Abstract
Cloud computing brings important benefits and it is expected to play a key role in facilitating the uptake of emerging technologies and applications, including artificial intelligence, blockchain, and high-performance computing. Despite its potential to deliver cost and time-efficient services, the majority of businesses in the EU have still not implemented cloud computing. This illustrates the need for a more widespread adoption of the technology. Yet, recent regulatory initiatives may obstruct the uptake of cloud services. This is arguably because such initiatives do not reflect a proper understanding of the market, which our paper intends to provide. To that end, the paper examines what cloud computing is and how it works. It subsequently discusses the EU’s attempts to regulate cloud computing, including the Digital Markets Act, the Digital Services Act, and the Data Act proposal. Our analysis demonstrates that the logic of these instruments and the obligations they establish do not fit the characteristics and workings of cloud computing. The paper concludes by noting that future regulation must mirror the specificities of the cloud, which has a value chain and traits that differ significantly from other digital services, most notably online platforms.
I. Introduction
Cloud computing is a widespread technology bringing important benefits to millions of consumers and enterprises across the world. According to a recent report, cloud computing is the most widely adopted technology across industries.Footnote1 Cloud computing is also being used in public administration and has important applications in the daily lives of consumers, ranging from streaming platforms to email services. In addition, cloud computing plays a crucial role in facilitating the uptake of key emerging technologies and applications such as artificial intelligence, blockchain, the Internet of Things and high-performance computing.Footnote2
Considering the versatility and efficiency of cloud computing, it is not surprising that the value of the global cloud computing market is on track to exceed 1 trillion dollars by 2030.Footnote3 The current growth will likely be accelerated by the increasing popularity of new applications of cloud computing technology, such as cloud gaming.Footnote4
Despite its potential, many businesses do not use cloud computing.Footnote5 This highlights the need for a more widespread adoption of the technology. However, recent regulatory initiatives pursued by the European Union (‘EU’) Digital Markets Act (‘DMA’),Footnote6 the Digital Services Act (‘DSA’),Footnote7 and the proposal for the Data Act (‘DA’),Footnote8 may run counter to the uptake of cloud services. This is because such initiatives do not reflect a proper understanding of the market, which this paper intends to provide. To that end, the paper is divided into three parts. Part I examines what cloud computing is and how it works. Part II discusses the ways in which the EU has regulated cloud computing. It focuses on the DMA, the DSA, and the proposed DA, showing that the logic of these instruments and the obligations they establish do not fit the characteristics and workings of cloud computing. Part III concludes by noting that future regulation must mirror the specificities of cloud computing, which has a value chain and traits that differ significantly from other digital services, such as online platforms. The EU has taken the lead in regulating this area; however, the analysis of the relevant regulatory initiatives demonstrates why the EU’s approach to cloud computing is an example that regulators in other jurisdictions should pay close attention to and avoid simply replicating.
II. What is cloud computing?
This Part defines cloud computing services and discusses the key characteristics of cloud technology (Section A). It subsequently examines the ways in which cloud computing can be provided, also known as cloud computing service models (Section B).
A. Definitions and key characteristics of cloud computing
Cloud computing can be described as the delivery of computing services (e.g. servers, storage) over the internet.Footnote9 A technical definition that is often used to describe cloud computing is the definition provided by the United States National Institute of Standards and Technology (‘NIST’):
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics [and] three service models.Footnote10
On demand self-service means that the customer can request (and receive) access to a service (for example their Outlook inbox) without an administrator or a support person having to fulfil that request manually. This increases the speed of such operations and decreases the burden placed on the cloud service provider in question.
Broad network access has three in-built requirements.Footnote11 First, cloud computing services should not require more than a normal connection to the Internet. Second, they should not require the installation of any software. If they do, the software should not require large storage space and should be easy to install. Third, cloud services should be accessible from a wide variety of devices, such as laptops, desktops, smartphones, and tablets.
Resource pooling means that when resources are not being used by one customer, they should be used by another. This can be achieved through virtualization, a process through which software is used to divide the hardware elements of a single computer owned by the cloud service provider (e.g. processors, memory) into multiple virtual computers, each functioning as an independent computer.Footnote12 These virtual computers (or ‘virtual machines’) can then be used to serve different clients at the same time.
Rapid elasticity or expansion is a feature of cloud computing whereby physical or virtual resources can be adjusted to quickly increase (or decrease), depending on demand. This allows users to automatically request additional space in the cloud, without experiencing constraints. Unlike older storing systems, cloud computing resources are automatically available.
Finally, measured service means that cloud computing services must be able to quantify usage to enable the use of a ‘pay-as-you-go’ plan, which allows customers to pay only for their actual use of the service.
In view of its simplicity, scalability and flexibility of use, cloud computing is highly attractive to businesses.
B. The service models of cloud computing
The service models of cloud computing are the following: software, platform, and infrastructure. The terms software-as-a-service (‘SaaS’), platform-as-a-service (‘PaaS’) and infrastructure-as-a-service (‘IaaS’) emanate from those service models. A fourth model, known as ‘serverless’, has also recently emerged.
