- The Baden-Württemberg Public Procurement Chamber considered a latent US access option to be sufficient to assume an inadmissible data transfer under the GDPR.
- Criticism: The Chamber had failed to specifically examine the actual probability of access by the US authorities and applicable US law.
- Author’s conclusion: The VK’s considerations are too far-reaching; a blanket assumption of every theoretical possibility of access is legally unfounded.
The Public Procurement Chamber of Baden-Württemberg (VK) issued a non-appealable decision on July 13, 2022 (Ref. 1 VK 23/22) which has made waves (see, for example, the statement of the successful bidder’s law firm, a discussion on Twitter and the note from Martin Steiger).
The case concerned a tender by a public body in which the previously successful bidder and a competitor had participated (the latter being the “respondent” in the decision). In the proceedings, this competitor had named an EU-based subsidiary of a cloud provider with group companies in the USA as its processor. It can be seen from the decision that no further companies in the USA would be involved as subcontractors.
The contract was initially awarded to the successful bidder. The competitor objected, whereupon the invitation to tender was renewed. Part of the specifications was that the requirements of the GDPR be fulfilled. The successful bidder thereupon requested that the competitor be excluded from the award procedure, among other things because this condition was not met.
Arguments of the parties
The successful bidder essentially argued that the competitor uses a data center operator whose group companies are located in third countries. This amounts to an unauthorized transfer to the USA because the “U.S. surveillance law” creates a “latent risk” that an actual transfer to the U.S. will occur. This already constitutes a transfer within the meaning of GDPR 44 et seq.
The losing bidder, on the other hand, argued:
- a transfer always requires data processing (according to GDPR 4 No. 2: “Processing [means] any […] operation […] related to personal data such as […] disclosure by transmission, dissemination or otherwise making available […]”). However, a theoretical possibility of access does not constitute processing and is therefore also not a transfer to a third country.
- Irrespective of this, a transfer – if there is one – is legitimized by the standard contractual clauses that are applied according to the contractual documents. Supplementary provisions implementing the “further measures” required by the ECJ are also agreed.
Considerations of the Procurement Chamber
The VK sees an impermissible transfer to the USA:
- The term “transfer” is mentioned in GDPR 4 No. 2 as an example of processing, but the term “disclosure by transfer” as defined in GDPR 4 No. 2 is not the same as the term “transfer” as defined in GDPR 44 et seq. Rather, any disclosure is sufficient, even without processing.
- Such disclosure is to be assumed already when personal data are placed on a platform that can be accessed from a third country, “regardless of whether the access actually takes place.” An access possibility constituted “a latent risk that an unauthorized transfer of personal data may take place”.
- According to the cloud provider’s contract, customer data may be disclosed, among other things, if this is necessary to comply with laws or effective and legally binding orders from government agencies. It is true that overly broad or unreasonable requests by government agencies must be challenged. However, these provisions still open up the possibility for government and private agencies in the U.S. to access customer data. This latent risk is sufficient for an impermissible transfer:
In this respect, it does not matter whether and how obvious the occurrence of the circumstances laid down in the two clauses, which are necessary for access in the individual case, is. Finally, the latent risk can materialize at any time. By entering into the agreement with [the cloud provider], the defendant is at least partially relinquishing its ability to influence the data entrusted to [the cloud provider].
- According to the Chamber, the obligation to challenge certain requests does not eliminate the latent risk of access.
- The encryption technology used by the losing bidder was also not sufficient. However, the Procurement Chamber did not examine this on the merits because the cloud provider only wanted to (or was allowed to) disclose the relevant documents on condition that they were only disclosed to the other parties in blacked-out form; such documents are not to become part of the files of the Procurement Chamber.
- The SCC are “not suitable for legitimizing transfers per se; rather, a case-by-case examination is required”. This leads to the assumption of inadmissibility under data protection law.
Notes
The considerations of the VK are to be rejected. The VK has made things far too easy for itself. If it is indeed of the opinion that the theoretical possibility of access by U.S. authorities already constitutes a transfer within the meaning of GDPR 44 et seq., it should have examined whether there is actually a possibility of access by the U.S. authorities, which it failed to do (see below). However, its broad interpretation of the term “transfer” is also absurd. That it has not sufficiently addressed these questions is also shown by the fact that the VK speaks of a “transfer”, i.e. does not itself use the terms consistently.
Notion of transmission
Preliminary, but actually secondary question: transmission as processing?
The VK does not want to understand a transfer within the meaning of GDPR 44 et seq. as a case of processing. Apparently, it wants to justify that no processing is necessary for the transfer and that the latter consequently includes any access possibility, no matter how remote.
