Ver­ga­be­kam­mer Baden-Würt­tem­berg: Daten­über­mitt­lung durch jede theo­re­ti­sche Zugriffsmöglichkeit?

The Public Pro­cu­re­ment Cham­ber of Baden-Würt­tem­berg (VK) issued a non-appeal­ab­le deci­si­on on July 13, 2022 (Ref. 1 VK 23/22). Deci­si­on takenwhich has made waves (see, for examp­le, the Office of the suc­cess­ful bid­der, a Dis­cus­sion on Twit­ter and the Note from Mar­tin Stei­ger).

The case con­cer­ned a ten­der of a public body in which the pre­vious­ly suc­cess­ful bid­der and a com­pe­ti­tor had par­ti­ci­pa­ted (the lat­ter the “respon­dent” in the deci­si­on). In the pro­ce­e­dings, this com­pe­ti­tor had sub­mit­ted a EU-based sub­si­dia­ry of a cloud pro­vi­der with group com­pa­nies in the USA as order pro­ces­sor named. It can be seen from the reso­lu­ti­on that this would not invol­ve fur­ther com­pa­nies in the USA as subcontractors.

The con­tract was initi­al­ly awar­ded to the suc­cess­ful bid­der. The com­pe­ti­tor objec­ted, whe­reu­pon the invi­ta­ti­on to ten­der was rene­wed. Part of the spe­ci­fi­ca­ti­ons was that the Requi­re­ments of the GDPR be ful­fil­led. As a result, the suc­cess­ful bid­der reque­sted that the Com­pe­ti­tor to be exclu­ded from the award pro­ce­du­reamong other things, becau­se the abo­ve con­di­ti­ons were not met.

Argu­ments of the parties

The suc­cess­ful bid­der essen­ti­al­ly argued that the com­pe­ti­tor set a data cen­ter ope­ra­tor who­se group com­pa­ny is loca­ted in third coun­tries.. Es an unaut­ho­ri­zed trans­fer to the USA becau­se the “U.S. sur­veil­lan­ce law” crea­tes a “latent risk” that an effec­ti­ve trans­fer to the U.S. will occur. This is alrea­dy a trans­fer i.S.v. DSGVO 44 et seq..

The losing bid­der, on the other hand, argued,

  • a trans­fer always requi­res data pro­ces­sing (accord­ing to DSGVO 4 No. 2: “Pro­ces­sing [means] any […] ope­ra­ti­on […] rela­ted to per­so­nal data such as […] dis­clo­sure by trans­mis­si­on, dis­se­mi­na­ti­on or other­wi­se making avail­ab­le […]”). Howe­ver, a theo­re­ti­cal pos­si­bi­li­ty of access does not con­sti­tu­te pro­ces­sing and is the­re­fo­re also not a trans­fer to a third country.
  • Irre­spec­ti­ve of this, a trans­fer – if the­re is one – is legi­ti­mi­zed by the stan­dard con­trac­tu­al clau­ses that are app­lied accord­ing to the con­trac­tu­al docu­ments. Sup­ple­men­ta­ry pro­vi­si­ons imple­men­ting the “fur­ther mea­su­res” requi­red by the ECJ are also agreed.

Con­si­de­ra­ti­ons of the Pro­cu­re­ment Chamber

The UK sees an imper­mis­si­ble trans­fer to the USA:

  • The term “trans­fer” is men­tio­ned in GDPR 4 No. 2 as an examp­le of pro­ces­sing, but the term “dis­clo­sure by trans­fer” as defi­ned in GDPR 4 No. 2 is not the same as the term “trans­fer” as defi­ned in GDPR 44 et seq. Rather, any dis­clo­sure is suf­fi­ci­ent, even without processing.
  • Such dis­clo­sure is to be assu­med alrea­dy when per­so­nal data are pla­ced on a plat­form that can be acces­sed from a third coun­try, “regard­less of whe­ther the access actual­ly takes place.” A Access pos­si­bi­li­ty con­sti­tuted “a latent risk that an unaut­ho­ri­zed trans­fer of per­so­nal data may take place”.
  • Accord­ing to the cloud provider’s con­tract, custo­mer data may be dis­c­lo­sed, among other things, if this is necessa­ry to com­ply with laws or effec­ti­ve and legal­ly bin­ding orders from government agen­ci­es. It is true that over­ly broad or unre­a­son­ab­le requests by government agen­ci­es must be chal­len­ged. Howe­ver, the­se pro­vi­si­ons still open up the pos­si­bi­li­ty for government and pri­va­te agen­ci­es in the U.S. to access custo­mer data. This latent risk is suf­fi­ci­ent for an imper­mis­si­ble transfer:
  • In this respect, it does not mat­ter whe­ther and how obvious the occur­rence of the cir­cum­stan­ces laid down in the two clau­ses, which are necessa­ry for access in the indi­vi­du­al case, is. Final­ly, the latent risk can mate­ria­li­ze at any time. By ente­ring into the agree­ment with [the cloud pro­vi­der], the defen­dant is at least par­ti­al­ly relin­quis­hing its abi­li­ty to influ­ence the data ent­ru­sted to [the cloud provider].

