The Bavarian Data Protection Authority (DPA) declared that a German company’s transfer of email addresses to U.S.-based email service Mailchimp was unlawful in light of the 2020 “Schrems II” decision issued by the Court of Justice of the European Union (CJEU). This declaration appears in the DPA’s March 15, 2021 response to a data subject who had complained to the DPA about the transfer (English machine translation available here). The DPA did not issue a fine or a formal decision because the German company discontinued use of Mailchimp when the DPA raised the issue.
In most cases, the GDPR requires GDPR-regulated entities to ensure adequate protection for personal data that they share with entities in countries that the European Commission has not determined to provide an adequate level of protection for personal data, such as the United States. The Schrems II decision invalidated the EU-U.S. Privacy Shield as a means of providing such protection but allowed continued exports to U.S. entities using standard contractual clauses (SCCs), provided that the SCCs, taking into account any additional safeguards the parties to the SCCs adopt (among other factors), create a sufficient level of protection for the data in the transfer at issue. The CJEU stressed that parties may need to adopt additional safeguards to protect data from being disclosed to U.S. intelligence agencies. Subsequent guidance from the European Data Protection Board outlined steps for assessing whether additional safeguards are sufficient in particular situations.
The Bavarian DPA found that the company using Mailchimp had not assessed whether it should implement additional safeguards. The company shared the email addresses of its German customers with Mailchimp using SCCs. However, the DPA stated that Mailchimp could qualify as an “electronic communication service provider” eligible to receive directives for data access under Section 702 of the U.S. Foreign Intelligence Surveillance Act – thus, Mailchimp might be subject to data access requests from U.S. intelligence agencies that would prevent Mailchimp from providing an adequate level of protection for the data. Because of this, the DPA stated that the company should have examined whether it should implement additional safeguards to ensure adequate data protection.
This development highlights the continuing risk surrounding EU-U.S. data transfers in the wake of Schrems II. Data exporters and importers should continue to monitor how DPAs within the European Economic Area and the UK interpret and enforce the decision.