BayLDA declares Mailchimp unlawful

We already reported on the effects of the “Schrems II” judgment of the European Court of Justice (ECJ) on several occasions. The “Schrems II” ruling had overturned the Privacy Shield, which allowed personal data to be freely transferred to the USA under certain circumstances. Since the ruling, the US is considered an “unsafe” third country – and personal data may only be processed in a third country if the level of data protection in the third country is equivalent to the level of data protection in the EU.

The Bavarian State Office for Data Protection Supervision (BayLDA) has set an example with Mailchimp: when a newsletter is sent using Mailchimp’s email marketing service, the email addresses of the recipients are transferred to Mailchimp. The company is based in the United States, so this constitutes a straightforward third-country transfer – that is, personal data is transferred to a country outside the EU or the EEA – which is why arts. 45 et seqq. of the GDPR must be taken into account.

The Bavarian State Office for Data Protection Supervision has now ruled that relying on the EU standard contractual clauses alone does not constitute a sufficient legal basis for the transfer of data to the USA. Rather, further measures should have been taken to ensure an adequate level of data protection. The decision of the supervisory authority states that email addresses may not be processed by Mailchimp if the permissibility of the transfer has not been separately examined beforehand. The omission of this check in itself constituted a data protection violation.

Although the decision of the Bavarian State Office only considered an individual case, one can assume that further similar decisions will follow.

The main section of the decision reads as follows:
“According to our assessment, the use of Mailchimp by […] in the two cases mentioned – and thus also the transmission of your email address to Mailchimp, which is the subject of your complaint – was impermissible under data protection law, because […] had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, Judgment of 16.7.2020, C-311/18) are necessary to make the transfer compliant with data protection, and in the present case there are at least indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of US law FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be permissible by taking such additional measures (if appropriate).”

So what needs to be taken into account?
If you have used Mailchimp for sending newsletters so far, you should check the following details carefully:

  • Risk assessment: depending on the content of the newsletter, what personal data is transmitted and what are the associated risks, e.g. what would it mean if U.S. authorities accessed the data?
  • Protective measures: what is being done to ensure data protection, what measures are taken to protect the data, and is there a need for heightened data security?
  • Alternatives: can a German or European provider fulfil the task in the same way, and can the effort and costs involved be justified?

In the case at hand, the BayLDA criticised that the above checks and the search for alternatives had apparently been neglected. The authority therefore determined that the data transfer was inadmissible. No supervisory measures or fines were imposed. In comparable cases, however, documentation should be prepared and the appropriate considerations should be recorded. Even so, this does not provide legal certainty for the future or for comparable cases.

In summary:
If data is transferred to the U.S., there is continued uncertainty due to the ECJ’s “Schrems II” judgment as to whether and how such transfers can be carried out legally. If you decide to continue using Mailchimp, you must at least document why a switch to a service without a U.S. transfer is not possible.

If you decide to look for a provider in the EU, you should then also check whether they work with subcontractors based in the USA.