The Bavarian Data Protection Authority, in a decision that illustrates the hurdles faced by international marketers under the GDPR, has ruled that a German publisher cannot transfer email addresses to Mailchimp in the U.S. for use in sending email newsletters.
One concern is that the data could be accessed by U.S. intelligence services.
An aggrieved party complained to the authority (the BDPA) about the data transfer, resulting in an inquiry and this ruling.
The unnamed German company had used Mailchimp only occasionally, and has since stopped. There was no legal action, and no fine.
But the BDPA held on March 15 that “the use of Mailchimp by the respondent and thus the transfer of the email addresses to the provider of Mailchimp was unlawful.”
The authority determined that the transfer, which was conducted under EU standard contractual clauses (SCCs), violated understandings reached in the prior Schrems II privacy judgement in the EU.
“This kind of interpretation of Schrems II is precisely the outcome that many multi-national companies feared when Schrems II upheld the use of SCCs, but cast doubt on the effectiveness of SCCs as a mechanism for transferring of data to the United States,” Lexology comments.
The ruling continues: “There were indications that Mailchimp qualifies as an electronic communications provider under U.S. surveillance law. Therefore, the transferred email addresses could be in danger of being accessed by U.S. intelligence services.”
Mailchimp had not provided comment on the decision at deadline.
The German company was not named, but the National Law Journal identified it as a fashion magazine.
Lexology concludes that firms using data processors outside of the EU should consider the locations of the processors and the applicable laws in those locales to determine if “personal data transferred could be susceptible to access by government entities.”
In addition, it advises marketers to ascertain if additional protection measures are warranted, and if so, to implement them.