In a submission dated February 9, 2022, a private individual had requested the Federal Administrative Court to Federal Chancellery (BK) was to forbid, the work in connection with the federal government’s cloud strategy (on this here) or continue according to data Outsource to the public clouds of the five providers Microsoft, Oracle, IBM, AWS and Alibaba.
The SNB had dismissed the application for a precautionary ban on March 31, 2022, because it had considered itself to lack jurisdiction. On appeal, the Federal Supreme Court had held that the FAC had committed a formal denial of justice because it had wrongly left open the question of jurisdiction to issue precautionary measures and had wrongly failed to examine the substance of the application for precautionary measures (Decision 1C_216/2022 of July 28, 2022). It therefore referred the matter back to the FAC.
The BVGer rejects the Request for precautionary measures in an interim order (Business no. A‑661/2022) now again from, this time with a discussion of the content (see also the Media release of the BK):
- Insofar as the application is directed against processing not by the BK but by other administrative units, it must be rejected because the BK – as the addressee – would not be responsible for it;
- The complainant has the right to appeal with regard to his own personal data. He has a legitimate interestbecause any data processing interferes with the “fundamental right to informational self-determination” according to BV 13 II. The person affected by a data processing has “in principle a current and practical interest in warding off unjustified encroachments”. Nor can the legitimacy to file an appeal be denied because the complainant would not be more intensively affected by a shift of his data to a public cloud than other persons, because otherwise, precisely where data processing affects a large part of the population, “the claims under data protection law would be emptied of their content for formal reasons” – a comprehensible but far-reaching statement;
- on the merits, the application must be rejected because the BK – and only these are at stake – today does not process any personal data of the complainant or move it to a public cloudand it is also “not yet apparent that, as part of the project to introduce certain Microsoft 365 applications in the cloud, which is currently still in the concept phase, older data will also be filed electronically and/or stored in a cloud”. Accordingly, both a reason for the order and a particular urgency are missing.
Whether the private individual will now also take action against other administrative units if they want to obtain services from the public clouds – which they can now do after the complaint has been dismissed – remains to be seen.