SaaS, which is the original and most popular cloud service model also known as ‘on-demand software’, is a software licensing model whereby software is licensed on a subscription basis and is centrally hosted. It involves the provision of applications and data services remotely (through the cloud) rather than on local machines. This can be done both under a Platform-to-Business (‘P2B’) model whereby cloud services are provided to a business which manages its employees’ access. A Platform-to-Consumer (‘P2C’) model is also possible. In this case, anyone can sign up to access the cloud services concerned (e.g. Duolingo, Spotify, Netflix). Other popular examples of SaaS include Outlook 360, Dropbox, Google Workspace, and Salesforce.Footnote13
PaaS provides a framework which allows its users to develop applications. It includes infrastructure such as servers, storage, and database management systems. PaaS is mainly marketed under the P2B model.Footnote14 Among the most popular examples of PaaS are SAP Cloud, Amazon Web Services (‘AWS’) Lambda and Oracle Cloud.Footnote15
IaaS provides basic infrastructure services to customers. These services may include physical machines, virtual machines, networking, storage, or a combination thereof. Put differently, consumers virtually rent infrastructure rather than having to buy or build their own. These services are usually supplied on a ‘pay-as-you-go’ basis. IaaS is mainly marketed under the P2B model. Examples include Microsoft Azure (which also provides PaaS), SAP Cloud Platform Integration, AWS, and Google Compute Engine.
While the differences between SaaS and the other two models seem straightforward, this is not the case with the distinction between PaaS and IaaS. A useful way of distinguishing the former from the latter is to think about the purpose for which the infrastructure is provided through the cloud. Taking the example of a website, IaaS could be used to host it. If a developer would like to add custom features, for example through the creation of custom applications, then PaaS would be needed.Footnote16
Finally, serverless computing offers users the possibility to write and deploy code without the need to manage servers.Footnote17 These servers still exist, but they are run and managed by the cloud service provider, on a ‘pay-as-you-go’ basis.
As regards market players, United States-based companies, such as Amazon, Microsoft, Google, Oracle, IBM, and Salesforce, are in the lead. Other important providers include Alibaba, Tencent and SAP.
III. The EU’s approach to cloud computing
This Part examines recent initiatives undertaken by the EU that regulate cloud computing, namely the DMA (Section A), the DSA (Section B), and the DA proposal (Section C). It discusses whether these instruments adequately consider the characteristics and workings of cloud services. The EU is the first jurisdiction that has adopted sector-specific rules for cloud computing. It follows that these three Acts will serve as prominent examples for other jurisdictions that are adopting their own regulation. By analysing the EU experience, this Part demonstrates why other regulators should not necessarily combine cloud computing with other technology services (e.g. online platforms) and why they should make sure that the aims of any digital regulation carefully consider the specific characteristics of cloud services.
A. Cloud computing services under the DMA
This Section examines the implications of cloud computing services falling under the scope of the DMA.Footnote18 It first sets out the objectives of the DMA (sub-section 1). It then critically discusses whether cloud services should have been regulated by the DMA (sub-section 2). Finally, it examines how the DMA obligations will apply to cloud computing (sub-section 3) and whether cloud computing providers may escape or successfully challenge designation under the DMA (sub-section 4).
1. Objectives of the DMA
The adoption of the DMA comes as a response to the increasing importance that online platforms play in the economy, with certain platforms serving as ‘gateways’ for businesses to reach consumers.Footnote19 The DMA is primarily concerned with the reduced contestability of the core platform services those platforms offer and the unfair practices in which they engage vis-à-vis business users and consumers.Footnote20 To address these concerns, the DMA imposes a series of obligations on undertakings designated as gatekeepers, the most important of which are laid down in Article 5 (self-executing obligations) and Article 6 (obligations which are susceptible of being further specified).
2. The implications of treating cloud computing services as core platform services under the DMA
According to Article 3 of the DMA, an undertaking shall be designated as a ‘gatekeeper’ if it meets three overarching qualitative requirements, namely it has a significant impact on the internal market; it operates a core platform service (‘CPS’) which serves as an important gateway for business users to reach end users; and it enjoys an entrenched and durable position in its operations. An undertaking is presumed to satisfy these qualitative conditions if it meets the quantitative thresholds laid down in Article 3(2) (e.g. the core platform service must have at least 45 million monthly active users). The DMA lists several services that qualify as CPSs, including cloud computing services. The latter are defined by reference to Directive 2016/1148, according to which cloud computing means ‘a digital service that enables access to a scalable and elastic pool of shareable computing resources.’Footnote21
The decision to introduce cloud computing services in the list of CPSs is controversialFootnote22 for at least three reasons, namely the contestability of the cloud computing market; the (lack of) multi-sidedness of cloud computing services; and the related difficulties in determining the business and end users of cloud computing services. These concerns, which are discussed in more detail below, should be carefully considered by other jurisdictions that are contemplating similar ex ante rules for digital markets.
