Summary

The proposed Cloud and AI Development Act (CADA) does not conflict with the General Data Protection Regulation (GDPR) regarding health data in the cloud; rather, the proposal is explicitly designed to be fully compatible and complementary. Under CADA, specific technical and organisational measures required to achieve Union assurance levels can be embedded directly into the mandatory data processing agreements required by the GDPR. This integration allows public sector bodies and healthcare providers to satisfy both data protection obligations and sovereignty requirements simultaneously through a single contractual instrument. As proposed, CADA ensures that health data remains under EU jurisdiction and operational autonomy while maintaining the high cybersecurity standards mandated by the GDPR.

Detail

The relationship between the proposed Cloud and AI Development Act (CADA) and the General Data Protection Regulation (GDPR) is one of deliberate complementarity, not contradiction. A primary concern for legal counsel in the healthcare sector is whether the sovereignty and assurance requirements of CADA create a regulatory burden that duplicates, contradicts, or supersedes existing data protection laws. The source text explicitly clarifies that CADA is "consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR)" (Explanatory Memorandum, "Consistency with other Union policies").

The Legal Mechanism for Compatibility: Recital 63

The definitive guidance on the interaction between these two regimes is found in Recital 63 of the CADA proposal. This recital addresses the specific scenario where cloud computing services are used to process personal data, including sensitive health data. It states that the GDPR provides an obligation for controllers and processors to agree on organisational and technical measures. Crucially, the recital provides the bridge between the two frameworks:

"Where specific technical and organisational measures should be implemented pursuant to this Regulation to ensure that personal data are processed in line with this Regulation, such specific measures could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679 and could be relied on to demonstrate that the necessary Union assurance levels are met."

This provision effectively merges the compliance tracks. Under the GDPR, specifically Article 28, controllers and processors must establish a data processing agreement (DPA) that outlines the technical and organisational measures (TOMs) for data security. CADA recognises that these same agreements can serve as the vessel for demonstrating compliance with CADA's Union assurance levels. Instead of creating a parallel, disjointed compliance track, CADA allows the TOMs required for GDPR compliance to double as the evidence for CADA assurance. This means that a clause in a DPA ensuring data residency or restricting third-country access satisfies both the GDPR's requirement for appropriate safeguards and CADA's sovereignty criteria.

Union Assurance Levels and the Specificity of Health Data

CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16), with criteria detailed in Annex II. These levels range from Level 1 (basic establishment and data residency in the Union) to Level 4 (the strictest requirements, including Union citizenship for personnel and a complete absence of third-country control).

Health data, classified as "special category data" under Article 9 of the GDPR, carries heightened risks regarding privacy and potential harm. CADA's risk assessment mechanism (Article 29) requires Member States and Union entities to determine which assurance level is appropriate for specific public sector activities. If the processing of health data is deemed to contribute to the preservation of public order (e.g., in national health registries, pandemic response, or critical hospital infrastructure) or involves high sensitivity, a higher assurance level (2, 3, or 4) may be required.

The criteria for these levels in Annex II align closely with GDPR principles but add a layer of sovereignty:

  • Data Residency: For Union Assurance Level 1, customer data, including metadata and telemetry, must "remain exclusively within the Union" unless the public sector body explicitly requires otherwise. This aligns with the GDPR's restrictions on third-country transfers, particularly for sensitive health data where the risk of unauthorized access is high.
  • Personnel and Control: For Levels 3 and 4, the criteria become more stringent. Annex II requires that personnel involved in the service be "Union citizens" and that the provider is "not subject to the control of a third country." This addresses the "operational autonomy" gap that the GDPR alone does not cover, ensuring that even if data is legally protected, the infrastructure itself cannot be compromised by extraterritorial laws (such as the US CLOUD Act).

By embedding these CADA assurance criteria into the GDPR-mandated DPA, a healthcare provider or public health authority ensures that their cloud provider is contractually bound to both GDPR data protection standards and CADA sovereignty standards.

The Role of the Data Act and Interoperability

The CADA proposal also references the Data Act, noting that CADA is consistent with rules on switching between data processing services. The Data Act aims to reduce vendor lock-in and ensure interoperability. CADA builds on this by providing a framework for sovereign cloud services. For health data, this means that the technical measures required to keep data within the Union (a CADA requirement) and the measures required to ensure data portability and security (a GDPR/Data Act requirement) are mutually reinforcing.

The Explanatory Memorandum states that the Data Act "opens the path towards a possible reduction of dependencies on non-EU providers" but does not build the road towards sovereignty; CADA provides that sovereign framework. This ensures that while the GDPR protects the rights of the data subject, CADA protects the infrastructure and supply chain that processes that data.

No Conflict with Third-Country Transfers

A frequent point of confusion is whether CADA imposes stricter bans on third-country transfers than the GDPR. The proposal clarifies that while the EU-US Data Privacy Framework addresses transatlantic data transfers, it "does not remove sovereignty concerns about dependence on third-country providers." CADA goes beyond data transfer mechanisms by addressing operational autonomy.

