Germany – Schrems II: German court overturns presumption of international data transfer from EU-subsidiary to non-EU parent company
Browse this blog post
Related news and insights
News: 07 September 2023
News: 06 September 2023
Blog Post: 25 May 2023
Publications: 25 May 2023
It held that a transfer of data outside the EU takes place where there is a chance that the personal data may be accessed from outside the EU, even if the data is never actually accessed from outside the EU as a matter of fact. On 7 September 2022, this decision was overturned by the Karlsruhe Higher Regional Court (the OLG Karlsruhe).
The Public Procurement Chamber Decision
The Decision arose in the context of the Schrems II judgment of the CJEU. Public procurement chambers in Germany provide an independent review of public tender procedures and award of public contracts. In present case, the public tender requirements included the use of the cloud with the physical location of data in the EEA. The contract was awarded to a contractor intending to use a Luxembourg-based subsidiary of a US cloud provider, with an agreed physical server location to be in Germany. The Public Procurement Chamber concluded that processing personal data on an EU based platform with the mere possibility that data could be accessed by the US parent company constitutes a transfer within the meaning of Article 44 GDPR and a latent risk of access to data by the US authorities cannot be sufficiently contained by contractual provisions on confidentiality of customer data or obligations to challenge excessive governmental access requests. This transfer, was therefore, considered to violate the GDPR taking into account the heightened regulatory scrutiny following Schrems II for US data transfers, and the Chamber’s view that the infrastructure services of the European subsidiaries of a US cloud provider cannot be used in the public procurement procedure in question.
DPA criticizes the Decision
On 15 August 2022, the Baden-Württemberg supervisory authority (DPA) issued a statement noting that the Decision might have far-reaching significance going beyond the original procedure. The DPA found equating the risk of access with actual transmission (as part of the definition of “processing” under Art. 4(2) GDPR) to be legally questionable and had disregarded the risk-based approach of the GDPR. The DPA also considered that the Decision also did not take into account the possibility of the parties implementing technical and organisational measures to mitigate or ultimately exclude any risk, for instance, through the use of encryption technology.
The DPA further pointed out that the Public Procurement Chamber focused on the old standard contractual clauses (SCCs) and did not consider the new SCCs adopted by the European Commission in June 2021, which take into account the requirements of Schrems II. The DPA concluded that it continues to adhere to its guidance on international data transfers, requiring case-by-case assessments of intended transfers by data exporters rather than a blanket ban on transfers suggested by the Decision.
The OLG Karlsruhe: no presumption that an EU subsidiary of a cloud provider would violate binding contractual commitments or EU law
In an appeal procedure, the OLG Karlsruhe overturned the Decision of the Public Procurement Chamber. It did not see reasons to doubt that a tenderer would fulfil its contractual commitments. It reasoned that clear assurances from the service provider about the content of its contract with the Luxembourg-based subsidiary of a US cloud provider (i.e. to have data only transferred to the Luxembourg entity and processed only in Germany) should be sufficient and contracting authorities should not presume that a European subsidiary would follow unlawful instructions of the US parent company to transfer personal data to the US in breach of contract and in violation of EU law.
The OLG Karlsruhe did not address the argument of the Public Procurement Chamber that a mere possibility of accessing data from outside the EU by a US parent company would constitute a transfer within the meaning of Article 44 GDPR, however, the OLG Karlsruhe noted that with the contractual assurances, as in the present case, there should be no assumption about a transfer of personal data to the US.
The decision of the OLG Karlsruhe is final.