Summary
The EU-US Data Privacy Framework (DPF) addresses the legality of cross-border personal data transfers under the GDPR, but it does not resolve the risks of technological dependence and operational disruption that define cloud sovereignty. As proposed, the Cloud and AI Development Act (CADA) is designed to complement the DPF: the Commission's explanatory memorandum states the DPF "does not remove sovereignty concerns about dependence on third-country providers," because sovereignty "goes beyond data transfers and relates to operational autonomy too." CADA is a proposal and is not yet in force.
Detail
The EU-US Data Privacy Framework (DPF) is a mechanism that facilitates transfers of personal data from the EU to the United States by recognising that participating US companies provide an adequate level of data protection. For in-house counsel evaluating cloud infrastructure, however, the DPF does not mitigate the strategic risks associated with cloud sovereignty. CADA treats data protection adequacy and technological sovereignty as distinct objectives.
The distinction between data privacy and cloud sovereignty
The DPF focuses on the privacy rights of individuals and the legal basis for transfers of personal data. It does not address the Union's broader reliance on third-country cloud providers, which creates risks beyond personal data privacy: operational discontinuity, lack of control over infrastructure, and exposure to extraterritorial laws that may conflict with EU fundamental rights or public order.
CADA would address these gaps by establishing a "Union cloud computing sovereignty framework" comprising four Union assurance levels (Article 16), with criteria in Annex II, so that the Union retains control over its digital infrastructure, data, and assets.
CADA's explicit position on the DPF
The CADA proposal acknowledges the DPF but delineates its scope. The Commission's explanatory memorandum (on consistency with existing policy) states the proposal is consistent with existing rules on the processing of personal data, including the GDPR and the EU-US Data Privacy Framework. It then clarifies: "while the EU-US Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers. The proposal thus complements the EU-US Data Privacy Framework as the notion of sovereignty goes beyond data transfers and relates to operational autonomy too."
The DPF may satisfy GDPR transfer requirements, but it would not satisfy CADA's requirements for Union assurance levels, which apply to public sector procurement and may be relevant to critical private sector entities.
The risks the DPF does not address
The DPF does not address the following sovereignty risks that CADA aims to mitigate:
- Extraterritorial access and control: The DPF does not prevent US authorities from seeking access to data held by US cloud providers under laws such as the CLOUD Act. CADA's higher Union assurance levels would impose criteria designed to prevent third-country access to customer data and to ensure providers cannot be compelled to degrade or disrupt service continuity (Annex II).
- Operational continuity and resilience: The DPF does not guarantee continued service in the event of geopolitical tension, sanctions, or unilateral decisions by third-country actors. CADA would require risk assessments (Article 29) that weigh the impact on public order of possible service disruption.
- Technological dependence: The DPF does not address market concentration among a few third-country hyperscalers. CADA aims to reduce this dependence by promoting trusted European cloud services.
The CADA sovereignty framework
CADA would introduce a harmonised mechanism for cloud computing service providers to be recognised as offering Union assurance level 1, 2, 3, or 4 (Article 17), based on the cumulative criteria in Annex II.
- Union assurance level 1: Demonstrated by a conformity self-assessment and EU statement of conformity (Article 19), covering baseline criteria such as data residency within the Union unless explicitly required otherwise by the public sector body.
- Union assurance levels 2, 3, and 4: Verified by independent third-party audit (Article 20). Higher levels add restrictions on third-country control and guarantees that third-country laws cannot compel the provider to access data or disrupt service. The highest levels require that the provider and subcontractors are not subject to the control of a third country or a legal entity established in a third country (Annex II).
The DPF does not provide a pathway to these assurance levels. A US cloud provider certified under the DPF may still be subject to US laws that conflict with the CADA criteria for the higher levels. Reliance on the DPF alone would therefore not exempt providers from CADA's sovereignty requirements when serving public sector bodies.
Implications for risk assessments
Under CADA, Member States and Union entities would conduct risk assessments to determine which public sector activities require Union assurance level 2, 3, or 4 (Article 29). These must consider the sensitivity, criticality, and magnitude of the data, the risk of unlawful access by a third country, and the risk of service disruption. The DPF is not a mitigating factor in these assessments: even where transfers are DPF-compliant, the risks of third-country access and operational disruption remain.
What this means for you
For in-house counsel and compliance officers, the distinction between the DPF and CADA's framework matters for cloud procurement and risk management.
- DPF certification is not sufficient for CADA: If your organisation is a public sector body, you could not rely solely on DPF certification to meet CADA's sovereignty requirements; you would need providers recognised at the appropriate Union assurance level.
- Procurement obligations: Contracting authorities must procure services meeting the level determined by their risk assessment (Article 30). For activities contributing to public order, that means Union assurance level 2, 3, or 4 — which DPF-certified US providers may not meet given their exposure to US extraterritorial laws.
- Risk assessments: You would need to conduct or participate in assessments addressing third-country access and service disruption (Article 29) — risks the DPF does not cover.
- Transition and migration: Where a risk assessment requires migration, CADA allows a reasonable transition period not exceeding 12 months (Article 29(6)).
- Penalties and liability: As proposed, Member States must lay down penalties for provider infringements (Article 24), and recipients may seek compensation for damage or loss caused by a provider's infringement of the sovereignty chapter (Article 24(3)).
Common misconceptions
Misconception 1: The DPF ensures data sovereignty. The DPF supports adequacy for personal data transfers, not sovereignty. Sovereignty, as CADA frames it, includes operational autonomy, control over infrastructure, and resilience against third-country interference. The DPF does not prevent foreign authorities from seeking access or address service disruption.
Misconception 2: CADA replaces the DPF. CADA would complement the DPF. The DPF remains relevant for GDPR-compliant transfers, but it does not satisfy CADA's sovereignty requirements. An organisation may need to address both.
Misconception 3: All cloud providers can achieve Union assurance level 4. The highest levels require that the provider and subcontractors are not subject to the control of a third country or a legal entity established in a third country (Annex II). A US-based provider, even if DPF-certified, is subject to US jurisdiction, making this difficult or impossible without significant structural change.
Misconception 4: The DPF mitigates the risk of service disruption. The DPF does not address operational continuity. CADA's higher assurance levels are designed to ensure third-country actors cannot compel the provider to degrade or disrupt service quality or continuity (Annex II). The DPF provides no such guarantee.
This is general information about a draft EU regulation, not legal advice.