Criticism of data protection: US cloud providers excluded

The argument about the middle and the right way in data protection has been in full swing in Germany for a long time, but sometimes it even gets too much for data protection officials.

An unusual resistance is currently coming from the southwest of the republic, where the public procurement chamber of Baden-Württemberg has tightly shackled the authorities when choosing cloud providers.

In the future, these should not be allowed to consider US cloud providers in tenders, even if they offer their services via subsidiaries in Europe (Az.: 1 VK 23/22).

If this decision were upheld, large cloud providers such as Amazon Web Services (AWS), Microsoft or Google would be categorically excluded from future cooperation with German authorities.

Corinna Budras

Business correspondent in Berlin.

• Follow I follow

It has therefore already met with severe criticism in professional circles.

With the Baden-Württemberg data protection officer Stefan Brink, however, a supervisory authority is now reporting with clear criticism.

According to a statement made available to the FAZ, some of the public procurement chamber's assessments are "legally dubious".

The authority rejects blanket transfer bans.

Specifically, it is about a decision from mid-July, which Brink believes is important beyond the specific award procedure.

In its negative decision, the Public Procurement Chamber relies on the "latent risk" of access to personal data by US authorities, which cannot be adequately contained in contract clauses.

She is referring to a landmark ruling by the European Court of Justice (ECJ), which has made data traffic between Europe and the United States significantly more difficult for around two years - and has already had far-reaching practical effects.

At that time, the European judges declared in their landmark judgment “Schrems II”, which bears the name of the plaintiff, that the data of European citizens are largely unprotected from access by American authorities such as the FBI.

Companies that want to transfer data must therefore take additional precautionary measures.

Cloud service providers from the USA such as AWS and Microsoft therefore changed their business model and now offered server farms with locations in Germany or other European countries via European subsidiaries.

This was also done to meet the strict requirements of German data protection officials.

In the opinion of the public procurement tribunal, however, this is not sufficient.

Even in these constellations, she fears that American authorities could access the personal data of European citizens.

According to the Public Procurement Chamber, this latent risk could “realize at any time”.

However, a number of data protection lawyers, including Brink, are now contradicting this.

He is bothered by the fact that the mere risk is equated with a scenario in which the data is actually transmitted to the authorities.

He thinks this could be disputed with good reason.

This line of argument overlooks the fact that effective countermeasures against such access risks can be used via technical and organizational measures that rule out any risk.

The data protection lawyer Stephan Schmidt from the Mainz law firm TCI Rechtsanwälte agrees.

He considers the decision to be "excessive and poorly justified".

The judges apparently assumed that there were employees in subsidiaries of US companies who simply gave out data or granted access options.

"In doing so, however, these companies and their employees would be in breach of the European General Data Protection Regulation and would thereby commit at least one administrative offense themselves," emphasizes Schmidt.

"That's unlikely."

The decision is causing a great deal of excitement in the industry, as it would be the end of a solution with which companies are trying to implement the much-criticized Schrems case law of the ECJ.

Because of what he considers a bad justification, Schmidt does not expect it to last.

Brink is also looking “with excitement” at the higher regional court in Karlsruhe, which will deal with it in the next instance.

In the meantime, the view that American cloud services must disappear from German or European authorities is spreading: The European Society for Data Protection, which regularly represents plaintiffs in data protection lawsuits in court, recently took action against the European Commission itself, partly because it was using the services uses by AWS.

The argument: When the website https://futureu.europa.eu is called up, personal information such as the IP address automatically reaches an “insecure third country without an appropriate level of data protection” through the cloud service in its function as web host and is processed there.

There is also criticism of the current 2022 census. In this context, the Federal Statistical Office relies on the services of the American provider Cloudflare.

Brink thinks little of such blanket allegations.

"Cloudflare is not an ideal partner for German authorities," he admits.

"But such assessments must be specific, not sweeping."