SMART 2016/0032 Switching of Cloud Services Providers
Cloud Stakeholders' Meeting, Brussels, 12 December 2017
Arthur van der Wees, Arthur's Legal & Douglas Hayward, IDC
© IDC

Post on 30-Jul-2020


Page 1: SMART 2016/0032 Switching of Cloud Services Providersec.europa.eu/information_society/newsroom/image/...these cloud services, migration may take for example 3 months, for 2– 3 FTE,

SMART 2016/0032 Switching of Cloud Services Providers
Cloud Stakeholders’ Meeting

Brussels, 12 December 2017

Arthur van der Wees, Arthur’s Legal & Douglas Hayward, IDC

© IDC

Page 2

All rights reserved, Arthur’s Legal B.V.

Start with Common Understanding: Definitions

Data is not a four letter word

International Telecommunication Union (ITU-T Y.2060) and The Internet of Things European Research Cluster (IERC)

Data

Data of any form, nature or structure, that can be created, uploaded, inserted in, collected or derived from or with cloud services and/or cloud computing, including without limitation proprietary and non-proprietary data, confidential and non-confidential data, non-personal and personal data, as well as other human readable or machine readable data.

EC Cloud Service Level Agreement Standardisation Guidelines

3D approach | Multi-story of connected data types | Classified data | Sensitive data | Personal data | Derived data | Proprietary data | IPR |

Encrypted data, with or without Tokenization | Distributed Data

Every (sub)category of data needs to be addressed separately

Page 3

Effect of Termination

‘You may retrieve Your Content from the Services, only if you have paid any charges for any post-termination use of the Service Offerings and all other amounts due, and (…)’

‘You will not have access to your data stored on the Services during a suspension or following termination.’

Access to Data

To the Service Offerings

‘We may change, discontinue or depreciate any of the Service Offerings.’

‘...we will provide you with the same post-termination data retrieval assistance that we generally make available to all customers.’

Post-Termination

In publicly available Cloud MSAs & SLAs:

Page 4

Main Strategic & Legal Challenges found in this Study 2016-0032

1. Absence of an Exit Plan
2. Lack of Transparency
3. Lack of Communication and Cooperation
4. ‘Take it or Leave it’ Approach
5. Ineffective & inconsistent Use of Standards
6. No Relevant Attributes or adequate service levels in place
7. No Remedies or Lack of Sufficient Remedies

Page 5

Data Retention: 60%
Most do not specify the amount of time that data is retained or deletes data upon termination.

Data Retrieval: 60%
Most do not specify the amount of time granted or deletes data upon termination

Interface: 0%
None of the scrutinized CSPs specify a mechanism for data transport

Format: 0%
None of the scrutinized CSPs specify the format for data transport

Page 6

The Portability Legal Life Cycle: When should Portability be considered? In all Phases.

1. Assessment
2. Preparation
3. Negotiation & Contracting
4. Execution & Operation
5. Updates & Amendments
6. Escalation
7. Termination & Post

Repeat

Page 7

Analysis of portability costs: Use cases

Use case: Simple
Phases 1, 2 & 3 (Pre-Agreement):
• Internal resource cost for data classification and deriving data structure and patterns (24*75 = EUR 1.800,-)
• External resource cost for exit procedure support (40*125 = EUR 5.000,-)
Phases 4, 5 & 6 (Execution): Internal resource cost for executing the exit procedure (160*75 = EUR 12.000)
Phase 7 (Termination & post-Termination): Limited
Total (€): EUR 18.800,- + limited cost in phase 7

Use case: Medium Complex
Phases 1, 2 & 3 (Pre-Agreement):
• Internal resource cost for data classification and deriving data structure and patterns and requirements (48*75 = EUR 3.600,-)
• External resource cost for exit procedure support (120*125 = EUR 15.000,-)
Phases 4, 5 & 6 (Execution): Assuming that the customer in this use case had stored quite a large amount of data in these cloud services, migration may take for example 3 months, for 2–3 FTE, which indicates a maximum internal resource cost of EUR 100.800,- (3*160*3*70 = EUR 100.800,-)
Phase 7 (Termination & post-Termination): Medium-Large
Total (€): EUR 119.400,- + medium-large cost in phase 7