Contestability of cloud computing: One of the main goals of the DMA is to improve contestability in digital markets. The DMA will affect several markets with different structures. Those are mainly markets dominated by a single platform (e.g. Google in online search engines) and oligopolistic markets, such as cloud computing, online travel, or number independent interpersonal communications.Footnote23 However, the mere oligopolistic structure of a market does not provide much insight into the state of contestability in the market. On the contrary, as the OECD emphasizes, oligopolistic markets can be contestable.Footnote24 The cloud computing industry is fiercely competitive, with first-movers currently being under pressure from other providers.Footnote25 Given that the DMA seeks to protect contestability, it is unclear why it should apply to cloud computing services.
Lack of multi-sidedness: The DMA exclusively targets digital platforms which intermediate between business users and end users. Indeed, an undertaking can be designated as a gatekeeper only if it provides a CPS which serves as an ‘important gateway for business users to reach end users.’Footnote26 A key economic characteristic of CPSs should therefore be their multi-sided nature (the fact that they connect business users to end users), as repeatedly mentioned in the preamble to the DMA.Footnote27 This is also reflected in the Impact Assessment accompanying the DMA proposal, which excluded certain digital services (e.g. on-demand streaming services) from the scope of the DMA precisely on the grounds that they are not multi-sided.Footnote28
Against this background, the inclusion of cloud computing services in the list of CPSs is striking. Indeed, cloud computing services do not exhibit multi-sidedness, and they do not perform an intermediary function. An app store (which qualifies as an ‘online intermediation service’ under the DMA) intermediates between app developers and app users. Likewise, an operating system intermediates between software developers and users, and a search engine intermediates between websites and Internet users. By contrast, cloud computing services do not intermediate between businesses and end users; rather, they merely provide tools that help businesses in their operations, such as website hosting, network storage, data analytics, or developer tools.Footnote29 These services are merely an input used by businesses. While the Impact Assessment accompanying the Commission’s DMA proposal contains a section dedicated to the identification of CPSs, it falls short of providing a conclusive argument in favour of including cloud computing services in the list of CPSs.Footnote30 Therefore, other jurisdictions considering similar regulation should carefully consider its intended scope and purpose. Where that scope might extend to cloud computing, they should take care to avoid the EU’s approach, which has led to an inconsistency between the stated purpose of the DMA and the services that are listed as a CPS.
Difficulties in identifying business and end users of cloud computing: The problems arising from the inclusion of cloud computing services as a CPS despite their lack of multi-sidedness are illustrated by the difficulties one encounters in identifying (and counting) the business and end users of cloud computing services. This is necessary for determining whether the quantitative thresholds laid down in Article 3(2)(b) of the DMA are met.Footnote31
The DMA includes an Annex laying down the methodology for determining the number of active end and business users for all CPSs. In the case of cloud computing, the Annex defines end users as ‘unique end users who engaged with any cloud computing services from the relevant provider of cloud computing services at least once in the month, in return for any type of remuneration, regardless of whether this remuneration occurs in the same month.’ Business users are defined as ‘unique business users who provided any cloud computing services hosted in the cloud infrastructure of the relevant provider of cloud computing services during the year.’
The guidance provided in the Annex is far from clear with respect to cloud computing. On the one hand, the definition of ‘end users’ broadly refers to users that pay to obtain cloud computing services from the potential gatekeeper, thereby potentially including business users. The definition of ‘business users’ suggests that business users are themselves providers of cloud computing services. More importantly, the Annex fails to establish a relationship between business and end users, as it does not explain how business and end users interact (for instance, do end users need to use the cloud computing services of business users?), and how their interaction is intermediated by the provider of cloud computing services. By means of example, in the case of online intermediation services (which are also included in the list of CPSs), the Annex explains that, depending on the platform, end users are those that concluded a transaction through the online intermediation service, and business users are those that concluded a transaction enabled by the online intermediation service.Footnote32 No such link is drawn with respect to the business users and end users of cloud services.
3. Obligations for gatekeepers under the DMA
The DMA lists several obligations that designated gatekeepers must observe, yet many of those obligations are tailored to specific services such as search engines (e.g. Article 6(11)) or app stores (e.g. Article 6(12)), and in any event services that intermediate between businesses and end users. By contrast, the obligations relevant to cloud computing seem to be limited.
As regards Article 5, the most relevant obligations are the requirement to obtain user consent to engage in data combination,Footnote33 and the prohibition to require business users or end users to subscribe to any core platform services offered by a gatekeeper as a precondition for using its cloud services.Footnote34
Moving on to Article 6, the most relevant obligations are: the prohibition to use business user data to compete against those business users;Footnote35 the obligation to provide end users with effective data portability;Footnote36 and the obligation to provide business users with real-time access to data provided for or generated in the context of the use of the relevant CPS.Footnote37
Such limited applicability of the DMA obligations to cloud services is further evidence that cloud services do not fit the logic of this instrument. Again, this serves as a lesson for other jurisdictions that it is necessary to take deeper care than the EU to align the scope and purpose of an instrument that regulates digital markets.
4. Looking forward: the potential inapplicability of the DMA to cloud computing providers
The preceding section has explained why cloud computing services do not fit the logic of the DMA. For our purposes, it is worth noting that the Commission has recently designated certain companies as gatekeepers for several core platform services and that none of these companies has been designated as a gatekeeper for cloud services.Footnote38 This may be attributed to several parameters, including a failure to notify the Commission that a cloud service meets the quantitative criteria of the DMA. In other words, that no cloud services have been designated yet does not exclude designation in the (near) future. If designated, cloud computing providers may escape or successfully challenge designation under the DMA as set out below.
