Summary
The proposed Cloud and AI Development Act (CADA) does not replace the GDPR's transfer rules but adds a critical layer of technological sovereignty. While GDPR Chapter V governs the legality of cross-border data flows, CADA targets the risk of unauthorised third-country access and operational disruption. CADA introduces "Union assurance levels" (1–4) for cloud services used by the public sector. Crucially, Levels 3 and 4 function as a form of "foreign-law immunity": providers must be free from third-country control or, at Level 3 only, may be controlled from a third country that the Commission has certified as lacking extraterritorial reach. As stated in Recital 63, the EU-US Data Privacy Framework addresses transfers but "does not remove sovereignty concerns about dependence on third-country providers," as sovereignty "goes beyond data transfers and relates to operational autonomy too."
Detail
The interaction between CADA and the GDPR represents a fundamental shift from a purely data-protection compliance model to a comprehensive technological sovereignty framework. To navigate this, legal and compliance teams must distinguish between the legality of a data transfer (the domain of the GDPR) and the structural independence of the service provider (the domain of CADA).
GDPR Chapter V vs. CADA's Sovereignty Framework
The General Data Protection Regulation (GDPR) Chapter V establishes the rules for transferring personal data outside the European Economic Area (EEA). It relies on mechanisms such as adequacy decisions (e.g., the EU-US Data Privacy Framework), Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). The GDPR's primary concern is whether the recipient country ensures an "essentially equivalent" level of protection for fundamental rights.
However, the CADA proposal explicitly recognises that GDPR compliance alone is insufficient to mitigate strategic dependencies. Recital 63 of the explanatory memorandum states: "However, while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers. The proposal thus complements the EU-US Data Privacy Framework as the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."
Consequently, CADA establishes a parallel regime focused on the structural and legal independence of cloud service providers. It does not alter the GDPR's rules on data flows but imposes additional procurement constraints on public bodies to ensure that the infrastructure processing that data is resilient against extraterritorial legal orders.
The Union Assurance Levels: A Tiered Approach to Immunity
Article 16 establishes the "Union cloud computing sovereignty framework," comprising four assurance levels. These levels dictate the criteria a cloud service must meet to be procured by Union entities and public sector bodies. The interaction with GDPR transfers becomes most critical at Levels 3 and 4, where CADA imposes restrictions that function similarly to "foreign-law immunity."
Union Assurance Level 1: The Baseline
Level 1 requires the provider to be established in the Union, with infrastructure and assets located in the Union. Customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, 1.1(c)). This level allows for some third-country control but mandates that no existing laws in the controlling third country require the provider to report software vulnerabilities to foreign authorities before they are exploited in the EU.
Union Assurance Levels 3 and 4: The Immunity Shield
Levels 3 and 4 introduce stringent barriers against third-country influence, effectively creating a shield against extraterritorial legal orders.
- Level 3 Criteria: Under Annex II, 3.1(g), providers and subcontractors must not be subject to the control of a third country or a legal entity established in a third country. This is a hard prohibition, with a narrow, specific derogation mechanism.
- The Derogation (Article 18): The Commission may adopt implementing acts to identify specific third countries whose providers can still qualify for Level 3. To qualify, the third country must meet cumulative criteria, including:
  - Being subject to a relevant adequacy decision under Article 45 of the GDPR (Article 18(1)(a)).
  - Having no measures enabling it to exercise control over the provider in a way that conflicts with lawful access to non-personal data set out in Article 32 of the Data Act (Regulation (EU) 2023/2854) (Article 18(1)(b)).
  - Having no measures compelling the provider to degrade or disrupt service continuity (Article 18(1)(c)).
  - Having no measures impeding the provision of state-of-the-art technologies (Article 18(1)(d)).
This structure means that for a provider from a third country (e.g., the US) to offer services at Level 3, the Commission must formally determine that the country's laws do not allow for the type of extraterritorial access that threatens EU public order. This goes beyond the GDPR's adequacy assessment, which focuses on data protection, to include operational continuity and technological autonomy.
- Level 4 Criteria: This highest level removes the derogation entirely. Annex II, 4.1(g) strictly prohibits the audited provider and subcontractors from being subject to the control of a third country or a legal entity established in a third country. There is no Article 18-style exception for Level 4. This ensures absolute immunity from foreign legal compulsion regarding data access and service disruption.
