Summary
As proposed, the Cloud and AI Development Act (CADA) does not impose a blanket data localisation mandate that overrides the GDPR. Instead, it introduces a four-tier "Union assurance" framework (Article 16) that restricts third-country control and access to data, while explicitly preserving the free flow of data within the EU (Recital 64). While GDPR Chapter V governs the lawfulness of transferring personal data outside the EU, CADA addresses operational autonomy and public order, requiring public sector bodies to procure cloud services that meet specific sovereignty criteria. For high-risk activities, these criteria effectively require data and infrastructure to remain within the Union, but this is a sovereignty requirement distinct from GDPR's data protection rules.
Detail
The interaction between the proposed Cloud and AI Development Act (CADA) and the General Data Protection Regulation (GDPR) regarding data localisation is often misunderstood. The two instruments address fundamentally different regulatory objectives: the GDPR protects fundamental rights and the privacy of personal data, whereas CADA aims to strengthen the EU's technological sovereignty, resilience, and independence from third-country dependencies. Understanding their interaction requires distinguishing between data transfer legality (the domain of GDPR) and service sovereignty (the domain of CADA).
GDPR Governs Transfers, Not Sovereignty
Under the GDPR, the primary mechanism for controlling data leaving the EU is Chapter V, which regulates international transfers of personal data. This framework relies on adequacy decisions, standard contractual clauses (SCCs), and binding corporate rules to ensure that personal data transferred to third countries receives a level of protection essentially equivalent to that within the EU.
However, the GDPR does not inherently address broader sovereignty concerns, such as operational continuity, vendor lock-in, or the risk of a third country disrupting cloud services or accessing non-personal data. As noted in the CADA proposal's explanatory memorandum, while the EU-US Data Privacy Framework addresses transatlantic data transfers, it "does not remove sovereignty concerns about dependence on third-country providers." The GDPR ensures that if data leaves the EU, it is protected; CADA asks whether the data should leave the EU at all to preserve the Union's strategic autonomy.
CADA's Sovereignty Framework: Assurance Levels, Not Blanket Localisation
CADA introduces a Union cloud computing sovereignty framework comprising four Union assurance levels (Article 16). These levels are not about where data physically sits in every instance, but about who controls the infrastructure, who has access to the data, and whether the service is subject to third-country jurisdiction.
Union Assurance Level 1: The Baseline
This is the minimum requirement for all public sector cloud procurement (Article 30(2)). The criteria for Level 1 (Annex II, Section 1) require that customer data, including metadata and telemetry, remain exclusively within the Union "unless the public sector body explicitly requires otherwise."
- Flexibility: This clause leaves room for exceptions: a public body could, in principle, authorise data to leave the Union where this is justified.
- Establishment: The provider must be established in the Union.
- Third-Country Control: If the provider is subject to third-country control, it must guarantee that no laws in that third country require reporting software vulnerabilities to authorities before they are exploited.
Union Assurance Levels 2, 3, and 4: Stricter Sovereignty
These higher levels are triggered by risk assessments (Article 29) for activities contributing to public order, such as national security, defence, justice, or law enforcement. The criteria become significantly stricter, effectively mandating localisation for these specific use cases:
- Level 2: Requires that infrastructure, assets, and personnel be located in the Union. It also mandates that data generated by the service is not used to train AI systems operated by a third country.
- Levels 3 and 4: Add a Union citizenship requirement for personnel (at Level 2 this applies only if the public body requires it; at Levels 3 and 4 it is mandatory) and stricter separation from third-country subsidiaries.
- Data Localisation: At these levels, the criteria prohibit the use of infrastructure or personnel located outside the Union for the provision of the service. Consequently, for public order-relevant activities, data localisation within the Union becomes a de facto requirement to meet the assurance criteria.
The Free Flow of Data Within the EU
A critical distinction in CADA is its explicit support for the free flow of data within the EU. Recital 64 states: "To promote the free flow of data within the Union and to support the functioning of the internal market, it is appropriate that Member States ensure that data is not confined to the territory of a single Member State and may be stored and processed across the Union without unjustified restrictions."
This means CADA does not create data silos at national borders. A French public authority can use a cloud service hosted in Germany, provided the service meets the relevant Union assurance level. The restriction is not on cross-border movement within the EU, but on movement outside the EU and on the legal jurisdiction governing the provider.
Risk Assessments and Procurement Obligations
The trigger for higher assurance levels is the risk assessment conducted by Member States and Union entities under Article 29. These assessments must identify public sector activities that contribute to the preservation of public order.