In the first place, under the DMA, an undertaking meeting the quantitative thresholds may rebut the presumption that it qualifies as a gatekeeper.Footnote39 In the context of the rebuttal process, the provider of cloud computing services may explain that its services do not serve as an ‘important gateway’ for business users to reach end users, for the simple reason that they do not intermediate between business users and end users (see sub-section 2 above).
A cursory look at the text of the DMA might give the impression that, for the purposes of rebutting the presumption that it qualifies as a gatekeeper, an undertaking may rely solely on quantitative evidence (e.g. size, including turnover and market capitalization).Footnote40 However, were the Commission to ignore qualitative arguments (e.g. lack of intermediation), any designation decision subsequently adopted would be exposed to legal challenge before the EU Courts:
- First, disregarding qualitative arguments would likely fall foul of the principle of proportionality, for it is disproportionate to the objective of the DMA (which is to regulate genuine gatekeepers) to ignore parameters relevant to the lack of gatekeeping power. Otherwise, the DMA would be overinclusive and capture undertakings that do not act as gateways for businesses to reach consumers.
- Secondly, focusing solely on quantitative parameters would also likely breach the principle of non-discrimination, according to which comparable situations must not be treated differently. The reason is that, when assessing whether an undertaking that does not meet the quantitative thresholds qualifies as a gatekeeper, the Commission may consider a range of qualitative parameters (e.g. network effects from which the intermediary benefits).Footnote41 But it is far from clear why the Commission should assess gatekeeping power for undertakings that meet the thresholds differently from undertakings that do not meet the thresholds.
- Thirdly, ignoring qualitative arguments that have been raised during the rebuttal process can amount to a breach of the rights of defence, and thus an infringement of an essential procedural requirement. This is a ground for bringing an action for annulment against a decision adopted by the Commission.Footnote42
In the second place, a provider of cloud computing services that has been designated as a gatekeeper could challenge the designation decision, among others on the grounds that the DMA itself falls foul of the principle of proportionality insofar it includes cloud computing services within the list of core platform services.Footnote43 Indeed, to the extent the DMA’s objective is to regulate services that act as ‘important gateways’ for business users to reach end users, it is manifestly disproportionate to include within its scope services which by their very nature do not intermediate between business and end users, such as cloud computing services.
Overall, the existing legal framework offers tools to address the problems arising from including cloud computing services in the scope of the DMA. Policymakers should adopt a sensible approach to the use of these tools, for cloud services are distinct from the online platforms which the DMA regulates and which act as intermediaries between businesses and consumers. Furthermore, the potential of these challenges should serve as a warning to policymakers in other jurisdictions. Should their regulation contain similar inconsistencies between the stated aims and scope then they open themselves up to the same risk of litigation and judicial review.
B. Cloud computing services under the DSA
This Section examines the applicability of the DSA to cloud computing. It first sets out the objectives of the DSA (sub-section 1) and then discusses the implications of treating cloud services as hosting services or online platforms under the DSA (sub-section 2).
1. Objectives of the DSA
The aim of the DSA is to contribute to the proper functioning of the internal market for intermediary services by setting out harmonized rules for a safe, predictable, and trusted online environment that facilitates innovation whilst ensuring an adequate level of protection of fundamental rights.Footnote44
The DSA lays down rules on the provision of ‘intermediary services’ in the EU. It establishes rules for the conditional liability exemption in cases where illegal content is disseminated, and rules on specific due diligence obligations intermediary services must respect.Footnote45 Such obligations depend on the type and size of the intermediary concerned. The DSA distinguishes between four different categories, namely intermediary services, hosting services (including online platforms), online platforms, and very large online platforms. A graduated approach applies whereby the obligations become stricter moving from one category to the next.
2. The implications of including cloud computing services in the DSA
The DSA refers to cloud computing services as an example of hosting services.Footnote46 However, it further explains that cloud services could also qualify as online platforms.Footnote47 The key difference between a hosting service and an online platform is the dissemination of information to the public. If the provider concerned disseminates information to the public and this activity is not a minor and ancillary feature of another service or a minor functionality of the cloud service itself,Footnote48 the cloud service in question qualifies as an online platform.Footnote49
That cloud services qualify as hosting services and online platforms for the purposes of the DSA is problematic for at least two reasons. First, the concept of ‘hosting services’ is overly broad because it includes hosting services which are provided exclusively to enterprises (e.g. data storage and processing, data analytics, customer relations management). It is difficult to gauge how cloud services offered exclusively to enterprises will be able to comply with the obligations that apply to hosting services, including the obligation to remove any illegal content made available on the hosting service.Footnote50 This is because, in many cases, cloud service providers do not have the technical ability to identify and remove content that enterprises (or the customers of these enterprises) store on such services.
