Summary
Under the proposed Cloud and AI Development Act (CADA), a national competent authority cannot arbitrarily refuse a request for mutual assistance from another Member State. Article 27(3) of the proposal establishes a binding obligation: the receiving authority "shall comply with such request." However, this obligation is not absolute; compliance may be delayed or withheld only if the authority is "duly justified" in doing so. Crucially, even in such cases, the authority must inform the requesting authority of the action taken "as soon as possible and no later than two months after receipt of the request." This framework prioritizes rapid cross-border enforcement while allowing for narrow, substantive legal or operational constraints.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a Union-wide cloud computing sovereignty framework that relies heavily on seamless cross-border cooperation to ensure uniform enforcement. Because cloud service providers often operate across multiple Member States, the ability of national competent authorities to share information and coordinate investigations is critical. Article 27 of the proposal, titled "Mutual assistance," provides the legal mechanism for this cooperation, specifically governing how authorities exchange information to exercise their investigative powers under Article 26.
The Binding Obligation to Comply
The core principle of the mutual assistance regime is the presumption of compliance. Article 27(2) empowers a competent authority to request "specific information in their possession relating to a specific cloud computing service provider" from another competent authority. This typically occurs when the authority of establishment (where the provider is based) needs data located in another Member State to investigate a suspected infringement.
Article 27(3) then imposes a strict duty on the receiving authority:
"The competent authority receiving the request pursuant to paragraph 2 shall comply with such request and inform the competent authority of establishment about the action taken, as soon as possible and no later than two months after receipt of the request, unless duly justified."
This language creates a mandatory obligation. The receiving authority does not have the discretion to simply decline a request because it disagrees with the investigation's premise or because the request is inconvenient. The default position is full cooperation. The request must be for "specific information," ensuring that the mechanism is targeted and relevant to the investigative powers granted under Article 26, which includes powers to require information, carry out inspections, and ask for explanations.
The Narrow "Duly Justified" Exception
While the obligation to comply is the rule, Article 27(3) explicitly carves out a single exception: "unless duly justified." The proposal does not provide an exhaustive list of what constitutes a "duly justified" reason within the text of Article 27 itself. However, in the context of EU administrative law and the broader CADA framework, this exception is interpreted narrowly. It is not a loophole for administrative inertia or political disagreement.
Potential grounds for a "duly justified" refusal or delay would likely include:
- Fundamental Rights and Data Protection: If complying with the request would violate the General Data Protection Regulation (GDPR) or the Charter of Fundamental Rights, and no adequate safeguards or legal basis exist to override these protections, the authority may be justified in withholding information. CADA explicitly states in Recital 63 that it does not affect obligations under Regulation (EU) 2016/679 (GDPR).
- National Security and Public Order: If the disclosure of specific information would jeopardize national security, public order, or the integrity of an ongoing criminal investigation within the receiving Member State, this could constitute a valid justification. This aligns with CADA's broader objective of protecting public order through sovereign cloud standards.
- Technical or Operational Impossibility: If the requested information is genuinely not in the possession of the receiving authority, or if the technical means to retrieve it do not exist (e.g., the data has been deleted in accordance with lawful retention policies), the authority may be justified in its inability to comply.
- Lack of Specificity: Article 27(2) requires requests to be for "specific information." If a request is overly broad, vague, or amounts to a "fishing expedition" unrelated to a specific suspected infringement, the receiving authority might argue that the request itself is not properly formed, thereby justifying a refusal or a request for clarification.
The burden of proof for a "duly justified" refusal lies with the receiving authority. It cannot simply remain silent; it must have a substantive, defensible reason for non-compliance.
The Strict Two-Month Deadline and Notification Duty
Even if a receiving authority believes it has grounds to refuse or delay a request, Article 27(3) imposes a strict procedural duty to communicate. The authority must "inform the competent authority of establishment about the action taken."
This notification must occur:
- "As soon as possible": Encouraging immediate action where feasible.
- "No later than two months after receipt of the request": This is a hard statutory deadline.
