Bavarian DPA Holds SCCs Alone Not Enough for European Use of US Email Service

Sheppard Mullin Richter & Hampton LLP

In a notable application of the European Court of Justice’s “Schrems II” decision, the data protection authority for the German state of Bavaria recently held that a German entity’s use of US-based MailChimp, which involved transferring personal information to the US, violated GDPR. As we previously wrote, the Schrems II decision turned on concerns around lack of sufficient safeguards under US law. The court cautioned, and the EDPB has since clarified further, that for standard contractual clauses to be used, companies must determine whether the information will have the same level of protection under the laws of the receiving country. If not, additional “supplementary measures” must be implemented.

As many may be aware, MailChimp is a popular email vendor. Here, the German company that hired MailChimp sent its European customers’ email addresses to MailChimp, in the US, so that MailChimp could then send the customers email newsletters. Even though the transfer was made pursuant to standard contractual clauses, the Bavarian DPA held that the transfer failed to adequately protect EU data subject rights.

In reaching its decision, the Bavarian DPA pointed with concern to the potential for US intelligence services to access information held by MailChimp under US law. It concluded that this failed to provide European individuals “protection” from such access, thus not giving the same level of protection as if the information remained in the EU. The Bavarian DPA did not provide direction on what supplemental measures could have been used. The EDPB, though, has suggested (para 48) that in such circumstances a technical measure may be the only option. Faced with the DPA’s determination, the data controller promised to stop using MailChimp.

Putting it into Practice: When sending personal data from the EU to the US using standard contractual clauses, businesses should evaluate whether the SCCs alone will provide the same level of protection for the data as under EU law. If not, businesses should consider whether they can employ additional security measures. Although no direction was provided in this case by the Bavarian DPA, the EDPB guidance can be of help.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
