German authorities may continue to use subsidiaries of US cloud service providers for public contracts if they promise to process the data in Germany.

The Higher Regional Court of Karlsruhe made this clear on Wednesday, overturning a mid-July decision by the Baden-Württemberg Public Procurement Chamber that had caused quite a stir.

Corinna Budras

Business correspondent in Berlin.


The Public Procurement Chamber had previously dropped such a provider from the race due to data protection concerns, citing the "latent risk" of access by US authorities.

If this decision had stood up before the Karlsruhe Higher Regional Court, large cloud providers such as Amazon Web Services (AWS), Microsoft or Google would have been categorically excluded from working with German authorities in the future.

Authorities may trust the offer

The Karlsruhe judges now saw things differently: the contracting authorities, in this case two municipally owned hospital companies, can rely on the provider’s binding commitments that the data will only be processed in Germany and not transmitted to any third country, they found.

In principle, it can be assumed that a bidder will fulfill its contractual commitments.

The judges decided that the contracting authority only had to obtain additional information and check whether the promise of performance could be fulfilled if specific indications raised doubts (Az.: 15 Verg 8/22).

The case is thus legally decided.

"This is a step back to normality," said Christian Schröder, a lawyer at the law firm Orrick, Herrington & Sutcliffe, who was not involved in the proceedings.

Anything else would have led to great uncertainty.

Providers changed their business model

The decision of the procurement chamber in July had irritated even data protection officials.

The criticism was that this would thwart any pragmatic handling of the "Schrems II" case law of the European Court of Justice (ECJ).

Around two years ago, the European judges determined that the data of European citizens was largely unprotected from access by American authorities such as the FBI.

Companies that want to transfer data must therefore take additional precautionary measures, the European judges demanded.

Cloud service providers from the USA such as AWS and Microsoft therefore changed their business model and began offering server farms located in Germany or other European countries through European subsidiaries.

This was also done to meet the strict requirements of German data protection officials.

However, the Public Procurement Chamber took the position that this was not sufficient.

Even in these arrangements, it feared that American authorities could access the personal data of European citizens.

According to the Public Procurement Chamber, this latent risk could "materialize at any time".

A view that the Higher Regional Court has now completely rejected.