Use case: Complex
Phases 1, 2 & 3 (Pre-Agreement):
• Internal resource cost for data classification and deriving data structure and patterns and requirements (64*75 = EUR 4.800,-)
• External resource cost for exit procedure support, including extensive impact scenario analysis, and exit plan preparations (200*125 = EUR 25.000,-)
Phases 4, 5 & 6 (Execution): In case the customer succeeds in transferring the services, this may take for example 6 months, for 2–3 FTE, which indicates a maximum internal resource cost of EUR 201.600,- (6*160*3*70 = EUR 201.600,-)
Phase 7 (Termination & post-Termination): Very large (company may fail)
Total (€): EUR 231.400,- + very large cost in phase 7

Page 8

Analysis of portability costs: Use cases

Example Pre-Contractual Cost (per deal): EUR 18.800

Annual Cloud Services Running/ Subscription Cost: EUR 15.000

Example Pre-Contractual Cost (per deal): EUR 18.800

Annual Cloud Services Running/ Subscription Cost: EUR 120.000

Example Pre-Contractual Cost (per deal): EUR 231.400

Annual Cloud Services Running/ Subscription Cost: EUR 600.000

Page 9

Ecosystem for Technology & The Rule of Law

Ethics & Accountability
Law & Legislation Official Policies
Standardisation & Certification
Market Self-regulatory & Contractual
Risk Allocation & Insurance
Technology
Case Law
Human & Society

Page 10

Next Generation Policy Instruments

Technology Neutral
Business Model Neutral
Interpretation Neutral
Hybrid
Principle-Based
Semantic Interoperable
Objective & Measurable
Facilitating both CSCs and CSPs

Page 11

Personal Data Processing & Article 20 GDPR

Right to Data Portability

20.1 The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, …

Page 12

Personal Data Processing & Article 20 GDPR

Right to Data Portability

20.2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

20.3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to [the right to be forgotten]. […]

20.4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Page 13

Customer Data both personal & non-personal Data

What Right to Data Portability?

Page 14

EC Study SMART 2016-0032

Page 15

Summary of key findings

• Main goals of this study and methodological approach
• Assessment of Technical and Economic and Legal issues
• Analysis of portability costs and compliance costs
• Assessment of potential measures and policy scenarios
• Economic impacts of portability policy scenarios
• Conclusions and recommendations

Page 16

Goals of the study

The main objective of this study is to gather evidence on practices relating to switching of cloud services providers, with a specific focus on the barriers potentially preventing data portability and/or application portability, and the policy measures needed to overcome these barriers.

The study aims at supporting policy-making aimed at facilitating switching of cloud services providers by business users and private users, in the context of the DSM.

The study is expected to contribute in particular to the European Cloud Initiative and the Free Flow of Data Initiative.

• Provide findings about their causes, suggest countermeasures and good practices
• Interact with the community of cloud stakeholders
• Assess the legal, technical and economic feasibility of potential measures
• Evidence on technical, legal, economic issues when switching cloud providers
• Assess competitiveness, innovation and economic impacts on the cloud market
• Collect feedback from stakeholders
• Draw conclusions and recommendations

Page 17

Methodological approach

Desk research
Field research
• 16 Case studies on cloud customers
• 9 Case studies on cloud service providers
• Additional online survey run from March 2017
Stakeholder validation (workshop) in May 2017
Additional data collection on cloud migration costs in June/July 2017
Additional data collection on compliance costs when dealing with obligation to facilitate switching, or ensure transparency in October 2017
• 9 cloud service providers involved, 4 responses collected
Economic model estimating the potential impacts on demand of public cloud measured as total spending in the EU, based on three alternative policy scenarios

Page 18

Technical assessment

Cloud users need to be aware of:
• Data Schema / Data Model
• Access of datasets to underlying infrastructure
• Business logic between data
• Semantics / Meaning of data

Application functionality
Middleware software
Underlying infrastructure

For data export to work more easily, an understanding of how data is organized in a cloud service is required

Page 19

Technical assessment

Complexity of portability increases as you go up the stack

SaaS (higher complexity)
PaaS
IaaS (lower complexity)

Data portability works if vendors:
• build services based on open standards APIs and protocols for data movement
• are transparent about: data model / data schema / data semantics

Data interdependencies tend to increase with:
• Type of cloud service consumed: higher complexity in SaaS versus IaaS
• Size of organization

Page 20

Technical assessment

Key findings:

• Few organizations have a clear cloud portability plan in place today. Most are still experimenting with cloud consumption

• The risk of vendor lock-in exists if vendors start to build intellectual property at data format/access levels (e.g. proprietary APIs, proprietary data archiving, other proprietary protocols)

