Can European Subsidiaries of U.S. Cloud Providers No Longer Provide IT Services in the EU?

August.03.2022

An update to this article was published on September 14, 2022, and contains the latest developments pertaining to European subsidiaries of U.S. cloud providers providing services in the EU.

Analysis of the Baden-Württemberg Procurement Chamber on the admissibility of the use of IT services by European subsidiaries of U.S. cloud providers

I. Background

In its recently published decision (12 July 2022), a Procurement Chamber of the German State Baden-Württemberg (“Chamber”) commented on one of the most controversial issues in the context of international data flow regulation and took the view that an EU subsidiary of a U.S. cloud provider could not offer its IT services in compliance with the GDPR as there would be a risk that U.S. law enforcement could request access to personal data processed when making use of the U.S. CLOUD Act. The Chamber considered this risk as constituting a transfer within the meaning of Art. 44 GDPR and further concluded that the requirements for such an international transfer were not met. As a consequence, the EU subsidiary would be barred from offering its services to the public entity which runs a public procurement process.

According to Art. 44 GDPR, any transfer of personal data by controllers or processors to a third country is subject to the requirements set out in chapter V of the GDPR.

Yet what does “transfer” mean?

This became a controversial question following the ECJ’s Schrems decisions (see here and here), in which, due to the long arm of the U.S. government, data transfers to the United States were found to be unlawful unless an equivalent level of data protection could be achieved by other means. Given the potential and unrestricted access to European communications data by U.S. authorities, the ECJ considered the access on a generalized basis to be so serious that it recognized – for the first time in its case law – a violation of the essence of the fundamental right to privacy enshrined in Art. 7 of the European Charter of Fundamental Rights and declared the Commission Decision 2000/520/EC (“Safe Harbour”) invalid.

The ECJ did not, however, clarify how the term “transfer” is to be defined. Thus, national authorities and courts, which have still not been able to form a unanimous opinion on the question, are in a tight spot.

II. In a nutshell

The parties involved in the case in the German State Baden Württemberg submitted their bids in a tendering process for a cloud platform whereby one bidder was not considered in the offer evaluation due to a complaint filed by a competing bidder. The rejected bidder uses a subcontractor for the provision of server and hosting services, that operate with servers located in Germany. The subcontractor is the subsidiary of a company based in the United States. The other bidder, who was ultimately chosen as the winning bidder, argued in the case before the Chamber that the rejected applicant violated the requirements of inter alia chapter V of the GDPR.

The Chamber held that the term “transfer” includes any disclosure of data to a recipient outside the EU. If data is uploaded on a platform that can be accessed from a third country then, according to the Chamber, a transfer occurs, regardless of whether access actually takes place.

In its reasoning, the Chamber held that the mere possibility of access – for example by granting access rights – constitutes a latent risk of unauthorized transfer of personal data into third countries. Following this determination, the Chamber then assessed and did not find sufficient safeguards to cover that legal risk of transfer in the contract concluded between the rejected bidder and its subcontractor. Under the contract, the subcontractor’s parent company was not allowed to access or use the data unless there was a legally binding official order requiring the parent company to disclose the data [e.g., a CLOUD Act order].

The Chamber, therefore, considered the use of a platform operated by a European subsidiary whose parent company is located in the United States to be in violation of the GDPR because the requirements of Chapter V were not met.

The complaining bidder filed an immediate appeal, which will be decided by the Higher Regional Court of Karlsruhe.

III. What do other authorities say?

Unfortunately, there is still no consensus within the EU on the interpretation of the term “transfer.” Concretely:

The ECJ addressed the question as to whether holding data available for retrieval is sufficient for the presumption of a “transfer” early on in its Lindqvist decision. This broad interpretation was rejected by the ECJ: A processor who merely uploads data on a website hosted by a server located in the EU does not transfer data to third countries, since an internet user must first take additional steps [e.g., visit the website] to be able to access the stored information. Thus, only if the information is sent automatically from the server to an internet user who did not intentionally seek access to those websites and who can access such data without needing any other steps, may a transfer occur [para. 60].
Tellingly, the ECJ stated in Lindqvist [para. 68]:

“Given, first, the state of development of the internet at the time Directive 95/46 was drawn up and, second, the absence, in Chapter IV, of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression transfer [of data] to a third country to cover the loading, by an individual in Mrs Lindqvist's position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.”

