A German data protection authority has recently ruled that the use by a Munich publishing company of the US-based email marketing platform Mailchimp, which involved the transfer of email addresses from the European Union to the United States, violated the General Data Protection Regulation (GDPR). While the case is not binding in the UK, it is likely to be treated as persuasive should a similar case arise in the UK, given that the judgment is based on the interpretation of the GDPR, which largely applies in the UK under the UK GDPR. The decision by the Bavarian Data Protection Authority (BayLDA) therefore raises serious issues for the significant number of UK-based organisations that rely on Mailchimp or similar services to support their marketing. This note discusses the implications of the BayLDA decision and considers the options for organisations in the UK that use Mailchimp or similar providers.
Facts of the case
An English translation of the judgment can be found here. We understand that the complainant, a data subject, lodged a complaint with the Bavarian DPA regarding the use by the respondent publishing company of the Mailchimp platform to send out its newsletter to subscribers.
The complainant argued that the transfer of email addresses of subscribers to the provider of Mailchimp, US-based The Rocket Science Group LLC, was unlawful under Article 44 of the GDPR (General Principles for Transfer of Personal Data).
The data transfer was based on the Standard Contractual Clauses, the effectiveness of which was considered by the Court of Justice of the European Union in the case of Data Protection Commissioner v Facebook Ireland Ltd – the so-called “Schrems II” case.
The CJEU’s “Schrems II” decision
In this case the CJEU held that a transfer of personal data from the EU to third countries outside the European Economic Area (EEA) under the SCCs will be permissible under the GDPR only if the level of protection of the transferred data is adequate.
When assessing the adequacy of protection, organisations must take into account the wording of the SCCs and the legal system of the third country, in particular, with regards to access to the transferred data by public authorities in the third country. Depending on the outcome of this assessment, the data exporter and the data importer may be required to implement adequate “supplementary measures” in order to safeguard the data.
Subsequently, the European Data Protection Board (EDPB) issued preliminary guidance for public consultation as to what constitutes adequate supplementary measures. These include technical, contractual and organisational measures. The consultation has ended; however, final guidance in this area has not yet been published. Of key relevance to this case, the EDPB observed in its preliminary guidance that where the importer (in this case Mailchimp) is considered an “electronic communication service provider” under a US federal law, namely s. 702 of the Foreign Intelligence Surveillance Act (FISA), contractual (i.e. SCCs) and organisational measures were unlikely to be enough to satisfy the GDPR’s transfer requirements, and technical measures rendering the data inaccessible to US authorities would likely be required.
The BayLDA decision
The Bavarian DPA observed that there were “indications” that Mailchimp, as an "electronic communication service provider" under FISA, might be subject to data access requests by US intelligence services.
In light of the Schrems II decision the BayLDA considered that the transfer of the complainant's email address to Mailchimp was unlawful under the GDPR because the publishing company failed to assess whether technical supplementary measures were necessary in addition to the SCCs – and therefore failed to implement any such measures – to ensure the transfer of data satisfied the GDPR requirements.
The publishing company informed the authority that it had used Mailchimp only twice and confirmed that it would stop using the service with immediate effect. It also pointed out that the EDPB’s recommendations on supplementary measures for transfers of personal data to third countries had not yet been finalised. The BayLDA therefore decided not to impose a fine or take any other enforcement action.
While this decision has no direct effect in the UK, it provides useful guidance on the interpretation of the GDPR post Schrems II. As stated above, since the UK GDPR aligns very closely with the EU GDPR (for the time being anyway), the case is likely to be very persuasive should the UK Information Commissioner review a similar case.
The Bavarian DPA did not rule that use of Mailchimp was unlawful per se, but found that it was unlawful in the circumstances because the respondent failed to carry out an assessment of whether any supplementary measures were necessary. The publishing company avoided a fine because the case involved a relatively minor and temporary breach only: the personal data involved was EU data subjects’ e-mail addresses; no special category or other high-risk data was transferred; the Mailchimp service was used on only two occasions before the company stopped using it; and the EDPB guidance has not yet been finalised.
Mailchimp’s full response to the decision can be found here. In summary, its position is that customers can continue using the Mailchimp email marketing service to host and share content, on the basis that the BayLDA did not make any determination about Mailchimp’s GDPR compliance measures, and therefore the existing SCCs remain a valid data transfer mechanism. Again, the failure lay with Mailchimp’s customer, which did not undertake appropriate due diligence.
However, although no penalty was imposed in this case, there is no guarantee that the ICO would not impose a fine. The decision therefore presents a real-life reminder for organisations in the UK of the importance of undertaking risk assessments of their suppliers and documenting this process, with a view to avoiding falling foul of the UK GDPR and the Data Protection Act 2018.
Third party processors: Managing data protection risk
It is key to risk management that organisations undertake appropriate risk assessments and identify not just contractual and organisational measures, but also what technical measures need to be put in place. With particular respect to the use of Mailchimp and similar providers, we would urge organisations to identify such service providers, check whether a risk assessment of the kind described above has been undertaken and, if not, undertake one.
Below are some steps that organisations should take when engaging third party suppliers to process personal data and for ongoing supplier management:
- Build a data protection risk assessment into your on-boarding/procurement processes, to the extent it is not already;
- Review this risk assessment process periodically to ensure it is adequate;
- Maintain a register of suppliers and undertake reviews of your third party processors from time to time. Taking a risk-based approach, prioritise those that process the most risky data for your organisation;
- Have a process in place for completing data protection impact assessments (DPIAs). This process should include screening questions to identify whether a DPIA is required, a prescribed form or process to assess and document data protection risk, and a DPIA review process;
- Ensure compliant data processing agreements are in place with third party processors – this is a legal requirement;
- Document processing activities involving third parties within your organisation’s Record of Processing Activities to demonstrate accountability; and
- If it turns out that the third party does not meet the necessary requirements, consider exploring alternative, UK/EU-based service providers.
Insight from Loretta Maxfield, Data Protection specialist at Thorntons. For more information contact Loretta on 03330 430350.