Baden-Württemberg Procurement Chamber decides US Cloud Services are not GDPR compliant

In July 2020, the Schrems II case invalidated the EU-US Privacy Shield meaning that data transfers to non-EU countries were illegal under the GDPR. From this point forward, companies immediately had to comply with the new decision. If companies needed to make a data transfer outside of the EU, they would need to confirm that the country provides equivalent data privacy rules and laws to that of the GDPR.

This ruling of the European Court of Justice (ECJ) trickles down to all EU countries, however because of the many ways in which companies work around the ruling (like through Binding corporate rules BCR), Schrems II is not often taken seriously enough at the local level. However, the Procurement Chamber of Baden-Württemberg has recently made a more binding decision that will greatly impact all public tenders in the state.

According to a Presse Box release, the Vergabekammer Baden-Württemberg, or the Public Procurement Chamber of Baden-Württemberg, has made a non-appealable decision that the transfer of personal data to a “third country” (outside of the EU) that does not have this equivalency in privacy law is impermissable under the GDPR.

This entails that even if a server is operated by a company based in the EU but has a parent company in the US, the data transfer is still not allowed due to the possibility of that data being accessed by its non-European counterparts.

After the EU-US Privacy Shield was invalidated, there still was the possibility of transfers with so called Standard Contractual Clauses (SCCs). However, this new decision in Baden-Württemberg also illegitimizes the use of SCCs which companies and organisations have used as a work around in the past.