Users of Mailchimp in both the UK and the EU have been left concerned by recent developments in EU data protection law. On 15 March 2021 the state Data Protection Authority of Bavaria (the Bavarian DPA) issued a statement which effectively prevents the use of Mailchimp unless further protections are put in place (the Decision). This has wide-reaching implications for businesses and the tools they use to process personal data, especially where those tools are hosted outside the UK/EU.
The recent Schrems II decision set the bar high for ensuring there are appropriate limitations and safeguards in place to protect personal data transferred outside of the EU (to the detriment of the now-defunct US Privacy Shield). The data protection world has been patiently waiting to see the impact of the Schrems II decision on other cases. The Decision provides a window into how Schrems II has changed the landscape of transferring personal data internationally, particularly to the USA.
The Decision gives us an insight into how different data protection authorities, including the UK’s ICO, may look to apply Schrems II in practice. It suggests that users of US-hosted CRM tools, like Mailchimp, can no longer simply rely on Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the US – more needs to be done to protect the personal data and in turn satisfy Schrems II. We summarise the Decision below and consider its implications, as well as its potential impact on how businesses, as controllers, engage with technology service providers offering solutions hosted outside of the EU or the UK.
A complaint was made to the Bavarian DPA regarding the use of Mailchimp, an email newsletter service tool, by a German magazine company (the GMC). Use of Mailchimp involves personal data being transferred to the US and the complaint asserted that this transfer of data to the US from Germany by the GMC should be considered unlawful under the GDPR. The GMC only used Mailchimp twice and had implemented the EU SCCs to protect those transfers.
Despite this, the Bavarian DPA took the view that, even with SCCs in place, the transfer of personal data to Mailchimp in the US was unlawful. This was because the GMC had failed to assess if any additional measures were necessary in order to ensure the safety of the personal data being transferred (in line with Schrems II).
The Bavarian DPA was of the opinion that the risk of the US government accessing the personal data was considerable. This was because the Bavarian DPA determined that Mailchimp may qualify as an ‘electronic communication service provider’ under US surveillance laws (a point which, according to the Bavarian DPA, the GMC did not assess or take into account).
However, the GMC was not fined – the Bavarian DPA took into account that the GMC had stopped using Mailchimp, had only used it twice, and that the personal data transferred, namely email addresses, was of relatively limited sensitivity. The Bavarian DPA also took into account that the European Data Protection Board’s (the EDPB) guidance on supplementary measures for personal data transfers had not yet been finalised.
This interpretation of Schrems II is bound to raise questions about future difficulties for companies looking to transfer personal data outside of the EU and the UK. The Bavarian DPA’s interpretation of Schrems II is quite restrictive in practice, and calls into question the reliability of the SCCs on their own. While it is not surprising that additional measures may be needed when personal data is being transferred, it is surprising to see a CRM tool being held to such a high standard. This in turn expands the range of instances in which businesses will need to carry out assessments to understand whether any additional measures are required before progressing with an international data transfer. This, inevitably, will place a significant strain on the resources and time of businesses, particularly SMEs.
Unhelpfully, the Decision fails to identify what specific measures would actually need to be taken in this scenario to protect the personal data transfer. Further guidance from the Bavarian DPA on the steps that should have been taken would have been useful to improve understanding in the market of what specifically should be done to ensure compliance in similar scenarios.
While the EU and US continue discussions around a new system for transferring personal data following the invalidation of the Privacy Shield, it would be wise for businesses to pay extra attention to any processes that involve the transfer of personal data to the US, in particular if they use Mailchimp or other US-hosted solutions. Given the Bavarian DPA’s stance, it is unlikely that the SCCs will be considered sufficient without a full assessment of whether any supplementary measures are required. Given the breadth of US surveillance laws, it is highly likely that additional protections will be required to ensure, as far as possible, that the personal data will be deemed safe in such transfers.
Even though the UK has now left the EU, UK businesses are not in the clear, as it remains to be seen how the ICO will look to apply the Schrems II decision in practice post-Brexit. It is likely the ICO will look at the decisions of EU supervisory authorities (like the Bavarian DPA) to help form its own view. With that in mind, UK users of Mailchimp or other US-hosted solutions should also consider whether further measures and protections are necessary to continue using that (or any similar) CRM tool.
For assistance in reviewing local laws and measures required for personal data transfers outside the EU, businesses should pay attention to the EDPB’s draft guidance on recommended measures to supplement such transfers (to be finalised sometime this year). UK businesses should also keep an eye out for the Information Commissioner’s Office’s own guidance on the topic, which should arrive in the near future as well.
If you require help with reviewing your international data transfers, you can reach out to our Data, Privacy and Cybersecurity team at TLT LLP for support and guidance.
Contributors: Junior Mbulu and Louisa Williams
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2021. Specific advice should be sought for specific cases. For more information see our terms & conditions.