Risk Assessments and Procurement Obligations
The mechanism that activates these protections is the risk assessment. Under Article 29, Member States and Union entities must conduct risk assessments to determine which public sector activities concern "public order." This includes sectors falling under Annex I or II of the NIS2 Directive, as well as national security, defence, justice, and law enforcement.
If a risk assessment identifies an activity as contributing to the preservation of public order, Article 30(3) mandates that contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
This creates a direct link between the nature of the data/workload and the required level of foreign-law immunity. For standard administrative tasks, Level 1 may suffice. For critical infrastructure or sensitive government functions, the procurement rules force the buyer to select a provider that is either EU-controlled or, in the case of Level 3, from a country certified by the Commission as not exerting extraterritorial control.
Interaction with the EU-US Data Privacy Framework
The EU-US Data Privacy Framework is an adequacy decision under GDPR Article 45. It facilitates the transfer of personal data to US companies by asserting that the US provides adequate protection. However, CADA treats this as merely one criterion among many for Level 3 recognition.
Recital 61 notes that for Level 3, the Commission will assess whether the adequacy decision applies generally or is limited to specific sectors. Crucially, even if an adequacy decision exists, the Commission must verify under Article 18(1)(c) that the US has no measures in place to "compel the cloud computing service provider to degrade or disrupt service continuity." This addresses the "operational autonomy" gap left by GDPR. A US provider might be GDPR-compliant via the Data Privacy Framework, but if it cannot demonstrate immunity from US laws that could disrupt service (e.g., sanctions or executive orders), it may fail to meet CADA's Level 3 criteria unless the Commission issues a specific implementing act waiving this based on other safeguards.
What this means for you
For in-house counsel and compliance officers, CADA introduces a new layer of due diligence that sits atop existing GDPR transfer mechanisms.
- Map Your Assurance Levels: Identify which of your cloud workloads fall under "public order" as defined by your national risk assessment. If your organisation is a public body or a critical entity under NIS2, you must determine whether your current providers meet Level 2, 3, or 4 criteria.
- Audit Third-Country Control: For providers seeking Level 3 or 4 recognition, scrutinise their ownership structures. Under Annex II, providers must demonstrate they are not subject to third-country control. If your provider is US-based, verify whether the Commission has adopted an implementing act under Article 18 recognising the US for Level 3. If not, US providers may only qualify for Level 1 or 2, restricting their use in critical public sector contracts.
- Review Transfer Impact Assessments (TIAs): While TIAs under GDPR assess data protection risks, CADA requires a broader "sovereignty risk assessment." Document not just data access risks, but also operational disruption risks. Ensure your contracts include clauses that allow you to refuse compliance with foreign legal orders that conflict with EU sovereignty, aligning with the spirit of CADA's assurance levels.
- Monitor Commission Decisions: Watch for implementing acts under Article 18. The list of third countries eligible for Level 3 will be published by the Commission. Changes to this list will directly impact your procurement options.
- Prepare for Penalties: Article 24 mandates that Member States lay down effective, proportionate and dissuasive penalties for infringements. While specific fine amounts are left to national implementation, non-compliance with procurement rules (Article 30) could lead to significant administrative fines and contractual liabilities.
Common misconceptions
"CADA replaces the GDPR." Incorrect. CADA does not repeal or amend the GDPR. It operates in parallel. GDPR governs the flow of personal data; CADA governs the sovereignty of the infrastructure processing that data. You must still comply with GDPR Chapter V, even if your provider meets CADA Level 4.
"EU-US Data Privacy Framework ensures CADA compliance." Incorrect. The Data Privacy Framework is an adequacy decision for data transfers. It does not automatically grant a US provider CADA Level 3 status. The provider must still meet the cumulative criteria in Article 18, including operational autonomy and lack of disruptive legal measures.
"Level 1 is sufficient for all government data." Incorrect. Article 30 mandates that activities identified as contributing to public order must use Level 2, 3, or 4 services. Level 1 is only for non-critical public sector activities. Misclassifying a workload could lead to procurement irregularities and security vulnerabilities.
"CADA prohibits all non-EU providers." Incorrect. CADA allows non-EU providers to qualify for Level 3 if the Commission adopts an implementing act under Article 18. However, Level 4 strictly prohibits third-country control. The framework is risk-based, not a blanket ban.
This is general information about a draft EU regulation, not legal advice.