Last month, the Bavarian Data Protection Authority (DPA) became the first DPA in Europe to issue a decision in connection with the infamous Schrems II judgement of the Court of Justice of the European Union (CJEU), deeming data transfers from a German company to the US-based company Mailchimp unlawful.
Brief overview of the Schrems II judgement and its impact
The landmark CJEU Schrems II judgement, issued in July 2020, invalidated the EU-US Privacy Shield and thus subjected all non-necessary data transfers from the EU to third countries to specific requirements. Necessary data transfers, e.g. sending an email to Australia or making a hotel booking on a US website, are not affected. Voluntary data transfers are the ones affected. This is crucial for most businesses, as outsourcing services are considered voluntary data transfers. So, for example, if you are using US-based software as a service (SaaS) solutions such as Mailchimp or SurveyMonkey, you should take steps to review your compliance, as your processing may involve transfers of data to third countries outside the EU/EEA.
The Bavarian DPA judgement
A German publishing company used the popular email marketing service Mailchimp to send its newsletters. Since Mailchimp is based in the US, the legal basis for the data transfer was Standard Contractual Clauses (SCCs). The complainant, a data subject receiving the newsletter via Mailchimp, lodged a complaint and asked for a fine to be imposed.
The Bavarian DPA deemed the data transfers unlawful for two equally important reasons:
- Mailchimp may qualify as an “electronic communication service provider” under US legislation (FISA 702 – 50 U.S.C. § 1881), meaning that the data could be accessed by US intelligence services. Interestingly enough, Mailchimp itself acknowledges this fact in multiple places, while its GDPR Compliance Policy was last updated in 2017.
- The German company failed to assess whether further supplementary measures could be taken, such as conducting a Transfer Impact Assessment.
The data transfers were deemed unlawful, but no fine was imposed, as the publishing company agreed to cease all unlawful processing. The sensitivity of the personal data transferred was also taken into account. It should also be noted that the EDPB Supplementary Measures were, at the time, still at a draft stage and open to public consultation (they were actually adopted in November 2020).
Assessment of the judgement: the bad and the good news
The bad news is that, specifically for US data transfers, the legislative environment can prove a difficult obstacle to overcome:
- The EDPB notes that US data importers that fall under FISA 702 are under a direct obligation to grant access to, or turn over, imported personal data in their possession, custody or control. This may also extend to any cryptographic keys necessary to make the data intelligible, potentially rendering encryption an inadequate security measure whenever the importer holds the keys.
- If you use a provider that processes data in the EU/EEA but is linked to (or uses) a US company, FISA 702 and EO 12333 may still apply. It is a matter of interpretation of the law, but they seem to have no territorial limitation. The hosting location can therefore be irrelevant.
The good news is, first and foremost, that you do not need to stop using third-country platforms immediately: no fine was imposed, and the judgement itself paves the way for future compliance:
- The sensitivity of the data remains a formidable risk factor.
- Cooperation with Data Protection Authorities will reduce the risk of a fine.
- Most importantly, the reference to the now official supplementary measures for data transfers shows that effective use of the available tools can ultimately lead to compliant data transfers.
So, what should we do?
If your business uses service providers based in third countries, you will have to:
- Avoid third-country transfers where possible and, where transfers currently take place, assess whether it is necessary to focus on migrating the data processing to EU/EEA countries in the short or medium term. Consider the full range of risks: beyond regulatory fines, receiving an order to cease processing can be significantly disruptive to an organisation.
- Assess whether the third country’s legislation and practice provide an adequate level of protection for your data.
- Assess the sensitivity of the data that will be transferred and complete a Transfer Impact Assessment.
- Implement adequate supplementary measures to safeguard the transferred data. Those measures can range from legally binding agreements to advanced technical security measures, such as encryption of the data where required.
How can we help you?
At Trilateral Research, our Data Protection and Cyber Risk Team is very familiar with this complex regulatory environment: we will guide you through it and assist you in mitigating undue risk when using third-party suppliers. Our team consists of solicitors, IT specialists and policy makers, so that we can provide you with 360° services, from signing agreements to implementing state-of-the-art technical measures. As data transfers have become a highly complex issue, we provide highly customised, case-by-case solutions. We offer a range of data protection services: performing audits and assessments, helping you create DPIAs and Data Sharing Agreements, and providing compliance support.
For further assistance and guidance, please feel free to contact a member of our team.