Can European Subsidiaries of U.S. Cloud Providers No Longer Provide IT Services in the EU?
Aug 5, 2022
To embed, copy and paste the code into your website or blog:
<iframe frameborder="1" height="620" scrolling="auto" src="//www.jdsupra.com/post/contentViewerEmbed.aspx?fid=df70b898-216d-4841-a50e-102532040919" style="border: 2px solid #ccc; overflow-x:hidden !important; overflow:hidden;" width="100%"></iframe>
Analysis of the Baden-Württemberg Procurement Chamber on the admissibility of the use of IT services by European subsidiaries of U.S. cloud providers
In its recently published decision (12 July 2022), a Procurement Chamber of the German State Baden-Württemberg (“Chamber”) commented on one of the most controversial issues in the context of international data flow regulation and took the view that an EU subsidiary of a U.S. cloud provider could not offer its IT services in compliance with the GDPR as there would be a risk that U.S. law enforcement could request access to personal data processed when making use of the U.S. CLOUD Act. The Chamber considered this risk as constituting a transfer within the meaning of Art. 44 GDPR and further concluded that the requirements for such an international transfer were not met. As a consequence, the EU subsidiary would be barred from offering its services to the public entity which runs a public procurement process. According to Art. 44 GDPR, any transfer of personal data by controllers or processors to a third country is subject to the requirements set out in chapter V of the GDPR. Yet what does “transfer” mean? This became a controversial question following the ECJ’s Schrems decisions (see here and here ), in which, due to the long arm of the U.S. government, data transfers to the United States were found to be unlawful unless an equivalent level of data protection could be achieved by other means. Given the potential and unrestricted access to European communications data by U.S. authorities, the ECJ considered the access on a generalized basis to be so serious that it recognized – for the first time in its case law – a violation of the essence of the fundamental right to privacy enshrined in Art. 7 of the European Charter of Fundamental Rights and declared the Commission Decision 2000/520/EC (“Safe Harbour”) invalid. The ECJ did not, however, clarify how the term “transfer” is to be defined. Thus, national authorities and courts, which have still not been able to form a unanimous opinion on the question, are in a tight spot. II. In a nutshell
The parties involved in the case in the German State Baden Württemberg submitted their bids in a tendering process for a cloud platform whereby one bidder was not considered in the offer evaluation due to a complaint filed by a competing bidder. The rejected bidder uses a subcontractor for the provision of server and hosting services, that operate with servers located in Germany. The subcontractor is the subsidiary of a company based in the United States. The other bidder, who was ultimately chosen as the winning bidder, argued in the case before the Chamber that the rejected applicant violated the requirements of inter alia chapter V of the GDPR. The Chamber held that the term “transfer” includes any disclosure of data to a recipient outside the EU. If data is uploaded on a platform that can be accessed from a third country then, according to the Chamber, a transfer occurs, regardless of whether access actually takes place. In its reasoning, the Chamber held that the mere possibility of access – for example by granting access rights – constitutes a latent risk of unauthorized transfer of personal data into third countries. Following this determination, the Chamber then assessed and did not find sufficient safeguards to cover that legal risk of transfer in the contract concluded between the rejected bidder and its subcontractor. Under the contract, the subcontractor’s parent company was not allowed to access or use the data unless there was a legally binding official order requiring the parent company to disclose the data [e.g., a CLOUD Act order]. The Chamber, therefore, considered the use of a platform operated by a European subsidiary whose parent company is located in the United States to be in violation of the GDPR because the requirements of Chapter V were not met. The complaining bidder filed an immediate appeal, which will be decided by the Higher Regional Court of Karlsruhe. III. What do other authorities say? Unfortunately, there is still no consensus within the EU on the interpretation of the term “transfer.” Concretely:
The ECJ addressed the question as to whether holding data available for retrieval is sufficient for the presumption of a “transfer” early on in its Lindqvist decision . This broad interpretation was rejected by the ECJ: A processor who merely uploads data on a website hosted by a server located in the EU does not transfer data to third countries, since an internet user must first take additional steps [e.g., visit the website] to be able to access the stored information. Thus, only if the information is sent automatically from the server to an internet user who did not intentionally seek access to those websites and who can access such data without needing any other steps, may a transfer occur [para. 60]. Tellingly, the ECJ stated in Lindqvist [para. 68]:
“Given, first, the state of development of the internet at the time Directive 95/46 was drawn up and, second, the absence, in Chapter IV, of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression transfer [of data] to a third country to cover the loading, by an individual in Mrs Lindqvist's position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.”
