The German Higher Regional Court of Karlsruhe (OLG Karlsruhe) recently repealed the July 13, 2022, decision of the Procurement Chamber of the German state of Baden-Württemberg that had argued that the mere risk of access to personal data stored in the European Union by US authorities would constitute a data transfer that would not comply with the EU General Data Protection Regulation (GDPR).
In the September 7 ruling (German language only), the OLG Karlsruhe reasoned that a procurement chamber cannot reject a bidder merely on the assumption that the bidder or its sub-processors would breach their own contractual commitment to keep the data in the European Union and violate European law. The Procurement Chamber had argued that the mere risk that US authorities may access or get ahold of personal data in the cloud would already constitute a “transfer” from that subsidiary under the GDPR to a country with inadequate data protection (the United States) and thus would exclude the bidder.
The OLG Karlsruhe explained:
By signing the GDPR contracts provided by the Respondents, the party invited to the proceeding has declared that it will comply with their stipulations. It has also described its services for the use of service providers and in the area of data protection and IT security in detail in the procurement offer; in doing so it has made a clear and unambiguous performance promise. In this context, it has assured that personal health data will only be transferred to A. S.à.r.l. [the Luxembourg entity], and will not leave the EU for any data processing, but that the data will only be processed in Germany. In addition, the party invited to the proceeding stated that A. S.à.r.l. . . . had assured it that all of the Respondents' data would be processed in Germany and also confirmed in the oral hearing before the bench that it would conclude all internally necessary contracts with A. [S.a.r.l.] until the offer was implemented, which would implement its promises made in the Offer. By receiving such a binding legal assurance, the Respondents understood the declarations of the party invited to the proceeding in the award documents the same way. The Respondents may rely on this promise of performance.
The OLG Karlsruhe held that the mere fact that A. S.à.r.l. is a subsidiary of a US group is no reason for the respondents to doubt that the performance promise will be fulfilled, to assume that the subsidiary would be given instructions that violate the law and the contract, or to assume that the European subsidiary, through its managing directors, would follow such unlawful instructions from the US parent company. The core of the OLG Karlsruhe's reasoning was that the data transfer to the United States in and of itself “does not cast doubt on the performance promise of the defendant.” In essence, there is no presumption that an EU subsidiary of a US cloud provider would violate EU law.
What can we take away from this ruling? This ruling serves as a big relief for many US cloud businesses as it is now clear that they are not excluded from procurements in Germany, although the court did not address the argument of the Procurement Chamber that a mere possibility of accessing data from outside the European Union by a US parent company would constitute a “transfer” under the GDPR. However, the OLG Karlsruhe seems to assume that the mere risk that US authorities may gain access to European personal data is irrelevant because otherwise every bidder with a US presence would be excluded from the procurement. The decision of OLG Karlsruhe is final.