An update to this article was published on September 14, 2022, and contains the latest developments pertaining to European subsidiaries of U.S. cloud providers providing services in the EU.
Analysis of the Baden-Württemberg Procurement Chamber on the admissibility of the use of IT services by European subsidiaries of U.S. cloud providers
In its recently published decision (12 July 2022), a Procurement Chamber of the German State Baden-Württemberg (“Chamber”) commented on one of the most controversial issues in the context of international data flow regulation and took the view that an EU subsidiary of a U.S. cloud provider could not offer its IT services in compliance with the GDPR as there would be a risk that U.S. law enforcement could request access to personal data processed when making use of the U.S. CLOUD Act. The Chamber considered this risk as constituting a transfer within the meaning of Art. 44 GDPR and further concluded that the requirements for such an international transfer were not met. As a consequence, the EU subsidiary would be barred from offering its services to the public entity which runs a public procurement process.
According to Art. 44 GDPR, any transfer of personal data by controllers or processors to a third country is subject to the requirements set out in chapter V of the GDPR.
Yet what does “transfer” mean?
This became a controversial question following the ECJ’s Schrems decisions (see here and here), in which, due to the long arm of the U.S. government, data transfers to the United States were found to be unlawful unless an equivalent level of data protection could be achieved by other means. Given the potential and unrestricted access to European communications data by U.S. authorities, the ECJ considered the access on a generalized basis to be so serious that it recognized – for the first time in its case law – a violation of the essence of the fundamental right to privacy enshrined in Art. 7 of the European Charter of Fundamental Rights and declared the Commission Decision 2000/520/EC (“Safe Harbour”) invalid.
The ECJ did not, however, clarify how the term “transfer” is to be defined. Thus, national authorities and courts, which have still not been able to form a unanimous opinion on the question, are in a tight spot.
II. In a nutshell
The parties involved in the case in the German State Baden Württemberg submitted their bids in a tendering process for a cloud platform whereby one bidder was not considered in the offer evaluation due to a complaint filed by a competing bidder. The rejected bidder uses a subcontractor for the provision of server and hosting services, that operate with servers located in Germany. The subcontractor is the subsidiary of a company based in the United States. The other bidder, who was ultimately chosen as the winning bidder, argued in the case before the Chamber that the rejected applicant violated the requirements of inter alia chapter V of the GDPR.
The Chamber held that the term “transfer” includes any disclosure of data to a recipient outside the EU. If data is uploaded on a platform that can be accessed from a third country then, according to the Chamber, a transfer occurs, regardless of whether access actually takes place.
In its reasoning, the Chamber held that the mere possibility of access – for example by granting access rights – constitutes a latent risk of unauthorized transfer of personal data into third countries. Following this determination, the Chamber then assessed and did not find sufficient safeguards to cover that legal risk of transfer in the contract concluded between the rejected bidder and its subcontractor. Under the contract, the subcontractor’s parent company was not allowed to access or use the data unless there was a legally binding official order requiring the parent company to disclose the data [e.g., a CLOUD Act order].
The Chamber, therefore, considered the use of a platform operated by a European subsidiary whose parent company is located in the United States to be in violation of the GDPR because the requirements of Chapter V were not met.
The complaining bidder filed an immediate appeal, which will be decided by the Higher Regional Court of Karlsruhe.
III. What do other authorities say?
Unfortunately, there is still no consensus within the EU on the interpretation of the term “transfer.” Concretely:
Tellingly, the ECJ stated in Lindqvist [para. 68]:
“Given, first, the state of development of the internet at the time Directive 95/46 was drawn up and, second, the absence, in Chapter IV, of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression transfer [of data] to a third country to cover the loading, by an individual in Mrs Lindqvist's position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.”
The ECJ suggests in Lindqvist that “transfer” should be understood as an active act. Making data passively accessible would on the other side not be sufficient to speak of a transfer. However, it must be noted that the restrictive approach of the ECJ in Lindqvist is the result of the context and especially the state of development of the internet at that time.
1) A controller or a processor is subject to the GDPR for the given processing.
2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
3) The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Art. 3. The EDPB thus does not interpret Art. 44 GDPR broadly.
IV. What are the implications and consequences of the decision?
At first glance, the interpretation of the Chamber seems to be too far-reaching:
As the decision of the Procurement Chamber is not final and in our view also not based on a consensus in the EU, Companies should for now not panic. One may first wait for judicial clarification and further guidance by European supervisory authorities.