Summary

Under the proposed Cloud and AI Development Act (CADA), when national competent authorities seize, take, or copy information during an investigation, the subsequent handling, retention, and destruction of that material are strictly governed by applicable national law and the general principles of Union law. As proposed in Article 26(4), the exercise of these investigative powers is subject to adequate safeguards, including the right to respect for private life and the rights of defence. CADA does not establish a separate, EU-wide retention or destruction schedule for seized data; instead, providers must rely on their national jurisdiction's procedural rules for data protection and evidence handling, ensuring that any seizure remains proportionate to the suspected infringement.

Detail

The Cloud and AI Development Act (CADA) establishes a robust framework for the supervision of cloud computing service providers, particularly regarding the recognition of Union assurance levels and the enforcement of sovereignty criteria. To enforce these rules effectively, the proposal mandates that Member States designate national competent authorities equipped with specific investigative and enforcement powers. The handling of information seized during these investigations represents a critical intersection between regulatory oversight and fundamental rights protection.

Investigative Powers and the Scope of Seizure

The authority to seize information is explicitly granted to national competent authorities of establishment. As proposed in Article 26(1)(b), these authorities have the power to "carry out, or to request a judicial authority in their Member State to order, inspections of any premises that those providers or those persons acting for purposes related to their trade, business, craft or profession, use for purposes related to their trade, business, craft or profession, or to request other public authorities to do so, in order to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium."

This provision grants authorities broad discretion to access both physical and digital premises. The phrase "in any form, irrespective of the storage medium" is significant; it indicates that authorities can seize hard drives, cloud storage access keys, physical documents, electronic logs, or any other medium containing relevant data. However, the power to seize or take information is legally distinct from the power to retain or process that information indefinitely after the seizure. CADA does not create a standalone EU regime for post-seizure data handling, leaving the operational details to national procedural frameworks.

Governance by National Law and Union Principles

The crucial constraint on these investigative powers is found in Article 26(4). This paragraph stipulates that Member States must set out specific rules and procedures for the exercise of the powers listed in Article 26(1) and (2). It explicitly states that any exercise of those powers "shall be subject to adequate safeguards under applicable national law in compliance with the general principles of Union law."

This compliance requirement ensures that the exercise of power is not arbitrary. The safeguards mandated by Article 26(4) include:

  1. The right to respect for private life: Authorities must balance investigative needs against the privacy rights of the provider, its employees, and any data subjects whose information is seized.
  2. The rights of defence: This includes the right to be heard and the right to have access to the file, ensuring that providers can challenge the scope or validity of the seizure.
  3. Effective judicial remedy: All affected parties must have the right to challenge the seizure or its outcomes in court.

Because CADA defers to national law for these procedural safeguards, the practical experience of a provider will vary significantly depending on the Member State of establishment. In some jurisdictions, seized digital media may be imaged on-site and returned immediately, while in others, physical drives may be retained for extended periods pending legal review or court orders.

Confidentiality, Proportionality, and Data Protection

While Article 26 focuses on the procedural safeguards of the seizure itself, the broader context of data handling is informed by the General Data Protection Regulation (GDPR) and national data protection laws. If the seized information contains personal data, the authority's processing of that data must comply with the GDPR. The CADA proposal acknowledges this in its recitals, noting that the proposal is consistent with existing rules on the processing of personal data.

Furthermore, Article 26(3) requires that measures taken by national competent authorities be "effective, dissuasive and proportionate." This proportionality principle acts as a vital check on excessive seizures. Authorities cannot seize vast amounts of irrelevant data simply because it is convenient; the scope of the seizure must be justified by the nature, gravity, recurrence, and duration of the suspected infringement, as well as the economic and technical capacity of the provider. This ensures that the intrusion into the provider's operations is limited to what is strictly necessary to address the suspected infringement.

No EU-Wide Retention Period

A notable absence in the CADA text is a specific EU-wide retention period for seized information. Unlike some other regulatory frameworks that mandate the destruction of evidence after a certain period if no charges are filed, CADA leaves this entirely to national procedural laws. Providers must therefore consult local legal counsel to understand how long seized data can be held and under what conditions it must be returned or destroyed. The proposal does not override national rules regarding the statute of limitations for evidence or the specific timelines for data return in administrative proceedings.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA, the deferral to national law presents both a challenge and an opportunity for preparation.

  1. Audit Your National Jurisdiction: Identify the Member State where your main establishment is located, as this determines which national competent authority has exclusive competence (Article 25(4)). Research that country's specific laws regarding digital evidence seizure, retention, and return. Does the local law allow for on-site imaging? Are there mandatory waiting periods before data can be returned?
  2. Prepare Incident Response Protocols: Ensure your IT security teams have a protocol for regulatory inspections. This should include procedures for verifying the identity of authorities, confirming the legal basis of the inspection (e.g., a judicial order if required by national law), and documenting exactly what is seized.
  3. Segregate Sensitive Data: While authorities can seize information "irrespective of the storage medium," maintaining clear segregation of personal data, trade secrets, and irrelevant business data can help in challenging overbroad seizures. If a seizure includes trade secrets, you may be able to invoke protections under national law and the general principles of Union law mentioned in Article 26(4).
  4. Legal Access: Ensure you have legal counsel ready to exercise the "rights of defence" and "right to have access to the file" immediately after a seizure. Early intervention can prevent the unnecessary retention of sensitive data and ensure that the proportionality principle is respected.

Common misconceptions

  • Misconception: CADA sets a strict EU-wide timeline for how long seized data can be kept.
    • Reality: CADA does not specify retention periods. This is governed entirely by national procedural laws and the GDPR, subject to the safeguards in Article 26(4).
  • Misconception: Authorities can seize any data they find on a company's servers without limitation.
    • Reality: Seizures must be proportionate to the suspected infringement (Article 26(3)). Overbroad seizures can be challenged on the grounds of proportionality and the right to respect for private life (Article 26(4)).
  • Misconception: The CADA authority alone decides the safeguards for seized data.
    • Reality: The safeguards are determined by national law, which must comply with EU general principles. National courts often play a key role in approving or reviewing these seizures to ensure the right to respect for private life is upheld.

This is general information about a draft EU regulation, not legal advice.