The Higher Regional Court [Oberlandesgericht, OLG] of Karlsruhe has brought a sigh of relief to companies that have personal data hosted by an external service provider. When assessing whether this constitutes a data transfer to a third country outside the EU, all that matters is whether the external service provider is based in the EU and whether the data is stored in the EU. The service provider's group connections to other companies, in contrast, do not play a role. Thus, according to the OLG Karlsruhe, the theoretical possibility of access by the US parent company of the European service provider does not lead to the assumption of a transfer to a third country (judgement of 07 September 2022, docket No. 15 Verg 8/22).
Background and subject matter of the main proceedings
In the Schrems II ruling (docket No. C-311/18), the ECJ declared the US Privacy Shield invalid. This ruling made the permissible transfer of data to the USA more difficult, as it is now necessary to rely on the appropriate safeguards of Art. 46 et seq. GDPR. Without appropriate safeguards (especially the agreement of the model data protection clauses), a data transfer to a third country is not permitted in the absence of an adequacy decision.
The Baden-Württemberg Public Procurement Tribunal caused a stir at first instance with its decision of 13 July 2022 (docket No. 1 VK 23/22). The Tribunal equated the mere possibility of accessing personal data with a data transfer. The consequence: the hosting of personal data by a European service provider had to comply with the requirements of the GDPR for data transfers to third countries. The reason was the group connection between the European service provider and the US parent company. The Public Procurement Tribunal classified the mere possibility of access by the parent company as a third-country transfer to the USA. According to the Tribunal, the latent risk of data being accessed by governmental or private bodies outside the EU sufficed for the assumption of a data transfer of relevance under data protection law.
This assumption had far-reaching consequences for companies when selecting an external service provider. Companies had to additionally check the service provider's group connections before concluding a contract and take them into account in the data protection assessment.
OLG Karlsruhe revises the decision of the Public Procurement Tribunal
The OLG Karlsruhe overturned this widely criticised decision of the Baden-Württemberg Public Procurement Tribunal in its ruling of 07 September 2022 (docket No. 15 Verg 8/22). Data protection law is not violated merely because a European service provider belonging to a US group is commissioned to provide hosting. The (mere) connection to the group does not give rise to any fears that instructions will be given that are contrary to the law or to the agreement, or that the subsidiary will necessarily comply with possible instructions that are contrary to the law.
Relief for companies and outlook for the new adequacy decision
The decision of the OLG Karlsruhe is to be welcomed and comes as a relief for companies.
Nevertheless, where data processing has a connection to countries outside of the EU, particular care should be taken to comply with data protection requirements, also and especially in the case of transfers to third countries. In the meantime, data transfers to the US could be simplified in the future under a new adequacy decision. The EU Commission submitted the draft adequacy decision for data transfers to the US to the European Data Protection Board on 13 December 2022. The Board's next step will be to review and possibly approve the draft. Once the necessary approvals have been given, the EU Commission can issue the adequacy decision.