US-Cloud and DSGVO / OLG overturns decision of the Public Procurement Chamber BW

No blanket exclusion of subsidiaries of US cloud service providers due to data protection concerns in public contract awards!

According to the current decision of the Higher Regional Court (OLG) Karlsruhe (OLG Karlsruhe, decision dated 07.09.2022 - AZ.: 15 Verg 8/22), subsidiaries of US cloud service providers may continue to be used in public procurement procedures within the healthcare sector.

Background to these decisions was an award procedure between two hospital companies. The aim of the tender was to procure a digital discharge management system. The tender documents reqired compliance with the General Data Protection Regulation (Datenschutzgrundverordnung – DSGVO) and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) with regard to the personal data of the patients to be discharged. The Baden-Württemberg Procurement Chamber had excluded the bid of a bidder who wanted to integrate US cloud service providers due to data protection concerns. The Higher Regional Court has now rightly rejected this decision by the Baden-Württemberg Procurement Chamber, which is highly controversial within the sector.

1. Background: Decision of the “Vergabekammer” Baden-Württemberg

The starting point was the decision of the Public Procurement Tribunal of 13.07.2022 (AZ.: 1 VK 23/22), according to which the use of European cloud service providers with a U.S. parent company for personal data violated the GDPR. In the opinion of the Procurement Chamber, the bidder in question had thus inadmissibly amended the tender documents within the meaning of Section 57 (1) No. 4 VgV, which resulted in the exclusion of the bid. In this respect, the Public Procurement Chamber assumed that the bidder using the cloud provider with U.S. parent company cannot provide the service - as required in the award documents - in compliance with the DSGVO.

When using the hosting infrastructure of the cloud provider, there is a "latent risk" of access by both state and private bodies outside the EU and in particular in the USA, irrespective of its location in the EU and the fact that the data is to be stored exclusively on servers in Germany. Even a latent risk is sufficient to constitute a data transfer that is impermissible under Art. 44 ff. DSGVO to a third country. Whether and how obvious access is is irrelevant.

In this respect, the Public Procurement Chamber refers to the so-called "Schrems II" judgment of the European Court of Justice (EuGH, judgment of July 16, 2020, Case C-311/18). Accordingly, personal data can no longer be transferred to the USA on the basis of the Commission's implementing decision 2016/1250 on the adequacy of the so-called "EU-US Privacy Shield". The EuGH had declared the implementing decision on the EU-US Privacy Shield invalid because the USA does not guarantee an adequate level of protection for personal data. According to the current legal situation, the exchange of data between an EU and a US company regularly takes place on the basis of the standard contractual clauses, combined in individual cases with sufficient technical protection measures and contractual guarantees.

The decision of the Procurement Chamber has been widely criticized in practice. In particular, the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI) commented on the decision of the VK Baden-Württemberg. It is doubtful to equate a latent access risk with a "transfer" (as a form of processing according to Art. 4 No. 2 DSGVO).

In addition, the Procurement Chamber ignores the fact that effective countermeasures exist against access risks in the form of so-called "technical-organizational measures" (TOM), which can help to reduce corresponding risks in individual cases. In addition, a distinction must be made between the different versions of the standard contractual clauses (SCC) that could be considered as a protective mechanism for a data transfer to the USA. The bidder awarded the contract used clauses that fall short of the version of the clauses that can currently be used. Therefore, even after the decision, the LfDI continues to adhere to the principle of not imposing blanket prohibitions on transfers, but rather to conduct alternative tests on a case-by-case basis.

The decision of the Public Procurement Tribunal was thus a big surprise, both from the point of view of public procurement law and from the point of view of data protection law. Due to the Schrems II decision of the EuGH, no data protection supervisory authority had issued a blanket ban on the use of U.S. cloud service providers, as far as is known. Moreover, due to the high practical relevance of U.S. cloud service providers, much is in flux here. Some U.S. cloud service providers are now offering new contract models to directly address the criticism of the European supervisory authorities.

2. Correction by the Higher Regional Court of Karlsruhe

The  Higher Regional Court of Karlsruhe has now corrected the decision of the Public Procurement Chamber and emphasized that data processing in procurement procedures may continue to be carried out by a European subsidiary of U.S. cloud service providers. The decisive factor is that the company gives a binding assurance that the personal data will be processed exclusively in Germany and not in any third country. According to the Higher Regional Court of Karlsruhe, a public client may generally assume that a bidder will fulfill its contractual commitments. Only if there are concrete indications is a public purchaser required to obtain additional information regarding the fulfillment of the performance promise.

In the present case, the bidding company in question had signed the DSGVO contracts specified by the contracting authority. Furthermore, it described these in more detail in the offer with regard to the services for the use of service providers and in the area of data protection and IT security and made a clear and unambiguous performance promise.

In the opinion of the Higher Regional Court, a mere group affiliation is in any case not sufficient to cast doubt on the fulfillment of the performance promise.

The decision is interesting insofar as it concerns interstate collisions of different legal systems. As was the case at the time with the "chancellor's cell phone" and its monitoring by "friendly services," it seems entirely possible that internationally, due to the de facto dominance of the U.S. authorities and the obligations of the U.S. companies, it is accepted that legal and contractual requirements from the EU area are violated. However, this is difficult to prove. In this respect, the Higher Regional Court makes the realistic decision to initially rely on contractually binding promises.

3. Practical significance of the decision

The decision facilitates the use of various cloud technologies. It is important that the case-by-case examination in the award procedure, which is also required by the data protection officers, is documented (in relation to award documents and also in the bid review). Current contractual templates for data protection must also be used.

It is advisable to impose high penalties on U.S. companies in the event of a violation and - if possible - to provide technical safeguards for contractual commitments (e.g., data encryption in which the private key is stored outside the sphere of a U.S. cloud service provider). This could be an economic incentive to comply with EU data protection requirements.

Incidentally, this topic is also of interest outside of pure public procurement law: Even if a company is not a public contracting authority but receives funding (e.g. on the basis of the KHZG - Krankenhauszukunftsgesetz), a call for tenders is generally envisaged on the basis of the requirements of funding law. The above-mentioned legal issues then become relevant again, even if they are not clarified before the Public Procurement Chamber. Data protection violations can cost money quickly.

Supplement (2022-09-23)
The OLG does not require that data be processed only in Germany. This was probably offered and thus agreed in the specific case. Legally, this is not necessary. As long as data is processed in countries that are subject to the GDPR (EU, EEA), this is sufficient.
On the award blog, the decision is also discussed. More information here.