The new European regulation on the free movement of non-personal data, an important step in the battle against vendor lock-in practices

On 9 November 2018, the reform on the free flow of non-personal data in the EU was adopted. Described as the "fifth freedom" – after the freedom of people, goods, services and capital – the “framework for the free flow of non-personal data in the European Union” supplements the recent GDPR. For IT infrastructure providers in the cloud, this regulation will be implemented through a European code of conduct led by OVH. Alban Schmutz, Vice President of Development and Public Affairs at OVH, explains.

What do you think of the new European regulation?

Alban Schmutz – This new European regulation complements the GDPR. It may be less newsworthy due to its B2B aspect, but it marks an essential step in the creation of a single European space for the free flow of data. On the one hand, it removes most of the geographical restrictions on the storage and processing of non-personal data in Europe (which mainly concerns public entities). But it will also make it easier for customers of cloud providers (infrastructure or software) to switch providers.

So this is excellent news for European cloud providers and particularly their customers. In addition to creating a truly free space for EU members, this regulation will help the European data market to reach an estimated 4% of GDP by 2020, or an increase of around €8 billion per year according to Deloitte.

What impact does it have on OVH and its customers?

A. S. -  Article 6 of the Free Flow of Data regulation is particularly relevant to us and will directly benefit our customers. It deals in detail with the portability of non-personal data in Europe from one cloud provider to another, without any constraints. It marks an important step in combating the vendor lock-in practices of some cloud providers that can block or strongly discourage the possibility of migration to other providers. Chief Information Officers will be able to compare the competitiveness of their providers more easily and take back control in negotiations. In our opinion, this is a fundamental measure that is in line with the values we have defended since OVH was born: freedom of choice and the promotion of open standards. The portability of non-personal data is actually a way to ensure reversibility. Ideally we could go even further, particularly in the area of technical automation, but that is not the purpose of this regulation.

How can we ensure that these regulations are properly applied?

A. S. - This new legislation on the free movement of non-personal data requires players in the European market to adopt codes of conduct to ensure its implementation. Through CISPE, the association of Cloud Infrastructure Service Providers in Europe, OVH took the lead in early 2018 by drafting such a code on IAAS (Infrastructure as a Service) in coordination with EuroCIO, the European association of CIOs. This work has been part of a process formalised by the European Commission since April 2018. Called SWIPO (SWItching and POrting), it involves two working groups (IAAS and SAAS). The final version of the IAAS code of conduct will be published within a few weeks.

When will it fully enter into force?

A. S. - The regulation was passed by the European Parliament on 4 October 2018. On 9 November, a common and final version between the European Parliament and the Council (Member States of the European Union) was adopted. This will be published in the Official Journal of the European Union within a few weeks. We will officially present the final version of the code of conduct on 4 December 2018 in Vienna at the major ICT2018 event organised by the European Commission. Additional documents with practical examples will be available in February 2019. So it will be implemented during 2019 by the providers who subscribe to it.

What is the next step?

A. S. - On top of our contribution on cloud infrastructure (IAAS), it will first of all be necessary to ensure that all cloud services are covered, in particular SAAS. It is essential for our customers, as well as for the innovation and health of the European technology ecosystem, to ensure that the entire cloud market remains open and applies reversibility principles.  Then, just as many non-European states have adapted their national legislation to comply with the requirements of the GDPR, this regulation will snowball until it is applied worldwide. CIOs around the world all need this, and they will not understand why what is done in Europe by their providers is not done for them. For the second time after the GDPR, the European Union will be able to demonstrate its extraterritorial impact in the regulations it adopts.