Summary

Under the proposed Cloud and AI Development Act (CADA), national competent authorities would possess extensive investigative powers to verify compliance with the Union cloud computing sovereignty framework. As proposed in Article 26, authorities would be empowered to require the immediate provision of relevant information, conduct inspections of business premises, and seize or copy data stored on any storage medium. Crucially, while authorities could record explanations from staff or representatives, this specific action would strictly require the individual's consent. These powers are designed to ensure that cloud providers meet the rigorous criteria for Union assurance levels, extending beyond the provider to include auditors and subcontractors.

Detail

The Cloud and AI Development Act (CADA) introduces a harmonised sovereignty framework for cloud computing services in the EU, categorised by four "Union assurance levels." To enforce this framework, the proposal grants national competent authorities significant investigative powers. These powers are detailed in Article 26 of the proposal, which outlines the mechanisms authorities would use to verify whether a cloud computing service provider complies with the technical, legal, and organisational criteria required for recognition.

The scope of these powers is broad, reflecting the complexity of modern cloud infrastructure where data, personnel, and control mechanisms are often distributed across various physical and digital environments. Article 26(1) explicitly lists the investigative powers that competent authorities of establishment would hold when carrying out their tasks under the recognition process (Article 17) and the broader sovereignty framework.

1. The Power to Request Information

Under Article 26(1)(a), competent authorities would have the power to require any cloud computing service provider, as well as "any other persons acting for purposes related to their trade, business, craft or profession," to provide information as soon as possible. This obligation extends to anyone who may reasonably be expected to be aware of information relating to a suspected infringement.

This provision is critical for ensuring a complete audit trail. It explicitly includes auditing organisations, ensuring that the audit trail itself is subject to scrutiny if irregularities are suspected. If a provider claims compliance based on an audit report, the authority can compel the auditor to provide the underlying evidence, methodology, and data used to reach that conclusion. The obligation to provide information "as soon as possible" implies a strict timeline for cooperation, preventing delays that could hinder an investigation into potential sovereignty breaches.

2. Premises Inspections and Data Seizure on Any Medium

One of the most intrusive powers granted is the ability to conduct physical or remote inspections of business operations. Article 26(1)(b) states that authorities would have the power to carry out, or request a judicial authority to order, inspections of any premises that the provider or related persons use for their trade, business, craft, or profession.

The purpose of these inspections is to "examine, seize, take or obtain copies of information relating to a suspected infringement." The proposal uses precise and expansive language regarding the form of this information. It specifies that authorities may access information "in any form, irrespective of the storage medium."

This phrasing is legally significant for several reasons:

  • Technology Agnosticism: It ensures the regulation remains effective regardless of future technological shifts. Whether data is stored on traditional hard drives, solid-state drives, magnetic tapes, or emerging quantum storage formats, the authority's power applies.
  • Physical and Digital Scope: The power covers both physical hardware (servers, laptops, backup tapes) and digital data streams. Authorities could seize a physical server to perform forensic analysis or "take or obtain copies" of data from a live system without necessarily removing the hardware.
  • No Safe Havens: The "irrespective of the storage medium" clause prevents providers from attempting to hide evidence by using obscure storage solutions, encrypted personal devices used for business, or non-standard data repositories. If the information relates to a suspected infringement of the sovereignty framework, the medium on which it resides does not grant immunity.

The power to "seize" implies the temporary removal of hardware or media for forensic analysis to ensure the integrity of the evidence. Conversely, "take or obtain copies" allows for the extraction of digital evidence without necessarily removing the physical asset, which is crucial for maintaining the operational continuity of cloud services while still gathering necessary proof.

3. Recorded Explanations with Consent

While the power to inspect and seize is broad, the proposal introduces a specific safeguard for individual testimony to protect the rights of defence and privacy. Article 26(1)(c) grants authorities the power to ask any member of staff or representative of the provider to give explanations in respect of any information relating to a suspected infringement.

