The Bavarian Data Protection Authority against Mailchimp for illegal data transfer to the US

On March 15th, the Bavarian DPA, Bavaria’s Data Protection Authority, ruled against Mailchimp, a well-known US email marketing company, for failing to comply with the indications contained in the Schrems II judgment regarding personal data transfer to the US.

The ruling represents an important precedent because it is the first formal decision taken by a data protection authority following Schrems II and is at the same time a warning to all those who wish to use US-based providers.

The proceeding was initiated by an interested party, who complained that a company had included his/her email address in a list of recipients of newsletters sent through Mailchimp, and that this did not comply with Articles 44 et seq. of the European Regulation 679/2016 (so-called “GDPR”).

The Bavarian Authority, while not imposing sanctions, confirmed that a service provided by a US supplier cannot be considered GDPR compliant if the further measures indicated after the Schrems II decision are not taken.

As is known, the European Court of Justice, with its judgment of 16 July 2020 (C-311/18), better known as Schrems II, invalidated the decision of the European Commission establishing the adequacy of the so-called Privacy Shield for the transfer of personal data to the United States. Following this ruling, the EDPB, the European Data Protection Board, stated in Recommendations 1/2020 that, even where specific Standard Contractual Clauses (so-called SCC) are in place, such as those used by Mailchimp in the case under consideration, the use of a provider subject to US legislation in any case requires careful assessments in order to guarantee a level of protection substantially equal to that guaranteed by the GDPR.

Although the company’s defence argued that the aforementioned Recommendations 01/2020, which contain indications on how to interpret such “further measures”, are still not available in their final version, the Authority found the company culpable for its omission in failing to assess the need for additional measures to ensure the protection of personal data in accordance with the principles outlined in Schrems II.

In addition, according to the Bavarian DPA, Mailchimp may qualify as an “electronic communications service provider” under the U.S. Foreign Intelligence Surveillance Act and, as such, the U.S. government may request and obtain its users’ data at any time.

In view of the above, the Bavarian Privacy Authority considered that the level of protection of the data transferred to the United States via Mailchimp was not at least equal to that guaranteed by the GDPR and therefore, given the failure to assess the need for additional measures, declared the related processing illegal.