Following a complaint filed by a private citizen, the Bavarian Data Protection Authority (BayLDA) has ruled that, in that specific case, the use of the US provider Mailchimp was unlawful. The complaint arose after the person was contacted by a German company that used the cloud service to send out newsletters and, in doing so, evidently stored the recipient's email address with Mailchimp. The decision, first reported in the Austrian daily “Standard”, may have a significant impact on other European companies.
Data protection supervisors criticize the transfer of data to countries outside the EU
In order for a transfer of personal data from the EU to the USA to be lawful, the General Data Protection Regulation (GDPR) requires either an adequacy decision (Article 45 GDPR) or appropriate safeguards such as standard contractual clauses (Article 46 GDPR). In the case at hand, the BayLDA held that it was the company’s responsibility to check whether the transfer of data to Mailchimp required “additional measures” on top of the EU standard data protection clauses, in line with the CJEU’s Schrems II ruling. Simply signing the EU standard contractual clauses is therefore not in itself a sufficient legal basis for transferring data to the USA; the controller has to assess, and be able to show, whether supplementary measures are needed and whether they actually close the gap.
In concrete terms, the authority’s response to the data subject states:
“According to our assessment, the use of Mailchimp by …. in the two cases mentioned – and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint – was unlawful under data protection law, because ….[the company] had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18) were necessary in order to make the transfer compliant with data protection requirements, and in the present case there were at least indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken.”
With this position, the German authority has found the data transfer unlawful in this case; according to the report, however, no further supervisory measures have been imposed at this time.
Using US providers: Duty of care shifted to European companies
This response shows that, when US-based providers are used, it is increasingly the European companies using their services that carry the burden of conducting and documenting the data protection assessment, including the check for additional measures described above. Recent reporting on the topic, beyond the authority’s position in this case, often points out that even providers based in the EU may still be considered problematic if they in turn rely on sub-processors in the USA.
Find out more about how Retarus, as a European provider, ensures full GDPR compliance with our Transactional Email service run from self-operated local data centers, in our blog post “The CJEU overturns ‘Privacy Shield’. So what now?”.