Users of Mailchimp in both the UK and the EU have been left concerned over recent developments in EU data protection law. The state Data Protection Authority of Bavaria (Bavarian DPA), on 15 March 2021, issued a statement which effectively prevents the use of Mailchimp without further protections being put in place (the Decision). This has wide-reaching implications for businesses and the tools they use to process personal data, especially where those tools are hosted outside the UK/EU.
The recent Schrems II decision set the bar high for ensuring there are appropriate limitations and safeguards in place to protect personal data being transferred outside of the EU (to the detriment of the now defunct US Privacy Shield). The data protection world has been patiently waiting to see the impact of the Schrems II decision on other cases. The Decision provides a window into how Schrems II has changed the landscape of transferring personal data internationally, particularly to the USA.
The Decision gives us an insight into how different data protection authorities, including the UK’s ICO, may look to apply Schrems II in practice. It suggests that users of US-hosted CRM tools, like Mailchimp, can no longer simply rely on Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the US – more needs to be done to protect the personal data and in turn satisfy Schrems II. We will summarise the Decision and provide an informative insight into its implications, as well as its potential impact on how businesses, as controllers, engage with technology service providers offering solutions hosted outside of the EU or the UK.
A complaint was made to the Bavarian DPA regarding the use of Mailchimp, an email newsletter service tool, by a German magazine company (the GMC). Use of Mailchimp involves personal data being transferred to the US and the complaint asserted that this transfer of data to the US from Germany by the GMC should be considered unlawful under the GDPR. The GMC only used Mailchimp twice and had implemented the EU SCCs to protect those transfers.
Despite this, the Bavarian DPA took the view that, even with SCCs in place, the transfer of personal data to Mailchimp in the US was unlawful. This was because the GMC had failed to assess if any additional measures were necessary in order to ensure the safety of the personal data being transferred (in line with Schrems II).
The Bavarian DPA was of the opinion that the risk of the US government accessing the personal data was considerable. This was due to the determination that Mailchimp may qualify as an ‘electronic communication service provider’ under US surveillance laws (which, according to the Bavarian DPA, the GMC did not assess or take into account).
However, the GMC was not fined – the Bavarian DPA took into account that the GMC had stopped using Mailchimp, had only used it twice, and that the personal data transferred, namely email addresses, was of relatively manageable sensitivity. The Bavarian DPA also took into account that the European Data Protection Board’s (the EDPB) guidance on supplementary measures for personal data transfers had not yet been finalised.
What does this mean for businesses transferring data outside of the UK/EU?
This interpretation of Schrems II is bound to raise questions as to future difficulties for companies looking to transfer personal data outside of the EU and the UK. It can be said that the Bavarian DPA’s interpretation of Schrems II is quite restrictive in practice, and calls into question the reliability of the SCCs. While it is not surprising that additional measures may be needed when personal data is being transferred, it is surprising to see a CRM tool being held to such a high standard. This in turn expands the scope of instances in which businesses will need to carry out assessments to understand whether any additional measures are required before progressing with an international data transfer. This, inevitably, will create a significant strain on the resources and time of businesses, particularly SMEs.
Unhelpfully, the Decision fails to identify what specific measures would actually need to be taken in this scenario to protect the personal data transfer. Further guidance from the Bavarian DPA on the steps that should have been taken would have been useful to improve understanding in the market of what specifically should be done to ensure compliance in similar scenarios.
While the EU and US continue discussions around a new system for transferring personal data after the invalidation of the Privacy Shield, it would be wise for businesses to pay extra attention to any processes that involve the transfer of personal data to the US, in particular users of Mailchimp or other US-hosted solutions. Given the Bavarian DPA’s stance, it is unlikely that the SCCs will be considered sufficient without a full assessment of whether any supplementary measures are required. Given the broad US surveillance laws, it is highly likely that additional protections will be required to ensure, as far as possible, that the personal data will be deemed safe in such transfers.
Even though the UK has now left the EU, UK businesses are not in the clear, as it remains to be seen how the ICO will look to apply the Schrems II decision in practice post-Brexit. It is likely the ICO will look at the decisions of EU supervisory authorities (like the Bavarian DPA) to help form an opinion. With that in mind, UK users of Mailchimp or other US-hosted solutions should also consider whether further measures and protections are necessary to continue using that (or any similar) CRM tool.
For assistance in reviewing local laws and measures required for personal data transfers outside the EU, businesses should pay attention to the EDPB’s draft guidance on recommended measures to supplement such transfers (to be finalised sometime this year). UK businesses should also keep an eye out for the Information Commissioner’s Office’s own guidance on the topic, which should arrive in the near future as well.