the cloud market. The Presidency clarifies that these provisions only apply to infrastructure as a service (Iaas), the most basic layer of IT services.

Cloud switching

The initial plan provided for a transition period of 30 calendar days to move from one cloud provider to another. The Czechs have introduced the possibility of requesting an extension in the event of exceptional circumstances motivated by technical impossibility.

The document states that at the request of the customer, the cloud service provider should migrate not only its data but also its metadata to another cloud provider or a so-called on-premises system. However, there is no language to suggest that these switching obligations apply to on-premises systems.

According to an added formulation, the outgoing cloud service should facilitate functional equivalence by taking “all measures within its power, including in cooperation with the data processing service provider of the destination service”.

In addition, the presidency wants the outgoing service to ensure high levels of cybersecurity during the transfer and the newly introduced retention period of 30 calendar days after termination of the contract.

Interoperability

The Data Act is part of a wider European data strategy which includes the establishment of sectoral data spaces with specific governance rules for the health, energy and healthcare sectors. agriculture. The Czechs clarified that the essential interoperability requirements only apply to organizations that are part of these data spaces.

Regarding essential requirements for interoperability in data spaces, the Czechs amended the text to clarify that automating the execution of data sharing agreements with tools such as smart contracts is not obligatory.

Cloud service providers must comply with EU interoperability specifications and standards within one year of their publication.

LEAK: The European Commission’s data space to free health data

The European Commission is set to propose a new governance framework for health data with cross-border interoperability requirements and pan-European infrastructure in the first sectoral legislation of its kind, according to a draft seen by EURACTIV.

Governance

The application architecture must follow the principle of the country of establishment. In other words, the competent authority of the country where the organization in question is based in the EU will conduct its cases.

If the organization does not have a legal representative in the Union, all Member States would be competent. However, it will not be possible to duplicate the same procedure in several countries.

The article on standard contractual clauses has been expanded to mandate the Commission to develop standard contractual clauses for cloud computing contracts.

An article has been added to define the role of the European Data Innovation Board in the application of data law, in particular to assist the Commission on issues related to harmonized standards, secondary legislation and guidelines in terms of interoperability.

In addition, the committee, established under the recently approved Data Governance Act, will advise the Commission to facilitate cooperation between competent authorities through capacity building, exchange of information in particular on cross-border cases and coordination in the determination of sanctions.

Punishments

The presidency reinforced the principle that an operator cannot be sanctioned twice for the same infringement of the regulation, by requiring that any sanction be shared with all national authorities and the Commission.

In terms of sanctions, the compromise proposed a set of criteria to be taken into consideration: the nature, gravity, extent and duration of the infringement, possible attempts at mitigation or reparation, previous infringements, benefits obtained by the offense and any aggravating or mitigating factors. .

Database Directive

The Data Act revises the Database Directive, European legislation from 1996 that harmonizes the application of copyright to databases, including specific rights for database creators who are not eligible for copyright protection. The Czech Presidency has proposed two options to deal with this point.

The first option involves a broader exclusion of these specific rights where the data is obtained or produced using connected products or related services.

Alternatively, Prague offers a narrower exclusion of these rights only in cases where users exercise their right to access data they have helped generate or if the user decides to share this data with a third party.

Sustainability

Two years after the Data Act comes into force, the Commission will have to carry out a review. The Czechs also want the EU executive to assess whether access rights and change obligations should be applied to other services.

[Edited by Alice Taylor]

Helen D. Jessen