  • The obli­ga­ti­on to chal­len­ge cer­tain requests does not eli­mi­na­te the latent risk of access, he said.
  • The encryp­ti­on tech­no­lo­gy used by the losing bid­der was also not suf­fi­ci­ent. Howe­ver, the Pro­cu­re­ment Cham­ber did not exami­ne this on the merits becau­se the cloud pro­vi­der only wan­ted to (or was allo­wed to) dis­c­lo­se the rele­vant docu­ments on con­di­ti­on that they were only dis­c­lo­sed to the other par­ties in blacked-out form; such docu­ments are not to beco­me part of the files of the Pro­cu­re­ment Chamber.
  • The SCC are “not sui­ta­ble for legi­ti­mi­zing trans­fers per se; rather, a case-by-case exami­na­ti­on is requi­red”. This leads to the assump­ti­on of inad­mis­si­bi­li­ty under data pro­tec­tion law.

Notes

The con­si­de­ra­ti­ons of the UK are to be rejec­ted. The UK has made things far too easy for its­elf. If it is inde­ed of the opi­ni­on that the theo­re­ti­cal pos­si­bi­li­ty of access by U.S. aut­ho­ri­ties alrea­dy con­sti­tu­tes a trans­fer wit­hin the mea­ning of GDPR 44 et seq. it should have exami­ned whe­ther the­re is actual­ly a pos­si­bi­li­ty of access by the U.S. aut­ho­ri­ties, which it fai­led to do (see below). Howe­ver, its broad inter­pre­ta­ti­on of the term “trans­mis­si­on” is also absurd. The fact that it has not suf­fi­ci­ent­ly addres­sed the­se que­sti­ons is also shown by the fact that the UK speaks of a “trans­fer”, i.e. does not its­elf use the terms consistently.

Noti­on of transmission

Preli­mi­na­ry, but actual­ly secon­da­ry que­sti­on: trans­mis­si­on as processing?

The UK wants to Trans­mis­si­on i.S.v. DSGVO 44 ff. not as a use case of pro­ces­sing under­stand. Appar­ent­ly, it wants to justi­fy that no pro­ces­sing is necessa­ry for the trans­mis­si­on and that the lat­ter con­se­quent­ly inclu­des any access pos­si­bi­li­ty, no mat­ter how remote.

For its inter­pre­ta­ti­on of the term “trans­fer”, the UK can pri­ma vista rely on the Eng­lish ver­si­on of the GDPR, becau­se this inde­ed distin­guis­hes bet­ween trans­fer wit­hin the mea­ning of GDPR 4 No. 2, i.e. as an app­li­ca­ti­on of pro­ces­sing (Ger­man: “Offen­le­gung durch Über­mitt­lung”, Eng­lish: “dis­clo­sure by trans­mis­si­on”). trans­mis­si­on”), and that accord­ing to DSGVO 44 ff. (Ger­man also “Über­mitt­lung”, but Eng­lish now “trans­fer„).

Howe­ver, the UK over­loo­ks the fact that the GDPR does not app­ly to the “trans­fer” very well also in the Eng­lish ver­si­on as a pro­ces­sing Under­stands. GDPR 28(3)(a) requi­res that the pro­ces­sor shall

pro­ces­ses the per­so­nal data only on docu­men­ted inst­ruc­tions from the con­trol­ler, inclu­ding with regard to trans­fers of per­so­nal data to a third country […];

This is even clea­rer in GDPR 48, the pro­vi­si­on that refers to mutu­al legal assi­stance for trans­fers under for­eign law. GDPR 48 says in the Ger­man text

[…] any deci­si­on of an admi­ni­stra­ti­ve aut­ho­ri­ty of a third coun­try by which […] the Trans­mis­si­on or dis­clo­sure per­so­nal data is required […].

Ana­lo­gous to the Eng­lish version:

[…] any deci­si­on of an admi­ni­stra­ti­ve aut­ho­ri­ty of a third coun­try requi­ring […] to trans­fer or dis­c­lo­se per­so­nal data […]

Thus, a clear distinc­tion is made bet­ween a trans­mis­si­on (“trans­fer”) and a “dis­clo­sure”, which must the­re­fo­re be some­thing other than a transfer.