Secondly, the definition of ‘online platform’ does not fit cloud services. As discussed above, dissemination to the public is the key feature of an online platform. Nonetheless, it is not clear what ‘public’ means. This term could be subject to an unjustifiably broad interpretation and include cloud services that do not necessarily qualify as online platforms. A good example is OneDrive, a cloud computing storage service that allows its users to share content (for example through a link),Footnote51 which in turn could be shared with a potentially unlimited number of people through social media platforms.
Moving forward, the implementation of the DSA should prevent any unintended consequences arising from an extensive interpretation of the term ‘public’, which would disproportionately require compliance with obligations that are irrelevant to the cloud. Notably, the term ‘public’ should be interpreted by reference to the overall purpose of a service, to distinguish between social media platforms (which are expressly designed to allow content to reach a broad audience) and products with social features, such as OneDrive. Moreover, the term ‘public’ should also be interpreted by reference to the ability of a service to reach a potentially unlimited number of people. Using the same example, a link to content saved on OneDrive could not be shared with a potentially unlimited number of people without the use of a social media platform.
Overall, similar to the points made above on the DMA, the DSA should be implemented sensibly to ensure that it reflects the specificities of cloud computing services. Imposing on cloud computing providers obligations that are meant for online platforms would place an unnecessary regulatory burden on the former, raising proportionality concerns. The EU’s overextension of its regulation to include cloud computing is therefore something that policymakers in other parts of the world should avoid if they want to implement effective regulation that can achieve its stated aims.
C. Cloud computing services under the proposed Data Act
This Section discusses the Commission’s recent proposal for a Data Act (‘DA’). First, it sets out the objectives of the DA (sub-section 1). Secondly, it examines the implications of the DA for cloud computing service providers (sub-section 2).
1. Objectives of the Data Act
According to the Commission, the DA will ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation, and make data more accessible.Footnote52 The proposal attempts to achieve these objectives by, inter alia, introducing rights and obligations that enable access to data by consumers and businesses; facilitate switching between services that fall in scope; safeguard international transfers of non-personal data; and promote interoperability.
Since the legislative process has not been completed, the text will certainly evolve. However, the DA proposal is worth discussing for two reasons. First, one of the main objectives of the DA is to establish fair and competitive conditions in cloud computing (e.g. the DA would establish rights and obligations to facilitate switching between different cloud service providers).Footnote53 Secondly, as the next section illustrates, there is room to improve the proposal, which at present does not adequately consider the specific characteristics of cloud computing services.
2. The implications of including cloud computing services in the Data Act
As the proposal currently stands, there are two main concerns for cloud computing. First, there is considerable confusion arising from the definitions established in the DA proposal to determine its scope. Clearly, such definitions will affect the extent to which cloud computing services will need to comply with the DA. Secondly, several substantive obligations laid down in the DA proposal fail to consider the workings of cloud computing. These issues are discussed below.
Lack of clarity with respect to scope: The DA proposal has an extensive scope. It covers personal and non-personal data,Footnote54 and it applies to entities that are defined in broad terms. For example, most of the obligations it establishes apply to ‘data holders’, which are legal or natural persons who have the right, the obligation, or the ability to make available certain data.Footnote55 This definition covers a wide range of players, from IoT product manufacturers to cloud computing service providers.
As a result of this extensive scope, it is unclear how the exercise of user rights established in the DA would work in practice. For example, under Article 3(1) of the proposal, ‘[p]roducts shall be designed and manufactured [by data holders], and related services shall be provided [by data holders], in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user’.
IoT products are often powered by cloud services. Based on the wording of Article 3(1), it is unclear what is expected of cloud service providers.Footnote56 Are both IoT product manufacturers and cloud service providers considered ‘data holders’ vis-à-vis end-users?Footnote57 Or, are cloud service providers considered data holders vis-à-vis IoT product manufacturers (which also qualify as data holders)?Footnote58 This question becomes more complex in B2B environments where different players form part of ecosystems of ‘products’ and ‘related services’.Footnote59 This issue could be addressed by excluding from the scope of ‘data holders’ infrastructure or software providers (including cloud service providers), which are contractually prevented from generating data within the meaning of Article 3(1) of the DA.Footnote60
Another example that illustrates that the scope of the DA proposal falls short of acknowledging the specificities of cloud computing is the definition of ‘service type’. According to the DA proposal, ‘service type means a set of data processing services that share the same primary objective and basic data processing service model.’Footnote61 Cloud computing services fall under the definition of data processing services.Footnote62
The practical implication of defining the ‘service type’ of data processing services is that the DA would establish several obligations to facilitate switching and interoperability between data processing services of the same service type. For example, under Article 23(1) of the DA proposal, providers of data processing services must take measures to ‘ensure that customers of their service can switch to another data processing service, covering the same service type, which is provided by a different service provider’. However, in the context of cloud computing, the definition of ‘service type’ is problematic because it does not reflect the complexity of the value chain, that is, the different service types (or service models) identified in Part I.Footnote63 What is more, this definition does not consider that different cloud services of the same model may share certain features with competing offerings, but vary significantly in terms of how they are delivered to customers.Footnote64 This means that complying with obligations established in the DA, such as those imposed by Article 23(1) may prove difficult in practice.Footnote65
