Many of our clients offer software via their own online platforms ("software as a service", SaaS). The business models are diverse, ranging from digital health platforms to cloud-based personnel management tools. What they have in common is that personal data, in particular the data of the platform users, is regularly processed.
Previous view: Theoretical access = Data transfer
In practice, the server infrastructure required to operate the software (hosting) is very often provided by American companies acting as subcontractors (sub-processors, in GDPR terms) of the platform provider. The leading international hosting providers are all U.S. companies (e.g. Amazon Web Services, Google Cloud Platform, Microsoft Azure) and usually offer their services through subsidiaries in Europe. So far, I am not aware of any European hosting provider that can compete with the major American providers on price or technology.
European companies using these U.S. hosting providers are therefore regularly asked by customers and supervisory authorities whether their services can be used in a GDPR-compliant manner.
The reason is that such use is sometimes assumed to always involve a third-country transfer of personal data (to the US). As a reminder: according to the Schrems II ruling of the European Court of Justice ("ECJ", case C-311/18 of 16 July 2020), personal data may be transferred to the US only under strict conditions that take into account the access rights of U.S. intelligence agencies, which the ECJ considers incompatible with European data protection law.
In fact, some authorities considered even a transfer of data to the European entity of a U.S. parent company (e.g. to "Amazon Web Services EMEA SARL, Avenue John F. Kennedy 38, 1855 Luxembourg", whose parent is "Amazon.com, Inc., 410 Terry Ave N, Seattle 98109, WA, USA") to be a data transfer to the United States.
Their reasoning: the U.S. parent company that controls the European entity could (or would even be required to) oblige it to hand over data under applicable U.S. law. This potential access alone was treated as a transfer to the US.
This in turn meant that the strict GDPR requirements for third-country transfers applied. Under the ECJ's Schrems II ruling and the European Data Protection Board's implementing guidance (Recommendations 01/2020 on supplementary measures), a transfer impact assessment had to be carried out in addition to concluding standard contractual clauses, often with the result that the transfer was found to be impermissible under data protection law.
As a result, the assumed transfer to the USA could in many cases be carried out in compliance with data protection law only with great difficulty, if at all. The unclear legal situation unsettled potential customers, some of whom assumed that any transfer of data to a large U.S. tech company was unlawful under data protection law.
In practice, this strict interpretation often forced companies to resort to a European hosting provider in order to remain compliant, which in turn put EU companies at a competitive disadvantage vis-à-vis their international competitors.
Current view: Hypothetical access = no third country transfer
European companies can now breathe a sigh of relief. Transferring data to an EU subsidiary (be it "Google Ireland", "Amazon Luxembourg" or "Microsoft Ireland") does not in itself constitute a third-country transfer to the USA. The essence of the legal view is that purely hypothetical access does not amount to a "transfer by disclosure" within the wording of Art. 44 et seq. GDPR.
This is the view taken by the Conference of Independent Data Protection Authorities of Germany ("DSK", Datenschutzkonferenz) in its decision of January 31, 2023, and by the Procurement Chamber of the Federal Cartel Office. [But note: neither the Procurement Chamber nor the DSK is a court, so their decisions are persuasive but not binding on the courts.]
Both the DSK and the Federal Cartel Office now take the position that control by an American parent company alone does not lead to a third-country transfer pursuant to Art. 44 et seq. GDPR. Consequently, no transfer impact assessment is required and the data transfer is, as a rule, to be classified as purely intra-European and therefore "secure".
European companies using such subcontractors can now refer with confidence to the decisions of the DSK and of the Procurement Chamber of the German Federal Cartel Office.
What to watch out for
For the sake of completeness: in the DSK's view, the possibility of access by public authorities must nevertheless be taken into account as part of the general reliability check of the processor pursuant to Article 28 (1) GDPR (the processor must provide "sufficient guarantees").
The abstract risk of such access must be assessed, taking into account (among other things) the extraterritorial reach of third-country law, the risk of instructions from third-country parent companies, and suitable technical and organizational measures to prevent access (for example, encryption of data at rest and in transit with keys that are not held by the provider). As long as the EU Commission has not issued an adequacy decision, companies must apply particularly high standards of diligence to this reliability check.
However, the European Data Protection Board's Opinion 5/2023 (adopted 28 February 2023) on the Commission's draft adequacy decision for the EU-U.S. Data Privacy Framework has brought such a decision closer again. The EDPB welcomed the draft overall but expressed concerns and asked for clarification on several points. If the adequacy decision is issued, companies will be able to transfer personal data to U.S. organisations certified under the Framework without further transfer safeguards (such as standard contractual clauses), because the level of protection in the U.S. would then be deemed essentially equivalent to that in the EU.
Note also that a transfer to an EU subsidiary may still involve a third-country transfer if the subsidiary in turn uses subcontractors from third countries (in some cases this can be ruled out by using only "regional services" limited to EMEA; the providers' published sub-processor lists are the place to check). A careful legal examination of the specific processing situation is therefore advisable.
We also recommend checking whether the Data Processing Agreement (DPA) concluded with the hosting provider is up to date and, in particular, that it covers the service actually used.
In most cases the current version can be found with a simple web search ("Microsoft current Data Processing Agreement"); otherwise it should be requested from the hosting provider, typically via the data protection contact address given in its privacy statement.
The DPA should be independently reviewed for validity and fit, and, at least in conjunction with the other parts of the contract, it should name an EU company as the contractual partner. Several providers make their most recent DPAs available for download via their admin console.