The Karlsruhe Higher Regional Court decides: Subsidiaries of US corporations may not be excluded from procurement procedures across the board.
“No exclusion from award procedures due to the involvement of the Luxembourg subsidiary of a US company as a hosting provider.” This is how the Karlsruhe Higher Regional Court presented its most recent decision on the use of US cloud providers, which is controversial in terms of data protection law.
The background is the decision of the Baden-Württemberg Public Procurement Chamber of July 13, 2022 (Az. 1 VK 23/22), which has been criticized from many sides. In a procurement procedure, she decided that EU-based subsidiaries of US corporations may not participate in public procurement if the subject of the procurement is the processing of personal data. The reason given was that this involved an inadmissible data transfer to the USA, which in turn violated the General Data Protection Regulation (GDPR).
Specific doubts needed
The Karlsruhe judges have now accepted this decision within just eight weeks and have already overturned the decision of the public procurement chamber (Az. 15 Verg 8/22). However, the Higher Regional Court did not issue a license to award contracts to subsidiaries of companies not based in the EU: As is so often the case in the legal profession, it depends on the circumstances of the individual case. In the specific case, the Luxembourg provider had assured that it would only process and store data within Germany. “The contracting authority only has to obtain additional information and check whether the promise of performance can be fulfilled if there are concrete indications that doubts arise,” the press release says. And further: “You do not have to expect that the Luxembourg company will follow instructions that are in breach of contract and European law and will transfer personal data to the USA.” The mere fact of being a subsidiary of a US group is sufficient for an exclusion from the award of contracts so not yet.
The decision of the public procurement tribunal had already been criticized by a number of sides. The State Commissioner for Data Protection and Information Security saw “the equating of access risk and transmission (as a form of processing according to Art. 4 No. 2 DS-GVO) carried out by the public procurement chamber as legally doubtful”. He also points out that the permissibility under data protection law must be determined on the basis of each individual case and, according to a press release, adheres to “the provisions of his guidance on data transfers; Individual case-related alternative tests and not blanket transfer bans are still the means of choice to implement the specifications of the GDPR in the best possible way”.
No more security with US clouds
The decision should provide relief for US corporations such as Google, Amazon, Microsoft & Co. If it had lasted, there would have been a risk of blanket exclusion from numerous award procedures. The dispute that has now been decided highlights the widespread uncertainties in the area of the processing of personal data when there is a connection to a non-EU country or a country without an “adequate level of data protection” recognized by the EU Commission. Most of the problems are in relation to the USA. Following the Schrems II decision of the European Court of Justice in July 2020, the EU and the USA are struggling to come up with a successor agreement to the EU-US Privacy Shield. It is currently being worked on. Nobody in specialist circles should expect that after its entry into force there will be calm in data protection circles.
(fo)
