Summary
Under the proposed Cloud and AI Development Act (CADA), national competent authorities would possess explicit powers to seize data from cloud computing service providers during investigations into sovereignty compliance. Article 26(1)(b) grants authorities the power to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium." However, this power is not absolute; it must be exercised in accordance with strict safeguards under Article 26(4), which mandates compliance with national law, respect for the right to private life, and the rights of defence, including access to the file and the right to an effective judicial remedy.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous enforcement framework to ensure cloud computing service providers adhere to the Union's sovereignty assurance levels. A cornerstone of this framework is the investigative and enforcement authority granted to national competent authorities of establishment. For technical leaders, architects, and compliance officers, understanding the precise scope of these powers, specifically the ability to seize data and hardware, is critical for risk management and operational resilience planning.
The Power to Seize Data and Information
The core provision governing the seizure of data is found in Article 26(1)(b) of the CADA proposal. This article grants national competent authorities of establishment the following investigative power:
"the power to carry out, or to request a judicial authority in their Member State to order, inspections of any premises that those providers or those persons acting for purposes related to their trade, business, craft or profession, use for purposes related to their trade, business, craft or profession, or to request other public authorities to do so, in order to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium;"
This provision is significant for several technical and legal reasons:
- Scope of Information: The authority is empowered to seize "information relating to a suspected infringement." This is a broad mandate that could encompass technical documentation, audit reports, system logs, source code, configuration files, or business records necessary to verify whether a provider meets the criteria for a specific Union Assurance Level (UAL) under Annex II.
- Irrespective of Storage Medium: The explicit phrase "irrespective of the storage medium" ensures that the power applies universally to digital data. It covers data stored on physical servers, cloud infrastructure, backup tapes, portable devices, or any other medium. This prevents providers from arguing that data in a specific format, location, or virtualized environment is exempt from seizure.
- Seizure vs. Copying: The text grants the power to "seize, take or obtain copies." This provides authorities with operational flexibility. While they may prefer to "obtain copies" to preserve the provider's operational continuity, they retain the statutory authority to physically "seize" or "take" the media itself if necessary to secure evidence.
Context: Triggering the Power
These powers are triggered specifically by a "suspected infringement" of the Chapter on Autonomy (Title IV) of the Regulation. This includes failures to meet the cumulative criteria for Union Assurance Levels 1 through 4, as defined in Annex II and the audit evidence requirements in Annex III.
For example, if a national authority suspects a provider is failing to maintain customer data exclusively within the Union as required for Union Assurance Level 2, or suspects that third-country control exists contrary to Annex II, Section 3, they may invoke Article 26(1)(b). In such a scenario, the authority could seize logs, network architecture diagrams, or physical hard drives to verify the location of data processing and the absence of unauthorized third-country access.
Safeguards and Procedural Requirements
While Article 26(1)(b) grants broad investigative powers, Article 26(4) imposes critical safeguards to protect the rights of cloud providers and ensure the measures are proportionate:
"Member States shall set out specific rules and procedures for the exercise of the powers pursuant to paragraphs 1 and 2 and shall ensure that any exercise of those powers is subject to adequate safeguards under applicable national law in compliance with the general principles of Union law. Those measures shall be taken only in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file, and shall be subject to the right of all affected parties to an effective judicial remedy."
This creates a multi-layered protection framework:
- National Law Compliance: The seizure must strictly follow the procedural rules of the Member State where the authority is established. In many jurisdictions, this may require a judicial warrant or prior notification, ensuring that the power is not exercised arbitrarily.
- Rights of Defence: Providers retain the right to be heard and to access the file containing the evidence seized. This ensures transparency and allows the provider to challenge the relevance or legality of the seized material.
- Judicial Remedy: Any affected party has the right to an effective judicial remedy, meaning they can challenge the seizure in court if they believe it violates their rights or exceeds the scope of the investigation.
Distinction from Other Investigative Powers
Article 26(1) outlines a suite of investigative powers, of which data seizure is only one:
- Article 26(1)(a): The power to require any person to provide information.
- Article 26(1)(c): The power to ask staff or representatives to give explanations and record their answers.
These are distinct from the physical seizure of data under Article 26(1)(b). The seizure power is inherently more intrusive and is likely to be reserved for situations where voluntary cooperation under Article 26(1)(a) is insufficient, where there is a risk of evidence destruction, or where the physical integrity of the data requires immediate securing.
Enforcement Consequences
If the data seized under Article 26(1)(b) confirms an infringement, authorities can proceed to enforcement measures under Article 26(2). These measures include:
- Ordering the cessation of the infringement.
- Imposing remedies proportionate to the infringement.
- Imposing fines or periodic penalty payments to ensure compliance.
What this means for you
For CTOs, architects, and technical teams evaluating the practical impact of the proposed CADA, the seizure power under Article 26(1)(b) has several immediate implications for infrastructure and governance:
- Data Preservation and Integrity: Ensure that your data retention, backup, and integrity policies are robust and defensible. Authorities may seize backups or physical media; you must be able to demonstrate that data integrity has been maintained and that no unauthorized alterations occurred prior to the seizure.
- Granular Access Controls: Implement and document clear access controls and audit logs. If authorities seize data, you may need to prove that only authorized personnel had access, particularly if the investigation relates to third-country access or personnel citizenship requirements under Annex II.
- Legal Preparedness: Have legal counsel ready to respond to seizure orders immediately. Understand your specific rights under the national law of your establishment, including the right to judicial review, the right to be heard, and the right to access the file.
- Operational Continuity Planning: Where possible, negotiate with authorities to obtain copies rather than physical seizure of media. The proposal explicitly allows for "obtaining copies," which is significantly less disruptive to service continuity than taking physical servers or storage devices.
- Sovereignty Documentation: Maintain detailed, up-to-date records of your sovereignty compliance. This includes infrastructure location maps, personnel citizenship records, data flow diagrams, and software bill of materials (SBOMs). These documents are likely primary targets for seizure during an investigation into Union Assurance Level compliance.
Common misconceptions
Misconception 1: Authorities can seize any data they want. No. The power is strictly limited to "information relating to a suspected infringement." Authorities cannot conduct a "fishing expedition" for unrelated business data or trade secrets that do not pertain to the sovereignty compliance investigation. The seizure must be proportionate to the specific infringement suspected.
Misconception 2: Seizure is automatic and requires no judicial oversight. Not necessarily. Article 26(1)(b) explicitly states authorities can carry out inspections "or to request a judicial authority in their Member State to order" them. In many Member States, physical seizures of digital data will require a judicial warrant, ensuring an independent check on the authority's power.
Misconception 3: Only large hyperscalers are at risk. No. CADA applies to all cloud computing service providers seeking recognition under the Union Assurance Levels. Small and medium-sized enterprises (SMEs) providing services to public sector bodies are equally subject to these powers if they are suspected of non-compliance with the sovereignty criteria.
Misconception 4: Seizure is the only investigative tool available. No. Authorities have a graduated toolkit. They can first require information provision (Article 26(1)(a)) and interview staff (Article 26(1)(c)). Seizure under Article 26(1)(b) is a more intrusive measure, typically used when other methods are insufficient or when there is a risk of evidence tampering.
This is general information about a draft EU regulation, not legal advice.