On 24.08.2022 we informed you in our article "Are you still allowed to use cloud services? - A guide" about a decision by the Baden-Württemberg Procurement Chamber. The latter considered the use of Amazon Web Services to be inadmissible under data protection law. The Karlsruhe Higher Regional Court has now reversed the decision of the Baden-Württemberg Procurement Chamber.
As a reminder: What did the Procurement Chamber decide?
In a review procedure, an unsuccessful bidder complained that the co-bidder had made inadmissible changes to the award documents. According to the award documents, personal data was to be processed exclusively in an EU/EEA data center. The co-bidder wanted to use the services of Amazon Web Services EMEA SARL. According to the contract with Amazon Web Services EMEA SARL, access by Amazon Web Services, Inc. to personal data stored in the EU is possible.
According to the legal opinion of the Baden-Württemberg Procurement Chamber, there was an inadmissible transfer of personal data to the USA. The risk of access to the personal data at any time (and possibly unlawfully) was sufficient for this assumption.
OLG Karlsruhe: The client may rely on performance promises
In terms of procurement law, the Karlsruhe Higher Regional Court found that the bidder had not made any inadmissible changes to the award documents and for this reason could not be excluded from the award procedure.
In terms of data protection law, the OLG Karlsruhe argued as follows:
Amazon Web Services EMEA SARL had contractually promised the provider that the personal data would only be processed in the EU. This promise was therefore also a component of the provider's performance promise to the contracting authority. The contracting authority may rely on these contractual promises of the provider. Only if concrete indications give rise to doubts about compliance with the promise of Amazon Web Services EMEA SARL would the contracting authority have to examine the fulfillment of the performance promise. These doubts do not exist here. The contracting authority does not have to expect that Amazon Web Services EMEA SARL will inadmissibly transfer personal data to the USA.
Are there already reactions from the regulatory authorities?
In our article "Are you still allowed to use cloud services? - A guide" we informed you about the statement of the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LFDI BW) of 15.08.2022 on the decision of the Procurement Chamber. The LDI BW criticized the decision of the Procurement Chamber in various places. A current statement by the LDI BW on the decision of the Karlsruhe Higher Regional Court is not yet available.
Can you safely use cloud services now, or can't you?
Questionable. It is possible that the special rules and dynamics of an award procedure played the decisive role here.
From a purely data protection law perspective, we take a critical view of the OLG Karlsruhe's decision. Even if Amazon Web Services EMEA SARL is happy to keep its promise of performance (processing only in the EU), it is subject to the right of instruction of the parent company Amazon Web Services, Inc. In the event of a request from US security authorities, Amazon Web Services, Inc. presumably has no choice in many cases but to pass on corresponding instructions to Amazon Web Services EMEA SARL. This means that there is a latent risk of unauthorized data access from the outset. The performance promise of Amazon Web Services EMEA SARL is thus worth nothing in case of doubt.
What should you continue to do?
Our recommendations from our article "Are you still allowed to use cloud services? - A guide" still apply:
- In any case, you must check in which cases (and with which software) you export personal data to third countries. In any case, you must use an up-to-date order processing contract including the currently valid standard contractual clauses.
- According to a recommendation of the LFDI BW, some clauses of the current standard contractual clauses should be tightened in favor of the data subjects in order to minimize or eliminate the risk of access to personal data.
Furthermore, the personal data on the cloud provider's server should be encrypted in such a way that even US authorities cannot break the encryption. Alternatively, the personal data should only be stored anonymously.
- If contract adjustments and/or encryption are not possible, you may need to terminate the contractual relationship with your provider and consider moving to a provider with exclusive headquarters and server location in the EU/EEA.
In any case, you should approach the topic of cloud services with legal counsel, at least if the use of cloud services is essential for your company. We will review your existing contracts for you and show you possible solutions. In the event of proceedings before the supervisory authority, we will support you with all our experience in order to achieve an optimal result. In many cases, fines or drastic conditions can be avoided. Please do not hesitate to contact us!
1. VK Baden-Württemberg, Decision of 13.07.2022, Ref. 1 VK 23/22
2nd OLG Karlsruhe, decision of 07.09.2022, ref. 15 Verg 8/22
GoldbergUllrich Lawyers 2022
Julius Oberste-Dommes LL.M. (Information Law)
Specialist lawyer for information technology law