The Higher Regional Court of Duesseldorf has issued its first and long awaited decision on the admissibility of a “no spy guarantee” requirement for companies entering into certain procurement contracts with the German Federal Government under public procurement law (OLG Duesseldorf, Verg 28/14, dated 21 Oct 2015; previous VK Bund, VK 2-63/14, dated 29 Aug 2014).
The Higher Regional Court decided in favor of an applicant who filed an immediate appeal against an IT high-volume tender procedure initiated by the Procurement Office of the Federal Ministry of the Interior and annulled the previous decision by the Federal Public Procurement Chamber. The applicant claimed that the bidder who should be awarded the contract infringed the “no spy” requirements defined in the tender documents. The “no spy” declaration itself was not decisive in the case at hand; however, the Higher Regional Court deals with the “no spy” declaration in an obiter dictum.
1. THE CASE
The immediate appeal against the previous decision by the Federal Public Procu-rement Chamber was filed by a competitor in the tender procedure. The applicant claimed that the summoned party, a German company, was not able to provide a system that complies with the relevant data security requirements described in the scope of work for the tendered contract. Pursuant to the scope of work, a so-called local reputation service had to be established. A local reputation service is a protective layer between the own network and the internet. It ensures that queries of end devices of the antivirus program users (“VSP users”) are not directly posted to the supplier’s online cloud services, but to the local reputation service in order to prevent data traffic between the end devices and external systems.
The Federal Public Procurement Chamber stated in its previous decision that the summoned party had sufficiently confirmed in its offer that and how it fulfils the requirements of the reputation service and how it prevents an online communication with the providers of the antivirus software that the summoned party intends to use. The applicant argued that the summoned party wanted to use the antivirus software of an US-American supplier thus becoming subject to certain disclosure obligations under the USA PATRIOT Act; hence US intelligence services could gain access to the software violating the “no spy” guarantee.
2. THE OBITER DICTUM
The Higher Regional Court confirms the opinion of the Federal Public Procurement Chamber in its first decision on the “no spy” guarantee dated 24 June 2014 (VK 2-39/14) and clearly states that the “no spy” guarantee cannot be requested as a supplementary proof of suitability pursuant to Sec. 97 Para. 4 Sentence 1 Act against Restraints of Competition (“GWB”).
According to the Higher Regional Court of Duesseldorf, the “no spy” guarantee is only admissible as a further requirement regarding the execution of the contract pursuant to Sec. 97 Para. 4 Sentence 2 GWB. The summoned party argued that the “no spy” guarantee confronts certain companies with obligations and require-ments that they can most likely not comply with due to their national laws. The Hig-her Regional Court denies that the “no spy” guarantee infringes the principle of non-discrimination as long as the public authority has a reason for the data security that is appreciable and justified by the subject matter of the contract, e.g. the protection of sensitive data. The request for a “no spy” guarantee also has to be directed to all companies that are interested in the tendered contract regardless of their origin (European or Non-European). Whether companies are – legally or effectively – able not to disclose information to third parties, particularly to foreign intelligence services, shall not be decisive. Pursuant to the Higher Regional Court, the contracting authority is not requested to tailor its tender requirements to the business concepts of each individual potential bidder.
3. KEY LEARNING POINTS
The long awaited decision of the Higher Regional Court of Duesseldorf, the most influential Higher Regional Court for public procurement law in Germany, is a seve-re setback for those foreign companies that are affected by the “no spy” guarantee and that could face problems participating in comparable upcoming German IT tender procedures (bearing in mind that it is the common opinion in Germany that private companies can be obliged to disclose confidential information to US Federal agencies under the USA PATRIOT Act). The Higher Regional Court of Duesseldorf states that the requirement of a “no spy” guarantee is generally admissible in security-related tender procedures. Against this background, affected foreign companies should now turn their attention to possible “organizational measures” as an option to secure further participation in high-volume security-related tender procedures. The Federal Ministry of the Interior described in its administrative guidance dated 19 Aug 2014 that companies could implement their own organizational measures to avoid the disclosure of confidential information to foreign countries. Affected companies should now start to evaluate effective organizational measures and ways of their implementation in the sense of the administrative guidance.