GDPR for IT service providers – is the tide turning now?

What is at stake?

 

In July 2020, the European Court of Justice annulled the Privacy Shield agreement between the USA and Europe. Until then, the Privacy Shield ensured unhindered data traffic between US-based companies and their customers in Europe and vice versa. The repeal was based on significant, substantiated doubts about its compatibility with the GDPR.

After this decision, however, many questions remained unanswered for the independent economy and public institutions. One of these questions was whether it was still permissible for U.S. providers of cloud and server services to continue to be eligible for cooperation via their European subsidiaries. Until now, it was not clear whether this was permissible under the GDPR.

But now there seems to be some movement on this issue: The law firm 'gruendelpartner', which is based in Leipzig, Jena and Berlin, was able to obtain a decision from the Baden-Württemberg Procurement Chamber, according to its own homepage. The decision is intended to clarify whether cooperation between the public sector and US companies can continue to be permitted.

In the process, the Procurement Chamber decided that cooperation with IT providers from so-called third countries, i.e. countries outside the EU, is potentially unlawful.

 

What happens next?

 

Of course, the question of possible consequences arises right away. Although the ruling is not yet legally binding, it could serve as a precedent for other similar cases.

That's why we asked our IOTIQ IT expert, Managing Director Sven Noack, how things could progress now.

 

IOTIQ Editorial: 

So far, this decision, which is not yet legally binding, has been limited to public procurement procedures, i.e. tenders issued by the public sector. What consequences could this have for public institutions?

 

Sven Noack, Managing Director IOTIQ: 

As you said, the ruling is not yet legally binding. However, in German jurisprudence it is the case that courts like to orient themselves on decisions that have already been made. This means that where an award decision has been made, it is highly likely that the same argumentation will be used as the basis for the decision in similar cases, thus leading to the same result. Of course, this does not have to be the case, but since it has happened in many GDPR proceedings in the past, it is quite likely.

 

IOTIQ Editorial: 

What other consequences could result if more federal states decide to follow this ruling?

 

Sven Noack, Managing Director IOTIQ:

If other federal states decide to do so, it will eventually become national case law. Not because it will be national law, but because one federal state will follow the example of another and this will become the norm in the future. (Note: Data protection is regulated in the individual federal states).

The important thing is that it has a signal effect. Normally, German case law is very logical: if there are certain preconditions for a ruling, and if these preconditions later apply in the same way, then it is a logical conclusion. So if there is a precondition, and it applies in reality, a judgment follows from it. If it was once reasoned and a court came to a judgment, this can be resumed in the next instance. But if this one comes to the same result, because the arguments and the resulting measures are the same, one comes to the same judgment again.

It is very unlikely that once a verdict has been reached and confirmed in the next instance, it will be overturned in another court with a different argumentation. This is so rare because there are fewer individual case decisions in German jurisprudence than, for example, in the Anglo-American world.

As a rule, very careful consideration is given to how a ruling can be made in such a way that it covers as many cases as possible. This provides further guidance for other courts, which look to see whether there has ever been a precedent, which the current decision can certainly be described as. As a result, one can conclude that similar case law is being made in other states.

 

IOTIQ Editorial: 

In the case of public institutions, it is of course the case that they have to place particularly strong emphasis on data protection. But in fact, this also applies to any other business. So do you think that the decision, which is now limited to public institutions, will also be applied to companies in the private sector?

 

Sven Noack, Managing Director IOTIQ:

It has to. In 2019, during a short trip to Silicon Valley, I had a conversation with the person in charge of the European Commission, a German, about the GDPR implementation in Europe in general. I had told her about our daily work, where companies say, 'Oh, the GDPR; I don't need it, I don't know it, it's not that relevant.' She simply replied, 'Yes, but it is applicable law.'

The GDPR is case law turned into law, and those who violate it are breaking the law. The question is whether or when the prosecution of these breaches will become so regular and so significant that companies will act. There are a few cases, for example, 'Deutsche Wohnen', which was fined heavily in Berlin in 2019 for violating GDPR fundamental assumptions.

[Editor's note: The 'Deutsche Wohnen' case is still under review at the ECJ. A final ruling is not yet available].

