Summary
Under the proposed Cloud and AI Development Act (CADA), the right to be heard is a fundamental procedural safeguard for cloud computing service providers facing enforcement actions by national competent authorities. Article 26(4) explicitly mandates that enforcement measures "shall be taken only in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file." This provision ensures that no penalty or corrective order is finalized without the provider having a meaningful opportunity to present their case. These rights are part of a broader framework of procedural safeguards designed to ensure that enforcement remains effective, dissuasive, and proportionate, while respecting the right to an effective judicial remedy.
Detail
The Cloud and AI Development Act (CADA) establishes a rigorous sovereignty framework for cloud computing services in the EU, requiring providers to meet specific "Union assurance levels" to serve public sector bodies. To enforce these requirements, CADA grants significant investigative and enforcement powers to national competent authorities, including the power to order the cessation of infringements, impose fines, and levy periodic penalty payments. However, the proposal carefully balances these powers with strict procedural protections for the providers under investigation, ensuring that the administrative process adheres to fundamental EU legal principles.
The Legal Basis: Article 26(4)
The core guarantee of the right to be heard is found in Article 26(4) of the CADA proposal. This provision states that measures taken by national competent authorities in exercising their investigative and enforcement powers "shall be taken only in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file, and shall be subject to the right of all affected parties to an effective judicial remedy."
This clause anchors CADA's enforcement mechanism in established EU administrative law principles. It ensures that a cloud provider cannot be subjected to a final penalty or a mandatory remedial order without first having the opportunity to present their case. The text explicitly links the right to be heard with the right of access to the file, creating a two-step defense mechanism: first, the provider must see the evidence against them; second, they must be allowed to respond to that evidence before a decision is made.
Components of the Right to Be Heard
In the context of CADA, the right to be heard encompasses several specific entitlements for the provider, derived from the general principles of EU law and explicitly referenced in Article 26(4):
- Notification of Allegations: Before a decision is adopted, the competent authority must inform the provider of the facts, circumstances, and legal grounds on which the proposed decision is based. This allows the provider to understand exactly what they are accused of violating (e.g., failing to meet Union Assurance Level 2 criteria regarding data localization or personnel).
- Access to the File: The right to "access to the file" means the provider must be allowed to review the evidence held by the authority that is relevant to the case. This includes audit reports, technical assessments, inspection records, and any other documentation used to establish non-compliance. This transparency is crucial for preparing a meaningful defense, particularly given the technical complexity of CADA's sovereignty criteria.
- Opportunity to Comment: The provider must be given a reasonable period to submit written observations or evidence in their defense. This may include technical explanations, counter-evidence from independent auditors (as referenced in Article 20), or arguments regarding mitigating circumstances.
- Oral Hearings: While CADA focuses on written procedures for efficiency, the general principle of the right to be heard in EU law often includes the right to an oral hearing if requested and if it is necessary for the proper conduct of the proceedings, particularly in complex technical cases involving cloud infrastructure audits.
Scope of Application
The right to be heard applies to all enforcement actions taken under Article 26(2), which includes:
- Orders to cease infringements and impose remedies.
- Imposition of fines for failure to comply with the Regulation.
- Imposition of periodic penalty payments to ensure compliance.
It also applies to investigative measures under Article 26(1) if those measures significantly affect the rights of the provider, such as inspections of premises or the seizure of information. However, routine information requests under Article 26(1)(a) may not trigger the full suite of rights to be heard unless they escalate into formal enforcement proceedings or lead to a decision adversely affecting the provider.
Procedural Safeguards and Proportionality
Article 26(3) requires that measures taken by national competent authorities must be "effective, dissuasive and proportionate." The right to be heard is a key mechanism for ensuring proportionality. By allowing the provider to present mitigating factors (such as the scale of the infringement, steps taken to remedy the situation, or technical constraints), the authority can tailor its response to the specific context.
Furthermore, Article 24 outlines the criteria for imposing penalties, including the nature, gravity, and duration of the infringement, and any action taken by the infringing party to mitigate damage. The right to be heard is the procedural vehicle through which a provider can demonstrate these mitigating factors to the authority before a penalty is set. Without this right, the authority might impose a penalty based on incomplete information, violating the proportionality requirement.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, understanding the right to be heard is critical for managing regulatory risk and protecting the company's interests during an investigation.
Immediate Actions During an Investigation
- Preserve the Right to Comment: If you receive a preliminary notice of infringement or a draft decision from a national competent authority, do not ignore it. The right to be heard is not automatic; it must be exercised. You must submit your defense within the specified deadline. Failure to respond may be interpreted as an admission of the facts.
- Request Access to the File: Proactively request access to all evidence the authority intends to use against you. Review audit reports from third-party auditors (required for Union Assurance Levels 2–4 under Article 20) carefully. If the audit evidence is flawed, incomplete, or based on incorrect technical assumptions, this is a primary ground for defense.
- Document Mitigating Factors: Use the hearing process to highlight any voluntary compliance efforts, technical challenges, or external factors that contributed to the non-compliance. As noted in Article 24(2), authorities must consider "any action taken by the infringing party to mitigate or remedy the damage" when setting penalties.
Strategic Considerations
- Technical Expertise: CADA enforcement involves complex technical assessments of cloud sovereignty, data localization, and cybersecurity. Your defense should be backed by technical experts who can challenge the authority's findings on technical grounds, particularly regarding the criteria in Annex II.
- Cross-Border Coordination: If your company operates in multiple Member States, ensure that your defense is coordinated across all relevant national competent authorities. Article 27 and Article 28 provide for mutual assistance and cross-border cooperation, meaning evidence and decisions in one country may influence proceedings in another.
- Record Keeping: Maintain detailed records of all communications with the competent authority. These records may be crucial if the case proceeds to an effective judicial remedy, as guaranteed by Article 26(4).
Common misconceptions
- "The right to be heard is only for criminal cases." Incorrect. In EU administrative law, the right to be heard applies to all proceedings that may lead to measures adversely affecting the rights of a person. CADA enforcement actions, including fines and orders to cease operations, are administrative penalties that trigger this right.
- "I can wait until the final decision to challenge the findings." Dangerous. The right to be heard is exercised before the final decision is adopted. Failing to submit observations during this phase may limit your ability to appeal later, as the authority is not obligated to consider new evidence that was not presented during the initial hearing.
- "Access to the file means I get all internal authority documents." Not necessarily. While you have the right to access the evidence used against you, authorities may withhold certain information for reasons of confidentiality, public interest, or ongoing investigations, as permitted under Article 26(4) and general EU law principles. However, you must be given sufficient information to defend yourself effectively.
This is general information about a draft EU regulation, not legal advice.