Increasing Awareness of Lock-in in Public Sector Organisations

New research on Swedish public sector organisations shows that there is a need for more awareness and understanding of lock-in risks when procuring cloud services

Published on: 01/02/2021

In a recent paper, researchers at the University of Skövde in Sweden ask the question: “How do, and by which strategies should, public sector organisations address lock-in effects before use of commercial SaaS solutions?”. This analysis plays into one of the most relevant debates related to open source in the public sector.

Public sector lock-in to proprietary solutions has been central in arguments put forward by advocates for more use of open source software by public institutions. This research follows earlier academic findings showing how lock-in effects can impose many different types of technical, legal, economic and societal challenges for public sector organisations. But this latest paper analyses the awareness of these risks in the processes of public sector procurement of cloud services.

The authors find that municipalities adopt and use cloud solutions from large global suppliers “under potentially problematic contract terms”. The main example given is the City of Gothenburg, who entered into an agreement with Microsoft for adopting Office365. The City uses Office365 for large scale data processing but has not carried out an impact assessment outlining the jurisdictions in which data can be, and has been, processed.

“The findings are relevant to all European public sector organisations, as it’s legally risky to enter into a licensing agreement for a cloud service if you lack access to all contract terms” says one of the lead authors Professor Björn Lundell. “Our finding is that there is a worrying lack of deep analysis of the different rules and frameworks the public sector acts under while using these cloud services.”

More specifically, the researchers find that none of the studied public sector organisations has undertaken actions to obtain all contract terms related to third party rights; none has obtained, or even considered the need to obtain, the licences from third parties as detailed in the contract terms of the studied cloud service; there is a general unawareness concerning the justdictions in which data processing and maintenance of the public sector data has taken and can take place; and they find no evidence that the public sector organisations studied have an effective exit strategy that can be implemented if they want or need to end the usage of the cloud service, or even have considered potential risks related to Standard Essential Patents (SEPs) related to the data formats used. 

Professor Lundell states that “there is a lack of consideration of the current legal environment, such as the GDPR, and at a broader level the political risks related to data sovereignty and autonomy”. In the analysis of the Swedish municipalities, he finds that the responsible parties have “no clue of how they could end the contracts and agreements they have entered into or how their digital artifacts can be sustainably managed.”

As cloud services are becoming more ubiquitous in the public sector, this research indicates concepts such as lock-in and total cost of ownership keeps on being relevant for the ICT procurers. With increased concerns about digital sovereignty and data handling, as well as an increased interest in open source and open standards-based procurement, ongoing analyses of contracts, data formats and SEPs will be crucial.