Compliance challenges arising from the substantive obligations of the DA: The DA is meant to facilitate switching between cloud service providers.Footnote66 However, the DA proposal does not take account of the fact that switching involves two providers. As the text currently stands, the burden is primarily placed on the exporting provider.Footnote67 For example, according to Article 26(1), exporting service providers must ‘ensure that the customer, after switching to a service covering the same service type offered by a different provider of data processing services, enjoys functional equivalence in the use of the new service’. By means of comparison, the switching obligations under Article 106 of the European Electronic Communications Code (‘EECC’) are imposed on both the transferring provider and the receiving provider. In a similar vein, Article 26 (1) should reflect the responsibilities that should be borne by the importing cloud service provider. This is an issue addressed by the Council’s mandate on the DA proposal, which has proposed an amendment to Article 26(1) whereby exporting service providers must ‘take all measures in their power, including in cooperation with the data processing service provider of the destination service to facilitate that the customer, after switching to a service covering the same service type offered by a different provider of data processing services, enjoys functional equivalence in the use of the new destination service’.Footnote68 A similar proposal is made by the European Parliament.Footnote69 Related to the above obligation, which requires the exporting cloud service provider to ensure that the customer enjoys ‘functional equivalence’ in the use of the new service, it is not clear how full ‘functional equivalence’ can be ensured in the context of cloud computing. It is impossible for cloud service providers to be aware of all the functionalities of other services, including security aspects and performance levels. Such issues should fall outside the definition of ‘functional equivalence’, rendering compliance with the relevant obligation feasible.Footnote70
Another problem arising from the concept of ‘functional equivalence’ is that a cloud service will have features that are unique to that service. Even the functionalities that could be regarded as ‘equivalent’ would be implemented differently because developers understand differently the needs of the same customers.Footnote71 It is therefore impossible to compile a list of all known ‘service types’ with a view to ensuring functional equivalence. In other words, despite what the DA proposal suggests,Footnote72 there can be no functional equivalence between cloud services of the same service type. A more feasible solution that could be envisaged for the purposes of implementing the DA is to create an environment where users can extract their data in standardized or in structured, commonly used, and machine-readable formats.Footnote73 As a result, moving data from one service to another can be dealt with by custom or open-source tools that can account for the uniqueness of each pair of data transfer scenarios.Footnote74
Overall, as the above examples illustrate, the DA proposal misses the mark in several instances. The DA would bring about considerable changes in how cloud services are offered to customers. But, the scope of the DA and the obligations it establishes misconstrue several aspects relating to how cloud computing services are designed and offered. Policymakers in other jurisdictions could learn from the experience of the DA. Cloud computing services are substantially different from other digital services and not fully appreciating such differences when drafting new rules can lead to the implementation of regulation that is inappropriate in its application or disproportionate in its scope.
IV. Conclusions
Several regulatory initiatives are emerging in the EU which will affect how cloud services are provided to businesses and consumers alike. Prominent initiatives include the DMA, the DSA and the DA. These initiatives may be the most advanced, but it is likely that similar initiatives will follow in other jurisdictions.
Against the backdrop of such initiatives and the technological and market aspects of cloud computing, policymakers both inside and outside the EU must carefully reflect on whether (and if so, how) to regulate such services. Notably, the DMA and the DSA illustrate that cloud services do not fit the logic of regulating online platforms whereas the DA does not adequately reflect how cloud services are designed and provided to customers.
Before proposing or implementing regulation for cloud computing, the policymaker must consider the complex value chain of cloud computing (e.g. SaaS and IaaS have many differences); recognize that the way cloud computing works is not similar to services (e.g. search engines) that have attracted regulatory attention in recent years; and establish obligations that reflect how cloud services are placed on the market (by e.g. restricting the scope of functional equivalence to aspects for which such equivalence is feasible). Regulating cloud computing without considering its specific characteristics will undermine the uptake of this promising technology, which is expected to play a major role in reaping the benefits of the digital economy.
****
Acknowledgments
The authors would like to thank Dimitrios Katsifis and Alexandru Circiumaru for their excellent research assistance and comments on earlier drafts.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 Gabriella Cattaneo, Filippo Vanara and Alessandra Massaro, ‘Advanced Technologies for Industry – AT Watch: Technology Focus on Cloud Computing’ (ATI Watch Report Series, European Commission, Europa, 2020) <https://ati.ec.europa.eu/reports/technology-watch/technology-focus-cloud-computing> accessed 13 September 2023.
2 European Commission, ‘Shaping Europe’s Digital Future: Backbone Networks for Pan-European Cloud Federations’ Europa (21 October 2022) <https://digital-strategy.ec.europa.eu/en/activities/backbone-networks-cloud-federations> accessed 13 September 2023.
3 Will Forrest and others, ‘Cloud’s Trillion-dollar Prize is Up for Grabs’ McKinsey Quarterly (26 February 2021) <www.mckinsey.com/business-functions/mckinsey-digital/our-insights/clouds-trillion-dollar-prize-is-up-for-grabs> accessed 13 September 2023.