Page 21

Assessment of potential policy scenarios

Option 1: Mandatory EU Policy
Introduction of portability right allowing cloud customers to export data/app from a CSP and import them to another CSP, strengthening the free exercise of choice of services for consumers and business within the DSM

Option 2: Soft Law Measures
The common denominator of soft law instruments (standards, codes of conduct, model contracts) is their voluntary nature and absence of redress mechanisms. Here the issue is not so much the existence or not of appropriate measures relevant for portability, but the level of engagement by the entire spectrum of stakeholders

Option 3: No Action
This option would leave relevant action for portability to Member States without entailing any action at EU level. In this context, MS would be expected to implement the requirements of the Treaty of the EU regarding free movement of goods, services and establishment and deepening the engagement of stakeholders

Page 22

Assessment of potential policy scenarios

Option 1: Mandatory EU Policy
• Positive impacts on business continuity;
• Adding value to ported data;
• Enhancing customer’s sense of control over data with new guarantees of data access and ownership

Option 2: Soft Law Measures
These measures can be beneficial, as they may contribute to the increase of awareness within the community of relevant cloud stakeholders

Option 3: No Action
This scenario would entail a series of negative consequences hampering Digital Single Market both at micro and macro level

Page 23

Policy impact scenario methodology

• Cloud Type
• Territory
• Industry
• Organization size

1. Basis: IDC public-cloud forecasts 2017-21
2. IDC forecasts projected to 2021-25
3. Multipliers added (see left)

Scenario: No EU Policy Action
Scenario: Mandatory Policy
Scenario: Soft Regulation

Page 24

Economic impacts of portability policy scenarios

For each of the policy scenarios considered by this study, IDC estimated the potential impacts on demand of public cloud measured as total spending in the EU

Page 25

Economic impacts of portability policy scenarios

No EU Policy Scenario - Impact on Demand: 18.7% CAGR during the period 2018-2025, market rises from €19.5 billion in 2018 to €64.9 billion in 2025
• SMEs (under 250 employees) tend to lag behind large enterprises in terms of take-up of public cloud because of lack of skills and relative lower maturity, as well as lower rates of movement towards digital transformation
• Sectors where there are confidence and trust barriers to cloud adoption will grow more slowly

Soft Law Measures - Impact on Demand: 19.7% CAGR during the period 2018-2025, market rises from €19.5 billion in 2018 to €68.8 billion in 2025
• By 2025, European public cloud demand is predicted to be 6% larger than under the ‘No EU Policy Action’ scenario
• This represents a difference of €3.9 billion in public cloud demand for 2025 between the three scenarios.

Mandatory EU Policy Impact on Demand: 20.5% CAGR during the period 2018-2025, market rises from €19.5 billion in 2018 to €71.9 billion in 2025
• By 2025, European public cloud demand is predicted to be 10.9% larger than under the ‘No EU Policy Action’ scenario
• This represents a difference of €7.1 billion in public cloud demand for 2025 between the three scenarios.

Page 26

Recommendations to the EU Member States

Encourage Awareness of the Need for ‘Exit Plans’ in cloud contracts
National Governments are invited to encourage awareness of the need for clear and well-defined "exit plans" that contain appropriate measures to guarantee that data and/or applications can be ported between cloud services with minimal, reasonable and pre-agreed costs and delays.

Encourage Dissemination of Best Practices of cloud migration and data porting
National Governments are invited to encourage dissemination of best practices facilitating promotion of greater levels of portability in accordance with the building blocks and other components

Allocate Reasonable Levels of Resources to Monitor Compliance
National Governments are invited to allocate reasonable resources to the competent authority to be assigned with the supervisory role to monitor compliance. For instance, auditing of cloud service providers requires investment in appropriate organizational resources and expertise.

Page 27

Recommendations to Organizations

Implement ‘Exit Plans’ from cloud contracts
Companies of all sizes, including both cloud service providers and their customers, should provide and implement concrete cloud-service “exit plans”.

Meaningful and effective redress
Contractual agreements between organizations of all sizes should provide for “meaningful and effective” redress, in case the portability related requirements (e.g. service level objectives) set in the contract are not met.

Treat Portability Strategically, and Plan for it.
Organizations of all sizes, including both cloud service providers and their customers, should consider portability of data and applications strategic, and provide for it within their business continuity plans.

Obtain Data Subject’s Consent Before Porting Their Data
Organizations acting in their capacity as cloud service customers obtain contractually appropriate consent in order to request their cloud service provider to port the data of the data subjects.