13.04.2021

Bavarian data protection authority shows Mailchimp users yellow card - no fine, but final warning

While most data protection practitioners in Germany are still waiting for a signal from the supervisory authorities as to what a practically implementable compromise between modern cloud services on the one hand and data protection post Schrems II on the other might look like, the first decision on this question by the Bavarian Supervisory Authority for Data Protection (BayLDA) has now become public. On March 15, 2021, the authority informed an individual complainant that the transmission of his e-mail address by a data controller to the popular US newsletter provider Mailchimp was inadmissible due to a lack of additional data protection measures (Ref. LDA-1085.1-12159/20-IDV).

The Facts of the Case

The complainant had complained to the BayLDA about the use of the newsletter tool Mailchimp by a Munich-based company. He stated that the disclosure of the e-mail addresses of subscribers to the respondent's newsletter to the provider of Mailchimp (The Rocket Science Group LLC, a company based in the USA) ran afoul of Art. 44 et seq. GDPR and therefore had to be punished with a fine. In its response to the complaint, the data controller stated that it had used Mailchimp only twice and had already discontinued its use.

The transfer of the complainant's e-mail address to Mailchimp was based on the EU Standard Contractual Clauses (SCCs). According to the BayLDA, there were indications that Mailchimp's provider falls under U.S. surveillance law (FISA 702 (50 U.S.C. § 1881)) as an "electronic communication service provider." Consequently, there was a risk that the transmitted e-mail addresses could be inspected by U.S. intelligence agencies. Against the background of the ECJ decision "Schrems II" (C-311/18), the controller had not examined whether additional measures had been taken to protect the transferred data from US surveillance. This missing examination of additional protective measures was the sole ground on which the supervisory authority found a violation of the GDPR.

However, the BayLDA saw no reason to also punish the controller with a fine. The merely occasional use, the fact that only the less sensitive e-mail addresses were transferred to the USA, and the observation that there is still no final guidance from the supervisory authorities on international data transfers led the BayLDA to classify the violation as only slightly negligent and therefore not justifying a fine. For companies (at least in Bavaria), this is just as reassuring as the BayLDA's comment that fines do not serve to enforce the rights and freedoms of individual data subjects, so data subjects cannot demand that a fine be imposed. Their compensatory interest is instead to be asserted as a claim for damages pursuant to Art. 82 GDPR.

Practical Tip:

For customers of Mailchimp, it is important to note that the use of the tool as such is not in itself a violation of data protection law. However, the BayLDA also emphasizes that contractual measures alone (not even the agreement of Standard Contractual Clauses (SCCs)) are not sufficient protection when transferring personal data to US service providers. Additional measures of a technical or organizational nature, such as encryption or the consent of the data subjects, have to be examined in any case. The decision also once again clearly underlines the importance of documenting this examination. For new newsletter registrations, we recommend checking whether an explicit and informed consent is additionally obtained in accordance with Article 49 (1) (a) GDPR. It is also reassuring that the BayLDA has shown overly optimistic consumer complainants the limits of their actions and, in particular, denied individuals the right to initiate fines against third parties.

Authors

Dr. Matthias Orthwein

Partner