The German Higher Regional Court of Karlsruhe (OLG Karlsruhe) recently repealed the July 13, 2022, decision of the Procurement Chamber of the German state of Baden-Württemberg that had argued that the mere risk of access to personal data stored in the European Union by US authorities would constitute a data transfer that would not comply with the EU General Data Protection Regulation (GDPR).
In the September 7 ruling (German language only), the OLG Karlsruhe reasoned that a procurement chamber cannot deny a bidder merely based on the assumption that the bidder or its sub-processors would breach their own contractual commitment to keep the data in the European Union and violate European law. The Procurement Chamber had argued that the mere risk that US authorities may access or get ahold of personal data in the cloud would already constitute a “transfer” from that subsidiary under the GDPR to a country with inadequate data protection (the United States) and thus would exclude the bidder.
The OLG Karlsruhe held that the mere fact that A. S.à.r.l. [Luxembourg] is a subsidiary of a US group is no reason for the respondents to doubt the fulfillment of the performance promise or that there would be instructions to the subsidiary in violation of the law and the contract, or that the European subsidiary would follow such instructions of the US parent company in violation of the law through its managing directors. The OLG Karlsruhe reasoned the core argument that the data transfer to the United States in and of itself “does not cast doubt on the performance promise of the defendant.” In essence, there is no presumption that an EU subsidiary of a US cloud provider would violate EU law.
What can we take away from this ruling?
This ruling serves as a big relief for many US cloud businesses as it is now clear that they are not excluded from procurements in Germany, although the court did not address the argument of the Procurement Chamber that a mere possibility of accessing data from outside the European Union by a US parent company would constitute a “transfer” under the GDPR. However, the OLG Karlsruhe seems to assume that the mere risk that US authorities may gain access to European personal data is irrelevant because otherwise every bidder with a US presence would be excluded from the procurement. The decision of OLG Karlsruhe is final.