This two-month limit is a critical safeguard against bureaucratic delay. It ensures that cross-border investigations do not stall indefinitely. If the receiving authority cannot comply within two months due to a "duly justified" reason, it must still inform the requesting authority of this fact and the reasons for the delay or refusal within that same two-month window. Silence beyond two months would constitute a breach of the regulation.
Scope and Limits of Assistance
The mutual assistance mechanism is designed to be efficient and targeted. Article 27(2) allows the requesting authority to ask for information "relating to a specific cloud computing service provider." This limits the scope to specific investigations rather than general data mining. The receiving authority may also involve other public authorities within its Member State if necessary to fulfill the request, facilitating a whole-of-government approach.
However, the mechanism is strictly between competent authorities. It does not grant cloud providers the right to block requests, nor does it allow authorities to bypass national legal frameworks. The "duly justified" exception serves as the necessary safety valve to ensure that mutual assistance does not override fundamental legal protections or national sovereignty in sensitive areas like security.
What this means for you
For in-house counsel, compliance officers, and legal teams at cloud computing service providers, the mutual assistance framework under the proposed CADA has significant implications for cross-border regulatory risk management.
- Accelerated Cross-Border Scrutiny: The strict two-month deadline in Article 27(3) signals that regulators intend to move quickly. If a competent authority in one Member State suspects an infringement, they can rapidly request supporting evidence from authorities in other Member States. Providers should expect that information sharing between regulators will be faster and more seamless than under current fragmented regimes.
- No "Silent" Refusals: Providers should not assume that a delay in a regulatory inquiry is due to administrative backlog. If a request is being contested under the "duly justified" exception, the receiving authority is legally required to inform the requesting authority within two months. This transparency means that regulatory deadlocks will be visible and time-bound.
- Data Governance is Critical: Since data protection and national security are the most likely grounds for a "duly justified" refusal, providers must ensure their data governance frameworks are robust. Clear documentation of data residency, processing purposes, and legal bases for data handling will help authorities determine quickly whether a mutual assistance request can be fulfilled without violating GDPR or national security laws.
- Preparation for Specific Requests: Because Article 27(2) limits requests to "specific information," providers should be prepared to respond to targeted inquiries. Broad, undefined requests may be challenged by authorities as unjustified, but specific requests related to a provider's Union assurance level or compliance with Article 16 criteria must be met with full cooperation.
- Monitoring the Two-Month Clock: While the deadline applies to authorities, providers can use it to manage expectations. If a regulator in your home Member State is waiting for information from another state, the two-month rule provides a predictable timeline for when that information should be available or when a refusal should be communicated.
Common misconceptions
Misconception 1: Authorities can refuse requests at their discretion. Some believe that national competent authorities have broad discretion to refuse mutual assistance requests if they disagree with the investigation's premise or if the request is politically sensitive. In reality, Article 27(3) mandates compliance. Refusal is only permissible if "duly justified," which requires a substantive legal or operational reason, not mere policy disagreement or administrative convenience.
Misconception 2: The two-month deadline is a soft target. The phrase "no later than two months" in Article 27(3) is a hard statutory deadline for informing the requesting authority of the action taken. While "as soon as possible" allows for earlier responses, the two-month period is the maximum allowable time for the receiving authority to respond. This is not a suggestion but a binding procedural requirement under the proposed regulation.
Misconception 3: Mutual assistance covers all types of data. Mutual assistance under Article 27 is limited to "specific information" relating to a specific cloud computing service provider. It does not grant authorities blanket access to all data held by a provider. Requests must be targeted and relevant to the establishment authority's investigative powers under Article 26.
Misconception 4: Providers can block mutual assistance. Cloud computing service providers cannot unilaterally block mutual assistance requests between authorities. While providers may have rights under data protection law, the mutual assistance mechanism is a direct interaction between public authorities. Providers must cooperate with the competent authority in their Member State of establishment, which then coordinates with other Member States as needed. The "duly justified" exception is a matter for authorities to resolve, not a right for providers to invoke directly against the request.
This is general information about a draft EU regulation, not legal advice.