Many companies use cloud services from large providers such as Amazon Web Services or Google Cloud Platform to store business data or to provide digital services. In many cases, personal data of employees, customers and/or suppliers are processed as well. The Procurement Chamber of Baden-Württemberg (VK Baden-Württemberg, decision of 13.07.2022, ref. 1 VK 23/22) considered the use of Amazon Web Services to be inadmissible under data protection law.
The decision is not yet final.
Why does a procurement chamber decide on data protection issues?
In a review procedure, an unsuccessful bidder complained that the co-bidder had made inadmissible changes to the award documents. The award documents stipulated, among other things, that personal data be processed exclusively in an EU/EEA data center of a provider whose group companies are not located in third countries. The co-bidder wanted to use the services of Amazon Web Services EMEA SARL. However, Amazon Web Services EMEA SARL is a subsidiary of Amazon Web Services, Inc., which is based in the U.S. According to the contract with Amazon Web Services EMEA SARL, access by Amazon Web Services, Inc. to the personal data stored in the EU is possible.
Risk of access = transmission?
In essence, the Procurement Chamber complained of a violation of the regulations in Art. 44 et seq. GDPR. Art. 44 et seq. GDPR regulate in detail the permissibility of data transfers to third countries. According to the Procurement Chamber, the possibility of accessing personal data at any time is equivalent to an actual transfer of these personal data. For this reason, the requirements of Art. 44 et seq. GDPR must be fulfilled, which was not the case here.
Why is the data transfer inadmissible?
According to the contract with Amazon Web Services EMEA SARL, personal data stored in the EU could be accessed from the USA, inter alia, for compliance with laws or effective and legally binding orders of government bodies. The GDPR does not provide a legal basis for this data transfer. The EU standard contractual clauses included in the contract with Amazon Web Services EMEA SARL are also not suitable to legitimize an unlawful data transfer.
How do the data protection supervisory authorities assess the decision?
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LFDI BW) commented on the decision of the Procurement Chamber on 15.08.2022 (cf. https://www.baden-wuerttemberg.datenschutz.de/stellungnahme-zum-beschluss-der-vergabekammer-bw/). According to the LFDI BW, it is doubtful whether the mere possibility of accessing personal data can be equated with an actual transfer of this personal data. Furthermore, the Procurement Chamber did not fully deal with the standard contractual clauses. Finally, the LFDI BW criticizes that the Procurement Chamber did not deal with the encryption technology used by the co-bidder.
No comments from other data protection supervisory authorities on the decision of the Procurement Chamber were available.
Do you have to comply with the decision of the Procurement Chamber?
The answer is clearly: No!
The decision of the Procurement Chamber is only binding on the parties to the proceedings there. However, the decision of the Procurement Chamber does have a signal effect. Although a public procurement chamber is not a court, fundamental decisions of the public procurement chambers can certainly further develop the law. This would apply in particular if the Karlsruhe Higher Regional Court, which has probably already been called upon in this case, confirms the decision of the Procurement Chamber. In that case, a decision by a higher court would be available.
Are you still allowed to use cloud services or not?
To this question one can only answer: It depends!
- In any case, you must check in which cases (and with which software) you export personal data to third countries. In any case, you must use an up-to-date data processing agreement (order processing contract) that includes the currently valid standard contractual clauses.
- According to a recommendation of the LFDI BW, some clauses of the current standard contractual clauses should be tightened in favor of data subjects in order to minimize or eliminate the risk of access to personal data.
- Furthermore, the personal data on the cloud provider's server should be encrypted in such a way that even US authorities cannot break the encryption. Alternatively, only anonymized personal data should be stored there.
- If contract adjustments and/or encryption are not possible, you may need to terminate the contractual relationship with your provider and consider moving to a provider with exclusive headquarters and server location in the EU/EEA.
In any case, you must take the risk posed by the decision of the Procurement Chamber seriously.
Trouble may be looming from another quarter, however.
A former customer and/or employee could request information from you as to whether personal data is transferred to the USA or can be accessed from there. In addition, if a supervisory authority were to deal with this issue, you might have to answer unpleasant questions or even shut down data processing.
You should approach the topic of cloud services with legal counsel, at least if the use of cloud services is essential for your company. We will review your existing contracts for you and show you possible solutions. In the event of proceedings before the supervisory authority, we will support you with all our experience in order to achieve an optimal result. In many cases, fines or drastic conditions can be avoided. Please do not hesitate to contact us!
GoldbergUllrich Lawyers 2022
Julius Oberste-Dommes LL.M. (Information Law)
Specialist lawyer for information technology law