On August 19, 2021, the Belgian Council of State confirmed a decision of the regional Flemish Authorities to contract with an EU branch of a U.S. company using Amazon Web Services (“AWS”).

The decision was made in the context of a tender granted by the Flemish Authorities to a company that used AWS cloud services. An unsuccessful tender participant had challenged the outcome of the tender process before the Council of State, deploying several arguments, including that a lack of appropriate safeguards for data transfers to AWS in the U.S. infringed the GDPR’s restrictions on data transfers in light of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

In the Schrems II decision, the CJEU took the position that organizations relying on appropriate safeguards, such as the Standard Contractual Clauses (“SCCs”), under Article 46 of the EU General Data Protection Regulation (“GDPR”) to transfer personal data outside the EU must verify, on a case-by-case basis, whether the law of the destination country ensures a level of protection for the personal data that is essentially equivalent to that in the EU. If the level of protection is not essentially equivalent, organizations must implement supplementary technical, organizational and contractual measures. In addition, for data transfers to the U.S., the CJEU determined that U.S. law does not generally provide a level of data protection equivalent to EU law. As a result, transfers of personal data to the U.S. can only take place provided that supplementary safeguards are implemented.

In its decision of August 19, 2021, the Belgian Council of State took the position that the use of U.S. cloud services in and of itself does not violate the GDPR. In reaching its decision, the Council of State took into account the Guidelines issued by the European Data Protection Board on supplementary measures and an opinion issued by the Flemish Supervisory Commission, and concluded that encryption is a valid supplementary measure to transfer data to the U.S. in certain circumstances, including where the encryption keys are kept under the full control of the data controller.