The ECJ also con­si­ders trans­fers wit­hin the mea­ning of GDPR 44 et seq. as pro­ces­sing. The ECJ has ruled in Schrems II sta­ted in para. 83 that

[…] the trans­fer of per­so­nal data from a Mem­ber Sta­te to a third coun­try as such con­sti­tu­tes a pro­ces­sing of per­so­nal data wit­hin the mea­ning of Arti­cle 4(2) of the GDPR which takes place on the ter­ri­to­ry of a Mem­ber State.

The­re­fo­re, the UK obvious­ly could not say that the trans­fer accord­ing to GDPR 44 et seq. inclu­des a blan­ket dis­clo­sure. But even if it did, it would have had to ans­wer the que­sti­on, under which con­di­ti­ons such dis­clo­sure is to be assu­med. The fact that any theo­re­ti­cal pos­si­bi­li­ty is suf­fi­ci­ent does not in any case fol­low even from the very broad under­stan­ding of the UK.

Main que­sti­on: When does a pos­si­bi­li­ty of access lead to a “trans­mis­si­on”?

The main que­sti­on is the­re­fo­re how rea­li­stic an access pos­si­bi­li­ty must be for it to con­sti­tu­te a “trans­fer” wit­hin the mea­ning of GDPR 4 et seq. The UK should not have been satis­fied with super­fi­cial GDPR her­me­neu­tics. It is clear not every theo­re­ti­cal access pos­si­bi­li­ty cove­r­ed by GDPR 44 et seq:

  • The argu­ment of the VK, a Trans­mis­si­on does not need pro­ces­sing, is wrong as sta­ted. Howe­ver, it could not yet ans­wer the que­sti­on any­way, under which con­di­ti­ons a theo­re­ti­cal access beco­mes a “trans­mis­si­on”.
  • While it is true that a trans­fer can also occur by pro­vi­ding the reci­pi­ent of the data with the Access gran­ted (e.g. sto­rage on a ser­ver with dis­clo­sure of a log­in). Howe­ver, this does not mean that any theo­re­ti­cal access is suf­fi­ci­ent. If the lat­ter were the case any pro­ces­sing a trans­fer to a third coun­try, if only becau­se the risk of a hacker attack from a third coun­try is never zero.
  • The acces­si­bi­li­ty requi­re­ments are not at zero. This fol­lows direct­ly from the GDPR, not from seman­tics, but from fun­da­men­tal con­cepts. Ulti­mate­ly, the yard­stick for the que­sti­on of when a trans­fer exists is the same as for the que­sti­on of whe­ther a datum is anony­mous or pseud­onym is. This is becau­se both con­cepts pre­sup­po­se that access to a data set by a per­son with iden­ti­fy­ing addi­tio­nal know­ledge is exclu­ded. And also in the case of anony­miz­a­ti­on and pseud­ony­miz­a­ti­on no one requi­res to exclu­de any theo­re­ti­cal access pos­si­bi­li­ty:
    • With respect to the test of per­son­hood, reci­tal 26 sta­tes that all means “gene­ral­ly con­si­de­red to be likely to be usedto iden­ti­fy the natu­ral per­son direct­ly or indi­rect­ly”. In doing so, “all objec­ti­ve fac­tors” must be taken into account, “such as the cost of iden­ti­fi­ca­ti­on and the time requi­red for it”. This means that not just any theo­re­ti­cal iden­ti­fi­ca­ti­on pos­si­bi­li­ty will do. If this were the case, the­re would basi­cal­ly be no more fac­tu­al data, which is clear­ly not the aim of the GDPR and must not be.
    • Fur­ther­mo­re, the GDPR sta­tes in Art. 4 No. 5 on the Pseud­ony­miz­a­ti­on, this pre­sup­po­ses that the iden­ti­fy­ing addi­tio­nal infor­ma­ti­on “is stored sepa­r­ate­ly and tech­ni­cal and orga­niz­a­tio­nal mea­su­res are sub­jectensu­ring that the per­so­nal data are not attri­buted to an iden­ti­fied or iden­ti­fia­ble natu­ral per­son”. The refe­rence to TOMs assigns this issue to data secu­ri­ty, and this, as is well known, requi­res not com­ple­te but ade­qua­te pro­tec­tion. This illu­stra­tes once again that not every theo­re­ti­cal iden­ti­fi­ca­ti­on pos­si­bi­li­ty is sufficient.
  • It is clear from this that the yard­stick for the trans­fer wit­hin the mea­ning of GDPR 44 ff. is a suf­fi­ci­ent pro­ba­bi­li­ty is that a reci­pi­ent in a third coun­try will access the data in que­sti­on. Like pro­bable this must be is open, but it is clear that not every theo­re­ti­cal pos­si­bi­li­ty is suf­fi­ci­ent. Moreo­ver, the pro­ba­bi­li­ty can be redu­ced by sui­ta­ble TOMs, and the decisi­ve fac­tor is, of cour­se, the remai­ning probability.

