Data protection activists have lodged a complaint with the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht, "BayLDA") arguing that the use of the respondent's newsletter provider Mailchimp was unlawful under Art 44 et seq GDPR because of the transfer of personal data (i.e. e-mail addresses) to this US-based company. In March, the BayLDA held that the transfer of e-mail addresses is unlawful[1], following the CJEU's ruling on the transfer of personal data to the USA (Schrems II, Privacy Shield).[2] Due to this ruling, data may only be transferred from the EU to the USA if the controller assesses beforehand whether there are additional measures, beyond the standard data protection clauses under Art 46 GDPR, in place to protect the transferred data from US surveillance.
In the case at hand, Mailchimp based its data transfer on such standard data protection clauses without offering additional safeguards. According to the BayLDA, Mailchimp arguably qualifies as an "electronic communication service provider" under US surveillance law, which means that transferred personal data is at risk of being processed by US intelligence agencies.[3] As the controller, a company based in Munich, failed to assess whether additional safeguards were in place, the BayLDA held that the transfer of e-mail addresses to Mailchimp is in itself unlawful.
What does it mean?
The decision of the BayLDA is not a binding court ruling and is only applicable to the case at hand. However, when presented with a similar case, other DPAs are also likely to make the same decision. In addition, it can be presumed that in light of Schrems II, courts in EU Member States would uphold such a decision.
It must be noted, however, that the BayLDA only held that a controller is obliged to assess whether additional safeguards to the standard data protection clauses are in place before transferring personal data to a US-based processor; it did not prohibit such transfers in general.
What to do?
Companies using Mailchimp or other US-based processors for e-mail marketing do not have to stop using them. To minimise legal risks, however, an internal assessment answering the following questions should be carried out as soon as possible:
1. Are there viable alternatives to the use of Mailchimp/US-based processors? If yes, why aren't they used?
Comprehensible reasons should be found for why no equivalent alternative is used (e.g. costs and risks of conversion to a new processor, existing workflow, induction of the staff, etc.).
2. Which categories of data are transferred? How sensitive is this data? What adverse consequences could access by intelligence services have for subscribers / data subjects?
The content of the newsletter is crucial. A marketing newsletter would pose a minimal risk, but a newsletter containing controversial/opposing political views, or indicating sexual orientation or contagious diseases, could be problematic.
3. How do Mailchimp/US-based processors actually protect personal data apart from the standard contractual clauses?
For example, encryption of data, state-of-the-art technical and organisational measures, thoroughly checking requests for disclosure for necessity, etc.
Apart from exceptional cases (as mentioned under Pt 2), the level of data protection and the technical and organisational measures taken by Mailchimp are arguably considered to be sufficient, although there is no established case law on this as yet. Depending on the result, controllers who have carried out this assessment can decide whether they want to continue using Mailchimp/US-based processors. In any case, they have fulfilled the requirements laid down by the BayLDA.
Another viable alternative is to use an EU-based (e-mail marketing) processor that does not transfer data to the US or other non-member states of the EU.
[1] BayLDA 15 March 2021, LDA-1085.1-12159/20-IDV.
[2] CJEU 16 July 2020, C-311/18.
[3] cf. FISA 702 (50 U.S.C. Section 1881).