A decision from one of the German data protection authorities has cast doubt over whether the popular email marketing platform MailChimp is lawful under GDPR. The decision emphasises the importance of carrying out full assessments on the use of US-hosted technology services and on transfers of personal data outside the UK and EU/EEA, following last year's Schrems II decision.
In July 2020, the European Court of Justice issued its ruling in the Schrems II case on transfers of personal data to the USA. In that case, the court ruled that organisations relying on appropriate safeguards, such as Standard Contractual Clauses (SCCs), need to assess whether the data importer is subject to intrusive surveillance laws (such as section 702 of the Foreign Intelligence Surveillance Act in the USA) and, if so, put in place supplementary measures to prevent access to personal data by surveillance agencies.
In November 2020, the European Data Protection Board published for consultation recommendations on the steps that organisations should take. The EDPB's recommendations explain when supplementary measures may be required in addition to SCCs or Binding Corporate Rules, giving examples of technical, organisational and contractual measures, and when these may or may not be effective.
In particular, the EDPB said that if a data importer is subject to a law such as FISA 702 then the only way that a transfer could be lawful under EU data protection law is if encryption is used to ensure that the data importer does not have access to the unencrypted personal data (whether directly or because the importer also has access to the encryption keys).
The EDPB's consultation period on the draft recommendations closed in December 2020. We are currently awaiting finalised guidance.
What did the Bavarian DPA say about MailChimp?
The Bavarian DPA, BayLDA, was responding to a complaint about a German publishing business's use of MailChimp to send out its newsletter to subscribers. MailChimp is provided by a US company, called The Rocket Science Group LLC, and use of MailChimp involves information on subscribers being transferred to the USA.
In reaching its decision that the use of MailChimp was unlawful, the Bavarian DPA made three findings:
- Firstly, the transfers to the USA were on the basis of the SCCs
- Secondly, there were "indications" that MailChimp is an "electronic communications service provider" under FISA 702 (one of the pieces of law that was the focus of Schrems II), and therefore information held by MailChimp is potentially subject to access by US surveillance agencies
- Thirdly, following Schrems II the respondent company had not assessed whether there were any additional measures in place to ensure that the data transferred to MailChimp was protected from such access.
As the respondent had stopped using MailChimp, the data (in the form of email addresses) was low in sensitivity, and the EDPB guidance has not yet been finalised, the Bavarian DPA concluded that the breach was minor in terms of nature and gravity. On that basis, no fine was imposed.
What does it mean for the use of services such as MailChimp?
The Bavarian DPA did not rule that MailChimp is unlawful per se.
Instead, it ruled that in this case the respondent company's use of MailChimp was unlawful because the respondent company had failed to assess whether there were adequate supplementary measures in place to ensure the personal data was protected from access by US surveillance agencies.
While the Bavarian DPA did not make an express finding on the point, MailChimp confirms in its transparency reports that it is subject to FISA 702. However, as the respondent had made no assessment of supplementary measures, the Bavarian DPA could not assess whether those supplementary measures (if any) were sufficient to prevent access to the data by surveillance agencies.
We are still awaiting the EDPB's finalised guidance on Schrems II and an update from the Information Commissioner on whether it is going to apply a similar approach to its EU counterparts on Schrems II. There also remain questions as to whether the EDPB's position goes beyond what is required by EU law.
However, the decision is a warning to all organisations on the importance of carrying out appropriate diligence on transfers of personal data outside the UK or EU/EEA. In particular, organisations need to be able to demonstrate that they have assessed whether the data importer (or any sub-processor) is subject to surveillance laws that are incompatible with UK/EU law, and (if so) the steps that they have taken to put in place appropriate supplementary measures. As this decision shows, taking no action exposes the organisation to enforcement action, regardless of what the actual risk is.
If a supplier is unable or unwilling to provide information to help the organisation properly assess the potential risks, then that organisation will have to decide whether it is comfortable continuing to use the service in question.
You can find the Bavarian DPA's decision, together with a machine translation, on the GDPR Hub website, operated by NOYB.