4 Grand View Research, ‘Cloud Gaming Market Size, Share & Trends Analysis Report By Type (File Streaming, Video Streaming), By Device, By Gamer Type, By Region, and Segment Forecasts, 2022–2030’ (2023) <www.grandviewresearch.com/industry-analysis/cloud-gaming-market> accessed 13 September 2023.
5 For example, in 2021 only 41% of businesses across the EU had implemented cloud computing. See: Eurostat, ‘Cloud Computing – Statistics on the Use by Enterprises’ Europa (2021) <https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Cloud_computing_-_statistics_on_the_use_by_enterprises> accessed 13 September 2023.
6 Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) [2022] OJ L 265/1 (‘DMA’).
7 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) [2022] OJ L 277/1 (‘DSA’).
8 European Commission, ‘Proposal for a Regulation of The European Parliament and of The Council on harmonised rules on fair access to and use of data (Data Act)’ COM (2022) 68 final (‘DA Proposal’).
9 Microsoft Azure, ‘What is Cloud Computing? A Beginner’s Guide’ <https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-cloud-computing/> accessed 13 September 2023.
10 Peter Mell and Tim Grance, ‘The NIST Definition of Cloud Computing’ (NIST, 2011) <https://csrc.nist.gov/publications/detail/sp/800-145/final> accessed 13 September 2023.
11 Derrick Rountree and Ilena Castrillo, ‘The Basics of Cloud Computing: Understanding the Fundamentals of Cloud Computing in Theory and Practice’ (Syngress, 2013) 3–4.
12 IBM Cloud Education, ‘What is Virtualization’ <www.ibm.com/cloud/learn/virtualization-a-complete-guide> accessed 13 September 2023.
13 Stephen Watts and Muhammad Raza, ‘SaaS vs PaaS vs IaaS: What’s The Difference & How to Choose’ BMC Blogs (15 June 2019) <www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats-the-difference-and-how-to-choose/> accessed 13 September 2023.
14 Hossein Ashtari, ‘Platform as a Service (PaaS) vs. Software as a Service (SaaS): Key Differences and Similarities’ Spiceworks (18 February 2022) <www.spiceworks.com/tech/cloud/articles/paas-vs-saas/#:~:text=It%20is%20more%20common%20for,marketed%20exclusively%20for%20B2B%20applications> accessed 13 September 2023.
15 Timothy Shim, ‘15 Popular Platform as a Service (PaaS) Examples’ Web Hosting Services Revealed (16 February 2023) <www.webhostingsecretrevealed.net/blog/web-business-ideas/paas-examples/> accessed 13 September 2023.
16 Sophia Bernazzani, ‘IaaS vs. PaaS vs. SaaS: Here's What You Need to Know About Each’ HubSpot Blog (4 July 2022) <https://blog.hubspot.com/service/iaas-paas-saas> accessed 13 September 2023.
17 Microsoft Azure, ‘Serverless Computing – An Introduction to Serverless Technologies’ <https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-serverless-computing/> accessed 13 September 2023.
18 DMA (n 6) Article 2(1)(i).
19 ibid. Recital (1).
20 ibid. Recitals (3) (referring to reduced contestability) and (4) (referring to the risk of serious imbalances in bargaining power and of unfair practices and conditions for business users, as well as end users of core platform services).
21 ibid. Article 2(13), referring to Article 4(19) of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L 194/1.
22 Mario Mariniello and Catarina Martins, ‘Which Platforms will be Caught by the Digital Markets Act? The ‘Gatekeeper’ Dilemma’ Bruegel (14 December 2021) <www.bruegel.org/blog-post/which-platforms-will-be-caught-digital-markets-act-gatekeeper-dilemma> accessed 13 September 2023.
23 Heike Schweitzer, ‘The Art to Make Gatekeeper Positions Contestable and the Challenge to Know What is Fair: A Discussion of the Digital Markets Act Proposal’ (2021) 3 Zeitschrift fur Europaisches Privatrecht 503.
24 OECD, ‘Oligopoly Markets’ <www.oecd.org/daf/competition/oligopoly-markets.htm> accessed 13 September 2023.
25 See, for example: Nico Grant, ‘Google is Searching for a Way to Win the Cloud’ Bloomberg (2 February 2022) <www.bloomberg.com/news/articles/2022-02-02/google-searches-for-way-to-win-cloud-share-from-amazon-web-services-microsoft> accessed 13 September 2023.
26 DMA (n 6) Article 3(1)(b).
27 See for example: DMA (n 6) Recital (2) (referring to the multi-sidedness of CPS as one of their main characteristics); Recital (3) (referring to the ability to connect many business users with many end users); Recital (15) (explaining that the DMA obligations should only apply to undertakings designated as gatekeepers, and should only apply to those of their core platform services that individually constitute an important gateway for business users to reach end users).
28 European Commission, ‘Commission Staff Working Document – Impact Assessment Report Accompanying the Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act)’, SWD(2020) 363 final (‘DMA Impact Assessment’) 38, explaining that video streaming services and video on-demand services were considered but eventually excluded from the scope of core platform services as they ‘lack multi-sided market characteristics’.