For its interpretation of the term “transfer”, the VK can prima vista rely on the English version of the GDPR, because this indeed distinguishes between the transfer within the meaning of GDPR 4 No. 2, i.e. as a case of processing (German: “Offenlegung durch Übermittlung”, English: “disclosure by transmission”), and that according to GDPR 44 et seq. (German also “Übermittlung”, but English now “transfer”).
However, the VK overlooks the fact that the GDPR, also in the English version, does indeed understand the “transfer” as processing. GDPR 28(3)(a) requires that the processor
processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country […];
This is even clearer in GDPR 48, the provision that refers to mutual legal assistance for transfers under foreign law. GDPR 48 says in the German text
[…] any decision of an administrative authority of a third country by which […] the transmission or disclosure of personal data is required […].
Analogous to the English version:
[…] any decision of an administrative authority of a third country requiring […] to transfer or disclose personal data […]
Thus, a clear distinction is made between a transmission (“transfer”) and a “disclosure”, which must therefore be something other than a transfer.
The ECJ also considers transfers within the meaning of GDPR 44 et seq. to be processing. In Schrems II, the ECJ stated in para. 83 that
[…] the transfer of personal data from a Member State to a third country as such constitutes a processing of personal data within the meaning of Article 4(2) of the GDPR which takes place on the territory of a Member State.
Therefore, the VK obviously could not say that the transfer according to GDPR 44 et seq. includes a blanket disclosure. But even if it did, it would have had to answer the question under which conditions such a disclosure is to be assumed. That any theoretical possibility is sufficient does not in any case follow even from the very broad understanding of the VK.
Main question: When does a possibility of access lead to a “transmission”?
The main question is therefore how realistic an access possibility must be for it to constitute a “transfer” within the meaning of GDPR 4 et seq. The VK should not have been satisfied with superficial GDPR hermeneutics. It is clear that not every theoretical access possibility is covered by GDPR 44 et seq.:
- The VK’s argument that a transfer does not require processing is wrong, as stated. In any case, it could not answer the question under which conditions a theoretical access becomes a “transfer”.
- It is true that a transfer can also occur by granting the recipient access to the data (e.g. storage on a server with disclosure of a login). However, this does not mean that any theoretical access is sufficient. If it were, any processing would be a transfer to a third country, if only because the risk of a hacker attack from a third country is never zero.
- The threshold for an access possibility is not zero. This follows directly from the GDPR, not from semantics but from its fundamental concepts. Ultimately, the yardstick for the question of when a transfer exists is the same as for the question of whether a datum is anonymous or pseudonymous. This is because both concepts presuppose that access to a data set by a person with identifying additional knowledge is excluded. And in the case of anonymization and pseudonymization, nobody requires that every theoretical access possibility be excluded either:
- With respect to the test of whether data is personal, recital 26 states that all means “reasonably likely to be used” to identify the natural person directly or indirectly must be taken into account, considering “all objective factors, such as the costs of and the amount of time required for identification”. This means that not just any theoretical identification possibility will do. If this were the case, there would basically be no non-personal (factual) data left, which is clearly not the aim of the GDPR and must not be.
- Furthermore, GDPR Art. 4 No. 5 on pseudonymization presupposes that the identifying additional information “is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. The reference to TOMs assigns this issue to data security, and this, as is well known, requires not complete but adequate protection. This illustrates once again that not every theoretical identification possibility is sufficient.
- It follows that the yardstick for a transfer within the meaning of GDPR 44 et seq. is a sufficient probability that a recipient in a third country will access the data in question. How probable this must be remains open, but it is clear that not every theoretical possibility is sufficient. Moreover, the probability can be reduced by suitable TOMs, and the decisive factor is, of course, the remaining probability.
This probability is not a question of the risk-based approach, but a factual element of the transfer under GDPR 44 et seq. In other words:
- If personal data is transferred to an exporter in the U.S. in such a way that it effectively possesses that data, a transfer has occurred. Then there is the further question of whether the SCCs are sufficient, and it is in this context that the risk-based approach plays a role. This is not the present case.
- If, on the other hand, it is already questionable, as here, whether personal data is transferred to a body in the USA at all, because it is not clear whether this body can realistically access the personal data in an identifying form, then it follows from the concept of transfer that the probability of this access possibility is decisive.
The VK should therefore have answered with what probability a U.S. agency can access personal data or, in other words, whether this possibility of access is realistic or merely theoretical. Without this examination, it could not assume a transfer. Again, this is not a question of the risk-based approach, but of the preliminary question of whether a transfer is to be assumed at all.