Large companies à la Google or Facebook can also be mentioned. But it will additionally transfer more and more to smaller companies.

 

IOTIQ Editorial: 

One already has the feeling that the topic is swept under the carpet, especially in smaller companies, and that no one is really pursuing it. Do you think that with a decision like this, if it really spreads to the industry, this will increase in the future?

 

Sven Noack, Managing Director IOTIQ:

It's not a question of if, but a question of when. The institutions are now building up their staff, who will later monitor and comply with data protection. And I think this is very important now, when data has to be protected in the context of the new cyber attacks coming from Russia, China or North Korea.

If a company discloses such data leaks, then of course it becomes critical. If you then discover there are still GDPR violations per se, the company is in double trouble explaining. On the one hand, there is the cyber risk, and on the other hand, the question arises: Why was the data not properly protected? After all, that goes hand in hand.

 

IOTIQ Editorial: 

Negative consequences for companies are then in that sense probably high penalties?

 

Sven Noack, Managing Director IOTIQ:

Absolutely! High fines anyway, but then also the loss of face, because the GDPR already stipulates that potential and existing customers must be informed if their data is lost.

And personally, no company has contacted me yet, even though they have lost my data. A very prominent example is the marketing tool Canva, who were hacked in 2019. There was also my data involved, which I have seen online. I haven't received an apology from them yet.

Well, Canva is probably not subject to European data protection law. But this is also such a dispute: They offer their product in the European market, so accordingly the European data protection law should apply.

 

IOTIQ Editorial: 

That's basically what this ruling says now: If you offer services in a European country too, then they are also subject to European law.

 

Sven Noack, Managing Director IOTIQ:

Yes, but that's not quite the core. In concrete terms, this means that if the American parent company, through its European subsidiary, has the purely theoretical ability to access data that has been collected and stored in Europe, it is already in violation of the GDPR.

Microsoft, for example, has very successfully operated German Cloud and this ruling will counter such services. German Cloud was a data center near Magdeburg together with Deutsche Telekom, where data protection 'Made in Germany' was virtually propagated despite American service or software. The ruling now says that this is not the case - the data is not sufficiently secured. It used to be under the American Privacy Shield, after all.

 

IOTIQ Editorial: 

Exactly, the Privacy Shield was abolished by the EU in 2020 as not compatible with the European Data Protection Regulation.

 

Sven Noack, Managing Director IOTIQ:

That's what I meant, because the sticking point was that U.S. companies were giving their state the benefit of the doubt. That means that the CIA and the FBI have some pressure on the companies and can access the data.

That affects everybody. Apple, for example, has so far resisted quite successfully, but sooner or later, at some level, the data will pass to the state.

But it's not just about the current scenario. It's also always a look into the future, because we don't know what the world will look like in five years or ten years and who will be friends or enemies with whom. That can happen quickly, and of course there has to be some legal certainty

 

IOTIQ Editorial: 

That's right. Besides bringing company policies in line with the GDPR, do you think there are other measures companies can take?

 

Sven Noack, Managing Director IOTIQ:

Well, where regulations are set, you should already try to comply with them.

You should also look at whether you really run every service in a foreign cloud for convenience, or whether you can't manage a good mix of services that can be hosted on your own servers, for example. And to talk specifically about Microsoft Office, which is also operated in the cloud with Microsoft 365, there are enough alternatives, for example. Also from Germany. So you're not tied to Microsoft.

 

Conclusion

 

After the elimination of the Privacy Shield, which ensured unhindered data traffic between the U.S. and Germany, it was unclear for a long time how German subsidiaries of American IT providers should handle the transfer of data to their American parent companies.

According to the decision of the Baden-Württemberg Procurement Chamber, the participation of German subsidiaries of American companies in public sector tenders may be inadmissible in the future. The basis of this decision is the fact that the American IT providers could obtain the data of German citizens via their German subsidiaries. However, this is not permitted under the GDPR.

If this decision becomes legally binding in the second step, it could serve as a guide for further court decisions. Accordingly, a transfer of this practice to the free economy is also conceivable. Thus, companies that firstly have their headquarters in the USA and secondly do not have sufficiently verifiable data protection mechanisms could not only expect high fines, but could also be completely excluded from working with German companies in the future.