A decision issued on 15 March 2021 by the Bavarian Data Protection Authority ("BayLDA", publication pending) is the first German enforcement action in connection with last year's decision of the Court of Justice of the European Union ("CJEU") on the validity of the European Commission's Standard Contractual Clauses ("SCCs") and the EU-US Privacy Shield (C-311/18, the "CJEU's Decision"; more information is available in our client alert). In the CJEU's Decision, the court held that a transfer of personal data from the EU to third countries outside the European Economic Area ("EEA") under the EU Standard Contractual Clauses is permissible under the General Data Protection Regulation ("GDPR") only if the level of protection of the transferred data is adequate. When assessing whether the level of protection is adequate, companies have to take into account the wording of the SCCs and the legal system of the third country where the recipient of the personal data is located, in particular with regard to access to the transferred data by public authorities in the third country. Depending on the outcome of this assessment, the data exporter and the data importer may be required to implement adequate supplementary measures in order to safeguard the transferred data.
Subsequently, the European Data Protection Board ("EDPB") issued preliminary recommendations for public consultation as to what constitutes adequate supplementary measures. The EDPB pointed out that from its perspective there are currently no such supplementary measures available if the recipient is located in the USA and is an electronic communication service provider who needs access to the personal data in the clear in order to render the agreed services. This is due to the fact that US law enforcement agencies have far-reaching access rights to the transferred data under the Foreign Intelligence and Surveillance Act ("FISA") when such a provider is involved (see our client alert for more information).
Facts of the BayLDA decision
A German publishing company based in Munich used the online service "Mailchimp". Mailchimp is a marketing automation platform and email marketing service provided by the US-based provider The Rocket Science Group LLC. For the purposes of distributing newsletters, the Bavarian publishing company transmitted e-mail addresses to the Mailchimp platform in two cases. The data transfer was based on the SCCs for data processors in third countries.
The complainant, a data subject who had received a newsletter via the Mailchimp platform, lodged a complaint with the competent local data protection authority, BayLDA, and requested that the authority impose a fine. The authority came to the conclusion that the transfer of the complainant's e-mail address to the Mailchimp platform was unlawful under the GDPR because the publishing company had not examined whether, in addition to the SCCs, supplementary measures within the meaning of the CJEU's Decision were necessary to ensure that the transfer met the GDPR requirements. BayLDA furthermore stated that there were at least certain indications that Mailchimp might qualify as an "electronic communication service provider" under FISA 702 (50 U.S.C. § 1881). Therefore, the transferred e-mail addresses were potentially in danger of being accessed by US intelligence services. In the light of the CJEU's Decision, the publishing company had failed to assess whether supplementary measures were needed to ensure that the transferred data was protected from US surveillance and, if required, to implement such supplementary measures.
The publishing company replied that it had used Mailchimp only twice and confirmed that it would immediately stop using the service. In light of this, BayLDA refrained from imposing a fine or taking any other enforcement action. It informed the complainant that, in its opinion, a data subject has no legal entitlement to the imposition of a fine in the event of a data protection violation. Unlike some of the other remedial powers referred to in Article 58(2) GDPR, the power to impose a fine under Article 83 GDPR does not serve to safeguard the rights and freedoms of the data subject, but rather the public interest in enforcing the law. Consequently, a data subject has no subjective right to have a data protection authority decide on the imposition of a fine. Also, in BayLDA's opinion the case at hand did not justify the imposition of a fine because the violation was still to be classified as minor with regard to its nature and gravity, and involved at most a slight degree of negligence. This was due to the fact that the EDPB's recommendations on supplementary measures were still undergoing public consultation and were therefore not yet available in their final version. Moreover, the personal data involved (i.e., EU data subjects' e-mail addresses) was not of a particularly sensitive nature, and the violation was limited to the two cases.
This decision shows that German data protection authorities take the CJEU's Decision seriously and interpret it with the EDPB's (preliminary) recommendations on supplementary measures in mind. The publishing company avoided a fine because the case involved a minor and temporary violation only, and the company stopped using the Mailchimp service. However, the recent developments described in the present update represent a great challenge for companies in the EEA and the UK that routinely use US-based service providers falling within the scope of FISA and requiring access to the personal data in the clear (as opposed to encrypted, anonymous or aggregate data).
In addition to the EDPB's preliminary recommendations, the draft new SCCs published by the European Commission in November 2020 also envisage that transfers of personal data to jurisdictions that are not subject to an adequacy decision by the European Commission will require the data exporter and data importer to carry out a local law assessment and, where required, implement the supplementary measures identified before the personal data is transferred outside the EEA (see our client alert for more information).
Once the EDPB's recommendations on supplementary measures are finalised, and if in the EDPB's view there are still no adequate supplementary measures available to safeguard transfers to cloud service providers or other processors falling under FISA who require access to the transferred personal data in the clear, the EEA data protection authorities will most likely no longer tolerate repeated and/or large-scale personal data transfers which do not meet the GDPR requirements for international personal data transfers.
In the UK, the Information Commissioner's Office is expected to issue its own guidance on the implications of the CJEU's Decision, which should clarify the regulatory approach and enforcement in the UK.
As a priority, companies whose processing activities are subject to the GDPR should therefore map their international personal data transfers and, where required, explore legally and practically feasible alternatives to such transfers.