Summary

GDPR Article 48 provides that a third-country court or administrative order requiring a controller or processor to transfer or disclose personal data is recognised or enforceable only if it is based on an international agreement, such as a mutual legal assistance treaty (MLAT). It is a cornerstone of EU data sovereignty, blocking extraterritorial laws like the US CLOUD Act from bypassing EU safeguards. As proposed, the Cloud and AI Development Act (CADA) complements it by requiring public sector bodies to procure cloud services meeting specific "Union assurance levels" (Article 16), so sovereignty risks from third-country control are managed proactively at procurement, not just blocked reactively.

Detail

The barrier: GDPR Article 48 and extraterritorial orders

Article 48 of the General Data Protection Regulation (GDPR) is the EU's primary legal shield against the extraterritorial reach of foreign surveillance and data-access laws. It provides that any judgment of a court or tribunal, or any decision of an administrative authority, of a third country requiring a controller or processor to transfer or disclose personal data may be recognised or enforceable only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State (without prejudice to other grounds for transfer under Chapter V).

This matters for sovereignty because it legally insulates EU data from foreign legal regimes that do not offer equivalent protection for fundamental rights. Without Article 48, a foreign authority could compel a company to hand over data stored in the EU, effectively overriding EU law. Article 48 keeps such data flows governed by EU law and international treaties, preserving the EU's regulatory autonomy.

The conflict: the US CLOUD Act

The tension between Article 48 and US law is clearest with the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). It added 18 U.S.C. § 2713, requiring providers of electronic communication or remote computing services to preserve, back up, or disclose the contents of communications and any record or other information within their "possession, custody, or control," regardless of whether that data is located inside or outside the United States.

That creates a direct conflict. A US-based provider storing data in an EU data centre could be served with a US order to produce it. Under GDPR Article 48, the provider cannot lawfully comply on the basis of that order alone unless the request rests on a treaty basis such as an MLAT or an executive agreement of the kind authorised under 18 U.S.C. § 2523. Complying without such a basis risks infringing GDPR, exposing the provider to significant penalties and liability in the EU.

Recital 46 of the CADA proposal acknowledges this landscape, noting that the Union remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries, which exposes it to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws." This is why mere compliance with GDPR transfer rules is, as proposed, insufficient for genuine sovereignty.

The CADA response: Union assurance levels

Where GDPR Article 48 is a reactive barrier to unlawful data flows, the proposed CADA would add a proactive framework that mitigates sovereignty risks at the procurement stage. CADA does not replace GDPR; it would complement it by addressing the structural dependence that makes Article 48 conflicts likely in the first place.

Central to this is Article 16, which would establish a "Union cloud computing sovereignty framework" of four Union assurance levels, with criteria set out in Annex II that providers must meet to serve Union entities and public sector bodies.

  • Union assurance level 1 would require providers to be established in the Union, with infrastructure and assets located in the Union, and customer data kept exclusively within the Union unless the public sector body explicitly requires otherwise. Where the provider is subject to third-country control, it must guarantee — demonstrated by independent sources — that no laws or practices in that third country require it to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited.
  • Union assurance levels 2 to 4 are audited and add stricter requirements. Levels 3 and 4 require, in principle, that the audited provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country — at level 3 with a narrow derogation for "associated third countries" (Article 18), and at level 4 with none. Across the audited levels, data generated by using the service may not be used to train or fine-tune AI systems operated by a third country, and technical support must be initiated and performed within the Union.

By tying public procurement to these levels, CADA would ensure the EU's most sensitive data sits on infrastructure that is legally and technically insulated from extraterritorial interference, reducing the likelihood that a provider is ever caught between a US order and GDPR Article 48.

Why this matters for in-house counsel

For in-house counsel and compliance officers, the intersection of Article 48 and the emerging CADA framework calls for a dual-track strategy.

  1. Immediate GDPR compliance. Ensure any provider has clear contractual mechanisms to resist foreign orders lacking a treaty basis. For US-based providers, verify appropriate safeguards consistent with Chapter V and the discipline of Article 48.
  2. Future-proofing with CADA. As proposed, public sector bodies — and private entities in NIS2 high-criticality sectors that opt to (Article 31) — would run risk assessments (Article 29) to determine the appropriate Union assurance level. Begin auditing current contracts against the Annex II criteria: if a provider is third-country controlled, can it demonstrate the legal and technical separation needed for level 2 or 3?

On enforcement, infringements of GDPR Article 48 can attract fines of up to EUR 20 million or 4% of total worldwide annual turnover. Separately, under the proposed CADA, Member States would set penalties for infringements by cloud computing service providers that are effective, proportionate and dissuasive (Article 24); specific amounts would be set in national law, but the direction toward firm enforcement of sovereignty criteria is clear.

What this means for you

  • Audit your cloud contracts. Review data processing agreements and SLAs. Do they require notification of foreign legal requests, and a commitment to challenge requests lacking a valid MLAT or executive-agreement basis?
  • Map your data flows. Identify where personal data is stored and processed. For any third-country processing, ensure a valid Chapter V transfer mechanism is in place alongside Article 48 discipline.
  • Prepare for CADA risk assessments. Public sector bodies, and private entities in high-criticality sectors that choose to assess, should ready themselves for Article 29 risk assessments and check whether current providers can meet the required Union assurance level.
  • Monitor third-country control. For providers under third-country control, verify against the Annex II criteria — particularly prevention of third-country data access and of service disruption.

Common misconceptions

  • "GDPR Article 48 bans all data transfers to third countries." Article 48 addresses transfers compelled by foreign court or administrative orders lacking a treaty basis. It does not ban commercial transfers, which are governed by Chapter V of the GDPR (adequacy decisions, standard contractual clauses, and so on).
  • "The CLOUD Act automatically overrides GDPR." The CLOUD Act and GDPR conflict, but Article 48 remains valid EU law. EU courts and regulators will enforce the GDPR, and providers must reconcile both — often by challenging foreign orders or relying on a treaty or executive-agreement basis.
  • "CADA replaces GDPR for data protection." As proposed, CADA focuses on sovereignty and operational autonomy. It would complement GDPR by ensuring the hosting infrastructure is resilient to third-country interference; it would not replace GDPR's fundamental-rights protections.

This is general information about a draft EU regulation, not legal advice.