Negotiating contracts with Cloud Service Providers is a complex yet critical endeavour for organisations. As the ‘voice of the business user’, we are committed to keeping our members well-informed and prepared. Together with our sister associations Cigref (France), CIO Platform (Netherlands) and VOICE e.V. (Germany), we have put together concrete Recommendations plus a Data Portability Questionnaire, based around the recently published SaaS Code of Conduct (CoC) from SWIPO.
Overcoming roadblocks to porting your data
SWIPO (SWitching from provider and POrting non-personal data) is the name for the working groups, comprising users and providers, set up to address EU Regulation 2018/1807 on the free transfer of non-personal data in the EU. One goal of the Regulation is to resolve the legal, contractual and technical roadblocks that make it difficult or impossible for companies using data processing services to port their data from one service provider to another, or even back to their own systems.
The SWIPO working groups are drafting self-regulating ‘Codes of Conduct’ to address these roadblocks. These codes should define best practices and information requirements that reduce vendor lock-in, by making it smoother to switch providers and simplifying data porting. And they should ensure that Cloud Service Providers supply business users with detailed, clear and transparent information before signing a contract for data storage and processing.
The general SWIPO Principles
1. Switching between service providers and data porting must be possible, effective, not cost consuming, and easy.
2. The ability to port data without hindrance is a key factor in facilitating user choice and effective competition on markets for data processing services. [Consideration 29]
3. In order to take full advantage of the competitive environment, professional users should be able to make informed choices and to easily compare the individual components of various data processing services offered in the internal market, including in respect of the contractual terms and conditions of porting data upon the termination of a contract. [Consideration 30]
4. Trust enhancement in the security of cross-border data processing is a key factor to improve the legal certainty for companies as regards compliance with the applicable security requirements when organisations outsource their data processing activities to service providers, including to those in other Member States. [Consideration 33]
5. All security requirements related to data processing that are applied in a justified and proportionate manner on the basis of Union or national law in compliance with Union law in the Member State of residence or establishment of the natural or legal persons whose data are concerned, will continue to apply to processing of that data in another Member State. [Consideration 34]
(Source: SWIPO Common Scope and Approach, Version 0.10, 10 June 2019; our bold and references to the corresponding considerations of the Regulation.)
The above principles do not appear in the 2020 version of the document. This is very unfortunate, as they could be inspirational for the future evolution of the Code of Conduct.
CoC for SaaS and IaaS: strengths and gaps
So far, Codes of Conduct (CoC) have been created for SaaS and IaaS (you can find them on the SWIPO website). They cover several important details; for example, the current version of the SaaS CoC handles the technical aspects of porting rather adequately.
However, there are a number of gaps: it does not assure data export for interoperability, nor porting at all times; it does not assure data export in case of organisational change; it does not address cost moderation; it does not protect users from unilateral changes in contract terms; and more.
Our recommendations and observations
While Beltug and our sister organisations do encourage Cloud Service Providers to adhere to the CoC, this in itself is not enough for users to be confident that all of their needs are being met.
'SWIPO. A new Code of Conduct for data import and data export for SaaS Suppliers: Observations and recommendations' explains the background of SWIPO, provides observations on the strengths and gaps of the CoC, and gives recommendations on what your organisation can do when preparing tenders and negotiating with Cloud Service Providers. This includes a Data Portability Questionnaire (linked in the Recommendations) that you can use with providers who do and who do not adhere to the SaaS CoC.
We encourage you to share this document with all those involved in the selection of a SaaS application: business project leads, technical staff, buyers, contract drafters and legal counsellors.