This pro­ba­bi­li­ty is not a que­sti­on of the risk-based approach, but a fac­tu­al ele­ment of the trans­fer under GDPR 44 et seq. In other words:

  • If per­so­nal data is trans­fer­red to an exporter in the U.S. in such a way that it effec­tively pos­ses­ses that data, a trans­fer has occur­red. Then the­re is the fur­ther que­sti­on of whe­ther the SCCs are suf­fi­ci­ent, and it is in this con­text that the risk-based approach plays a role. This is not the pre­sent case.
  • If, on the other hand, as here is alrea­dy que­stion­ab­le, whe­ther If per­so­nal data is trans­fer­red to a body in the USA becau­se it is not clear whe­ther this body can rea­li­sti­cal­ly access this per­so­nal data – in an iden­ti­fy­ing form – then it fol­lows from the con­cept of trans­fer that the pro­ba­bi­li­ty of this access pos­si­bi­li­ty is decisive.

The UK should the­re­fo­re have ans­we­red, with what pro­ba­bi­li­ty a U.S. agen­cy can access per­so­nal data or, in other words, whe­ther this pos­si­bi­li­ty of access is rea­li­stic or merely theo­re­ti­cal. Without this exami­na­ti­on, it could not assu­me a trans­fer. Again – this is not a que­sti­on of the risk-based approach, but of the preli­mi­na­ry que­sti­on of whe­ther a trans­fer is to be assumed.

Unfor­tu­n­a­te­ly, what remains open in this con­text is what the cloud provider’s or its customer’s Encryp­ti­on with regard to the risk of access from the USA, becau­se the Pro­cu­re­ment Cham­ber did not want to keep the rele­vant docu­ments on file in redac­ted form (without giving legal rea­sons for this, except with a gene­ral refe­rence to the right to be heard). Howe­ver, inso­far as custo­mers of the cloud pro­vi­der encrypt custo­mer data in such a way that the cloud pro­vi­der its­elf can­not use the key and/or that it can­not search custo­mer data for tar­gets of the US aut­ho­ri­ties, access by US aut­ho­ri­ties and thus also trans­mis­si­on would be excluded.

Access risks under US law

The UK should the­re­fo­re have loo­ked more clo­se­ly at US law, which it also fai­led to do. In this con­text, it see­med to be a que­sti­on of the Stored Com­mu­ni­ca­ti­ons Act (SCA) – which was amen­ded by the CLOUD Act – to go. Here, the UK should have checked the requi­re­ments for access:

  • The ECJ has ruled in the Schrems II judgment with refe­rence to the USA, only FISA and EO 12333 are clas­si­fied as pro­ble­ma­tic, i.e. not com­pa­ti­ble with Euro­pean princi­ples (the “essen­ti­al gua­ran­tees”). The SCA also allo­ws access by aut­ho­ri­ties, in con­nec­tion with cri­mi­nal pro­ce­e­dings, but in a frame­work reco­gni­zed in Euro­pe. The­re­fo­re, the SCA is nor­mal­ly not the pro­blem. Howe­ver, the UK was pro­bab­ly thin­king of the alrea­dy men­tio­ned Art. 48 (“[…] any deci­si­on of an admi­ni­stra­ti­ve aut­ho­ri­ty of a third coun­try requi­ring […] the trans­fer or dis­clo­sure of per­so­nal data shall, in any event, without pre­ju­di­ce to other grounds for trans­fer under this Chap­ter, only be reco­gni­zed or enfor­ce­ab­le if based on an inter­na­tio­nal agree­ment in for­ce, such as a mutu­al legal assi­stance agree­ment bet­ween the reque­sting third coun­try and the Uni­on or a Mem­ber Sta­te”). If an EU com­pa­ny were requi­red by the cloud pro­vi­der to dis­c­lo­se to U.S. aut­ho­ri­ties under the SCA, a vio­la­ti­on of this pro­vi­si­on would be conceivable.
  • Howe­ver, the SCA pre­sup­po­ses that in the U.S. an at all. Respon­si­bi­li­ty exists (juris­dic­tion). That this should be the case with refe­rence to the EU sub­si­dia­ry of the cloud pro­vi­der is anything but clear, and it has not been verified.
  • A cloud pro­vi­der sub­ject to U.S. juris­dic­tion would fur­ther not be requi­red to release data, to which it has no rea­son­ab­le access. Whe­ther this was the case in the pre­sent case depends, among other things, on the tech­ni­cal and orga­niz­a­tio­nal mea­su­res with which the cloud pro­vi­der restricts the plain­text access of its US com­pa­nies, inclu­ding encryp­ti­on measures.
  • Fur­ther­mo­re, the UK should have exami­ned whe­ther a sur­ren­der order would also be enfor­ced against Art. 48 GDPR – and, if app­li­ca­ble, ana­lo­gous pro­vi­si­ons of the law app­li­ca­ble to the EU sub­si­dia­ry of the cloud pro­vi­der. US courts could name­ly rule on the basis of a Comi­ty ana­ly­sis con­clu­de that a threa­tened bre­ach of, for examp­le, Art. 48 GDPR is suf­fi­ci­ent to overri­de a sur­ren­der order.

