The Monkey’s Pause: Mailchimp Data Transfers Halted in German Schrems II Inquiry
A recent action against a German company transferring data to a US service provider offers a glimpse into forthcoming enforcement of the ‘Schrems II’ decision. First, European companies are expected to grapple with the intricacies of foreign national security laws. Second, hypothetical and unsubstantiated privacy concerns are enough to warrant the suspension of data flows. This should be a wake-up call to both industry and policymakers of the need to rapidly establish practicable and durable legal mechanisms for the protected transfer of data overseas.
European and global industry has been mired in a state of uncertainty since last July, when the Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield framework and declared that Standard Contractual Clauses (SCCs) may require additional measures to ensure compliance with European data protection standards. At issue is the availability of reliable legal instruments for the transfer of personal data overseas, a necessity for both the commercial and internal operations of businesses of all sizes across all sectors. Now, an enforcement decision from the Data Protection Authority of the German State of Bavaria (Bavarian DPA) has further underscored the urgency for policymakers to take swift action to establish durable legal mechanisms for the protected transfer of personal data outside of the European Union.
On March 15, the Bavarian DPA concluded an inquiry involving a complaint about an unnamed German company that, on two occasions, used the U.S. email marketing platform Mailchimp to send newsletters to the company’s own customers. Although the company shared email addresses with Mailchimp pursuant to SCCs, the Bavarian DPA found the transfer to be unlawful because the company had not examined whether “additional measures” pursuant to the CJEU’s Schrems II judgment would be required to ensure adequate protection of the data.
The Bavarian DPA’s decision was grounded in the determination that there are “at least indications that Mailchimp may in principle be subject to data access by U.S. intelligence services” and therefore the transfer would be permissible only “if such additional measures (if possible and sufficient to remediate the problem) were taken.” Ultimately, the inquiry closed when the German company committed to ceasing its use of Mailchimp with immediate effect.
The Bavarian DPA decision is worrying for two reasons:
First, the inquiry took place in the absence of final recommendations from the European Data Protection Board (EDPB) on how companies should assess their transfers of data and what supplementary measures referenced by the Court in Schrems II may be necessary to satisfy data protection standards. As we have noted in the past, businesses are not well-positioned to conduct the intricate legal assessments of foreign surveillance law and practice necessary to determine if they fail to meet data protection standards for a particular transfer.¹ Therefore, organizations are in desperate need of clear and practicable guidance from European regulators on the existence and application of third-country laws and practices that pose a risk of interference where data transfers may merit further scrutiny.
Second, the enforcement action is notable because halting the use of Mailchimp to send newsletters does not appear to mitigate any cognizable risk to individual privacy. There is no public information to suggest that Mailchimp has ever received a Section 702 order or that the U.S. Government would ever seek to leverage this authority to obtain a solitary email address from a newsletter service provider. Furthermore, Mailchimp uses both encryption and access controls to safeguard against unauthorized access to data, and in its most recent transparency report it states that it has not received either a search warrant or court order from the U.S. government. However, the Bavarian DPA addressed the actual risk of impermissible data access only when announcing its decision not to impose fines, noting that the sensitivity of email addresses is “relatively manageable.”
While European enforcement authorities have hitherto taken varied views on the use of SCCs following the Schrems II decision, the Bavarian DPA’s inquiry is unlikely to be a one-off. With additional enforcement decisions lurking on the horizon, there is a real threat of widespread restrictions on data transfers sweeping Europe, resulting in the interruption of critical services and impediment of the ongoing economic recovery. Stakeholders must pursue all available paths to avoid a European data lockdown by ensuring the availability of mechanisms for trusted, secure, and legal overseas data flows.
¹ In this case, the question is whether newsletter services may qualify as an “electronic communications service provider” pursuant to Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) and could thus be subject to production orders in tension with EU data protection standards.