Update: European Subsidiaries of U.S. Cloud Providers Can Offer IT Services in the EU

September 14, 2022

The decision of the Procurement Chamber of Baden-Württemberg was annulled by the Higher Regional Court of Karlsruhe in its legally binding decision of September 9, 2022. In contrast to the approach chosen by the Procurement Chamber, the Higher Regional Court identified a way to avoid commenting on the definition of the term “transfer” in Art. 44 GDPR and permitted the US subsidiary to offer its services as a sub-processor to a German customer.

Findings

In contrast to the first-instance Procurement Chamber, the Higher Regional Court avoided the tricky discussion of what constitutes a transfer within the meaning of Art. 44 GDPR by applying the restricted standard of review mandated by procurement law: As a general rule, in procurement procedures the public purchaser may assume that a bidder will fulfill its contractual promises. If tangible indicators exist that the fulfillment of contractual promises is uncertain, the public purchaser must obtain additional evidence to validate the bidder’s assurances. Based on this narrow standard of evaluation, the Court concluded that there are no indicators that the bidder will violate data protection requirements and thus breach the contract. In particular, it held that there is no reason to assume that the parent company will give instructions to its subsidiary that are in violation of contractual or legal obligations. Therefore, the Court did not deem a transfer impact assessment to be required.

The Court reaches this conclusion by focusing on the performance description, because under procurement law, courts must only consider the legal documents on which the procurement procedure is based. Therefore, the Procurement Division of the Higher Regional Court ruled that the contract signed by the bidder and the European subsidiary of a U.S. parent, as well as the GDPR Data Processing Addendum included therein, which requires the subsidiary to challenge any request by a foreign authority that violates EU law, are not part of the procurement process. Since this is the case, the Court was not required to decide whether the contractual agreement posed a risk of access and thus violated Chapter V provisions.

According to the Court, the guarantees that the bidder provided to the authority during the procurement process spoke in particular against preexisting concerns about GDPR compliance. For instance, the bidder guaranteed that personal data would be sent only to the European subsidiary and would not be processed outside of the EU, but only in Germany. The bidder also affirmed during the oral hearing that it will enter into the relevant agreements with the European subsidiary in order to fulfill its commitments.

Assessment and Conclusions

The Court clarifies that it is always vital to assess what service is being offered in the procurement process. If problematic actions under data protection law occur outside of a given service description, the awarding authority and the courts must treat these possible violations as irrelevant. Hence, data protection compliance is to be assumed if the bidder provided appropriate guarantees and no indicators suggest otherwise.

The Court’s decision is a great relief for businesses. In reversing the Procurement Chamber’s decision, which had been met with great irritation among privacy professionals and business leaders, the Court helped resolve some concerns around possible further complications surrounding international data transfers. Cooperation with European subsidiaries of U.S. companies will therefore remain possible for the time being. However, the Court’s reasoning is predominantly founded on specifics of procurement law and does not take a position on data privacy aspects of international transfers. In other words, the Court elegantly avoided having to resolve a tremendous challenge for privacy practitioners by not commenting on pressing Chapter V issues.