The Bavarian Data Protection Authority has ruled that a German publisher may not transfer email addresses to MailChimp in the U.S. for sending newsletters. The ruling clearly illustrates the hurdles that foreign marketers face under the GDPR. One of the main concerns is that the data can be accessed by U.S. intelligence agencies.
An aggrieved party complained to the authority (the BDPA) about the data transfer, which resulted in an official inquiry and a decision. The name of the German company that was the subject of the complaint has not been disclosed, but it is confirmed that it had used MailChimp infrequently and has since stopped. There are no reports of any legal action or fine against the company either.
The BDPA said on March 15th:
“We are referring to your data protection complaint against …. concerning the use of “Mailchimp”. As a result of our intervention, the company has informed us that it had used Mailchimp twice to send newsletters. As a result of our intervention, the company has now informed us that it will no longer use Mailchimp with immediate effect.
The company also informed us that it had only transmitted email addresses to Mailchimp in the context of the above-mentioned use. It also mentioned that the recommendations of the European Data Protection Board on the so-called Supplementary Measures for transfers of personal data to third countries are not yet available in a final version, but are still subject to public consultation; this is correct.
According to our assessment, the use of Mailchimp by …. in the two cases mentioned – and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint – was unlawful under data protection law, because …. had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18) were necessary to make the transfer compliant with data protection requirements, and in the present case there were at least indications that Mailchimp may in principle be subject to data access by US intelligence services based on the US legal provision FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken.”
The authority concluded that the transfer, which was carried out under the EU standard contractual clauses (SCCs), did not meet the requirements set out in the earlier Schrems II privacy judgment of the EU's Court of Justice.
“This type of interpretation of Schrems II is precisely the result that many multinational companies feared when Schrems II upheld the use of SCCs but cast suspicion on the effectiveness of SCCs as a tool for carrying data to the United States,” Lexology comments.
The decision further states: “There were signs that MailChimp was recognized as a communications provider working under U.S. surveillance jurisdiction. Therefore, a danger in the form of U.S. intelligence agencies accessing those email addresses looms indefinitely.” MailChimp has not commented on the decision. Although the German company’s name was never revealed, it is rumoured to be a fashion magazine.
According to Lexology, companies that use data processors located outside the EU should consider where these processors are located and which jurisdictions apply to them. This is necessary to ensure that personal data is not accessible to any government entity.