However, a critical limitation applies to the recording of these interactions. The text states that authorities may record answers "by any technical means" only "with their consent." This distinction is vital:

  • Obligation to Speak: Staff and representatives are generally obligated to provide explanations regarding the suspected infringement.
  • Right to Refuse Recording: While they must answer, they retain the right to refuse to have their answers recorded via audio, video, or other technical means.
  • Safeguard: This prevents the state from creating a permanent, unconsented record of statements that could be used in ways beyond the immediate investigation, balancing the need for evidence with individual privacy rights.

Enforcement Powers and Procedural Safeguards

Beyond the investigative phase, Article 26(2) outlines the enforcement powers available once an infringement is identified. Authorities could order the cessation of infringements, impose remedies proportionate to the violation, or levy fines. They could also impose periodic penalty payments to ensure compliance with investigative orders, for instance where a provider refuses to provide information or to allow an inspection.

However, these powers are not unlimited. Article 26(3) mandates that measures taken must be "effective, dissuasive and proportionate." Authorities must consider the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider. This ensures that a small provider is not crushed by disproportionate enforcement actions.

Furthermore, Article 26(4) requires Member States to establish specific rules and procedures for exercising these powers, ensuring they are subject to adequate safeguards under national law. These safeguards include:

  • Respect for the right to private life.
  • The rights of defence, including the right to be heard.
  • The right of access to the file.
  • The right of all affected parties to an effective judicial remedy.

This ensures that while authorities have strong tools, their use is checked by judicial oversight and fundamental rights protections.

The Role of Auditing Organisations

The investigative powers extend significantly to auditing organisations, which play a central role in the CADA framework for Union assurance levels 2, 3, and 4. Since providers must submit audit reports and opinions to gain recognition, these organisations hold critical evidence regarding compliance. Article 26(1)(a) explicitly includes auditing organisations within the scope of persons who must provide information. This prevents a situation where a provider claims compliance based on an audit, but the auditor's methodology, data, or findings are shielded from regulatory scrutiny. If an audit is found to be flawed or fraudulent, the authorities can compel the auditor to provide all relevant evidence.

What this means for you

For CTOs, architects, compliance officers, and SMEs evaluating the practical impact of CADA, these provisions necessitate robust internal governance and clear data handling protocols.

  1. Prepare for On-Site and Remote Inspections: You must assume that authorities could inspect your facilities or request access to your systems at short notice. Ensure that your infrastructure documentation, access logs, and security policies are readily accessible and up-to-date. The phrase "irrespective of the storage medium" means you cannot hide evidence by using obscure storage solutions or encrypted personal devices if those devices are used for business purposes.
  2. Train Staff on Consent Rights: Employees and representatives should be trained on their rights during an investigation. While they are obligated to provide explanations, they have the right to consent before any recording takes place. Establishing clear internal protocols on how to handle such requests can prevent legal complications and ensure that interactions with authorities are conducted professionally and legally.
  3. Maintain Comprehensive Audit Trails: Since auditing organisations are also subject to investigation, ensure that your chosen auditors maintain rigorous, transparent records. If your provider status is challenged, the integrity of your audit evidence will be scrutinised. Keep detailed records of all interactions with auditors, including the data provided and the methodologies used.
  4. Implement Strong Data Governance: The power to seize or copy data means that data sovereignty and security are not just contractual issues but legal compliance issues. Ensure that your data handling practices align with the Union assurance levels you claim. If you claim Level 3 or 4, your data localisation and third-country control measures must be verifiable at a moment's notice.

Common misconceptions

  • Misconception: "Authorities can record my statements without my permission."
    • Reality: As per Article 26(1)(c), while authorities can ask for explanations, they must obtain your consent to record those answers by any technical means. You can speak, but you can refuse to be recorded.
  • Misconception: "Only the cloud provider is subject to investigation."
    • Reality: The proposal explicitly includes "any other persons acting for purposes related to their trade, business, craft or profession," including auditing organisations (Article 26(1)(a)). Subcontractors and partners may also be within scope if they hold relevant information.
  • Misconception: "Data stored on personal devices is safe from seizure."
    • Reality: The power to inspect and seize applies to information "irrespective of the storage medium" (Article 26(1)(b)). If a personal device is used for business purposes related to the cloud service, it could be subject to inspection or data extraction.

This is general information about a draft EU regulation, not legal advice.