This research attempts to answer the following question: Is it feasible to implement a self-governing model for cloud platforms to prevent vendor lock-in?
Taking into consideration that cloud computing is a new paradigm in the offering of IT capabilities as ‘services’ it is important to understand that the interactions among participants (at the B2C and B2B levels) will be shaped by their contractual agreements.
At the B2C level, the asymmetric relationship between cloud providers and consumers, can lead to disadvantageous arrangements particularly for non-professional consumers, which might cause market distortions and vendor lock-in. Therefore, certain regulatory interventions such as the right to portability of personal data, as per Article 20 GDPR and other portability rules in Article 16(4) of the Directive on the contracts for the supply of digital contents and services seek to empower the data subject in relation to their data and facilitate switching, which should enhance competition and enable the creation of new services. As a first step, this research looked into the interpretation and implementation of these pieces of legislation where the definition of personal data plays a main role.
At the B2B level, the current literature has stated the difficulty in justifying any regulatory intervention for a mandatory requirement of data portability outside from the already well stablished Competition Law mechanisms in the case of abuse of dominant position. This research also reviews the possible justifications for regulatory intervention at this level for the specific case of cloud computing services. Businesses have, nevertheless, repeatedly stated the need of the scheme to facilitate the flow of business data. In this case, a ‘soft-law’ approach might be more suitable, where companies can voluntarily agree to improve their data flows via codes of conducts and standard contractual clauses. The main areas where cloud contracts might reduce burdens would be in relation to data portability attributes, namely: the data transfer rate, format, interfaces, and remedies. The Free Flow of Non-Personal Data Regulation has already stablished this approach. This research will ultimately analyze the possible implementation and effectiveness of the above-mentioned codes of conducts and standard contractual clauses, where ‘business data’ is understood to be comprised of both personal and non-personal data.