Data in a third country: access risk already contrary to data protection?

At the latest since the Schrems II ruling, it has become clear that the transfer of data to countries outside the EU (third countries) can be problematic under data protection law. But is the risk of transfer to a third country sufficient? At least this is the opinion of the Baden-Württemberg Procurement Chamber.

You can find out the current status of the debate on data protection law here.

Procurement Chamber: Access risk in the third country is processing in the third country

Die Vergabekammer Baden-Württemberg ist der Ansicht, dass eine Übermittlung (und damit Verarbeitung im Sinne von Art. 4 Nr. 2 DSGVO) bereits vorliegt, wenn die Gefahr besteht, dass die Daten in ein Drittland be transmitted.

Role of procurement chambers

The public procurement chambers of the federal states are independent supervisory authorities just like the data protection commissioners of the federal states (Section 157 GWB). In this context, public procurement chambers do not have the function of a supervisory authority, but rather act in a court-like manner. They review the award of public contracts if a competitor files a complaint (Section 155 GWB).

Position of the Procurement Chamber

The Baden-Württemberg Procurement Chamber was presented with a case involving the award of a contract for the purchase of software for digital admission management for hospitals. An unsuccessful competitor, which advertised that the data would only be stored on German servers, lodged an appeal. According to the unsuccessful competitor, the competitor that won the bid did not comply with data protection law. He would in fact be using the services of an EU subsidiary of a major US cloud service, which would entail the risk that the parent company would access the data stored in the EU from the US side and that it would then no longer be as secure as required by the GDPR.

The Procurement Chamber agreed with this view and cancelled the award. It stated that the concept of transfer in Art. 4 No. 2 and Art. 44 GDPR is not the same. Rather, a transfer in the sense of processing pursuant to Art. 44 GDPR already exists if there is a risk of transfer to a third country.

Dazu führt die Vergabekammer aus: „Der Übermittlungsbegriff ist im Lichte des weil [gemeint ist hier wohl „weit“] gefassten Wortlauts des Art. 44 S. 1 DS-GVO sowie der in Art. 44 S. 2 DS-GVO niedergelegten Anweisung in Bezug auf die Normanwendung auszulegen und damit umfassend zu verstehen: Übermittlung ist jede Offenlegung personal data gegenüber einem Empfänger in einem Drittland oder einer internationalen Organisation, wobei es weder auf die Art der Offenlegung, noch auf die Offenlegung gegenüber einem Dritten ankommt.“ Eine Offenlegung in diesem Sinne liege schon vor, wenn die Möglichkeit besteht, dass ein Drittland zugreift, unabhängig vom tatsächlichen Zugriff.

Data Protection Authority: TOMs are there to minimize risk

Following this decision, the State Data Protection Commissioner has also taken a position on the decision of the Procurement Chamber: He does not agree with the interpretation.

Der Landesdatenschutzbeauftragte bemängelt, dass in der Argumentation der Vergabekammer übersehen wird, dass es gerade die technischen und organizational measures (TOM´s) gibt, die das aufgezeigte Risiko des Zugriffes minimieren (Art. 32 DSGVO). Diese seien „wirksame Gegenmittel“. Sie könnten anhand einer einzelfallbezogenen Risikoabschätzung ein optimales Datenschutzniveau schaffen.

The main problem with the decision is the different interpretation of the transfer in Art. 4 No. 2 and Art. 44 GDPR. This is neither evident from the wording nor from the recitals.

A blanket exclusion of companies with connections to American service providers is neither elegant nor economical. The view of the Procurement Chamber would only lead to the fact that no American service providers can be used, even if they operate server farms in the EU.

And now?

How the debate will ultimately be resolved remains to be seen. The decision of the Procurement Chamber will now be reviewed by the Karlsruhe Higher Regional Court. The opinion of the State Data Protection Commissioner suggests that the court will overturn the decision. There is not yet a blanket ban on transfers, but rather individual case reviews.

Are you looking for professional advice in all areas relating to data protection? Our team of experts will be happy to assist you. Contact us!