29 See, for example: Rima Alaily and Casper Klynge, ‘Microsoft Supports New Rules for Gatekeepers’ Microsoft EU Policy Blog (3 May 2021) <https://blogs.microsoft.com/eupolicy/2021/05/03/microsoft-supports-new-rules-for-gatekeepers/> accessed 13 September 2023.
30 See DMA Impact Assessment (n 28) 114–115, explaining that online intermediation services can ‘become a key access point for business users to reach end users’ and online search engines have ‘the capacity to affect a large number of end users and businesses alike.’ As regards cloud computing services, however, the Impact Assessment merely explains that such services provide ‘infrastructure to support and enable functionality in digital services offered by others and at the same time offer a range of products.’ Yet, this does not explain how cloud computing services intermediate between businesses and their users.
31 Article 3(2)(b) of the DMA (n 6) provides that an undertaking shall be presumed to provide a core platform service which serves as an ‘important gateway’ between business users and end users if the core platform service has more than 45 million monthly active end users established or located in the EU and more than 10,000 yearly active business users established in the EU.
32 The Annex defines end users as ‘unique end users who engaged with the online intermediation service at least once in the month […] or concluded a transaction through the online intermediation service at least once in the month.’ Business users are defined as ‘unique business users who had at least one item listed in the online intermediation service during the whole year or concluded a transaction enabled by the online intermediation service during the year.’
33 DMA (n 6) Article 5(2).
34 ibid. Article 5(8).
35 ibid. Article 6(2).
36 ibid. Article 6(9).
37 ibid. Article 6(10).
38 European Commission, ‘Digital Markets Act: Commission designates six gatekeepers’ – Press release Europa (6 September 2023) <https://ec.europa.eu/commission/presscorner/detail/en/ip_23_4328> accessed 6 September 2023.
39 ibid. Article 3(5).
40 ibid. Recital (23): ‘In its assessment of the evidence and arguments produced, the Commission should take into account only those elements which directly relate to the quantitative criteria, namely the impact of the undertaking providing core platform services on the internal market beyond revenue or market cap, such as its size in absolute terms, and the number of Member States in which it is present; by how much the actual business user and end user numbers exceed the thresholds and the importance of the undertaking’s core platform service considering the overall scale of activities of the respective core platform service; and the number of years for which the thresholds have been met.’
41 DMA (n 6) Article 3(8).
42 Consolidated Version of the Treaty on the Functioning of the European Union [2012] OJ C 326/47, Article 263.
43 From a procedural point of view, the undertaking would contest the designation decision, and then incidentally challenge the DMA (or parts thereof). This is preferable to filing an action for annulment of the DMA (or parts thereof), as it is much harder for undertakings to establish standing to challenge a Regulation.
44 DSA (n 7) Article 1(1).
45 ibid. Article 2(1).
46 ibid. Recital (27a).
47 ibid. Recital (13).
48 ibid.
49 It is worth mentioning that the DSA (n 7) attempts to clarify when cloud services do not qualify as platforms. Recital (13) notes that ‘cloud computing services […] when serving as infrastructure, such as the underlining infrastructural storage and computing services of an internet-based application, website or online platform, should not in themselves be considered as disseminating to the public information stored or processed at the request of a recipient of the application, website or online platform which they host’. Recital (13) implies that the only type of cloud services that may not qualify as platforms are IaaS.
50 DSA (n 7) Articles 14 et seq.
51 Microsoft, ‘Microsoft’s Comments on the European Commission’s Proposed Digital Services Act’ Europa (31 March 2021) <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12417-Digital-Services-Act-deepening-the-internal-market-and-clarifying-responsibilities-for-digital-services/F2164152_en> accessed 13 September 2023.
52 European Commission, ‘Data Act: Commission Proposes Measures for a Fair and Innovative Data Economy – Press Release’ Europa (23 February 2022) <https://digital-strategy.ec.europa.eu/en/news/data-act-commission-proposes-measures-fair-and-innovative-data-economy> accessed 13 September 2023.
53 DA proposal (n 8) 7.
54 ibid. Article 2(1).
55 ibid. Article 2(6).
56 Microsoft, ‘Microsoft Position Paper on the Data Act’ (October 2022) 4.
57 ibid.
58 ibid.
59 ibid.
60 ibid.
61 DA proposal (n 8) Article 2(13).
62 ibid. Article 2(12). Recital (69) explicitly refers to cloud computing services as examples of data processing services.
63 Microsoft (n 56) 5.
64 ibid.
65 ibid. In its position on the DA proposal, the European Parliament proposes an amendment whereby the providers of a data processing service should take measures to enable switching ‘within their capacity’. This is arguably not sufficient clear. See Amendments adopted by the European Parliament on 14 March 2023 on the proposal for a regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (Data Act) (COM(2022)0068 – C9-0051/2022–2022/0047(COD), Article 23(1).
66 DA proposal (n 8) Chapter VI.
67 Microsoft (n 56) 14.
68 Council of the European Union. Proposal for a Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (Data Act) – Mandate for negotiations with the European Parliament. Article 26(1).
69 European Parliament position on the DA proposal (n 65), Article 26(1).
70 ibid. 15.
71 ibid. 16.
72 DA proposal (n 8) Article 29(1)(c).
73 ibid.
74 ibid.