A recent decision by the Bavarian data protection authority raises serious doubts about whether the popular email marketing platform MailChimp can be used legally under the GDPR.
By extension, the same problem arises for almost all US software applications that process personal data of EU citizens. After all, data export to the US has been a serious legal issue ever since the European Court of Justice annulled the Privacy Shield last summer and at the same time pointed out that the use of Standard Contract Clauses as an alternative is rather difficult because it requires a case-by-case examination of the need to implement additional security measures to ensure data privacy.
It is precisely that issue of additional measures that is now highlighted by the Bavarian Mailchimp decision.
The impact of the Schrems II ruling of the European Court of Justice last summer has had an increasing impact in Europe over the past few months. Many companies have hesitated about how to react to the ECJ’s decision last summer to overturn the EU-US Privacy Shield. After all, almost all software tools that European companies use today are American and since most of them are now cloud services or online tools, there is by definition data export to the US…
The problem only got worse by the fact that in the same effort, the ECJ also added that in the event of any data export outside the EU (also to destinations other than the US), the exporting company must also immediately take into account the fact that the Standard Contract Clauses that the European Commission itself provides to guarantee secure data export between companies and organizations within and outside the EU are not sufficient.
The Schrems II judgment requires that transfers of personal data to cloud service providers in the United States be assessed on a case-by-case basis and if there is a risk to the integrity of the data in question, additional security safeguards must be provided. These additional safeguards are almost automatically imposed on exports to the US, given the very far-reaching investigative powers of the US intelligence agencies, for example under section 702 (50 USC § 1881a) of the Foreign Intelligence Surveillance Act (Cloud Services Act).
Using Mailchimp not OK?
It sounds almost absurd, but the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht) earlier this month banned a European online magazine from using Mailchimp any longer to send its newsletters.
The reason? Well, by using Mailchimp to send newsletters, companies are sending personal data (e.g. email addresses and recipient names) to Mailchimp’s servers in the United States and that is potentially not OK.
The Bavarian Data Protection Authority justified its decision by noting that the company had not previously investigated whether additional safeguards were needed for the transfer of personal data to Mailchimp, in particular because Mailchimp may be subject to the Cloud Services Act.
Note in this context the important nuance that the Bavarian Data Protection Authority did not rule that MailChimp is per se illegal. Instead, it ruled that in this particular case, the company’s use of MailChimp was illegal because the company had not previously assessed whether adequate additional measures had been taken to ensure that its personal data was protected from access by U.S. regulatory agencies.
Following the already mentioned Schrems II judgment, European companies should indeed have started a broad data export audit or “vendor assessment” within their company in order to determine if:
- there is data exchange outside the EU / EEA
- there is an appropriate legal basis in accordance with Chapter V GDPR (standard contract clauses, binding corporate rules or one of the other less common and obvious legal grounds)
- the data concerned is in any way particularly sensitive and whether the data export as such can be justified
- additional safeguards may or may not be required on the receiving end of the data flow
- More in general, whether the receiving party can guarantee all-round GDPR compliance
This exercise should obviously and based on the accountability principle under GDPR be documented in detail and that is precisely why we at Sirius Legal have been offering since last September a free Data Export Impact Assessment form on our website. That form has now been downloaded hundreds of times by companies all over Europe, by the way.
Incidentally, the EDPB has already listed some additional measures to be taken some time ago in its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” of 10 November 2020. In this document, various data export scenarios are proposed and each time an indication is given on a case-by-case basis about how to ensure a secure exchange of personal data or which method is certainly not sufficiently secure.
The recurring message in that document is the need to encrypt personal data before exporting it and to make use of proprietary (preferably European) encryption techniques prior to export and separate from the platforms’ own encryption technology.
The use of Mailchimp also falls within this context. After all, personal data is exported to the US, where Mailchimp is considered a telecom provider under FISA legislation, which means that it potentially has to provide access to its customer data to the US government. Therefor encryption is necessary. Only… the use of Mailchimp actually does not allow such encryption from a technical point of view and as a consequence it is hard to imagine how a European company can use Mailchimp in a legally compliant matter…
Mailchimp as a wake-up call?
Until now, it seemed that the European data protection authorities had turned a blind eye for the time being and had given some kind of unofficial grace period for European companies and organizations to adapt to the changed legal situation after the Schrems II judgment. This certainly also had to do with the fact that the aforementioned Standard Contract Clauses are being reviewed and updated by the European Commission at this very moment.
However, the actions of the Bavarian Data Protection Authority now show that things are now getting serious and that companies will eventually have to ensure a secure exchange of personal data with their non-European partners. In a press release accompanying the Mailchimp decision, the Bavarian authority noted that in its view this case is an example of how the Schrems II judgment will be enforced in practice in the future.
Is your software “data export compliant”?
The painfully problematic conclusion is that no American software application currently works completely “GDPR compliant”…
We ourselves at Sirius Legal have conducted a benchmark test in recent months on 10 of the most well-known marketing tools, including Mailchimp, Sharpspring, Hubspot, Active Campaign, Salesforce and a few others. The conclusion is that most of these – all American – providers have adapted in recent months in the sense that they no longer invoke the Privacy Shield as a legal basis, but now refer to Standard Contract Clauses, but that they also all still show several essential shortcomings in the area of data export compliance:
- In some cases, the Standard Contract Clauses are unavailable or in any event nowhere to be found on the website
- most vendors provide either no or only very general and vague “additional safeguards”
- most, if not all, providers rely on sub-processors, of which neither the identity nor the location is sufficiently clear and of which there is little or no guarantee of GDPR and data-export compliance with the sub-processor concerned.
The same applies by extension to other non-European cloud services or online applications. It is almost by definition so that they are not (completely) GDPR compliant and that any use thereof requires a prior audit and possibly the provision of additional technical or organizational guarantees.
Can European companies no longer use American or other non-European services at all?
Fortunately, things are not as problematic as they might seems at first sight. Jumping to the conclusion that all non-EU software should be banned would be absurd in a globalized society and economy as weknow it today.
In the Mailchimp case, the problem was evidently clear, as the company in question apparently had not made any prior risk assessment at all to document whether additional safeguards were needed. That in itself was enough to provoke this decision.
Future matters will probably lead to a less obvious sanction, at least if the EU companies concerned have made a well-balanced and documented prior risk analysis or even implemented additional safeguards. Which measures will be “sufficient” in which context will only become clear when there is sufficient case law available, but it is evident that the “sensitivity” of the data and the risk of access requests from abroad play a role. In that context, a mailing list for a legal weekly appears much less problematic than the membership list of a political party and in the former case a well-founded preliminary estimate may (?) be sufficient …
However, this decision should without a doubt be seen as a warning to all companies and organizations in Europe on the importance of due diligence when transferring personal data outside the EU. As a company, it is best to get started as soon as possible with a strict and thorough internal audit exercise on the basis of which you can demonstrate that you have assessed whether or not your data can come into the hands of third parties and especially foreign governments if you use non-European applications.
If necessary, feel free to use our free Data Export Impact Assessment form to collect the necessary information from your non-European partners.
Also, take into account that if a supplier cannot or does not want to provide information to help you properly assess the potential risks, you will have to consider whether you can continue to work together and that in the worst case you will indeed have to look out for another alternative (preferably European) partner …
Would you like to know more about the practical impact of Schrems II?
Or better yet, register for the Schrems II webinar of our international contact network Consulegis “The Practical Impact of Schrems II on International Data Flows” on April 14th. Speakers from the EU (including Bart Van den Brande for Sirius Legal), the UK, the US and India will discuss all legal and practical sensitivities of international data flows and make time for all your questions and concerns.