Procurement Chamber BaWü: Impermissible third-country transfer through the use of the EU subsidiary of a US service provider

Rarely has the decision of a public procurement chamber caused such a stir in such a short time as the decision of the VK Baden-Württemberg of July 13, 2022 (Ref. 1 VK 23/22). The decision, which is not yet final, is not only relevant for award procedures. The statements of the Procurement Chamber can also have an impact on the selection of IT service providers in the area of private law.

The underlying proceedings concerned the procurement of software by a public contracting authority. The customer’s specifications contained the following requirements in particular in the IT security and data protection requirements:

“[…]

– Fulfillment of the requirements from the DS-GVO and the BDSG […]

– Data is processed exclusively in an EU-EEA data center where no subcontractors/group companies are located in third countries.

[…]”

The contract was awarded to a bidder who used a subcontractor based in the EU to provide the server and hosting services. However, this was a subsidiary of a US group. The second-placed bidder has filed an application for review against this. Among other things, the applicant relied on the fact that the use of the data center operator with a US parent company constituted a violation of Article 44 et seq. of the GDPR and thus the requirements of the tender documents were not met.

Use of European subsidiaries of US service providers as third-country transfers

The Procurement Chamber followed the applicant’s view and found:

“The use of X. as a hosting service provider constitutes a transfer within the meaning of Art. 44 et seq. DS-GVO to be seen. […].

The concept of transmission is to be understood in the light of the because [sic!] wording of Art. 44 p. 1 of the GDPR and the instruction set out in Art. 44 p. 2 of the GDPR with regard to the application of the standard and thus to be understood comprehensively: Transfer is any disclosure of personal data to a recipient in a third country or an international organization, irrespective of the nature of the disclosure or the disclosure to a third party […].

An access option – for example by granting access rights – constitutes a latent risk that an unauthorized transfer of personal data can take place without the legal basis for this standardized in the GDPR […].

Measured against these standards, the use of X., a European company whose parent company is the U.S.-based X. lnc. is an impermissible transfer of data to a third country.”

No sufficient compensatory measures to maintain an adequate level of data protection

Furthermore, the Board considered the data protection agreements concluded between the successful bidder and the data center operator as well as the measures provided therein to be insufficient to ensure an adequate level of data protection:

“The commissioning of X. by the Respondent is based, inter alia, on the “X. GDPR DATA PROCESSING ADDENDUM”. Clause 3 of this agreement contains a clause relating to the confidentiality of customer data (“Confidentiality of Costumer Data”). Under this clause, Customer Data may not be accessed, used or disclosed by X. to any third party except as necessary to maintain or provide the Services or to comply with any law or effective and valid order of any governmental authority. […]

Clause 3 and 12.1 of the “X. GDPR DATA PROCESSING ADDENDUM” are designed in the form of general clauses and open up the possibility for both governmental and private bodies outside the EU and in particular in the USA to access data stored by X. in certain situations within the framework of the contractual or legal authorizations applicable in the specific case. […]

After all, the latent risk can materialize at any time. By entering into the agreement with X., the Defendant is in any case partially relinquishing its ability to exert influence with regard to the data entrusted to X.. […]

X.’s assumption of an obligation to challenge overbroad or unreasonable requests by government agencies, including requests that conflict with EU or applicable member state law, does not eliminate the latent risk of access by those same agencies.”

Inadmissibility of the use of EU subsidiaries of a US service provider

Accordingly, the Board concluded that the identified data transfer to the U.S. is unlawful:

“Here, there is no special reason for permission according to Art. 44 et seq. GDPR exists. Thus, an adequacy decision within the meaning of Art. 45 (1) of the GDPR is missing here. Article 46 (2) c), d) of the GDPR also does not apply here. Standard data protection clauses within the meaning of this provision are not suitable to legitimize transfers per se; rather, a case-by-case assessment is required in this respect […]. This leads – as explained – to the assumption of inadmissibility under data protection law. An exceptional circumstance according to Art. 49 DS-GVO is also not given here.”

The argumentation of the Procurement Chamber to assume an inadmissible data transfer to a third country already by the use of a European subsidiary of a US company due to the existence of a “latent danger” is not uncontroversial. Furthermore, for procedural reasons, the Procurement Chamber did not take into account the submission regarding an encryption technology used by the data center operator. Nevertheless, the decision is remarkable. It illustrates that even doubts about compliance with data protection law can present themselves as a real competitive disadvantage. The close temporal connection with the controversial use of a U.S. cloud provider in the context of the online portal for conducting the 2022 census, which is still being investigated by the BfDI, also makes it clear that the topic of third-country transfers – also in the public sector – is gaining increasing attention. The decisions that assume illegality due to a lack of contractual, technical and organizational compensatory measures are beginning to accumulate.