Is data transfer to the USA by international online services lawful per se? And can a company refuse to provide information regarding data disclosures to US intelligence agencies? The Regional Court (Landgericht – LG) of Bonn has answered “Yes” to both questions in a ruling that could have far-reaching consequences for the entire digital sector. The decision (Case No. 13 O 156/24) provides companies with strong arguments to defend against the wave of lawsuits related to US data transfers.
The Case: User sues over data storage in the USA
A user of an international social network sued the operator because their data was stored on servers in the USA. They demanded an injunction against the transfer and a comprehensive disclosure, specifically regarding whether (and which) data was passed on to US intelligence services. The company argued that the transfer was technically necessary for the operation of a global network and that US law prohibits the disclosure of intelligence access.
The Decision of the LG Bonn: A complete victory for the company
The court dismissed the lawsuit entirely, justifying the decision with an interpretation of the GDPR that is very favorable for companies:
1. US data transfer necessary for contract performance
The court classified the data transfer to the USA as lawful because it was necessary for the performance of the user contract (Art. 49 GDPR). The reasoning is remarkably pragmatic:
- Global Functionality: A globally used social network must be technically structured so that users from different countries (e.g., the USA) can access profiles. This makes international storage and short-term caching of data unavoidable.
- User’s General Knowledge: Anyone signing up for a major network run by a US company must realistically expect data processing in the USA. The court referred to this as at least “tacit consent.”
- Validity before the Adequacy Decision: This justification via Art. 49 GDPR (necessity for contract performance) also applies to the period before the new EU-U.S. Data Privacy Framework came into force on July 10, 2023.
2. Refusal to provide information justified due to “unresolvable conflict of duties”
The refusal to provide information about access by US intelligence agencies was also deemed lawful by the court.
- Contradictory Laws: The company is caught in a bind. The GDPR requires disclosure, while US laws (such as Section 702 FISA) penalize exactly that disclosure.
- Supra-statutory Necessity: The court invoked the legal principle of “supra-statutory necessity” (übergesetzlicher Notstand). If a company cannot simultaneously fulfill two contradictory legal duties, it is not acting unlawfully if it chooses to comply with one of them.
- User Awareness: Here, too, the court argued based on general knowledge. Since the Snowden revelations, it is known that US intelligence agencies have far-reaching access rights. A user of a US service must assume that the company is required to comply with US law.
What this ruling means for your company
- Strengthening the “Contract Performance” Justification: The argument that operating an international service makes US data transfer technically “necessary” is an extremely strong new defense for all global SaaS providers, cloud services, and online platforms.
- A New Way Out for Intelligence Inquiries: The “conflict of duties” argument provides US subsidiaries with legal leverage to refuse sensitive information requests. This is a novelty in German case law.
- The Importance of the “Informed User”: The court sets a high standard for what users are expected to know. The argument regarding “general knowledge” about how US companies function significantly weakens the position of plaintiffs.
- Caution is Advised: This is a first-instance ruling. Higher courts could overturn this very business-friendly interpretation. It is not a general free pass to ignore the GDPR.
FAQ on US Data Transfers and Information Obligations
What is the difference between Art. 49 GDPR and an adequacy decision?
An adequacy decision (like the EU-U.S. Data Privacy Framework) establishes that a third country offers an appropriate level of data protection, allowing for general data transfers. Art. 49 GDPR regulates exceptions for specific cases, e.g., if the transfer is necessary for the performance of a contract with the data subject.
Can I now always rely on “necessity for contract performance”?
That is risky. This ruling is a decision based on an individual case. You still need to demonstrate why the transfer is technically unavoidable for the provision of your specific service.
Does “supra-statutory necessity” apply to every company?
No. It only applies in the very specific constellation where a company is demonstrably subject to two directly contradictory legal obligations from different legal systems.
What should I do if a customer asks about data sharing with authorities?
This is an extremely sensitive question. A blanket refusal is not possible without such a proven conflict of duties. The response must be carefully vetted by legal counsel.
Where can I get advice on structuring my international data transfers securely?
International data transfers are a legal minefield. Our experts at sofortdatenschutz.de analyze your data flows and help you develop a legally compliant strategy. Contact us now!
A landmark ruling or just an outlier?
The ruling by the LG Bonn is one of the most business-friendly decisions regarding transatlantic data transfers in years. It breaks with the often very strict interpretation of the GDPR and introduces pragmatic arguments based on the user’s general knowledge. Whether this bold positioning will hold up before the Higher Regional Courts or the Federal Court of Justice remains to be seen. For the moment, however, it is a strong signal and a vital argumentative support for all companies facing the wave of lawsuits following “Schrems II.”
