Summary
As proposed, the Cloud and AI Development Act (CADA) does not restrict the free movement of data within the European Union. Instead, its sovereignty framework specifically targets access by third-country actors and mandates that customer data remain exclusively within the Union unless a public sector body explicitly requires otherwise. This approach is explicitly designed to be consistent with the Free Flow of Non-Personal Data Regulation (Regulation (EU) 2018/1807). Recital 64 of the CADA proposal reaffirms that "the free flow of data within the Union is an essential condition for the proper functioning of the internal market" and that data "may be stored and processed across the Union without unjustified restrictions." For in-house counsel, this means that while intra-EU data flows remain unrestricted, you must ensure your cloud providers meet specific Union assurance levels to prevent data exfiltration to non-EU jurisdictions, particularly when serving public sector clients.
Detail
The relationship between the proposed Cloud and AI Development Act (CADA) and the Free Flow of Non-Personal Data Regulation (Regulation (EU) 2018/1807) is one of complementary reinforcement rather than conflict. CADA aims to strengthen the EU's cloud and AI ecosystem by reducing dependencies on non-European providers, while the Free Flow Regulation removes restrictions on the cross-border movement of non-personal data within the EU.
Recital 64: Reaffirming the Free Flow Principle
The CADA proposal explicitly addresses the potential tension between data sovereignty and the internal market. Recital 64 states: "The free flow of data within the Union is an essential condition for the proper functioning of the internal market. To promote the free flow of data within the Union and to support the functioning of the internal market, it is appropriate that Member States ensure that data is not confined to the territory of a single Member State and may be stored and processed across the Union without unjustified restrictions."
This recital confirms that CADA's sovereignty measures are not intended to create data localization barriers within the EU. Instead, they are designed to prevent third-country access and ensure operational autonomy. The proposal distinguishes between data localization (where data is stored) and data sovereignty (who has access to and control over the data). CADA's Union assurance levels (1 through 4) focus on the latter, ensuring that even if data moves freely between Member States, it remains protected from extraterritorial legal claims by non-EU governments.
Article 29: Risk Assessments and Public Order
Article 29 of the CADA proposal outlines the obligation for Member States and Union entities to conduct risk assessments. These assessments determine which Union assurance level is appropriate for specific public sector activities. The article mandates that these assessments consider:
- The sensitivity, criticality, and magnitude of non-personal data processed.
- The risk of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk of service disruption.
Crucially, Article 29 does not prohibit the storage of data in another Member State. Instead, it requires that the cloud computing service provider meet specific criteria (detailed in Annex II) to ensure that third-country actors cannot access the data. For example, Union assurance level 2 requires that customer data, including metadata and telemetry data, remain exclusively within the Union unless the public sector body explicitly requires otherwise. This aligns with the Free Flow Regulation's goal of allowing data to move freely across borders within the EU, while adding a layer of security against external threats.
Consistency with the Free Flow of Non-Personal Data Regulation
The Free Flow of Non-Personal Data Regulation prohibits Member States from restricting the storage or processing of non-personal data within the EU, with limited exceptions for public security and national security. CADA's sovereignty framework operates within these exceptions but is narrowly tailored to address third-country dependencies rather than intra-EU fragmentation.
Recital 47 of CADA notes that existing Union law addresses cybersecurity and data protection but lacks a cross-cutting framework for trusted cloud computing services. CADA fills this gap by providing a harmonized mechanism for assessing sovereignty risks. This harmonization is essential because divergent national approaches to data sovereignty could otherwise fragment the internal market, undermining the Free Flow Regulation. By establishing EU-wide assurance levels, CADA ensures that a cloud service provider recognized in one Member State can operate across the Union without facing conflicting national data localization rules.
Implications for Data Movement and Storage
For cloud service providers and their customers, CADA's requirements mean that:
- Intra-EU Data Flows Remain Unrestricted: Data can be stored and processed in any Member State, provided the cloud service provider meets the relevant Union assurance level.
- Third-Country Access is Restricted: Providers must implement technical and organizational measures to prevent third-country actors from accessing data, even if the data is stored within the EU. This includes blocking remote features that could tamper with or disrupt services.
- Explicit Consent for Non-EU Transfer: Data may only be transferred outside the EU if the public sector body explicitly requires it. This is a narrow exception and does not apply to general business operations.
Deadlines and Compliance
Member States must designate national competent authorities within one year of the regulation's entry into force. Cloud service providers seeking recognition under Union assurance levels 2, 3, or 4 must undergo independent third-party audits. The recognition process involves submission of evidence to the national competent authority of establishment, which then assesses compliance within 60 days. For public sector bodies, risk assessments must be carried out within one year of the regulation's entry into force and repeated every two years or whenever necessary.
Penalties
Article 24 of CADA empowers Member States to lay down rules on penalties for infringements of the sovereignty framework. These penalties must be effective, proportionate and dissuasive. Factors considered in imposing penalties include the nature, gravity, scale, and duration of the infringement, as well as the financial benefits gained or losses avoided by the infringing party. While specific fine amounts are left to Member States, the framework ensures that non-compliance carries significant legal and financial risks.
What this means for you
For in-house counsel and compliance officers, the interaction between CADA and the Free Flow of Non-Personal Data Regulation requires a nuanced understanding of data governance.
- Audit Your Data Flows: Ensure that your cloud service providers can demonstrate compliance with Union assurance levels, particularly if you serve public sector clients. This includes verifying that data remains within the EU and that third-country access is blocked.
- Review Contracts: Update cloud service agreements to include clauses that align with CADA's sovereignty requirements. This may involve specifying data residency within the EU and requiring providers to disclose any third-country ownership or control.
- Prepare for Risk Assessments: If you are a public sector body, begin preparing for the mandatory risk assessments under Article 29. Identify which activities contribute to the preservation of public order and determine the appropriate Union assurance level for each.
- Monitor Regulatory Developments: CADA is a proposal and may change during the legislative process. Stay informed about updates to the Union assurance levels and the criteria for third-country recognition, as these will impact your compliance strategy.
- Engage with Competent Authorities: Build relationships with your national competent authority to understand the specific requirements for recognition and audit processes. Early engagement can help streamline compliance and avoid potential penalties.
Common misconceptions
Misconception 1: CADA prohibits cross-border data storage within the EU. This is incorrect. Recital 64 explicitly supports the free flow of data within the Union. CADA's sovereignty framework restricts third-country access, not intra-EU data movement. Data can be stored in any Member State, provided the cloud service provider meets the relevant assurance level.
Misconception 2: CADA applies only to personal data. CADA applies to both personal and non-personal data. The sovereignty framework is designed to protect all customer data, including metadata and telemetry data, from third-country access. This is consistent with the Free Flow of Non-Personal Data Regulation, which also covers non-personal data.
Misconception 3: CADA conflicts with the Free Flow of Non-Personal Data Regulation. CADA is designed to be consistent with the Free Flow Regulation. By harmonizing sovereignty criteria across the EU, CADA prevents national fragmentation that could undermine the free flow of data. The proposal's focus on third-country dependencies rather than intra-EU restrictions ensures compatibility with existing EU data laws.
This is general information about a draft EU regulation, not legal advice.