Update Data Protection No. 116
The Higher Regional Court of Karlsruhe clarifies that using a European server and hosting service provider that has a US parent company is not unlawful per se under data protection law
The (legally-binding) decision of the Higher Regional Court of Karlsruhe on the complaint lodged against the sensational decision of July 13, 2022 (1 VK 23/22) of the Public Procurement Chamber of Baden-Württemberg has been eagerly anticipated and will allow us all to breathe again, albeit briefly. With its decision of September 7, 2022 (15 Verg 8/22), the Public Procurement Division of the Higher Regional Court of Karlsruhe overturned the decision of the Public Procurement Chamber. In contrast to the Public Procurement Chamber, the Public Procurement Division did not consider the use of server and hosting services provided by an EU-based cloud provider with a US parent company to be unlawful per se under data protection law. However, the decision of the Higher Regional Court of Karlsruhe does not provide a ‘free ticket’ under data protection law to use European server and hosting providers with US parent companies. Rather, the strict requirements that ensure an equivalent level of data protection to the EU must be respected. The only relief provided, therefore, is if it is contractually assured that the data will only be processed within the EU and there is no reasonable doubt about this. This is particularly important against the backdrop of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), which allows for US authorities to access data on the servers of US companies, even if these are operated by subsidiaries outside the US.
What has happened?
A request for review meant that the Public Procurement Chamber of Baden-Württemberg was required to rule on the compliance of the top-placed bid with the tender documents. The object of the tender procedure was the provision of software for digital discharge management. In the tender documents, the public-sector contracting authority expressly stated the need to fulfill the requirements of the GDPR and BDSG [German Federal Data Protection Act], as well as the exclusive processing of the data in an EU/EEA data center where none of the subcontractors or company groups are based in third countries.
The successful bidder intended to use an EU-based cloud provider, which has a US parent company, as a subcontractor to provide the server and hosting services. In addition, its bid included contractual data protection clauses guarding against a transfer to a third country: The transmission of data to a third party was excluded unless it was necessary to maintain or supply the services or to comply with laws or effective and lawful orders issued by public authorities. Moreover, the cloud provider undertook to challenge any excessive or inappropriate requests made by a public authority, including such requests that would conflict with EU law or the applicable law of Member States.
The Public Procurement Chamber held the award of the tender invalid. From the perspective of the Public Procurement Chamber, the bid submitted by the successful bidder breached the provisions for data transfers to third countries as per Art. 44 et seqq. GDPR and should therefore be excluded from the tender procedure as it represents a modification of the tender documents within the meaning of Sec. 57(1)(4) VgV [German Procurement Ordinance]. To justify the unlawful nature of the bid under data protection law, the Public Procurement Chamber explained that, due to the blanket-clause phrasing of the contractual clauses, specific configurations could make it possible to access the data and there is therefore a latent risk of access by both public and private authorities outside the EU. Such latent risk should in itself be classified as a data transfer to a third country. The probability of this risk being realized is irrelevant for this evaluation. Even a contractual clause that obligates the cloud provider to challenge unlawful requests would not minimize the risk to a level permissible under data protection law. According to the Public Procurement Chamber, in line with the principle of the right to a fair hearing (Art. 103(1) GG [German Basic Law]), the possibility that technical measures such as encryption technology could effectively exclude this risk should not be considered if such measures are merely submitted in confidence.
The decision of the Public Procurement Chamber was subject to criticism. The Baden-Württemberg Data Protection Authority questioned in particular the equating of a latent access risk with a transfer that is relevant under data protection law within the meaning of Art. 44 et seqq. GDPR (as a form of processing according to Art. 4(2) GDPR). When assessing the lawful use under data protection law of cloud services provided by a European provider with a US parent company, it maintained that “technical and organizational measures” that could effectively exclude access should be given more consideration. Likewise, the literature requires a differentiated distinction between a simple transfer risk and a transfer that is relevant under data protection law.
