Bavarian data protection authority shows Mailchimp users yellow card - no fine, but final warning
The Facts of the Case
The plaintiff had complained to the BayLDA about the use of the newsletter tool Mailchimp by a Munich-based company. He argued that disclosing the email addresses of subscribers to the respondent's newsletter to the provider of Mailchimp (The Rocket Science Group LLC, a company based in the USA) ran afoul of Art. 44 et seq. GDPR and therefore had to be punished with a fine. In its answer to the complaint, the data controller stated that it had used Mailchimp only twice and had already discontinued its use.
The transfer of the plaintiff's email address to Mailchimp was based on EU Standard Contractual Clauses (SCCs). According to the BayLDA, there were indications that Mailchimp's provider falls under U.S. surveillance law (FISA702 (50 U.S.C. § 1881)) as an "electronic communication service provider." There was therefore a risk that the transmitted email addresses could be inspected by U.S. intelligence agencies. Against the background of the ECJ decision "Schrems II" (C-311/18), the controller had not examined whether additional measures were needed to protect the transferred data from U.S. surveillance. This missing examination of additional protective measures was the sole reason for which the supervisory authority found a violation of the GDPR.
However, the BayLDA saw no reason to also punish the controller with a fine. The merely occasional use, the fact that only the less sensitive email addresses were transferred to the USA, and the observation that the supervisory authorities have still not issued final guidance on international data transfers led the BayLDA to classify the violation as only slightly negligent and not justifying a fine. For companies (at least in Bavaria), this is just as reassuring as the BayLDA's comment that fines do not serve to enforce the rights and freedoms of individual data subjects, and that data subjects therefore cannot demand the imposition of fines. Their compensatory interest is to be asserted in the form of damages pursuant to Art. 82 GDPR.
For customers of Mailchimp, it is important to note that the use of the tool as such should not yet be considered a data protection violation. However, the BayLDA also emphasizes that contractual measures alone (not even the agreement of standard contractual clauses (SCC)) are not sufficient protection when transferring personal data to U.S. service providers. Additional measures of a technical or organizational nature, such as encryption or the consent of the data subjects, have to be examined in any case. The decision also once again clearly underlines the importance of documenting that examination. For new newsletter registrations, we recommend checking whether explicit and informed consent can additionally be obtained in accordance with Article 49 (1) (a) GDPR. It is also reassuring to note that the BayLDA has shown overly optimistic consumer plaintiffs the limits of their actions and, in particular, denied individuals the right to have fines initiated against third parties.