A Public Procurement Chamber excluded a tender from a Public Procurement procedure since the tenderer contracted an US provider processing personal data.1 The Chamber held a contractual clause, granting access to law enforcement agencies according to US law, is in breach with GDPR.
This interpretation puts US providers at risk to be excluded from public contracts within the EU whether directly as tenderer or indirectly as a contracting party of a tenderer. The public sector2 and the special sectors water, energy, transport and postal services3 in general have to adhere to Public Procurement law within the EU, if the contract exeeds a certain threshold amount.
The principles of Public Procurement
A public contract will be awarded to the most economically advantageous tender.4 In addition, the principles of Public Procurement are equal treatment and non-discrimination of tenderers.5 The procedure shall be consistent with the principle of transparency which requires e.g. that any condition of the public contract shall be transparent to all candidates.
These principles are in line with the principle of lawfulness which means public administration shall comply with the law. Therefore, offers may be excluded from a Public Procurement procedure in case of non-compliance with GDPR.
Summary of the facts and the proceeding
A public body published the conditions of a Public Procurement procedure requiring the tenders to comply with GDPR. The contract between ‘tenderer A’ and the US provider states the US provider will keep the customer data confidential and will not access or disclose any customer data,
“…except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). ( .. :)“
In addition, the contract states the data will not be transferred outside the selected Regions (EU),
“…except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.“
The public body did inform ‘tenderer B’ of the intention to conclude the public contract with ‘tenderer A’. However, ‘tenderer B’ applied in form of a repriement to the public body. Nevertheless, the public body upheld its decision to conclude the contract with ‘tenderer A’. Therefore, ‘tenderer B’ applied to the Public Procurement Chamber. In Germany, Public Procurement Chambers are staffed with lawyers however, the Chambers are not independent like courts since these are part of the administration.6 Most likely the decision will face an appeal to the Public Procurement Court.7
The decision
The Chamber is elaborating several procedural questions according to Public Procurment law. The decision states that the condition to be compliant with GDPR is an excluding condition according to the wording of the procurement process in this case. It follows, when the condition is not met, the tenderer changes the wording of the procurement process and has to be excluded since his offer is an “aliud“ in comparison to the request of the public body.8
Referring to GDPR the Chamber interprets the wording of the contract as data transfer to the US regardless of the fact that the servers of the US provider are located in Germany.
It elaborates whether the transfer from the tenderer the US data processor is a disclosure according to Art 4 GDPR. In German law, a transfer to a processor historically was not defined to be a disclosure to a third party. This has changed with GDPR as the Chamber concludes. Therefore, a disclosure to a processor has to meet the requirements of Art. 44 GDPR.
Whether and when the law enforcement agencies do access the data in praxis is not decisive for the Chamber. The Chamber interprets this situation as “latent“ access to the data which may happen at any time.
According to Art 44 ff. GDPR, the Chamber states that no adequacy decision of the EU commission and no other legal instrument are available to justify the data transfer to the US. In respect to the Standard Contractural Clauses (SCC) the Chamber refers to several German data protection scholars and states that the SCC are in general not suitable to justify a data transfer to the US. An exeption based on the facts of the case is no option for the Chamber, since the encryption process of the US provider was not fully disclosed in the procedure and therefore, can not be included in the consideration of the decision.
Evaluation of the arguments
The Chamber is not referring to the decision ECJ Schrems II9 at all. Similarly, the Chamber does not mention the “supplementary measures“ required by the EDPB to enable a data transfer on basis of the SCC.10 Thirdly, the Chamber is not referring to the decisions of several DPA’s on Schrems II and the consequences for the data transfer to the US.11
These are remarkable aspects and a weakness of the decision. However, the Chamber checks whether encryption can be seen as an argument to justify a data transfer on basis of the SCC. With the procedural argument that the encryption process was not fully disclosed to the Chamber, the Chamber denies any effect of encrytion as “supplementary mesure“.
Eventually, the Chamber comes to a reasonable conclusion in respect of the GDPR. As long as personal data can be potentially disclosed to US law enforcement agencies without the two requirements of ECJ Schrems12 beeing met, this access is not admissible according to Art 44 GDPR. If such an access is granted, an encryption can not be regarded as “supplementary measure“, since the encryption does not hinder the access of the law enforcement agencies.
Two key questions have not been elaborated since these were not relevant for the case. The first aspect is whether compliance with GDPR can be a non-exclusive condition of a Public Procurement procedure. As consequence, US providers would face a negative assessment for this condition but could compensate e.g. with a better price in comparision with a competitor. Since GDPR is a binding EU regulation it seems not likely that compliance with GDPR can be regarded as non-exclusive condition. The second aspect is how to deal with an US provider which is not transparent in respect to US law. Does the legal evaluation change when a US company is hiding that the US requires an access to law enforcement agencies to personal data?
One important aspect of Public Procurement law is that a Public Procurement process, which is finalized with the conclusion of a public contract, can in general not be challenged after the procedure is closed. This specific characteristic of Public Procurement law provides that running public contracts are not at risk.
Assessment
The Public Procurement Chamber hits a dilemma of US IT-companies.
US companies can not comply with GDPR and US law at the same time, since both are containing contradicting requirements and both have extraterritorial jurisdiction. This was visible as EuGH Schrems II declared the Privacy Shield as invalid and held the access of law enforcement agencies can not be limited solely by contractual clauses like SCC. As long as an unlimited access to US law enforcement agencies is granted, GDPR will be infringed regardless of any sublementary measure.
The „clash of law“ becomes obvious in a Public Procurement procedure since a public body has no choice than to comply with GDPR. At least, the public body will be forced to be compliant in a proceeding with the Public Procurement Chamber and eventually, in an appeal to the Public Procurement Court.
Insofar a tenderer does not cooperate with an US provider this tenderer has an advantage in a Public Procurement procedure and can use GDPR as a legal instrument to shorten the list of competitors.
However, the public sector and the special sectors are facing challenges at the same time, since fulfilling their tasks, which are in public interest, will not be possible without any support of the US IT-industry.
The high impact on the US IT-economy and the challenges for the Public Procurement sectors show how essential it is to reach a new data protection agreement between the US and the EU.
3 Directive 2014/25/EU, 26 February 2014, on procurement by entities operating in the water, energy, transport and postal services sectors
11 Trieb/Kühberger DPOblog.eu, 13 February 2022, Austrian DPA: Google Analytics not in line with Schrems II;
12 ECJ C-311/18, Schrems II, 16 July 2020: first, limitation of the access acording to the proportionality principle and second, access of European citizens to independent courts to defend their Right to Data Protection.