Summary

As proposed, the Cloud and AI Development Act (CADA) would complement the GDPR and the EU-US Data Privacy Framework (DPF) by addressing operational autonomy and strategic dependencies, not just data privacy. While the GDPR governs personal-data processing and the DPF facilitates transatlantic transfers, CADA would introduce a sovereignty framework with risk assessments aimed at unlawful third-country access and service disruption. Notably, under Article 18, CADA would link a third country's eligibility for assurance-level-3 audits to a GDPR adequacy decision, creating a layered obligation for public-sector procurement.

Detail

The relationship between CADA, the GDPR, and the EU-US Data Privacy Framework is one of complementary scope. The GDPR remains the primary instrument for protecting personal data. The DPF addresses the specific mechanism of EU-US personal-data transfers. As proposed, CADA would expand the regulatory perimeter to include non-personal data, operational continuity, and technological sovereignty.

CADA's Scope Beyond Data Privacy

The explanatory memorandum states the proposal is consistent with existing rules on the processing of personal data, including the GDPR. It also states that while the EU-US Data Privacy Framework "addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers," and that the proposal "complements the EU-US Data Privacy Framework as the notion of sovereignty goes beyond data transfers and relates to operational autonomy too." In other words, the DPF provides privacy safeguards for transfers, but it neither prevents a provider from being compelled by third-country law to interrupt service nor addresses the public-order risks that flow from dependence on such a provider. As proposed, CADA would target these gaps through its sovereignty framework.

The Sovereignty Framework and Risk Assessments

CADA would establish a Union cloud computing sovereignty framework with four assurance levels (Article 16). To determine which level is required, Member States and Union entities would conduct risk assessments (Article 29). Under Article 29(2), these assessments must consider at least: the sensitivity, criticality, and magnitude of the non-personal data processed (and the nature, scope, context and purpose of any personal-data processing); the risk and impact on public order of unlawful access to such data by a third country or an entity established in a third country; and the risk and impact of possible service disruption. This is distinct from a GDPR Data Protection Impact Assessment (DPIA), though the two may overlap.

Article 18 and the Link to GDPR Adequacy

A key intersection occurs in Article 18 ("Associated third countries"). It would allow the Commission, by implementing act, to identify third countries whose providers (or providers controlled by an entity in that country) may be audited against the criteria for Union assurance level 3, provided the third country fulfils cumulative criteria. One criterion is that the country "is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679" (the GDPR).

This creates a direct dependency for level-3 eligibility: the EU must already have deemed that country's data-protection regime adequate under the GDPR. If the DPF or another adequacy mechanism were challenged or invalidated, it could affect the eligibility of providers from that jurisdiction under CADA's assurance level 3. Note that Article 18's mechanism is specific to level 3; it is not a general gateway for levels 2 and 4.

Operational Autonomy vs. Data Transfer

The GDPR focuses on the lawfulness of personal-data processing and of data flows. As proposed, CADA would focus on the resilience and autonomy of the underlying infrastructure. A provider might comply with GDPR transfer mechanisms yet still be subject to laws permitting a host government to compel disruption of services. CADA's higher assurance levels would be verified through independent audits (Article 20) against Annex II criteria, which address freedom from third-country control and resistance to compelled access or service disruption.

What this means for you

For in-house counsel and compliance officers, the interplay between these instruments calls for a dual-track strategy:

  1. Decouple Privacy from Sovereignty: Do not assume GDPR compliance or DPF reliance satisfies CADA's sovereignty criteria. As proposed, you would separately assess operational risks, including service disruption and access to non-personal data.
  2. Monitor Adequacy Status: Under Article 18, a third country's eligibility for the assurance-level-3 audit route would be tied to a GDPR adequacy decision. Monitor the status of the DPF and other adequacy rulings; if one is suspended or invalidated, providers from that jurisdiction could lose level-3 eligibility, making migration planning prudent.
  3. Conduct Dual Assessments: Public-sector bodies would conduct CADA risk assessments (Article 29) alongside GDPR DPIAs. The CADA assessment specifically addresses unlawful third-country access and service-disruption risks, which are not the primary focus of a standard DPIA.
  4. Audit Readiness for Higher Levels: Providers seeking to serve the public sector at assurance levels 2, 3, or 4 should prepare for independent third-party audits (Article 20) against Annex II criteria, scrutinising the ability to resist third-country legal demands well beyond standard privacy certifications.
  5. Contractual Clauses: Review contracts to align with CADA's sovereignty criteria, including provider commitments relevant to third-country access requests and service continuity.

Common misconceptions

  • Misconception: "If we use the DPF, we are CADA-compliant."
    • Reality: As proposed, the DPF addresses privacy safeguards for transfers; CADA addresses operational sovereignty, including the risk of service disruption and access to non-personal data. A provider can be DPF-compliant yet not meet CADA's higher assurance criteria.
  • Misconception: "CADA replaces the GDPR for cloud services."
    • Reality: As proposed, CADA is complementary. The GDPR continues to govern personal-data processing; CADA would add sovereignty and resilience requirements, particularly for public-sector procurement.
  • Misconception: "Only personal data matters for CADA risk assessments."
    • Reality: Article 29(2) requires assessments to consider non-personal data, its sensitivity, criticality and magnitude, and the risk of unlawful third-country access and service disruption — not just personal data.
  • Misconception: "Article 18 lets any DPF-compliant third-country provider compete at level 3."
    • Reality: Article 18 requires cumulative criteria. A GDPR adequacy decision is one condition; the third country must also, among other things, have no measures that compel service disruption, have no measures that impede the use of state-of-the-art technology, and maintain an open market for Union cloud services. Adequacy is necessary but not sufficient.

This is general information about a draft EU regulation, not legal advice.