Summary
As proposed, the Cloud and AI Development Act (CADA) complements but does not replace the EU-US Data Privacy Framework. While the Framework addresses the legality of transatlantic data transfers, CADA's sovereignty framework targets operational autonomy, infrastructure control, and critical dependencies on third-country providers that the Framework does not resolve. Consequently, even if data transfers are lawful under the Framework, public sector bodies may still be required to procure cloud services meeting CADA's strict Union assurance levels to preserve public order. The two instruments operate on parallel tracks: one ensures data protection; the other ensures strategic autonomy.
Detail
The relationship between CADA and the EU-US Data Privacy Framework is one of functional complementarity rather than substitution. CADA introduces a distinct regulatory layer focused on technological sovereignty and operational resilience, addressing risks that data protection adequacy decisions do not cover.
Complementarity, Not Replacement
The CADA explanatory memorandum explicitly states that the proposal is "consistent with existing rules on the processing of personal data, including the General Data Protection Regulation (GDPR) and the EU-US Data Privacy Framework." However, it draws a sharp distinction between data privacy and sovereignty. The memorandum notes that "while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers."
CADA argues that the notion of sovereignty "goes beyond data transfers and relates to operational autonomy too." Therefore, CADA "complements the EU-US Data Privacy Framework" by ensuring that European users are not exposed to risks related to operational discontinuity or unilateral decisions by third-country actors that could disrupt service provision, regardless of whether the data transfer itself is legally compliant under GDPR.
The Framework was designed to resolve the legal uncertainty surrounding the transfer of personal data to the United States following the invalidation of previous arrangements. It establishes a framework for the protection of personal data transferred from the EU to the US. However, as the CADA proposal highlights, this legal mechanism does not alter the underlying market reality of the EU's critical dependence on a small number of cloud providers subject to third-country control.
The Persistence of Dependency Risks
Despite the existence of the EU-US Data Privacy Framework, the EU remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries. Recital 46 of CADA highlights that this dependence exposes the Union to critical strategic dependencies, including vulnerabilities arising from the extraterritorial application of third-country laws.
The explanatory memorandum emphasizes that current market dynamics, where three non-EU hyperscalers control over 70% of the European cloud market, create risks that data transfer mechanisms alone cannot mitigate. These risks include:
- Operational Discontinuity: The risk that unilateral decisions by third-country actors could disrupt service provision.
- Loss of Control: Reduced oversight over infrastructure and assets.
- Extraterritorial Legal Reach: The application of laws that may conflict with EU fundamental rights, even if specific data transfers are covered by adequacy decisions.
The Framework ensures that personal data is protected during transfer. It does not, however, prevent a third-country government from compelling a provider to disrupt service continuity, degrade service quality, or access non-personal data and infrastructure. CADA is designed specifically to address these "non-technical risks" and "sovereignty concerns" that persist even when data privacy is secured.
CADA's Sovereignty Framework vs. Data Privacy
CADA establishes a Union cloud computing sovereignty framework consisting of four Union assurance levels (Article 16). This framework is designed to mitigate risks stemming from the EU's reliance on third countries for cloud computing services. It provides a harmonised and auditable set of criteria at different levels of sovereignty.
Crucially, the presence of an adequacy decision, such as the EU-US Data Privacy Framework, does not automatically exempt a provider from CADA's sovereignty requirements. While the Framework ensures a sufficient level of protection for personal data, it does not guarantee that a provider is free from the control of a third country in a manner that could disrupt service continuity or allow for unauthorized access to non-personal data or infrastructure.
The CADA framework operates on the premise that "sovereignty" encompasses more than just the flow of data; it encompasses the ability of the Union to act autonomously. This includes the capacity to ensure that cloud services remain available, that infrastructure is not subject to foreign coercion, and that the supply chain is resilient.
Article 18: Associated Third Countries and Union Assurance Level 3
The interaction between CADA and third-country frameworks like the EU-US Data Privacy Framework is most clearly defined in Article 18, which sets out conditions for the recognition of third countries for Union assurance level 3.
Under Article 18(1), the Commission may adopt decisions identifying third countries for which cloud computing service providers subject to the control of that third country may be audited against the criteria for Union assurance level 3. This is permitted only if the third country fulfills specific cumulative criteria.
One of these critical criteria, set out in Article 18(1)(a), is that the third country "is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679." This directly links the possibility of a third-country provider achieving a high level of CADA sovereignty recognition (Level 3) to the existence of a data protection adequacy decision, such as the EU-US Data Privacy Framework.