Unfortunately, what remains open in this context is what the cloud provider’s or its customer’s encryption means for the risk of access from the USA, because the Procurement Chamber did not want to keep the relevant documents on file in redacted form (without giving legal reasons for this, except for a general reference to the right to be heard). However, insofar as customers of the cloud provider encrypt customer data in such a way that the cloud provider itself cannot use the key and/or cannot search customer data for targets of the US authorities, access by US authorities and thus also a transfer would be excluded.
Access risks under US law
The VK should therefore have looked more closely at US law, which it also failed to do. In this context, the issue appeared to be the Stored Communications Act (SCA), which was amended by the CLOUD Act. Here, the VK should have checked the requirements for access:
- In the Schrems II judgment, the ECJ classified only FISA and EO 12333 as problematic with reference to the USA, i.e. as not compatible with European principles (the “essential guarantees”). The SCA also allows access by authorities in connection with criminal proceedings, but within a framework recognized in Europe. Therefore, the SCA is normally not the problem. However, the VK was probably thinking of the already mentioned Art. 48 (“[…] any decision of an administrative authority of a third country requiring […] the transfer or disclosure of personal data shall, in any event, without prejudice to other grounds for transfer under this Chapter, only be recognized or enforceable if based on an international agreement in force, such as a mutual legal assistance agreement between the requesting third country and the Union or a Member State”). If an EU company of the cloud provider were required under the SCA to disclose data to U.S. authorities, a violation of this provision would be conceivable.
- However, the SCA presupposes that U.S. jurisdiction exists at all. That this should be the case with respect to the EU subsidiary of the cloud provider is anything but clear, and it was not verified.
- A cloud provider subject to U.S. jurisdiction would further not be required to release data, to which it has no reasonable access. Whether this was the case in the present case depends, among other things, on the technical and organizational measures with which the cloud provider restricts the plaintext access of its US companies, including encryption measures.
- Furthermore, the VK should have examined whether a surrender order would also be enforced against Art. 48 GDPR – and, if applicable, analogous provisions of the law applicable to the EU subsidiary of the cloud provider. US courts could, on the basis of a comity analysis, conclude that a threatened breach of, for example, Art. 48 GDPR is sufficient to override a surrender order.
Relevance of foreign law only in case of concrete applicability
The VK should have carefully examined these questions. A blanket reference to the Schrems II judgment cannot replace this, because the ECJ determined the insufficiency of certain legal bases of U.S. law generically, namely with regard to the question of whether the Privacy Shield as such confers adequate protection, without having to examine the question of applicability in more detail in each individual case.
Here, however, the relevant question would not have been whether U.S. law is deficient in certain respects, but whether the deficient law – or, in the case of the SCA, other law – is applicable at all. This test, in turn, has nothing to do with the risk-based approach, but precedes it – or even the zero-risk approach – as a preliminary question. For unlike the assessment by the ECJ and as with the SCC, the issue here is not to assess U.S. law per se, but its effect in a particular scenario.
With reference to the standard clauses, the ECJ has also stated (para. 141) that it is not to be
deemed a breach of these clauses if an obligation arising from the law of the third country of destination is complied with which goes beyond what is necessary for purposes such as those mentioned above.
This demonstrates the self-evident fact that a deficient legal basis – or, in this case, the SCA – does not preclude a transfer based on the SCC as long as that legal basis is inapplicable to the transferred data. For the same reason, clause 14 of the SCC provides that the parties warrant to each other that they
have no reason to believe that the […] laws and practices in the third country of destination […] prevent the data importer from fulfilling its obligations under these clauses.
It is therefore always a matter of local law, which is applied in the specific case and must be examined accordingly.
Once again, this has nothing to do with a risk-based approach. It is not about quantifying or accepting an access risk on the basis of U.S. law, but about the question of whether access possibilities exist at all under this law (unless one assumes that the U.S. generally acts without a legal basis, which the European authorities have not done so far, at least not openly).
Against this background, the statements of the Procurement Chamber are, for a start, of no precedential value. Too many legal and factual questions remain unasked and unanswered. However, they are also to be rejected in substance and in result. They would have the direct consequence that in the future every competitor with the slightest US connection could be beaten out of the field with sweeping allegations, and the indirect consequence that every risk would have to be excluded in every data processing and that there would no longer be any anonymization or pseudonymization – the GDPR would then really be “the law of everything”. This would not only be absurd, but also simply outside the legislative competence of the EU.