The ECJ suggests in Lindqvist that “transfer” should be understood as an active act. Making data passively accessible would on the other side not be sufficient to speak of a transfer. However, it must be noted that the restrictive approach of the ECJ in Lindqvist is the result of the context and especially the state of development of the internet at that time.
The European Data Protection Board (EDPB) has also taken a restrictive approach in its Guidelines 05/2021 on the Interplay between Art. 3 and Chapter V GDPR adopted on November 18, 2021. A transfer shall be given only if the following criteria are cumulatively met:
1) A controller or a processor is subject to the GDPR for the given processing.

2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).

3) The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Art. 3. The EDPB thus does not interpret Art. 44 GDPR broadly.
In its recently published guidelines on international data transfers, the German Society for Data Protection (“GDD”) takes the view that the disclosure or holding of data for retrieval in favor of an entity located outside the EU can be deemed as a transfer.
The ICO holds in its guidance on international data transfers that there is a “restricted transfer” to a third-country, if “you are (…) making it accessible, to a receiver which is located in a country outside the UK.”
The Conseil d’Etat rejected in its Doctolib judgment (No. 450163) an application that was filed to block the use of AWS’s Cloud in Luxembourg due to the potential access of personal data by U.S. authorities based on the U.S. CLOUD Act. The reason for the court’s finding was that Doctolib and AWS had concluded a complementary addendum to their contract that established a specific procedure in the event of requests for access by a public authority to personal data processed on behalf of Doctolib, providing in particular for the contestation of any general request or request that does not comply with European regulations. Doctolib also implemented additional security measures for data hosted by AWS that relies on an encryption procedure based on a trusted third party located in France, in order to prevent the reading of data by third parties. The Conseil d’Etat’s summary judgment thus suggests that even a potential risk of access could constitute a transfer unless there are strong measures implemented which would prevent such access.

IV. What are the implications and consequences of the decision?

At first glance, the interpretation of the Chamber seems to be too far-reaching:

The ECJ and the EDPB, the main interpreters of the GDPR in Europe, so far, seem to take a more restrictive approach to the interpretation of the term “transfer.”
The interpretation of the Chamber is not covered by the wording of Art. 44 GDPR and recital 101 that imply the necessity of an active act of “transfer.” According to Art. 44 GDPR any “transfer of personal data which are undergoing processing” is subject to Chapter V. If storage and disclosure are understood as means of processing personal data (Art. 4 (2)) the mere possibility of access by third parties cannot be deemed as a transfer since Art. 44 GDPR speaks of a transfer that occurs with regards to data that is being processed already. Recital 101 speaks of “[f]lows of personal data to and from countries outside the Union and international organizations.” The term “flows” indicates a movement of something in to one direction and is commonly used in order to describe river, lava, electricity and traffic flows for instance.
The Chamber considered the clause in the contract agreed between the entities as too permissive since the parent company was allowed to access data if necessary to maintain or provide the services or to comply with laws or enforceable orders of U.S. authorities. The potential access by the parent company, that was not restricted by contract, led the Chamber to activate the protection of Chapter V of the GDPR. However, the full protection of all transfer requirements under Chapter V may not be necessary bearing in mind that companies established in the EU may already generally be prohibited from complying with foreign transfer or disclosure orders under Art. 48 GDPR. This was not taken into consideration.
An overly broad interpretation of the term “transfer” would also seem difficult to implement in practice. Even where there is no active transfer outside the EU, European companies would be obliged to evaluate foreign legal systems in order to check whether there is a risk of data being accessed by third-country authorities.

As the decision of the Procurement Chamber is not final and in our view also not based on a consensus in the EU, Companies should for now not panic. One may first wait for judicial clarification and further guidance by European supervisory authorities.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.