The EU Data Act is a lot bigger than iCloud

If you use a data processing service provider of any kind, you may be happy to hear about the Data Act coming out of the EU. It requires service providers to make it easier to move your business data between services, demands interoperability, and gives users power over how their data is used.

A big step against vendor lock-in

At first sight, all these requirements are very positive, as they prevent service providers from forcing clients to stick with them because of the challenge of shifting data to other providers. This has been a sticking point for most “as-a-service” users in both enterprise and consumer markets for much too long.

If and when the proposed laws wend their way through the EU, the first experience for many that something has changed is it will become much easier to shift data from iCloud to other services. (Though any old DRM-infested iTunes purchases you might still have lying around may remain problematic.)

User-focused lock-in?

Apple will likely argue that as you can already download all your data to your local device and upload it elsewhere, not much change is required. It might have a point, as creating a system to automate shifting your information elsewhere could be seen as a security vulnerability to be exploited.

Perhaps it is better for personal users to maintain complete control over the data transfer service by doing so manually — though I think every Photos user would like some way to archive vast collections other than downloading to a local drive at huge cost of bandwidth.

But the act isn’t really about consumer cloud services such as iCloud.

More of an industry thing, actually

It’s aimed at Internet of Things, industrial data, and the information generated by devices and services related to those devices.

That’s actually a huge quantity of information, but while some may argue that this should be kept opaque to protect privacy, others will counter that ownership oof your own information is equally important. A few highlights from the Data Act include:

• Users of connected systems will be able to access the data generated by them and share that information with third parties.
• Unfair, unilaterally imposed contracts will be stopped.
• Public sector bodies will be able to access and use data held by the private sector, though the act seems to specify this will only be in case of public emergency.
• Interoperability in data-sharing and processing will get a boost.

However, for most business users, the key change is that the rules “grant customers the freedom to switch between various cloud data-processing service providers.”

That rule is aimed quite accurately at all the many service providers using proprietary formats around client data, which makes migration to alternative providers much harder than it should be. “Tonight’s agreement on the Data Act is a milestone in reshaping the digital space…. We are on the way of a thriving EU data economy that is innovative and open — on our conditions,” tweeted EU industry chief Thierry Breton.

Interoperability without uniformity?

One aspect of the rules is challenging. Not every service is equal, not all are built on the same code or operating system, and to some extent an element of lock-in seems inevitable. It isn’t clear the extent to which the EU has considered this, nor if has deeply considered the complexity of building completely interoperable systems while maintaining trade secrets and security. The proof of that particular pudding will be in the pie.

It is also unclear whether egress charges (the cost of transferring data across services) are within the scope of the act. Meanwhile, Gartner confirms that the use of cloud services by business and personal users continues to grow at a rapid clip.

Opposers are opposing

Service providers aren’t pretending to be happy. They lobbied to ensure some rights to refuse data-sharing requests when trade secrets might be exposed, and the Information Technology Industry Council (ITI) said in a statement:

“We have ongoing concerns regarding the Act’s broad and ambiguous approach to data sharing, including on the expansion of the products and services originally in scope and the safeguards for trade secrets protection, as well as the rules impacting international transfers of non-personal data.”

The ITI teamed up with 12 other trade associations in early 2023 to publish a joint letter critical of some aspects of the act. “We share the concern that several provisions, in their current form, present significant technical and legal challenges for companies. They will also create legal uncertainty as to how data will be handled, which will likely decrease the quantity and quality of the data that businesses gather and process,” they wrote.

They will no doubt continue to lobby to get sections of the act altered during the pending approvals process.

What happens next?

Europe’s Data Act isn’t approved yet. It will need to go through the lengthy approval process and even once it is adopted it will take 20 months more to come into force. That means most service providers should have time to figure out their own approach to interoperability. But, at least in theory, you’ll be able to shift your data more easily from iCloud to OneDrive.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.