However, it does not negate the GDPR. Instead, it adds a layer of scrutiny. For example, Union Assurance Level 3 allows for services from third countries only if the Commission has adopted a specific decision recognizing that the third country provides sufficient assurances (Article 18). This is a more stringent, sovereignty-focused test than the GDPR's adequacy decisions, but it operates in parallel. If a provider cannot meet the CADA assurance level, they may still comply with the GDPR for general commercial use, but they would not be eligible for public sector procurement of sensitive health data under CADA's demand-side measures (Article 30).

Compliance Mechanics: The Integrated DPA

For in-house counsel, the practical implication is that the data processing agreement becomes the central compliance document. When drafting or reviewing DPAs for cloud providers hosting health data, legal teams must ensure that the TOMs explicitly address CADA's assurance criteria if the service is intended for public sector use or high-criticality private sector use. This includes verifying:

  1. Data Residency: Explicit clauses confirming data remains in the Union (Annex II, Level 1 criteria).
  2. Subcontractor Oversight: Due diligence on subcontractors, ensuring they also meet the assurance level (Annex II, Level 1 criteria).
  3. Third-Country Control: Demonstrations that no third-country laws compel the provider to access data or disrupt service (Annex II, Level 2 and 3 criteria).

By integrating these clauses into the GDPR DPA, organizations create a single contractual instrument that satisfies both regulatory regimes.

What this means for you

For in-house counsel and compliance officers in the healthcare sector, the adoption of CADA (if passed in its current form) will require a strategic review of existing cloud contracts, particularly those involving public sector bodies or sensitive health data.

1. Audit Existing Data Processing Agreements (DPAs)

Review current DPAs with cloud providers. Identify the Technical and Organisational Measures (TOMs) currently in place. Determine if these TOMs already satisfy the criteria for the relevant Union Assurance Level under CADA. If not, you must negotiate amendments to include specific CADA-compliant measures, such as strict data residency guarantees, subcontractor oversight protocols, and clauses preventing third-country access to data.

2. Align Risk Assessments with CADA Assurance Levels

Public sector health authorities will need to conduct risk assessments under Article 29 to determine the required assurance level for their cloud services. Private sector entities in high-criticality sectors (as defined in Annex I of the NIS2 Directive) may also conduct similar impact assessments under Article 31. Ensure your internal risk registers map data sensitivity (e.g., genomic data, patient records, mental health data) to the appropriate CADA assurance level. If the risk assessment determines that the activity contributes to public order, you may be legally required to procure only Level 2, 3, or 4 services.

3. Prepare for Procurement Changes

CADA introduces demand-side measures. Public sector contracting authorities will be obligated to procure cloud services that meet at least Union Assurance Level 1 (Article 30). For activities contributing to public order, Levels 2, 3, or 4 may be mandatory. Ensure your cloud providers can provide the necessary audit reports or statements of conformity to meet these procurement criteria. If a provider cannot demonstrate compliance, they may be excluded from public health tenders.

4. Monitor Third-Country Controls

For providers with global operations, ensure that legal, technical, and organisational measures are in place to separate Union operations from third-country subsidiaries. Annex II requires effective separation to prevent third-country access to Union data. Document these separation measures in your GDPR DPA to serve as evidence for CADA compliance. This is critical for health data, where the risk of foreign surveillance is a primary concern.

5. Leverage the "No Conflict" Principle

Use the explicit compatibility stated in Recital 63 to streamline compliance. Instead of maintaining separate documentation for GDPR and CADA, integrate CADA assurance criteria into your standard GDPR DPA templates. This reduces administrative burden and ensures consistent contractual obligations across both regimes.

Common misconceptions

Misconception 1: CADA replaces the GDPR for cloud services.

Correction: CADA does not replace the GDPR. It complements it by adding sovereignty and operational autonomy requirements. The GDPR remains the primary law for personal data protection, while CADA addresses the strategic dependency and security of the cloud infrastructure itself.

Misconception 2: CADA's data residency requirements conflict with the GDPR's free flow of data.

Correction: CADA's requirement for data to remain in the Union (for certain assurance levels) is a specific condition for public sector procurement and high-assurance services. It does not ban all cross-border data transfers under the GDPR. However, for services claiming Union Assurance Levels 1-4, data must remain in the Union unless explicitly authorised by the public sector body. This is a contractual and regulatory condition for specific high-trust services, not a general ban on EU data flows.

Misconception 3: Compliance with CADA is optional for private sector healthcare providers.

Correction: While CADA's mandatory procurement rules (Article 30) directly target public sector bodies, the private sector is indirectly affected. Providers seeking to serve public sector clients must obtain Union assurance recognition. Furthermore, Article 31 allows private sector entities in critical sectors (under NIS2) to conduct similar impact assessments. Market pressure will likely drive private healthcare providers to adopt CADA-compliant standards to remain competitive and trustworthy.

Misconception 4: CADA creates a new, separate certification process that duplicates GDPR audits.

Correction: Recital 63 explicitly states that CADA measures can be embedded in GDPR mandatory agreements. The audit evidence for CADA assurance levels (Annex III) can be aligned with GDPR compliance audits. Organisations should aim to integrate these processes rather than treating them as separate, duplicative efforts.

This is general information about a draft EU regulation, not legal advice.