In a controversial data-protection decision that has been the subject of critical discussions, on 13 July 2022 the Baden-Württemberg Procurement Chamber (Ref. 1 VK 23/22) ruled that even the possibility of accessing personal data from abroad must be considered a transmission. In the opinion of the Procurement Chamber, this means that no US cloud providers should be considered in future tenders, even if they offer their services via subsidiaries in Europe.
The Higher Regional Court (OLG) of Karlsruhe has now overruled this much-discussed decision of the Procurement Chamber of Baden-Württemberg (OLG Karlsruhe, decision of 7 September 2022 – 15 Verg 8/22).
Legal justification required for data transfers outside of the EU
On July 16, 2020, the European Court of Justice (ECJ) declared the existing EU data protection agreement with the US (i.e. the Privacy Shield) invalid in its ruling on the "Schrems II" case (Case No. C-311/18). According to the ECJ, the level of data protection in the US does not meet the standards of European data protection, because US authorities are permitted secret access to the personal data of EU citizens, and EU citizens have no effective means of redress.
According to the General Data Protection Regulation (GDPR), personal data may only be transferred to a country outside the EU (i.e. a third country) if one of the special grounds for permission set out in Art. 44 et seq. DSGVO applies. A data transfer to a third country is permitted in particular if the Commission has determined in a decision that the third country ensures an adequate level of protection (i.e. an adequacy decision, cf. Art. 45 (1) GDPR). No such decision exists for the US.
A successor to the then data protection agreement between the EU and US has so far not been implemented. As a result, there is considerable legal uncertainty as to what is and is not permitted in data transfer and processing. At present, data controllers must continue to rely on standard contractual clauses (SCC), the use of which must be reviewed on a case-by-case basis to determine whether they are sufficient.
What is important is that the difficulties only arise when a transfer of personal data to the US actually takes place. If the data is processed exclusively at a US subsidiary in the EU, the problem does not arise in everyday practice. However, the CLOUD Act gives US agencies far-reaching access rights, even if the data is held by a subsidiary in the EU. Despite these far-reaching access possibilities, the number of access requests by US agencies is in fact comparatively low. Therefore, there is only the possibility that data may be transferred to the US, and in practice the transfer often does not take place.
The Baden-Württemberg Procurement Chamber issued a controversial decision for this situation (decision dated July 13, 2022 - Ref. 1 VK 23/22). It is of the opinion that the mere possibility of access is already to be regarded as an actual data transmission. Had this view been upheld, US subsidiaries would already be in breach of the GDPR because a US agency could, under certain circumstances, access data located in the EU.
In Germany, Public Procurement Chambers are responsible for reviewing public tenders (Sections 155 et seq. of the Act against Restraints of Competition - GWB). They are independent review authorities and are similar to courts in their organisation.
A company that has participated in a public tender and whose rights may have been violated can file corresponding applications for review with the Procurement Chamber. The Procurement Chamber then decides whether the award of the contract involved a violation of the applicant's rights. Chambers are not bound by the applications and can also examine the legality of an award procedure on their own initiative.
Contract awarded to a company using a US cloud provider
The decision of the Baden-Württemberg Procurement Chamber concerned the award of a contract for the procurement of software for digital discharge management. The procedure was put out to tender throughout Europe in an open procedure. Criteria for the award of the contract were the overall price, the quality of the services offered, and the requirements for IT security and data protection, including compliance with the requirements of the DSGVO and the BDSG. In addition, data was to be processed exclusively in an EU/EEA data centre (i.e. no data was to be processed by sub-service providers or group companies in third countries).
The contract was awarded to a company that wanted to use a European subsidiary of a US cloud provider for data storage. The agreed physical server location was to be in Germany, and the contract was to be concluded with the US company's German-based subsidiary.
A competitor complained that the award was made unlawfully. The competitor argued that by using the cloud service of the US subsidiary, there is a latent risk of US authorities accessing the servers in Europe. The competitor claimed that, regardless of the geographical storage of the data, mere potential access from the US must be considered unauthorized transfer of personal data to the US.
