On April 20, 2023, the French Competition Authority (the “FCA”) issued an opinion on three articles of an incoming French law aimed at securing and regulating the digital space (the “French draft legislation”), pending the coming into force of EU-wide rules (the “European Data Act”).
In short, the French draft legislation provides measures to ensure that cloud computing markets are as contestable as possible, notably through the regulation of certain potentially harmful commercial practices, such as the risk of lock-in due to the costs of setting up cloud architecture and difficulties in migrating between rival providers.
In particular, the provisions concerned aim at:
- preventing cloud computing service providers from granting cloud credits with a duration exceeding one year or subject to an exclusivity condition (article 7, II of the French draft legislation) and from charging fees for the transfer of data to the customer’s own infrastructure or to another provider’s infrastructure (article 7, III);  and
- compelling cloud computing service providers to ensure their services’ interoperability with the customers’ services or with those provided by other providers and to ensure portability of digital assets towards the customers’ services or towards those provided by other providers, notably through the free provision of necessary interfaces (article 8, II).
In its opinion, the FCA agrees with such measures and provides the following five recommendations:
Recommendation no. 1: ensure consistency with the future European Data Act
Considering the European regulatory context in which the French draft legislation is being introduced, the FCA considers that insufficient alignment of the national regulation with the future European framework may cause temporary distortions and sunk adaptation costs for stakeholders operating on the French market. The FCA thus calls for the best possible alignment of the French draft legislation (which by virtue of the principle of the primacy of European Union law should be transitional) with the future European Data Act.
Recommendation no. 2: clarify the definitions of “cloud computing services” and “cloud computing assets”(or “cloud credits”)
To better align with the European Data Act, the FCA in particular recommends clarifying the definition of:
- “cloud computing services” (or “data processing services” under the European Data Act), which are currently defined as digital services that provide access to a modular and variable set of IT resources that can be shared. To clarify the rules applicable, the FCA recommends completing this definition with the same distinction as the one envisaged at EU-level between Infrastructure as a Service (“IaaS”), Platform as a Service (“PaaS”) and Software as a Service (“SaaS”) as these categories of services correspond to different levels of shared responsibility between the cloud service provider and the customer company;  and
- “cloud computing assets” or “cloud credits,” which are currently defined as units of a virtual currency handed out by cloud suppliers to allow users to perform certain tasks involving cloud services. The draft French legislation limits cloud credits to monetary forms, although these can also come in non-monetary forms, such as, in particular, (i) free trial offers aimed at attracting new clients during the first months of a subscription to cloud computing services or (ii) business support programs which are subject to higher fees in exchange for longer-term (i.e., years’) access. The FCA recommends clarifying the definition and scope of cloud credits by making a clear distinction among cloud credits between monetary/non-monetary and free trial/support programs and identifying the undertakings concerned by each form of cloud credits.
Recommendation no. 3: clarify the conditions for the duration and renewal of cloud credits
Relatedly, the FCA considers that the business support program form of cloud credits could raise competitive concerns due to its higher cost and longer duration. Such credits could, if handed out by dominant companies (in particular, the “hyperscalers” defined below), in addition to tying customers within a single cloud environment, have potentially anticompetitive effects on the smallest suppliers who could not profitably replicate such terms. In the FCA’s opinion, setting clearer terms and conditions to ensure equitable competition between the different cloud service providers is key and should be done after consultation with clients and suppliers.
Recommendation no. 4: ensure a gradual removal of “egress fees”
The FCA notes that the cloud market in France appears to be consolidated around a group of so-called “hyperscalers” (e.g., AmazonWeb Services, Google Cloud and Microsoft Azure). Hyperscalers are cloud service providers whose policy is to charge clients depending on their utilization of the outgoing bandwidth and to charge fees for the transfer of data to a destination outside of the provider’s cloud environment and infrastructure (namely, “egress fees” or “data transfer fees”). The FCA fears that egress fees are potentially disconnected from the costs directly incurred by hyperscalers regarding data transfers. Also, since those fees are proportionate to the volume of data transferred, it may be difficult for customers to anticipate how much they will spend, as this will depend on future needs. According to the FCA, this uncertainty may lead to customer lock-in by making it more difficult to migrate cloud services to another provider, or to use several providers at once.
The FCA therefore agrees that egress fees should be removed, notably to ensure the possibility of multi-homing cloud services (i.e., using several providers at once), but considers that this should be done gradually. The FCA cites as reference the European Data Act, which provides for a transition period of three years to phase-out egress fees (rather than an outright ban).
Recommendation no. 5: ensure that measures relating to interoperability of cloud services and data portability are aligned with the future European Data Act
The French draft legislation fails to provide a definition of key cloud sector concepts such as “interoperability of services” or “data portability.” The FCA thus recommends clarifying these terms and ensuring their consistency with the European Data Act, in particular to allow customers to easily use third-party cloud computing services.
Furthermore, the French draft legislation sets forth an obligation for cloud providers to ensure interoperability between services that cover “the same type of service.” The FCA, however, considers this obligation as being too broad since it does not specify which service is targeted by the obligation (i.e., IaaS, PaaS or SaaS). In any case, the FCA, together with the French Electronic Communications, Postal and Print media distribution Regulatory Authority (the “ARCEP”), shall ensure that obligations of interoperability and portability respond to harmonized standards set by the framework enshrined in the future European Data Act.
In parallel, the FCA’s cloud sector inquiry
On June 29, 2023, the FCA published a 200-page report detailing the results of the ex officio market study of the cloud industry it had been conducting since January 2022.  In short, the FCA considers that enforcement action may be necessary against the hyperscalers to address concerns that customers are being locked into their rapidly-growing cloud ecosystems. The FCA’s detailed report will be presented in a separate article.
 FCA opinion No. 23-A-05 of April 20, 2023 on the French draft legislation to secure and regulate the digital space (Articles 7 to 9). For detailed information on the future European Data Act, which was formally issued on February 23, 2022 but is still at the stage of a proposal, see: https://www.eu-data-act.com/ or, in general terms, the European Commission’s press release of February 23, 2022, available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1113. The French draft legislation aimed at making more secure and regulating the digital sector is available at: https://www.senat.fr/leg/pjl22-593.html.
 Fees relating to a change of provider are authorized until the date of entry into force of the European Data Act, provided that they are limited to the actual costs directly linked to this change and that they are communicated transparently to users.
 In short, IaaS is the least outsourced model, in which the supplier provides the user with IT infrastructure, such as servers or storage. PaaS is an intermediate model. It provides an environment where customers can benefit from software and tools to develop their applications without having to create or maintain the infrastructure or platform usually associated with the process. SaaS is the most outsourced model. It gives users direct access to applications, managed entirely by the supplier, from any connected device.
 Cloud sector’s use of exit fees concerns French antitrust watchdog, N. Hirst, MLex, May 11, 2023.
 After the transition period, failure to comply with this ban on egress fees could then, subject to the draft European Data Act being adopted in its current form, result in a fine of up to €1 million (or even €2 million in the event of a repeat offense by the cloud service provider).
 See “The Autorité de la concurrence issues its market study on competition in the cloud sector”, FCA, June 29, 2023.