Rele­van­ce of for­eign law only in case of con­cre­te applicability

The UK should have care­ful­ly exami­ned the­se que­sti­ons. A blan­ket refe­rence to the Schrems II judgment can­not replace this, becau­se the ECJ had found the insuf­fi­ci­en­cy of cer­tain legal bases of U.S. law gene­ri­cal­ly deter­mi­ned, name­ly with regard to the que­sti­on of whe­ther the Pri­va­cy Shield as such con­fers ade­qua­te pro­tec­tion, without having to exami­ne the que­sti­on of app­li­ca­bi­li­ty in more detail in each case.

Here, howe­ver, the rele­vant que­sti­on would not have been whe­ther U.S. law is defi­ci­ent in cer­tain respects, but whe­ther defi­ci­ent law – or in the case of the SCA, other law – is for use at all comes. This test, in turn, has not­hing to do with the risk-based approach, but pre­ce­des it – or even the zero-risk approach – as a preli­mi­na­ry que­sti­on. For unli­ke the assess­ment by the ECJ and as with the SCC, the issue here is not to assess U.S. law per se, but its effect in a par­ti­cu­lar scenario.

With refe­rence to the Stan­dard clau­ses The ECJ has also sta­ted (para. 141) that it is not necessary

shall be deemed to be in bre­ach of the­se clau­ses if an obli­ga­ti­on ari­sing from the law of the third coun­try of desti­na­ti­on is com­plied with, which goes beyond what is necessa­ry for pur­po­ses such as tho­se men­tio­ned above.

This demon­stra­tes the self-evi­dent fact that a defi­ci­ent legal basis-or, in this case, the SCA-does not pre­clu­de a trans­fer based on the SCC as long as that legal basis app­lies to the trans­fer­red data inap­p­li­ca­ble is. For the same rea­son, clau­se 14 of the SCC pro­vi­des that the par­ties assu­re each other,

have no rea­son to belie­ve that the […] laws and prac­ti­ces in the third coun­try of desti­na­ti­on […] pre­vent the data importer from Ful­fill­ment of its duties accord­ing to the­se clau­ses hin­der.

It is the­re­fo­re always a mat­ter of local law, which is app­lied in the spe­ci­fic case and must be exami­ned accordingly.

Once again, this has not­hing to do with a risk-based approach. It is not about quan­ti­fy­ing or accep­t­ing an access risk on the basis of U.S. law, but about the que­sti­on of whe­ther access pos­si­bi­li­ties exist at all under this law (unless one assu­mes that the U.S. gene­ral­ly acts without a legal basis, which the Euro­pean aut­ho­ri­ties have not done so far, at least not openly).

Against this back­ground, the state­ments of the Pro­cu­re­ment Cham­ber are initi­al­ly not pre­ju­di­cial. Too many legal and fac­tu­al que­sti­ons remain unas­ked and unans­we­red. Howe­ver, they are also to be rejec­ted in sub­stance and in result. They would have the direct con­se­quence that in the future every com­pe­ti­tor with the sligh­test US refe­rence can be bea­ten out of the field with sweeping alle­ga­ti­ons, and the indi­rect con­se­quence that every risk would have to be exclu­ded in every data pro­ces­sing and that the­re would no lon­ger be any anony­miz­a­ti­on or pseud­ony­miz­a­ti­on – the GDPR would then real­ly be “the law of ever­ything”. This would not only be absurd, but also sim­ply out­side the legis­la­ti­ve com­pe­tence of the EU.