However, the adequacy decision is merely a prerequisite. Article 18(1) imposes additional, stringent conditions that go beyond data privacy:
- No Conflicting Control: The third country must have no measures in place that enable it to exercise control over the provider in a way that conflicts with lawful access to non-personal data (Article 18(1)(b)).
- No Service Disruption: The third country must have no measures in place to compel the provider to degrade or disrupt service continuity (Article 18(1)(c)).
- No Impediment to Technology: The third country must not impede the provision of state-of-the-art technologies (Article 18(1)(d)).
- Open Market and Reciprocity: The third country must maintain an open market to Union cloud services and grant equivalent levels of access to public procurement procedures (Article 18(1)(e) and (f)).
If available information reveals that a third country no longer fulfills these requirements, the Commission shall repeal, amend, or suspend the decision (Article 18(2)). This means that even if the EU-US Data Privacy Framework remains in force, a US-based provider could lose eligibility for Union assurance level 3 under CADA if other sovereignty criteria are not met. The Framework addresses the transfer of data; Article 18 addresses the control of the provider and the continuity of the service.
Public Procurement Implications
For public sector bodies, the distinction is operationally significant. Article 30 of CADA mandates that contracting authorities whose activities contribute to the preservation of public order must only procure cloud computing services recognized as having Union assurance level 2, 3, or 4.
If a US-based provider is recognized only for Union assurance level 1 (via self-assessment) or fails to meet the additional criteria for level 3 under Article 18, it may be ineligible for procurement in critical public sector use cases, even if its data transfer mechanisms are fully compliant with the EU-US Data Privacy Framework. The Framework ensures data privacy; CADA ensures operational sovereignty.
A contracting authority conducting a risk assessment under Article 29 might determine that a specific public sector activity (e.g., law enforcement or critical infrastructure) requires Union assurance level 3. If the US has not been designated as an "associated third country" under Article 18, or if the specific provider cannot demonstrate compliance with the Article 18 criteria, that provider cannot be used for that activity, regardless of its GDPR compliance status.
What this means for you
For in-house counsel and compliance officers, the key takeaway is that GDPR compliance via the EU-US Data Privacy Framework is necessary but insufficient for public sector cloud procurement under CADA.
- Dual Compliance Track: You must maintain compliance with the EU-US Data Privacy Framework for data transfers involving personal data. Simultaneously, you must assess your eligibility for CADA's Union assurance levels. These are two separate legal obligations with different scopes.
- Assessing Level 3 Eligibility: If you are a US-based provider targeting critical EU public sector contracts, you must monitor whether the Commission has adopted a decision under Article 18 recognizing the US as an "associated third country" for Union assurance level 3. This recognition depends on more than just the adequacy decision; it requires demonstrating that US laws do not compel service disruption or unauthorized access to non-personal data.
- Operational Autonomy Documentation: Prepare to document measures that ensure operational autonomy. CADA's audit criteria for levels 2-4 (Article 20) will scrutinize your ability to resist third-country compulsion to disrupt services or access data, a concern distinct from data privacy.
- Procurement Strategy: Public sector clients will increasingly separate data privacy assessments from sovereignty assessments. Ensure your contracts and technical documentation address operational continuity and supply chain resilience, not just data protection clauses.
Common misconceptions
- Misconception: "If we comply with the EU-US Data Privacy Framework, we are automatically compliant with CADA."
- Reality: The Framework addresses personal data transfers. CADA addresses operational sovereignty, infrastructure control, and service continuity. A provider can be GDPR-compliant but fail to meet CADA's sovereignty criteria for critical public sector use cases.
- Misconception: "CADA replaces the need for adequacy decisions."
- Reality: CADA complements the Framework. Article 18 explicitly requires an adequacy decision as a prerequisite for recognizing a third country for Union assurance level 3. The two regimes are interlinked, not mutually exclusive.
- Misconception: "US providers are banned from the EU public sector."
- Reality: US providers can participate, but they must meet specific sovereignty criteria. If the Commission recognizes the US under Article 18, US providers can be audited for Union assurance level 3. Without such recognition, they may be limited to lower assurance levels or excluded from critical procurement.
Official sources
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
Related
- CADA Multi-Cloud Guidance vs. Data Act: How They Interact
- CADA vs the Data Governance Act: How do they interact?
- How does CADA interact with the Data Act?
- Why does CADA call the Data Act an 'enabler'?
- CADA vs NIS2: What Data Centre Operators Must Know
This is general information about a draft EU regulation, not legal advice.