This decision by the Public Procurement Chamber has now been overturned by the Higher Regional Court of Karlsruhe. In the view of the Public Procurement Division of the court, the public-sector contracting authority “does not have to assume that the group affiliation will lead to the subsidiary receiving instructions that are unlawful and in violation of the contract, nor that the directors of the European subsidiary would comply with any unlawful instructions issued by the US parent company.” (Decision of September 7, 2022 (15 Verg 8/22)). Rather, the public-sector contracting authority may rely on contractual assurances on data protection being fulfilled, especially since the bidder has “described in detail the services when using service providers and in the area of data protection and IT security in the bid and has thereby made a clear and unequivocal performance promise”. The public-sector contracting authority would only need to obtain further information and verify that the performance promise can be fulfilled if there are concrete indications that create doubt as to the contractually compliant behavior of the bidder. The successful bid should therefore not be excluded from the tender in the view of the Public Procurement Division.
Why is this important for companies?
The binding decision of the Public Procurement Division reaches beyond procurement law and affects at its core how the use of cloud services offered by European providers with US parent companies, such as Amazon (AWS), Microsoft (Azure) or Google (Cloud), is classified under data protection law. This decision affects not only the public sector and the bidders competing in the procurement process, but also private companies. If public-sector contracting authorities that are bound by strict conditions can rely on the contractual agreement of the contractor, then the same must also apply to private clients. Whereas a confirmation of the decision of the Public Procurement Chamber would have created far-reaching uncertainty in terms of the general lawfulness under data protection law of using server and hosting services of EU-based cloud providers with US parent companies, we now have the all-clear: Provided the European subsidiary of the US parent company guarantees an equivalent level of data protection to the EU, for instance through a contractual declaration, the affiliation of the European subsidiary to the US parent company does not automatically lead to the risk of an unlawful or contract-violating data transfer within the meaning of an unlawful data transmission to a third country under data protection law. However, this does not mean that using such cloud services is lawful per se under data protection law.
What should be done?
When using the cloud services of European subsidiaries with US parent companies, caution continues to be advised in terms of lawfulness under data protection law. It is true that the Higher Regional Court of Karlsruhe considers that a complex Data Transfer Impact Assessment can exceptionally be dispensed with. Nevertheless, in this case the contractor must provide, in the specific contractual relationship, an unequivocal performance promise that the data will not leave the EU and a detailed description of the services when using service providers, and there must not be any indications that would cast doubt on this.
In case of doubt and in all other cases, in consideration of the recommendations of the supervisory authorities, an equivalent level of data protection to the EU must be guaranteed by using a Data Transfer Impact Assessment, the new European Standard Contractual Clauses and additional technical and organizational protective measures, in order to effectively exclude the risk of access and ensure harmless use under data protection law.
Companies that (want to) use European server or hosting service providers with US parent companies should first check whether a level of data protection equivalent to the EU is guaranteed or whether improvements are required. With regard to Microsoft Office 365, the evaluation of the supervisory authorities should be noted, which was very critical in parts.
Companies that want to ensure they remain on the safe side as they use cloud services offered by European service providers with US parent companies, but which do not have an unequivocal performance promise that the data will not leave the EU, can find below a list of the key implementation steps that take into consideration the guidance of the Baden-Württemberg Data Protection Authority:
- Verify the legal bases for the data transfer (generally processing according to Art. 28 GDPR, possibly consent, see also further exceptions in Art. 49 GDPR)
- Request information from the provider to get an idea of its data processing and of any existing security measures it takes
- Request the use of further guarantees, such as the assurance (subject to a contractual penalty) of the EU provider (with US roots) to verify and resist requests from US authorities or, best of all, to completely abstain from any voluntary disclosure of data when faced with such requests
- Verify the use of additional internal technical protective measures, such as data encryption prior to transmission
- Consider restricting the categories of data to be transmitted
- Conduct a documented risk assessment (Transfer Impact Assessment) taking into account the above findings
- In the event of a positive result (and therefore the use of the cloud services under application of the EU Standard Contractual Clauses), adapt the company’s data protection guidelines according to Art. 13 GDPR and processing register according to Art. 30 GDPR.