The Bavarian Data Protection Authority, in a decision that illustrates the hurdles faced by international marketers under the GPDR, has ruled that a German publisher cannot transfer email addresses
to Mailchimp in the U.S. for use in sending email newsletters.
One concern is that the data could be accessed by U.S. intelligence services.
An aggrieved
party complained to the authority (the BDPA) about the data transfer, resulting in an inquiry and this ruling.
The unnamed German company had used Mailchimp only occasionally, and has
since stopped. There was no legal action, and no fine.
But the BDPA held on March 15 that “the use of Mailchimp by the respondent and thus the transfer of the email
addresses to the provider of Mailchimp was unlawful:”
The authority determined that the transfer, which was conducted under EU standard contractual clauses (SCCs),
violated understandings reached in the prior SCHREMS II privacy judgement in the EU.
advertisement
advertisement
“This kind of interpretation of Schrems II is precisely the outcome that many
multi-national companies feared when Schrems II upheld the use of SCCs, but cast doubt on the effectiveness of SCCs as a mechanism for transferring of data to the United States,” Lexology
comments.
The ruling continues: “There were indications that Mailchimp qualifies as an electronic communications provider under U.S. surveillance law. Therefore, the transferred
email addresses could be in danger of being accessed by U.S. intelligence services.”
Mailchimp had not provided comment on the decision at deadline.
The German
company was not named, but the National Law Journal identified it as a fashion magazine.
Lexology concludes that firms using data processors outside of the EU should
consider the locations of the processors and the applicable laws in those locales to determine if “personal data transferred could be susceptible to access by government entities.”
In addition, it advises marketers to ascertain if additional protection measures are warranted, and if so, to implement them.