Karlsruhe Higher Regional Court overturns controversial decision!
How much EU is there in data protection in the UK and CH?
News on data transfer to the USA! After the Public Procurement Chamber of Baden-Württemberg found in a decision on July 13, 2022 that cloud providers in the USA, and among others also their EU subsidiaries, violate the General Data Protection Regulation (GDPR), the Higher Regional Court (OLG) of Karlsruhe has now overturned this highly controversial decision.
According to the decision of the Procurement Chamber, the use of these cloud providers is unlawful because they involve an unlawful transfer of data to a third country in which the data of EU citizens is not adequately protected. In 2020, the European Court of Justice (ECJ) overturned the Privacy Shield in the Schrems II decision, which had previously justified the data transfer. The main reason for this was the extensive surveillance laws and the access possibilities to the data on the part of the US authorities (please see the blog article we have already written on this).
How did the decision of the Procurement Chamber come about? And on what grounds did the Karlsruhe Higher Regional Court overturn the decision of the Public Procurement Chamber?
The problem is the US CLOUD Act
Although the case in question involved a dispute under procurement law, the conformity of a piece of software with the GDPR was also being examined at the same time. In addition to price and quality, data protection and IT security were also decisive factors in awarding the contract.
The company concerned is based in the EU and is the subsidiary of a US group. Due to the US CLOUD Act, US authorities may also be permitted to access data located on servers outside the USA, provided that this involves data from subsidiaries. Because of this access possibility to data of EU citizens, the Procurement Chamber has classified the cloud service as inadmissible. Whether and to what extent access takes place was irrelevant for the Procurement Chamber.
When would a data transfer to a third country be justified?
The transfer of data to a third country, i.e., a country outside the EU/EEA, may be justified under Artt. 44 et seq. of the GDPR. For this purpose, either an adequacy decision must have been issued for the respective country (this is not the case for the USA) or other means of justification such as standard contractual clauses must be used, although it must be verified in each individual case whether EU data protection law has been complied with.
However, in the opinion of the Procurement Chamber, the standard contractual clauses were not sufficient in the present case, because there was a “latent” risk of access by U.S. agencies due to the CLOUD Act and this therefore violated EU data protection law.
Criticism of the decision and grounds for reversal
The decision of the Procurement Chamber faced a lot of headwind from the beginning. In particular, the State Data Protection Commissioner for Baden-Württemberg voiced some criticism. This criticism was then echoed by the Karlsruhe Higher Regional Court, which reviewed the validity of the decision and ultimately overturned it on September 7, 2022. The decision of the OLG Karlsruhe is also legally binding.
But what was so questionable about the decision of the Procurement Chamber? Why did the OLG overturn the decision?
The State Data Protection Commissioner for Baden-Württemberg found the following points questionable:
- The Procurement Chamber did not review the current EU standard contractual clauses, but older ones.
- In addition, the Procurement Chamber equated a possible access risk on the part of the U.S. agencies with an actual transfer of data.
In addition, data protection experts criticized the fact that the Procurement Chamber completely disregarded the possibility of encrypting the data in its decision.
The OLG has now based its decision primarily on the latter point of criticism by the Baden-Württemberg data protection authority. As long as the provider makes a binding promise that no third-country transfer will take place when the online service is used, this can be relied on. Such contractual promises can be relied on until there are concrete indications that give cause for doubt.
In the present case, however, there were no such doubts. The mere fact that the U.S. parent company could access the data is not sufficient to cast doubt on the reliability of the contractual information. In principle, therefore, you can trust the information provided by software providers when it comes to data protection compliance.
The decision, if it had been upheld, would have had a considerable impact on private law issues in IT and data protection law! However, since it has now been overturned, providers with U.S. corporate parent companies are still to be considered in award procedures and the use of such cloud providers may also continue to be possible in individual cases.
It is also clear from the decision of the OLG Karlsruhe that, in principle, one can rely on the contractual information with regard to data protection conformity and only in the case of concrete indications must further information be obtained and the performance promise reviewed.
In addition, the EU Commission is currently working with the responsible bodies in the U.S. on a future solution for data transfers between the EU and the U.S.. However, such a follow-up agreement is not expected before the end of the year.