In a notable application of the European Court of Justice’s “Schrems II” decision, the data protection authority for the German state of Bavaria recently held that a German entity’s use of US-based MailChimp, which involved transferring personal information to the US, violated GDPR. As we previously wrote, the Schrems II decision turned on concerns around lack of sufficient safeguards under US law. The court cautioned, and the EDPB has since clarified further, that for standard contractual clauses to be used, companies must determine whether the information will have the same level of protection under the laws of the receiving country. If not, additional “supplementary measures” must be implemented.

As many may be aware, MailChimp is a popular email vendor. Here, the German company that hired MailChimp sent its European customers’ email addresses to MailChimp, in the US, so that MailChimp could then send the customers email newsletters. Even though the transfer was made pursuant to standard contractual clauses, the Bavarian DPA held that the transfer failed to adequately protect EU data subject rights.

In reaching its decision, the Bavarian DPA raised as a concern the possibility that US intelligence services could access information held by MailChimp under US law. It concluded that this failed to provide European individuals “protection” from such access, thus not giving the same level of protection as if the information remained in the EU. The Bavarian DPA did not provide direction on what supplementary measures could have been used. The EDPB, though, has suggested (para 48) that in such circumstances a technical measure may be the only option. Faced with the DPA’s determination, the data controller promised to stop using MailChimp.

Putting it into Practice: When sending personal data from the EU to the US using standard contractual clauses, businesses should evaluate whether the SCCs alone will provide the same level of protection for the data as under EU law. If not, businesses should consider whether they can employ additional security measures. Although no direction was provided in this case by the Bavarian DPA, the EDPB guidance can be of help.