The ECJ suggests in Lindqvist that “transfer” should be understood as an active act. Making data passively accessible would on the other side not be sufficient to speak of a transfer. However, it must be noted that the restrictive approach of the ECJ in Lindqvist is the result of the context and especially the state of development of the internet at that time. The European Data Protection Board (EDPB) has also taken a restrictive approach in its Guidelines 05/2021 on the Interplay between Art. 3 and Chapter V GDPR adopted on November 18, 2021. A transfer shall be given only if the following criteria are cumulatively met:
1) A controller or a processor is subject to the GDPR for the given processing. 2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”). 3) The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Art. 3. The EDPB thus does not interpret Art. 44 GDPR broadly. In its recently published guidelines on international data transfers, the German Society for Data Protection (“GDD”) takes the view that the disclosure or holding of data for retrieval in favor of an entity located outside the EU can be deemed as a transfer. The ICO holds in its guidance on international data transfers that there is a “restricted transfer” to a third-country, if “you are (…) making it accessible, to a receiver which is located in a country outside the UK.”
The Conseil d’Etat rejected in its Doctolib judgment (No. 450163) an application that was filed to block the use of AWS’s Cloud in Luxembourg due to the potential access of personal data by U.S. authorities based on the U.S. CLOUD Act. The reason for the court’s finding was that Doctolib and AWS had concluded a complementary addendum to their contract that established a specific procedure in the event of requests for access by a public authority to personal data processed on behalf of Doctolib, providing in particular for the contestation of any general request or request that does not comply with European regulations. Doctolib also implemented additional security measures for data hosted by AWS that relies on an encryption procedure based on a trusted third party located in France, in order to prevent the reading of data by third parties. The Conseil d’Etat’s summary judgment thus suggests that even a potential risk of access could constitute a transfer unless there are strong measures implemented which would prevent such access. IV. What are the implications and consequences of the decision? At first glance, the interpretation of the Chamber seems to be too far-reaching:
The ECJ and the EDPB, the main interpreters of the GDPR in Europe, so far, seem to take a more restrictive approach to the interpretation of the term “transfer.”
The interpretation of the Chamber is not covered by the wording of Art. 44 GDPR and recital 101 that imply the necessity of an active act of “transfer.” According to Art. 44 GDPR any “transfer of personal data which are undergoing processing” is subject to Chapter V. If storage and disclosure are understood as means of processing personal data (Art. 4 (2)) the mere possibility of access by third parties cannot be deemed as a transfer since Art. 44 GDPR speaks of a transfer that occurs with regards to data that is being processed already. Recital 101 speaks of “[f]lows of personal data to and from countries outside the Union and international organizations.” The term “flows” indicates a movement of something in to one direction and is commonly used in order to describe river, lava, electricity and traffic flows for instance. The Chamber considered the clause in the contract agreed between the entities as too permissive since the parent company was allowed to access data if necessary to maintain or provide the services or to comply with laws or enforceable orders of U.S. authorities. The potential access by the parent company, that was not restricted by contract, led the Chamber to activate the protection of Chapter V of the GDPR. However, the full protection of all transfer requirements under Chapter V may not be necessary bearing in mind that companies established in the EU may already generally be prohibited from complying with foreign transfer or disclosure orders under Art. 48 GDPR. This was not taken into consideration. An overly broad interpretation of the term “transfer” would also seem difficult to implement in practice. Even where there is no active transfer outside the EU, European companies would be obliged to evaluate foreign legal systems in order to check whether there is a risk of data being accessed by third-country authorities. As the decision of the Procurement Chamber is not final and in our view also not based on a consensus in the EU, Companies should for now not panic. One may first wait for judicial clarification and further guidance by European supervisory authorities.