Procurement chamber: potential transfer already a transfer
The Procurement Chamber then had to decide whether the use of service providers acting as the European subsidiary of a US group entails an unlawful transfer of data to the US, even though the data is generally processed on servers within the EU/EEA. Thus, the interpretation of the term "transfer" in Art. 44 et seq. GDPR came to the forefront of the decision.
According to the Procurement Chamber, there was an unlawful transfer of data to a third country pursuant to Art. 44 et seq. DSGVO. The term "transfer" is not defined in the GDPR. The Procurement Chamber interpreted the term broadly. Due to the special need for protection in the case of third-country transfers, a broader interpretation is – in the opinion of the Procurement Chamber – necessary, which is why transfer means any disclosure of personal data to a recipient in a third country or an international organisation. In this situation, neither the type of disclosure nor the disclosure to a third party is relevant. On this understanding, such a disclosure also occurs when personal data is posted on a platform that can be accessed from a third country, regardless of whether the access actually occurs. The fact that the geographical location of the server is within the EU was considered irrelevant in the Procurement Chamber's opinion. Likewise, the degree of probability of access to personal data is not relevant in this view. The mere possibility of access, in this case by granting access rights, constitutes a latent risk that an unauthorised transfer could take place. According to the Procurement Chamber, even a theoretical risk of such access by entities in insecure third countries is sufficient to constitute a transfer within the meaning of Art. 44 et seq. GDPR.
The consequences of this decision – had it been upheld – would have been enormous and would have had a considerable impact on the cooperation of German companies with US cloud providers or their European subsidiaries. Companies that use US cloud providers (be it only their subsidiaries in Europe) would have found it considerably more difficult, if not impossible, to successfully participate in procurement procedures.
OLG Karlsruhe: No exclusion of a US-American company as hosting provider due to integration of the European subsidiary
However, the decision of the Procurement Chamber Baden-Württemberg did not become legally final. On appeal, the Karlsruhe Higher Regional Court overturned the decision of the Procurement Chamber in a decision dated 7 September 2022 (15 Verg 8/22), which has not yet been published in full. The OLG announced this in a press release and emphasised that no exclusion may take place for the above-mentioned reasons. Rather, according to the OLG, a contracting authority may rely on the binding assurances of the providers that the data will be processed exclusively in Germany and will not be transferred to any third country, and may assume that contractual assurances will be fulfilled until concrete indications give rise to doubt. Only in that case does the contracting authority have a duty to obtain information and to check the fulfilment of the performance promise.
According to the OLG's press release, the latter was not the case in the present case, as the provider had given a clear and trustworthy assurance that the data would be transmitted exclusively to the European company and that the data would be processed exclusively by it and exclusively in Germany, but not in third countries. The public client could trust that this promise would not be violated. According to the OLG Karlsruhe, the mere fact that there was a US parent company was not sufficient to justify doubts about the promise of performance and further obligations to inform and verify. The OLG does not seem to have examined whether the provider would have been able to fulfil its performance promise in a legally compliant manner from a data protection perspective against the background of the CLOUD Act.
Conclusion: Further procurement procedures with US cloud providers not ruled out
The final decision of the Karlsruhe Higher Regional Court has calmed the debate about the cooperation of German companies with US cloud providers or their European subsidiaries, which would have been considerably shaken by the decision of the Procurement Chamber – had it become final. For the time being, companies that use US cloud providers and their subsidiaries in Europe can continue to hope for successful participation in award procedures, provided that the promises with regard to data protection can also be fulfilled and that the performance promise does not already contain violations of the GDPR.
For more information on this ruling and how the EU GDPR could affect your European-based subsidiary, contact your usual CMS advisor or local CMS experts: Schrems II Expert Guide.
The author would like to thank Lisa Dietrich, Research Associate at CMS Germany, for her contribution to this article.