Following the publication of its response to a data subject in the German newspaper “Standard”, the Bavarian Data Protection Authority (DPA) took the opportunity to respond to recurring criticism and to draw attention to its actual enforcement of the ECJ decision Schrems II, which prohibits personal data transfers to the US without the implementation of additional measures (see here).
The “ruling” refers to a complaint filed by an individual regarding the transfer of their personal data to the USA by a German company. It appears that the company used the tool Mailchimp, provided by a US-based company, for its e-mail marketing campaign. The use of this tool entailed the transfer of e-mail addresses to Mailchimp, which is based in the US.
According to the Bavarian DPA, this case demonstrates its enforcement of the requirements of the ECJ decision (Schrems II), as the company refrained from using the Mailchimp tool following the DPA's intervention.
Beyond demonstrating actual enforcement of the decision, it is also a warning to other companies relying on US-based providers for their business activities.
The context
An individual German company used the Mailchimp tool for its e-mail marketing campaigns.
Following a data subject complaint with the Bavarian DPA, the latter sent a request for comment and detailed information to the company concerned.
The investigations showed that:
- the company used the Mailchimp tool twice to send newsletters;
- it only transmitted e-mail addresses to Mailchimp for these newsletter campaigns.
The personal data transfer is unlawful according to the assessment of the DPA
The Supervisory Authority made the following assessment:
- The use of the Mailchimp tool entails the transfer of data to the US;
- There were indications that Mailchimp may be subject to data access by US intelligence services under the US legal provision FISA 702 (50 U.S.C. § 1881), as a possible so-called Electronic Communications Service Provider;
- According to the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18), in such a case the transfer could only be lawful if additional measures (where possible and sufficient to remediate the problem) were taken;
- As the company had neither examined whether such additional measures were necessary nor implemented any, the data transfer was therefore unlawful.
As a result, the company declared that it would refrain from using the Mailchimp tool going forward.
Comments
As correctly raised by the company, the recommendations of the European Data Protection Board on the so-called Supplementary Measures for transfers of personal data to third countries are not yet available in a final version, but are still subject to public consultation.
However, the lack of final guidance is not a legal basis for not complying with the law; therefore, a data protection authority could potentially fine a company that unlawfully transfers data to the US or to any country with similar legislation.
This publication should therefore be seen as a warning that companies should carry out the assessment and implement technical and contractual measures to prevent the risk of access to the data by US authorities.
Even though it is a real challenge for most businesses, there is still hope: for example, the French highest administrative court (Conseil d’Etat), in a recent decision, did not cancel a data transfer to the US after noting that contractual measures and encryption had been implemented (see here for more details).
For more information or for any question you can contact Arnaud Blanc.