The EU subsidiary of a US company is not allowed to participate in an award procedure because it could transmit data to the USA. Whether it actually does so is irrelevant.
With a decision that is not yet legally binding, the Baden-Württemberg Public Procurement Chamber has highlighted the still unresolved question of the transfer of personal data from the EU to the USA.
In the specific case, an EU-based subsidiary of a US provider of server and cloud services took part in an award procedure. Although the servers used to provide the service were located within the EU, the Public Procurement Chamber found a violation of the General Data Protection Regulation.
As a result of this violation, a corresponding offer should be excluded from the award procedure because it does not comply with the award documents, according to the Public Procurement Chamber. This is the case because the provider “does not offer a service that is compatible with the applicable data protection law”.
Possibility of access is sufficient
According to the chamber's decision, the mere possibility of access to personal data by the US parent company is sufficient to assume a transfer to the USA. Whether such a flow of data actually occurs is then irrelevant. The mere possibility is enough.
The decision of the Public Procurement Chamber states: “Disclosure that can be taken into account in this context is also to be assumed if personal data is posted on a platform that can be accessed from a third country, regardless of whether the access actually takes place. The physical location of the server doesn’t matter.”
Standard data protection clauses are not enough
In its decision, the Public Procurement Chamber also concludes that the use of the so-called EU standard data protection clauses is not sufficient in the specific case to rule out a violation of the GDPR. Even the obligation to contest any government orders for access to personal data “does not eliminate the latent risk of access by these same bodies”.
If the decision of the Public Procurement Chamber is upheld, US corporations could be excluded from procurement procedures even if they provide servers for the processing of personal data within the EU through subsidiaries. Ultimately, this could also affect the cooperation of private companies with such service providers, because the data protection assessment does not depend on whether government agencies or private companies make use of such services.
Basis: Judgment of the European Court of Justice
The background to the procedure is once again the decision of the European Court of Justice of July 16, 2020, in which it prohibited the transfer of personal data on the basis of the EU-US Privacy Shield (so-called Schrems II judgment).
The EU Commission and responsible authorities in the USA are currently working on a successor agreement. Experts do not expect a conclusion and a subsequent so-called adequacy decision by the EU Commission before the end of the year.