- Public Order Activities: If an activity is deemed sensitive (e.g., handling classified information or critical infrastructure data), the contracting authority must procure only from services recognised as offering Union assurance levels 2, 3, or 4 (Article 30(3)).
- Non-Public Order Activities: For activities not identified as contributing to public order, the minimum requirement is Union assurance level 1 (Article 30(2)). Even at Level 1, the criteria in Annex II heavily favour intra-EU processing, but allow exceptions if explicitly required by the public sector body.
This creates a layered approach: baseline sovereignty for all public cloud use, and strict localisation/control for sensitive public functions.
Distinction from GDPR's Scope
The scope of application differs significantly:
- Data Type: GDPR applies only to personal data. CADA applies to all cloud computing services used by the public sector, regardless of whether the data processed is personal or non-personal. A public authority using a cloud service to process non-personal operational data (e.g., traffic flow data, energy grid metrics) is still subject to CADA's sovereignty requirements if the activity is deemed relevant to public order. GDPR would not apply to this non-personal data, but CADA does.
- Risk Focus: CADA addresses risks that GDPR does not, such as the risk of service disruption by a third country. Article 18 allows the Commission to recognise third countries for Level 3 assurance only if they meet strict criteria, including having no measures in place to compel service degradation or disruption. This is a sovereignty and security concern, not a data protection one.
What this means for you
For in-house counsel, compliance officers in the public sector, and private entities supplying the public sector, CADA introduces new procurement and compliance obligations that run parallel to GDPR.
1. Procurement Strategy
Review all cloud computing service contracts. Under CADA, public sector bodies must procure only from services recognised as offering at least Union assurance level 1 (Article 30(2)). If your organisation handles sensitive public order activities, you must procure from Level 2, 3, or 4 services. Ensure your tender documents explicitly require these assurance levels and verify the provider's recognition status in the central repository (Article 22).
2. Risk Assessments
Member States and Union entities must conduct risk assessments every two years (Article 29(1)) to determine which activities require higher assurance levels. Compliance teams should engage with these assessments early to understand which of their cloud workloads will fall under stricter localisation and control requirements. The assessment must consider the sensitivity of data, the risk of unlawful access by a third country, and the risk of service disruption.
3. Provider Due Diligence
Private cloud providers aiming to serve the public sector must seek recognition under the CADA framework. This involves:
- Self-assessment for Level 1 (Article 19).
- Independent third-party audits for Levels 2-4 (Article 20). Prepare documentation demonstrating compliance with Annex II criteria, including evidence of data localisation within the Union, personnel location, and absence of third-country control.
4. Data Architecture
While GDPR focuses on transfer mechanisms (e.g., SCCs), CADA focuses on infrastructure location and control. Ensure your cloud architecture can demonstrate that data, metadata, and telemetry remain within the Union unless explicitly required otherwise. For Level 2-4 services, ensure all infrastructure and personnel involved in service provision are located in the Union.
5. Third-Country Subsidiaries
If your provider has subsidiaries in third countries, you must demonstrate effective legal, technical, and organisational separation (Annex II, Levels 2-4). This includes ensuring that third-country subsidiaries have no access to Union customer data or privileged accounts.
Common misconceptions
"CADA bans all data transfers outside the EU."
- Reality: CADA does not ban all transfers. At Union assurance level 1, data may leave the Union if the public sector body explicitly requires it. However, for higher assurance levels (2-4), data must remain exclusively within the Union. The restriction is tiered based on risk.
"CADA replaces GDPR."
- Reality: CADA and GDPR are complementary. GDPR continues to govern the lawfulness of processing personal data and international transfers. CADA adds a layer of sovereignty requirements for public sector cloud procurement, covering both personal and non-personal data, and addressing risks like service disruption and third-country control.
"CADA prevents cross-border data flows within the EU."
- Reality: Recital 64 explicitly promotes the free flow of data within the Union. CADA prohibits unjustified restrictions on data moving between Member States. A service hosted in one Member State can be used by authorities in another, provided it meets the relevant assurance level.
"Only personal data is subject to CADA's localisation rules."
- Reality: CADA applies to all customer data, including metadata, telemetry, and non-personal data. This is broader than GDPR, which only applies to personal data.
"CADA is just about data location."
- Reality: CADA is about control. It restricts third-country access, ensures operational autonomy, and prevents service disruption. Data localisation is a means to these ends, not the sole objective.
This is general information about a draft EU regulation, not legal advice.